Analysis
max time kernel: 149s
max time network: 155s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 05-05-2024 01:28
Static task: static1
Behavioral task: behavioral1
Sample: a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe
Resource: win7-20240221-en
General
Target: a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe
Size: 4.3MB
MD5: 898a94f29edc228ce3bd2054f3d5d6dd
SHA1: f2b5d32ca5520f35a738ef1ccbbf5fb2160bfbc5
SHA256: a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37
SHA512: 8a7ee18864b118bd165b9f97aad3d188cd51985180feedf5c32c2f5acd6d427f05b7e6077a9c0c405bd152a203086203aa306db802e13f917c04040c4b789eae
SSDEEP: 49152:ENPuAcWILneTm53Oln3Gl1iy92HEs/sFZ583oMLmUZ8hXyaSvgIsR1SB:ENP0WILeTm5+l2lb40r5837L8iVvIvQ
Malware Config
Extracted: umbral
https://discord.com/api/webhooks/1229451067175997500/jIKKpDize9BATyGRwJszp_dngrLcH2ykCNVKA2g8DaU3tS2rFJtimCYVQM10Zmvy_yF-
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that can load additional plugins.
Detect Umbral payload 3 IoCs
resource | yara_rule
behavioral1/memory/2892-0-0x0000000000400000-0x000000000084E000-memory.dmp | family_umbral
behavioral1/files/0x000d00000001224c-3.dat | family_umbral
behavioral1/memory/2508-14-0x00000000013E0000-0x0000000001420000-memory.dmp | family_umbral
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1104 | 2560 | schtasks.exe | 38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1976 | 2560 | schtasks.exe | 38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1980 | 2560 | schtasks.exe | 38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1692 | 2560 | schtasks.exe | 38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2576 | 2560 | schtasks.exe | 38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1784 | 2560 | schtasks.exe | 38
DcRat (yara matches)
resource | yara_rule
behavioral1/memory/2892-0-0x0000000000400000-0x000000000084E000-memory.dmp | dcrat
behavioral1/files/0x002b000000014c67-9.dat | dcrat
behavioral1/files/0x00090000000155e2-36.dat | dcrat
behavioral1/memory/1652-37-0x00000000010E0000-0x000000000132A000-memory.dmp | dcrat
behavioral1/memory/2460-62-0x0000000001160000-0x00000000013AA000-memory.dmp | dcrat
behavioral1/memory/1696-141-0x00000000000C0000-0x000000000030A000-memory.dmp | dcrat
behavioral1/memory/1436-153-0x00000000011F0000-0x000000000143A000-memory.dmp | dcrat
Disables Task Manager via registry modification
Executes dropped EXE 15 IoCs
pid | Process
2508 | stealer.exe
2644 | чекер dc.exe
2964 | Inject.exe
1652 | driverBrokercommon.exe
2460 | conhost.exe
3044 | conhost.exe
2504 | conhost.exe
1928 | conhost.exe
2712 | conhost.exe
2276 | conhost.exe
2336 | conhost.exe
1696 | conhost.exe
1436 | conhost.exe
1716 | conhost.exe
2820 | conhost.exe
Loads dropped DLL 6 IoCs
pid | Process
2892 | a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe
2892 | a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe
2892 | a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe
2604 | Process not Found
2984 | cmd.exe
2984 | cmd.exe
Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Windows Mail\de-DE\wininit.exe | driverBrokercommon.exe
File created | C:\Program Files (x86)\Windows Mail\de-DE\56085415360792 | driverBrokercommon.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\inf\conhost.exe | driverBrokercommon.exe
File opened for modification | C:\Windows\inf\conhost.exe | driverBrokercommon.exe
File created | C:\Windows\inf\088424020bedd6 | driverBrokercommon.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1980 | schtasks.exe
1692 | schtasks.exe
2576 | schtasks.exe
1784 | schtasks.exe
1104 | schtasks.exe
1976 | schtasks.exe
Modifies registry key 1 TTPs 1 IoCs
pid | Process
2852 | reg.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 53 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2508 | stealer.exe
Token: SeDebugPrivilege | 1652 | driverBrokercommon.exe
Token: SeIncreaseQuotaPrivilege | 2348 | wmic.exe
Token: SeSecurityPrivilege | 2348 | wmic.exe
Token: SeTakeOwnershipPrivilege | 2348 | wmic.exe
Token: SeLoadDriverPrivilege | 2348 | wmic.exe
Token: SeSystemProfilePrivilege | 2348 | wmic.exe
Token: SeSystemtimePrivilege | 2348 | wmic.exe
Token: SeProfSingleProcessPrivilege | 2348 | wmic.exe
Token: SeIncBasePriorityPrivilege | 2348 | wmic.exe
Token: SeCreatePagefilePrivilege | 2348 | wmic.exe
Token: SeBackupPrivilege | 2348 | wmic.exe
Token: SeRestorePrivilege | 2348 | wmic.exe
Token: SeShutdownPrivilege | 2348 | wmic.exe
Token: SeDebugPrivilege | 2348 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 2348 | wmic.exe
Token: SeRemoteShutdownPrivilege | 2348 | wmic.exe
Token: SeUndockPrivilege | 2348 | wmic.exe
Token: SeManageVolumePrivilege | 2348 | wmic.exe
Token: 33 | 2348 | wmic.exe
Token: 34 | 2348 | wmic.exe
Token: 35 | 2348 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 2348 | wmic.exe
Token: SeSecurityPrivilege | 2348 | wmic.exe
Token: SeTakeOwnershipPrivilege | 2348 | wmic.exe
Token: SeLoadDriverPrivilege | 2348 | wmic.exe
Token: SeSystemProfilePrivilege | 2348 | wmic.exe
Token: SeSystemtimePrivilege | 2348 | wmic.exe
Token: SeProfSingleProcessPrivilege | 2348 | wmic.exe
Token: SeIncBasePriorityPrivilege | 2348 | wmic.exe
Token: SeCreatePagefilePrivilege | 2348 | wmic.exe
Token: SeBackupPrivilege | 2348 | wmic.exe
Token: SeRestorePrivilege | 2348 | wmic.exe
Token: SeShutdownPrivilege | 2348 | wmic.exe
Token: SeDebugPrivilege | 2348 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 2348 | wmic.exe
Token: SeRemoteShutdownPrivilege | 2348 | wmic.exe
Token: SeUndockPrivilege | 2348 | wmic.exe
Token: SeManageVolumePrivilege | 2348 | wmic.exe
Token: 33 | 2348 | wmic.exe
Token: 34 | 2348 | wmic.exe
Token: 35 | 2348 | wmic.exe
Token: SeDebugPrivilege | 2460 | conhost.exe
Token: SeDebugPrivilege | 3044 | conhost.exe
Token: SeDebugPrivilege | 2504 | conhost.exe
Token: SeDebugPrivilege | 1928 | conhost.exe
Token: SeDebugPrivilege | 2712 | conhost.exe
Token: SeDebugPrivilege | 2276 | conhost.exe
Token: SeDebugPrivilege | 2336 | conhost.exe
Token: SeDebugPrivilege | 1696 | conhost.exe
Token: SeDebugPrivilege | 1436 | conhost.exe
Token: SeDebugPrivilege | 1716 | conhost.exe
Token: SeDebugPrivilege | 2820 | conhost.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree. Each entry shows [depth] PID image path, followed by the command line and the behaviors flagged for that process.

