Analysis
- max time kernel: 151s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-05-2024 06:46
- Static task: static1
- Behavioral task: behavioral1
- Sample: 5D474E6A5232B3D3DD5576111A2B22A1.exe
- Resource: win7-20240508-en
General
- Target: 5D474E6A5232B3D3DD5576111A2B22A1.exe
- Size: 8.4MB
- MD5: 5d474e6a5232b3d3dd5576111a2b22a1
- SHA1: 60923eeaaf6334dde034a338302bcc25a2552618
- SHA256: 942f9e81e5d489676579e93f2e8f0c7af018399bbebf9d90f631333ab9853cbc
- SHA512: 93794f9a4548c55ab64bdf0a72a5aa08271e7ca58793de0c20c34dbff679638c22a6515e8c402ed8cf41c0a8db25f2aea33a2552fb633f43fc1bcfd7d22fdfae
- SSDEEP: 98304:tVDbpZYm4jCCC08mudOK+rdYsL9mJ+C01l96Y:tVDbpZYxBC0wWrdYB+tl9B
Malware Config
Signatures
DcRat 35 IoCs
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that can load additional plugins.
Processes (pid process, or description ioc process):
- 5100 schtasks.exe
- 1976 schtasks.exe
- 3244 schtasks.exe
- 4072 schtasks.exe
- 4132 schtasks.exe
- 1532 schtasks.exe
- 1536 schtasks.exe
- 4592 schtasks.exe
- 2056 schtasks.exe
- 4044 schtasks.exe
- 5116 schtasks.exe
- 4568 schtasks.exe
- 3884 schtasks.exe
- 3180 schtasks.exe
- 3804 schtasks.exe
- 2280 schtasks.exe
- 2708 schtasks.exe
- 3612 schtasks.exe
- 1504 schtasks.exe
- 3720 schtasks.exe
- 3556 schtasks.exe
- 4028 schtasks.exe
- 968 schtasks.exe
- File created C:\Program Files (x86)\Internet Explorer\es-ES\e1ef82546f0b02 (runtimeDhcpCommon.exe)
- 2028 schtasks.exe
- 1776 schtasks.exe
- 3332 schtasks.exe
- 2700 schtasks.exe
- 1064 schtasks.exe
- Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (5D474E6A5232B3D3DD5576111A2B22A1.exe)
- 3836 schtasks.exe
- 3620 schtasks.exe
- 4384 schtasks.exe
- 1764 schtasks.exe
- 1684 schtasks.exe
Process spawned unexpected child process 33 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes (description / pid / pid_target / process):
All 33 rows share the description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", pid_target 4820 and process schtasks.exe. The pid column, in report order:
2056, 2028, 4568, 1776, 1532, 3884, 3836, 1536, 3332, 3180, 2700, 4044, 3244, 3620, 5100, 3804, 1976, 3612, 4384, 4072, 1504, 2280, 1064, 1764, 1684, 4028, 2708, 3720, 4132, 968, 4592, 5116, 3556
UAC bypass 6 IoCs
Processes (description ioc process):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (RuntimeBroker.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (RuntimeBroker.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (RuntimeBroker.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (runtimeDhcpCommon.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (runtimeDhcpCommon.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (runtimeDhcpCommon.exe)
Yara rule matches 4 IoCs
Resources (resource yara_rule):
- behavioral2/memory/2236-0-0x0000000000400000-0x0000000000C6C000-memory.dmp: dcrat
- C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe: dcrat
- C:\surrogatedriverbroker\runtimeDhcpCommon.exe: dcrat
- behavioral2/memory/1884-114-0x00000000007C0000-0x0000000000B2A000-memory.dmp: dcrat
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description ioc process):
- Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (RuntimeBroker.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (5D474E6A5232B3D3DD5576111A2B22A1.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (DCRatBuild.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (WScript.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (runtimeDhcpCommon.exe)
Executes dropped EXE 3 IoCs
Processes (pid process):
- 3612 DCRatBuild.exe
- 1884 runtimeDhcpCommon.exe
- 116 RuntimeBroker.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
Checks whether UAC is enabled 4 IoCs
Processes (description ioc process):
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (runtimeDhcpCommon.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (runtimeDhcpCommon.exe)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (RuntimeBroker.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (RuntimeBroker.exe)
