Overview

overview

10

Static

static

3

NewProject1.exe

windows7-x64

10

NewProject1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 17:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NewProject1.exe

  • Size

    4.9MB

  • MD5

    eace0ed3521967a36f02f3408a76689d

  • SHA1

    54210340f93b45b7bd0eff93da29151a5e846174

  • SHA256

    a2d773d335de672b8b525f26483081ef86bdfbb524afdf3dab5922e66d864e96

  • SHA512

    9646a69340e263150fc05519576fdc4d07ef51cf05f974dfd4f94b866e896255ee469207b6181b976d253a2497a753439c1ec639897dbe7c0fb89674eaba6448

  • SSDEEP

    98304:w409oEFvy98NF/4uhbfc7DdGnTYrhMiAV4i2BWWH:i/FayNFQKU7qstyKnJ

Score
10/10
44caliberpersistencespywarestealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1237112288494747648/RwLhzmD0ehxDiBdZsbgoSXVKoOkldpfaRP7ikjkQV9Ya8EVVXay-1UF3yarrrtlSnrpv

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Downloads MZ/PE file
  • Modifies AppInit DLL entries 2 TTPs
    persistence
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 41 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 43 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\NewProject1.exe
    "C:\Users\Admin\AppData\Local\Temp\NewProject1.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1472
    • C:\ProgramData\extreme.exe
      "C:\ProgramData\extreme.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2076
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "AssemblyBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:764
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "AssemblyBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe"
          4⤵
          • Creates scheduled task(s)
          PID:2376
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1732
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:4636
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Svchost" /tr "C:\Users\Admin\AppData\Local\amd64_microsoft-windows-f..client-applications_31bf3856ad364e35_10.0.19041.3636_none_ed91412UI917\swapdrives.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1116
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo 5 /tn "Svchost" /tr "C:\Users\Admin\AppData\Local\amd64_microsoft-windows-f..client-applications_31bf3856ad364e35_10.0.19041.3636_none_ed91412UI917\swapdrives.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:1236
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4564
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:2452
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5020
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:4720
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4056
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:2500
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4164
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:3932
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1384
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:1628
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4404
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:3240
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1360
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:3952
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4224
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:1476
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2280
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:1844
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4356
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:4656
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4532
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
          4⤵
          • Creates scheduled task(s)
          PID:1072
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
        3⤵
          PID:640
          • C:\Windows\system32\schtasks.exe
            SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
            4⤵
            • Creates scheduled task(s)
            PID:2840
        • C:\Windows\SYSTEM32\CMD.exe
          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
          3⤵
            PID:2280
            • C:\Windows\system32\schtasks.exe
              SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
              4⤵
              • Creates scheduled task(s)
              PID:1568
          • C:\Windows\SYSTEM32\CMD.exe
            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
            3⤵
              PID:2776
              • C:\Windows\system32\schtasks.exe
                SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
                4⤵
                • Creates scheduled task(s)
                PID:3852
            • C:\Windows\SYSTEM32\CMD.exe
              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
              3⤵
                PID:3580
                • C:\Windows\system32\schtasks.exe
                  SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
                  4⤵
                  • Creates scheduled task(s)
                  PID:4452
              • C:\Windows\SYSTEM32\CMD.exe
                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
                3⤵
                  PID:4564
                  • C:\Windows\system32\schtasks.exe
                    SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
                    4⤵
                    • Creates scheduled task(s)
                    PID:2856
                • C:\Windows\SYSTEM32\CMD.exe
                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
                  3⤵
                    PID:424
                    • C:\Windows\system32\schtasks.exe
                      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
                      4⤵
                      • Creates scheduled task(s)
                      PID:3300
                  • C:\Windows\SYSTEM32\CMD.exe
                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
                    3⤵
                      PID:2724
                      • C:\Windows\system32\schtasks.exe
                        SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
                        4⤵
                        • Creates scheduled task(s)
                        PID:5044
                    • C:\Windows\SYSTEM32\CMD.exe
                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
                      3⤵
                        PID:4168
                        • C:\Windows\system32\schtasks.exe
                          SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
                          4⤵
                          • Creates scheduled task(s)
                          PID:4364
                      • C:\Windows\SYSTEM32\CMD.exe
                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
                        3⤵
                          PID:4476
                          • C:\Windows\system32\schtasks.exe
                            SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
                            4⤵
                            • Creates scheduled task(s)
                            PID:2988
                        • C:\Windows\SYSTEM32\CMD.exe
                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
                          3⤵
                            PID:372
                            • C:\Windows\system32\schtasks.exe
                              SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
                              4⤵
                              • Creates scheduled task(s)
                              PID:2836
                          • C:\Windows\SYSTEM32\CMD.exe
                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
                            3⤵
                              PID:2756
                              • C:\Windows\system32\schtasks.exe
                                SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
                                4⤵
                                • Creates scheduled task(s)
                                PID:3136
                            • C:\Windows\SYSTEM32\CMD.exe
                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
                              3⤵
                                PID:5044
                                • C:\Windows\system32\schtasks.exe
                                  SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
                                  4⤵
                                  • Creates scheduled task(s)
                                  PID:5056
                              • C:\Windows\SYSTEM32\CMD.exe
                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
                                3⤵
                                  PID:752
                                  • C:\Windows\system32\schtasks.exe
                                    SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
                                    4⤵
                                    • Creates scheduled task(s)
                                    PID:2020
                                • C:\Windows\SYSTEM32\CMD.exe
                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
                                  3⤵
                                    PID:4512
                                    • C:\Windows\system32\schtasks.exe
                                      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
                                      4⤵
                                      • Creates scheduled task(s)
                                      PID:1620
                                  • C:\Windows\SYSTEM32\CMD.exe
                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
                                    3⤵
                                      PID:2500
                                      • C:\Windows\system32\schtasks.exe
                                        SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
                                        4⤵
                                        • Creates scheduled task(s)
                                        PID:3680
                                    • C:\Windows\SYSTEM32\CMD.exe
                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