[1] PID 2892  C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

[2] PID 2508  C:\Users\Admin\AppData\Local\Temp\stealer.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\stealer.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[3] PID 2348  C:\Windows\System32\Wbem\wmic.exe
    cmd: "wmic.exe" csproduct get uuid
    - Suspicious use of AdjustPrivilegeToken

[2] PID 2644  C:\Users\Admin\AppData\Local\Temp\чекер dc.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\чекер dc.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

[3] PID 2536  C:\Windows\SysWOW64\WScript.exe
    cmd: "C:\Windows\System32\WScript.exe" "C:\MsWinsessiondllNet\zHYxYvywzA0UOqnH8B4aBgoRvO2C5.vbe"
    - Suspicious use of WriteProcessMemory

[4] PID 2984  C:\Windows\SysWOW64\cmd.exe
    cmd: cmd /c ""C:\MsWinsessiondllNet\q6hjn2OvCg2VETYAoy3FIOj.bat" "
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

[5] PID 1652  C:\MsWinsessiondllNet\driverBrokercommon.exe
    cmd: "C:\MsWinsessiondllNet\driverBrokercommon.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[6] PID 768  C:\Windows\System32\cmd.exe
    cmd: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UaJRNF11a2.bat"
    - Suspicious use of WriteProcessMemory

[7] PID 940  C:\Windows\system32\w32tm.exe
    cmd: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

[7] PID 2460  C:\Windows\inf\conhost.exe
    cmd: "C:\Windows\inf\conhost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[8] PID 1096  C:\Windows\System32\WScript.exe
    cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a0a1e6e-5481-4639-ae8b-5fea2ac76621.vbs"
    - Suspicious use of WriteProcessMemory

[9] PID 3044  C:\Windows\inf\conhost.exe
    cmd: C:\Windows\inf\conhost.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[10] PID 3060  C:\Windows\System32\WScript.exe
    cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0cd5995c-5c03-4040-b512-619c1eccbcb3.vbs"
    - Suspicious use of WriteProcessMemory

[11] PID 2504  C:\Windows\inf\conhost.exe
    cmd: C:\Windows\inf\conhost.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[12] PID 2808  C:\Windows\System32\WScript.exe
    cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d78b4399-8139-4837-973a-f2f0f90fe745.vbs"

[13] PID 1928  C:\Windows\inf\conhost.exe
    cmd: C:\Windows\inf\conhost.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[14] PID 1912  C:\Windows\System32\WScript.exe
    cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e1306a1-7d80-41d9-a54a-66f1727dc77c.vbs"

[15] PID 2712  C:\Windows\inf\conhost.exe
    cmd: C:\Windows\inf\conhost.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[16] PID 1760  C:\Windows\System32\WScript.exe
    cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b170f59-441c-4133-a8dc-1297c5cdbc6a.vbs"

[17] PID 2276  C:\Windows\inf\conhost.exe
    cmd: C:\Windows\inf\conhost.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[18] PID 2832  C:\Windows\System32\WScript.exe
    cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1b0d6d0-77d3-4654-9345-549cd621ce7f.vbs"

[19] PID 2336  C:\Windows\inf\conhost.exe
    cmd: C:\Windows\inf\conhost.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[20] PID 2484  C:\Windows\System32\WScript.exe
    cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b4f4761-f16f-4de3-b5fb-0923ce7bdfea.vbs"

[21] PID 1696  C:\Windows\inf\conhost.exe
    cmd: C:\Windows\inf\conhost.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[22] PID 2348  C:\Windows\System32\WScript.exe
    cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39f25686-6a3e-4eda-875d-a5be55c4b30d.vbs"

[23] PID 1436  C:\Windows\inf\conhost.exe
    cmd: C:\Windows\inf\conhost.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[24] PID 2472  C:\Windows\System32\WScript.exe
    cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c5e5929-4054-4c15-bacf-e767c8424da0.vbs"

[25] PID 1716  C:\Windows\inf\conhost.exe
    cmd: C:\Windows\inf\conhost.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[26] PID 2960  C:\Windows\System32\WScript.exe
    cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54d1267b-f558-4723-a5e9-e5e7f7b12168.vbs"

[27] PID 2820  C:\Windows\inf\conhost.exe
    cmd: C:\Windows\inf\conhost.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[28] PID 2616  C:\Windows\System32\WScript.exe
    cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2128f3e-4b1b-4b82-b696-70ee170e0496.vbs"

[28] PID 1704  C:\Windows\System32\WScript.exe
    cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\799571d0-feee-4ef0-a2bd-927a43a01780.vbs"

[26] PID 108  C:\Windows\System32\WScript.exe
    cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6139caac-670c-420e-a75c-fa399d21bd69.vbs"

[24] PID 984  C:\Windows\System32\WScript.exe
    cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51387e81-ee66-446b-a46a-d0e3ed1d0595.vbs"

[22] PID 2344  C:\Windows\System32\WScript.exe
    cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd645dac-b7c5-44f9-a4a4-3ff1610dd827.vbs"

[20] PID 2792  C:\Windows\System32\WScript.exe
    cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae17c003-b5fe-4f4f-be48-34d5b9eac8fe.vbs"

[18] PID 1772  C:\Windows\System32\WScript.exe
    cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7714cb1-5e00-45fe-a1f0-ae5b007ec77b.vbs"

[16] PID 2304  C:\Windows\System32\WScript.exe
    cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b02fd538-2945-43e5-a920-0034d7675f77.vbs"

[14] PID 2240  C:\Windows\System32\WScript.exe
    cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5150883-ed23-4482-a854-c5a2a66d82ea.vbs"

[12] PID 2856  C:\Windows\System32\WScript.exe
    cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ac14dba-f1e7-43c2-8a6c-dda8c9a7323c.vbs"

[10] PID 1144  C:\Windows\System32\WScript.exe
    cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6244d727-ed45-43e8-ad89-3c478c88af5c.vbs"

[8] PID 1216  C:\Windows\System32\WScript.exe
    cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93f16f6c-47c0-4cae-90c5-45b4dc351db8.vbs"

[5] PID 2852  C:\Windows\SysWOW64\reg.exe
    cmd: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    - Modifies registry key

[2] PID 2964  C:\Users\Admin\AppData\Local\Temp\Inject.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\Inject.exe"
    - Executes dropped EXE

[1] PID 1104  C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\inf\conhost.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] PID 1976  C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\inf\conhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] PID 1980  C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\inf\conhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] PID 1692  C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\wininit.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] PID 2576  C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\wininit.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)

[1] PID 1784  C:\Windows\system32\schtasks.exe
    cmd: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\wininit.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
Downloads