Drops file in Program Files directory 7 IoCs
Processes (description ioc process):
- File created C:\Program Files (x86)\Windows NT\Accessories\en-US\msedge.exe (runtimeDhcpCommon.exe)
- File created C:\Program Files (x86)\Windows NT\Accessories\en-US\61a52ddc9dd915 (runtimeDhcpCommon.exe)
- File created C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\de-DE\unsecapp.exe (runtimeDhcpCommon.exe)
- File created C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\de-DE\29c1c3cc0f7685 (runtimeDhcpCommon.exe)
- File created C:\Program Files (x86)\Internet Explorer\es-ES\SppExtComObj.exe (runtimeDhcpCommon.exe)
- File opened for modification C:\Program Files (x86)\Internet Explorer\es-ES\SppExtComObj.exe (runtimeDhcpCommon.exe)
- File created C:\Program Files (x86)\Internet Explorer\es-ES\e1ef82546f0b02 (runtimeDhcpCommon.exe)
Drops file in Windows directory 3 IoCs
Processes (description ioc process):
- File created C:\Windows\servicing\RuntimeBroker.exe (runtimeDhcpCommon.exe)
- File created C:\Windows\Panther\actionqueue\MoUsoCoreWorker.exe (runtimeDhcpCommon.exe)
- File created C:\Windows\Panther\actionqueue\1f93f77a7f4778 (runtimeDhcpCommon.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 33 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid process):
All 33 rows are schtasks.exe; the pid column, in report order:
3836, 1976, 1504, 4132, 2056, 1776, 2280, 4592, 3556, 1536, 3804, 1764, 4044, 3244, 4072, 3884, 2700, 4028, 968, 5116, 2028, 1532, 3180, 3620, 3332, 5100, 4568, 3612, 4384, 1064, 1684, 2708, 3720
Modifies registry class 3 IoCs
Processes (description ioc process):
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (5D474E6A5232B3D3DD5576111A2B22A1.exe)
- Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings (DCRatBuild.exe)
- Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings (RuntimeBroker.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid process; 64 events in total, repeated identical rows collapsed):
- 1884 runtimeDhcpCommon.exe
- 116 RuntimeBroker.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid process):
- 116 RuntimeBroker.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes (description pid process):
- Token: SeDebugPrivilege 1884 runtimeDhcpCommon.exe
- Token: SeDebugPrivilege 116 RuntimeBroker.exe
- Token: SeBackupPrivilege 4384 vssvc.exe
- Token: SeRestorePrivilege 4384 vssvc.exe
- Token: SeAuditPrivilege 4384 vssvc.exe
Suspicious use of WriteProcessMemory 20 IoCs
Processes (description pid process target process; repeated identical rows collapsed with their event count):
- PID 2236 wrote to memory of 3612 (5D474E6A5232B3D3DD5576111A2B22A1.exe -> DCRatBuild.exe), 3 events
- PID 3612 wrote to memory of 4592 (DCRatBuild.exe -> WScript.exe), 3 events
- PID 3612 wrote to memory of 2428 (DCRatBuild.exe -> WScript.exe), 3 events
- PID 4592 wrote to memory of 5000 (WScript.exe -> cmd.exe), 3 events
- PID 5000 wrote to memory of 1884 (cmd.exe -> runtimeDhcpCommon.exe), 2 events
- PID 1884 wrote to memory of 116 (runtimeDhcpCommon.exe -> RuntimeBroker.exe), 2 events
- PID 116 wrote to memory of 2168 (RuntimeBroker.exe -> WScript.exe), 2 events
- PID 116 wrote to memory of 3884 (RuntimeBroker.exe -> WScript.exe), 2 events
System policy modification 1 TTPs 6 IoCs
Processes (description ioc process):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (RuntimeBroker.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (RuntimeBroker.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (RuntimeBroker.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (runtimeDhcpCommon.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (runtimeDhcpCommon.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (runtimeDhcpCommon.exe)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Tree depth is shown by indentation; child processes are listed under their parent.