                                      3⤵
                                        PID:2708
                                        • C:\Windows\system32\schtasks.exe
                                          SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
                                          4⤵
                                          • Creates scheduled task(s)
                                          PID:1304
                                      • C:\Windows\SYSTEM32\CMD.exe
                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
                                        3⤵
                                          PID:3112
                                          • C:\Windows\system32\schtasks.exe
                                            SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
                                            4⤵
                                            • Creates scheduled task(s)
                                            PID:4560
                                        • C:\Windows\SYSTEM32\CMD.exe
                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
                                          3⤵
                                            PID:2776
                                            • C:\Windows\system32\schtasks.exe
                                              SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
                                              4⤵
                                              • Creates scheduled task(s)
                                              PID:2956
                                          • C:\Windows\SYSTEM32\CMD.exe
                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
                                            3⤵
                                              PID:2388
                                              • C:\Windows\system32\schtasks.exe
                                                SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
                                                4⤵
                                                • Creates scheduled task(s)
                                                PID:380
                                            • C:\Windows\SYSTEM32\CMD.exe
                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
                                              3⤵
                                                PID:3356
                                                • C:\Windows\system32\schtasks.exe
                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
                                                  4⤵
                                                  • Creates scheduled task(s)
                                                  PID:5032
                                              • C:\Windows\SYSTEM32\CMD.exe
                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
                                                3⤵
                                                  PID:1044
                                                  • C:\Windows\system32\schtasks.exe
                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
                                                    4⤵
                                                    • Creates scheduled task(s)
                                                    PID:684
                                                • C:\Windows\SYSTEM32\CMD.exe
                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
                                                  3⤵
                                                    PID:3812
                                                    • C:\Windows\system32\schtasks.exe
                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
                                                      4⤵
                                                      • Creates scheduled task(s)
                                                      PID:5088
                                                  • C:\Windows\SYSTEM32\CMD.exe
                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
                                                    3⤵
                                                      PID:1612
                                                      • C:\Windows\system32\schtasks.exe
                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
                                                        4⤵
                                                        • Creates scheduled task(s)
                                                        PID:2168
                                                    • C:\Windows\SYSTEM32\CMD.exe
                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
                                                      3⤵
                                                        PID:1476
                                                        • C:\Windows\system32\schtasks.exe
                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
                                                          4⤵
                                                          • Creates scheduled task(s)
                                                          PID:1060
                                                      • C:\Windows\SYSTEM32\CMD.exe
                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
                                                        3⤵
                                                          PID:740
                                                          • C:\Windows\system32\schtasks.exe
                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
                                                            4⤵
                                                            • Creates scheduled task(s)
                                                            PID:2836
                                                        • C:\Windows\SYSTEM32\CMD.exe
                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
                                                          3⤵
                                                            PID:4720
                                                            • C:\Windows\system32\schtasks.exe
                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
                                                              4⤵
                                                              • Creates scheduled task(s)
                                                              PID:2128
                                                          • C:\Windows\SYSTEM32\CMD.exe
                                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
                                                            3⤵
                                                              PID:1360
                                                              • C:\Windows\system32\schtasks.exe
                                                                SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
                                                                4⤵
                                                                • Creates scheduled task(s)
                                                                PID:864
                                                            • C:\Windows\SYSTEM32\CMD.exe
                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
                                                              3⤵
                                                                PID:3680
                                                                • C:\Windows\system32\schtasks.exe
                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
                                                                  4⤵
                                                                  • Creates scheduled task(s)
                                                                  PID:424
                                                              • C:\Windows\SYSTEM32\CMD.exe
                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
                                                                3⤵
                                                                  PID:1072
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
                                                                    4⤵
                                                                    • Creates scheduled task(s)
                                                                    PID:1100
                                                              • C:\Users\Admin\AppData\Local\Temp\extreme injector.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\extreme injector.exe"
                                                                2⤵
                                                                • Checks computer location settings
                                                                • Executes dropped EXE
                                                                • Modifies registry class
                                                                • Suspicious use of WriteProcessMemory
                                                                PID:3024
                                                                • C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
                                                                  3⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2052
                                                                • C:\Users\Admin\AppData\Local\Temp\Insidious.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
                                                                  3⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2376
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3772,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4124 /prefetch:8
                                                              1⤵
                                                                PID:4744

                                                              Network

                                                              MITRE ATT&CK Matrix ATT&CK v13

                                                              Initial Access

                                                              Execution

                                                              Scheduled Task/Job

                                                              1
                                                              T1053

                                                              Persistence

                                                              Boot or Logon Autostart Execution

                                                              3
                                                              T1547

                                                              Registry Run Keys / Startup Folder

                                                              2
                                                              T1547.001

                                                              Winlogon Helper DLL

                                                              1
                                                              T1547.004

                                                              Scheduled Task/Job

                                                              1
                                                              T1053

                                                              Privilege Escalation

                                                              Boot or Logon Autostart Execution

                                                              3
                                                              T1547

                                                              Registry Run Keys / Startup Folder

                                                              2
                                                              T1547.001

                                                              Winlogon Helper DLL

                                                              1
                                                              T1547.004

                                                              Scheduled Task/Job

                                                              1
                                                              T1053

                                                              Defense Evasion

                                                              Modify Registry

                                                              3
                                                              T1112

                                                              Credential Access

                                                              Unsecured Credentials

                                                              2
                                                              T1552

                                                              Credentials In Files

                                                              2
                                                              T1552.001

                                                              Discovery

                                                              Query Registry

                                                              2
                                                              T1012

                                                              System Information Discovery

                                                              2
                                                              T1082

                                                              Lateral Movement

                                                              Collection

                                                              Data from Local System

                                                              2
                                                              T1005

                                                              Exfiltration

                                                              Command and Control

                                                              Web Service

                                                              1
                                                              T1102

                                                              Impact

                                                              Resource Development

                                                              Reconnaissance

                                                              Replay Monitor

                                                              Loading Replay Monitor...

                                                              Downloads

                                                              • C:\ProgramData\extreme.exe
                                                                Filesize

                                                                610KB

                                                                MD5

                                                                fc171c6dc3d5569ff7edd101a5e3b595

                                                                SHA1

                                                                ee7a10dcf4337812a07525b3158deca522d25f54

                                                                SHA256

                                                                2d267d4437ddd0caa02357b90606f4db625940e77029d898576c8e0f9f4e7a9b

                                                                SHA512

                                                                c01f725c290145982de52047d1c30148c15a41b146c7b6bf420d2f841da9fd413107edd0eac25ba836e83de1124768248fb2243860004b9e1bfe7a60d0d254c4

                                                                Download Submit
                                                              • C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
                                                                Filesize

                                                                1.9MB

                                                                MD5

                                                                ec801a7d4b72a288ec6c207bb9ff0131

                                                                SHA1

                                                                32eec2ae1f9e201516fa7fcdc16c4928f7997561

                                                                SHA256

                                                                b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

                                                                SHA512

                                                                a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

                                                                Download Submit
                                                              • C:\Users\Admin\AppData\Local\Temp\Insidious.exe
                                                                Filesize

                                                                281KB

                                                                MD5

                                                                b3cc053a740c79d2844a542e951b3335

                                                                SHA1

                                                                44fa83e0bfd8c7761ba8fbe0f687a53a062d89a0

                                                                SHA256

                                                                278704c25e1f4fb26e09a663ea2e0762510d02837ced1771d72c0240e3f9b993

                                                                SHA512

                                                                b7ffb66a9b7fa366dfc4b12978ad8d3555859ff526d8d1f8f9557ff22cf0cdf44369796722b22f0da28c79850f3cb16b3e9c49c8db2f8ab64e66661322f46cbe

                                                                Download Submit
                                                              • C:\Users\Admin\AppData\Local\Temp\extreme injector.exe
                                                                Filesize

                                                                3.3MB

                                                                MD5

                                                                2ffea9e69ec40e9f4337787a953e02f1

                                                                SHA1

                                                                5d2df0bec27c916a95b39d90f2c4cbfe485a4e29

                                                                SHA256

                                                                a0c52d8be54a2437a28412f63fd7bb700b15b10a6cf8640630fd35ed6bf68204

                                                                SHA512

                                                                6ecd979f26ef0095825dfe40123129a973dd2daccfa2e04eb0b71e8615d2abf439b134200abdec4794216d237b12c961520eb11f76277660807a859a919e1698

                                                                Download Submit
                                                              • C:\Windows\xdwd.dll
                                                                Filesize

                                                                136KB

                                                                MD5

                                                                16e5a492c9c6ae34c59683be9c51fa31

                                                                SHA1

                                                                97031b41f5c56f371c28ae0d62a2df7d585adaba

                                                                SHA256

                                                                35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

                                                                SHA512

                                                                20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

                                                                Download Submit
                                                              • memory/1472-0-0x0000000000400000-0x00000000008E6000-memory.dmp
                                                                Filesize

                                                                4.9MB

                                                                Download
                                                              • memory/2052-236-0x000000001C150000-0x000000001C18C000-memory.dmp
                                                                Filesize

                                                                240KB

                                                                Download
                                                              • memory/2052-235-0x000000001BED0000-0x000000001BEE2000-memory.dmp
                                                                Filesize

                                                                72KB

                                                                Download
                                                              • memory/2052-196-0x00000000000D0000-0x00000000002B6000-memory.dmp
                                                                Filesize

                                                                1.9MB

                                                                Download
                                                              • memory/2076-77-0x0000000000F90000-0x000000000102C000-memory.dmp
                                                                Filesize

                                                                624KB

                                                                Download
                                                              • memory/2076-80-0x00007FFC049D3000-0x00007FFC049D5000-memory.dmp
                                                                Filesize

                                                                8KB

                                                                Download
                                                              • memory/2076-369-0x00007FFC049D3000-0x00007FFC049D5000-memory.dmp
                                                                Filesize

                                                                8KB

                                                                Download
                                                              • memory/2376-208-0x0000021594C60000-0x0000021594CAC000-memory.dmp
                                                                Filesize

                                                                304KB

                                                                Download
                                                              • memory/3024-87-0x0000000000400000-0x0000000000743000-memory.dmp
                                                                Filesize

                                                                3.3MB

                                                                Download