- C:\Users\Admin\AppData\Local\Temp\5D474E6A5232B3D3DD5576111A2B22A1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5D474E6A5232B3D3DD5576111A2B22A1.exe"
  Signatures: DcRat; Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
  PID: 2236
  - C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
    Signatures: Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
    PID: 3612
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\surrogatedriverbroker\MX0u5YpaE0Bl8Q4tzHjuN5MlF.vbe"
      Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
      PID: 4592
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\surrogatedriverbroker\iB8LDc93mffvsV4P5elLH7ibJvoD.bat" "
        Signatures: Suspicious use of WriteProcessMemory
        PID: 5000
        - C:\surrogatedriverbroker\runtimeDhcpCommon.exe
          Command line: "C:\surrogatedriverbroker\runtimeDhcpCommon.exe"
          Signatures: DcRat; UAC bypass; Checks computer location settings; Executes dropped EXE; Checks whether UAC is enabled; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
          PID: 1884
          - C:\Recovery\WindowsRE\RuntimeBroker.exe
            Command line: "C:\Recovery\WindowsRE\RuntimeBroker.exe"
            Signatures: UAC bypass; Checks computer location settings; Executes dropped EXE; Checks whether UAC is enabled; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
            PID: 116
            - C:\Windows\System32\WScript.exe
              Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5818b527-3acb-4b64-87cd-c66639d6b2bc.vbs"
              PID: 2168
            - C:\Windows\System32\WScript.exe
              Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de2055f3-e164-4113-b290-2f1dbd3e7d8f.vbs"
              PID: 3884
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\surrogatedriverbroker\file.vbs"
      PID: 2428
- C:\Windows\system32\schtasks.exe (33 top-level instances; every one carries the signatures DcRat; Process spawned unexpected child process; Creates scheduled task(s))
  Command lines, with the PID of each instance:
  - PID 2056: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\SppExtComObj.exe'" /f
  - PID 2028: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\SppExtComObj.exe'" /rl HIGHEST /f
  - PID 4568: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\SppExtComObj.exe'" /rl HIGHEST /f
  - PID 1776: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Start Menu\taskhostw.exe'" /f
  - PID 1532: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\taskhostw.exe'" /rl HIGHEST /f
  - PID 3884: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Start Menu\taskhostw.exe'" /rl HIGHEST /f
  - PID 3836: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\msedge.exe'" /f
  - PID 1536: schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\msedge.exe'" /rl HIGHEST /f
  - PID 3332: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\msedge.exe'" /rl HIGHEST /f
  - PID 3180: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
  - PID 2700: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
  - PID 4044: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
  - PID 3244: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
  - PID 3620: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
  - PID 5100: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
  - PID 3804: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\WmiPrvSE.exe'" /f
  - PID 1976: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Templates\WmiPrvSE.exe'" /rl HIGHEST /f
  - PID 3612: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Templates\WmiPrvSE.exe'" /rl HIGHEST /f
  - PID 4384: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\de-DE\unsecapp.exe'" /f
  - PID 4072: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\de-DE\unsecapp.exe'" /rl HIGHEST /f
  - PID 1504: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\de-DE\unsecapp.exe'" /rl HIGHEST /f
  - PID 2280: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
  - PID 1064: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
  - PID 1764: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
  - PID 1684: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
  - PID 4028: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
  - PID 2708: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
  - PID 3720: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
  - PID 4132: schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
  - PID 968: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
  - PID 4592: schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 14 /tr "'C:\Windows\Panther\actionqueue\MoUsoCoreWorker.exe'" /f
  - PID 5116: schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\MoUsoCoreWorker.exe'" /rl HIGHEST /f
  - PID 3556: schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 11 /tr "'C:\Windows\Panther\actionqueue\MoUsoCoreWorker.exe'" /rl HIGHEST /f
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
  PID: 4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
  PID: 2600
- C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 2484
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads