Analysis
max time kernel: 147s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-06-2024 01:08

Behavioral task: behavioral1
Sample: 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe
Resource: win7-20240611-en

Behavioral task: behavioral2
Sample: 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe
Resource: win10v2004-20240611-en

General
Target: 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe
Size: 2.5MB
MD5: 0dfb562500251ae8c085e6e8db7fe3d1
SHA1: 00a1c6bb0bd7d99d54e96b714592f4a070b81641
SHA256: 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a
SHA512: 05578a1553b38cd22570cb5b8bc6e3d4064ab6cf5d05a8537a5a4dd849aac4eda933ccf94d7f765ed03c40b67c6cd89412e15bdbad3a493681cad17387270004
SSDEEP: 49152:aozCQ2xc1knReFIs/2M0HVcg+Fk1gMO9:aozCQ31YK+HKvH
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Process spawned unexpected child process (51 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (51 instances)
Columns: description | pid | pid_target | process
Every one of the 51 rows has the description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", pid_target 4600 and process schtasks.exe; the pid column holds, in order:
3436, 2964, 4496, 3324, 2860, 2288, 4984, 2896, 4756, 4740, 1344, 4404, 780, 4076, 4988, 2740, 4932, 1512, 4088, 4760, 3540, 404, 1168, 744, 4840, 2128, 4400, 5100, 4448, 3688, 4568, 4488, 2792, 4412, 3532, 3924, 1412, 3952, 3476, 2292, 1300, 4820, 3736, 432, 4632, 2700, 2816, 2260, 2228, 2376, 3404
UAC bypass (6 IoCs)
Processes: 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe, backgroundTaskHost.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | backgroundTaskHost.exe
Yara rule matches: dcrat (2 IoCs)
resource | yara_rule
behavioral2/memory/3840-1-0x00000000003B0000-0x0000000000636000-memory.dmp | dcrat
C:\Program Files (x86)\Windows Media Player\Skins\RuntimeBroker.exe | dcrat
Detects executables packed with SmartAssembly (2 IoCs)
resource | yara_rule
behavioral2/memory/3840-8-0x000000001B2C0000-0x000000001B2CA000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/3840-14-0x000000001B9B0000-0x000000001B9BC000-memory.dmp | INDICATOR_EXE_Packed_SmartAssembly
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes: 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe
Executes dropped EXE (1 IoCs)
Processes: backgroundTaskHost.exe
pid | process
464 | backgroundTaskHost.exe
Checks whether UAC is enabled (4 IoCs)
Processes: 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe, backgroundTaskHost.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Drops file in Program Files directory (21 IoCs)
Processes: 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe
All 21 rows have description "File created" and process 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe; the ioc column lists the created files:
C:\Program Files (x86)\Internet Explorer\ja-JP\dllhost.exe
C:\Program Files (x86)\Windows Media Player\Skins\RuntimeBroker.exe
C:\Program Files\Microsoft Office 15\ClientX64\eddb19405b7ce1
C:\Program Files (x86)\Common Files\Adobe\HelpCfg\eddb19405b7ce1
C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe
C:\Program Files (x86)\WindowsPowerShell\dllhost.exe
C:\Program Files\Internet Explorer\sihost.exe
C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_neutral_~_8wekyb3d8bbwe\29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe
C:\Program Files (x86)\WindowsPowerShell\5940a34987c991
C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backgroundTaskHost.exe
C:\Program Files (x86)\Windows Defender\de-DE\RuntimeBroker.exe
C:\Program Files (x86)\Windows Defender\de-DE\9e8d7a4ca61bd9
C:\Program Files (x86)\Windows Media Player\Skins\9e8d7a4ca61bd9
C:\Program Files (x86)\MSBuild\29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe
C:\Program Files (x86)\MSBuild\3bf1eba947256e
C:\Program Files (x86)\Internet Explorer\ja-JP\5940a34987c991
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Idle.exe
C:\Program Files\Internet Explorer\66fc9ff0ee96c2
C:\Program Files (x86)\Common Files\csrss.exe
C:\Program Files (x86)\Common Files\886983d96e3d3e
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\6ccacd8608530f
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task (1 TTPs, 51 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (51 instances)
pid | process (every row is schtasks.exe); the 51 pids, in order:
4760, 1300, 3324, 1168, 3736, 2260, 2896, 4448, 432, 2816, 2376, 3404, 4756, 4488, 3952, 2292, 4632, 4984, 3924, 1412, 3476, 4988, 1512, 404, 4404, 4932, 3688, 2288, 780, 2128, 2228, 3436, 1344, 3540, 744, 4568, 3532, 4740, 2740, 4400, 2792, 4412, 4076, 4088, 4840, 4820, 2964, 4496, 2860, 5100, 2700
Suspicious behavior: EnumeratesProcesses (36 IoCs)
Processes: 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe, backgroundTaskHost.exe
pid | process
3840 | 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe (19 identical rows)
464 | backgroundTaskHost.exe (17 identical rows)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe, backgroundTaskHost.exe
description | pid | process
Token: SeDebugPrivilege | 3840 | 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe
Token: SeDebugPrivilege | 464 | backgroundTaskHost.exe
Suspicious use of WriteProcessMemory (2 IoCs)
Processes: 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe
description | pid | process | target process
PID 3840 wrote to memory of 464 | 3840 | 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe | backgroundTaskHost.exe
PID 3840 wrote to memory of 464 | 3840 | 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe | backgroundTaskHost.exe
System policy modification (1 TTPs, 6 IoCs)
Processes: 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe, backgroundTaskHost.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | backgroundTaskHost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe"
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 3840

    C:\Users\Default\NetHood\backgroundTaskHost.exe (level 2, nested under PID 3840)
    Command line: "C:\Users\Default\NetHood\backgroundTaskHost.exe"
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID: 464

The following 51 level-1 processes all have the image C:\Windows\system32\schtasks.exe and carry the same two signature tags:
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

PID 3436: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Users\Default\sysmon.exe'" /f
PID 2964: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\sysmon.exe'" /rl HIGHEST /f
PID 4496: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Users\Default\sysmon.exe'" /rl HIGHEST /f
PID 3324: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
PID 2860: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
PID 2288: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
PID 4984: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
PID 2896: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
PID 4756: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
PID 4740: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Music\services.exe'" /f
PID 1344: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Music\services.exe'" /rl HIGHEST /f
PID 4404: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Music\services.exe'" /rl HIGHEST /f
PID 780: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\RuntimeBroker.exe'" /f
PID 4076: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Skins\RuntimeBroker.exe'" /rl HIGHEST /f
PID 4988: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\RuntimeBroker.exe'" /rl HIGHEST /f
PID 2740: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\csrss.exe'" /f
PID 4932: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\csrss.exe'" /rl HIGHEST /f
PID 1512: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\csrss.exe'" /rl HIGHEST /f
PID 4088: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe'" /f
PID 4760: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe'" /rl HIGHEST /f
PID 3540: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe'" /rl HIGHEST /f
PID 404: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
PID 1168: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
PID 744: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
PID 4840: schtasks.exe /create /tn "29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a2" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe'" /f
PID 2128: schtasks.exe /create /tn "29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe'" /rl HIGHEST /f
PID 4400: schtasks.exe /create /tn "29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a2" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a.exe'" /rl HIGHEST /f
PID 5100: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\dllhost.exe'" /f
PID 4448: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\dllhost.exe'" /rl HIGHEST /f
PID 3688: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\dllhost.exe'" /rl HIGHEST /f
PID 4568: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
PID 4488: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
PID 2792: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
PID 4412: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backgroundTaskHost.exe'" /f
PID 3532: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backgroundTaskHost.exe'" /rl HIGHEST /f
PID 3924: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Adobe\HelpCfg\backgroundTaskHost.exe'" /rl HIGHEST /f
PID 1412: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\RuntimeBroker.exe'" /f
PID 3952: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
PID 3476: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
PID 2292: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\dllhost.exe'" /f
PID 4820: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\dllhost.exe'" /rl HIGHEST /f
PID 1300: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\dllhost.exe'" /rl HIGHEST /f
PID 432: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Idle.exe'" /f
PID 3736: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Idle.exe'" /rl HIGHEST /f
PID 4632: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Idle.exe'" /rl HIGHEST /f
PID 2700: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Users\Default\NetHood\backgroundTaskHost.exe'" /f
PID 2816: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Default\NetHood\backgroundTaskHost.exe'" /rl HIGHEST /f
PID 2260: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Users\Default\NetHood\backgroundTaskHost.exe'" /rl HIGHEST /f
PID 2228: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\sihost.exe'" /f
PID 2376: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\sihost.exe'" /rl HIGHEST /f
PID 3404: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\sihost.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads

C:\Program Files (x86)\Windows Media Player\Skins\RuntimeBroker.exe
Filesize: 2.5MB
MD5: 0dfb562500251ae8c085e6e8db7fe3d1
SHA1: 00a1c6bb0bd7d99d54e96b714592f4a070b81641
SHA256: 29c1eca587a0180b5cdfc0e939ef5b1bb201335d2dea2a1c6427ce37af68325a
SHA512: 05578a1553b38cd22570cb5b8bc6e3d4064ab6cf5d05a8537a5a4dd849aac4eda933ccf94d7f765ed03c40b67c6cd89412e15bdbad3a493681cad17387270004

Memory dumps (resource: filesize)
memory/3840-8-0x000000001B2C0000-0x000000001B2CA000-memory.dmp: 40KB
memory/3840-6-0x000000001B170000-0x000000001B182000-memory.dmp: 72KB
memory/3840-9-0x000000001B960000-0x000000001B9B6000-memory.dmp: 344KB
memory/3840-4-0x000000001B810000-0x000000001B860000-memory.dmp: 320KB
memory/3840-10-0x000000001B190000-0x000000001B19C000-memory.dmp: 48KB
memory/3840-5-0x000000001B150000-0x000000001B166000-memory.dmp: 88KB
memory/3840-7-0x000000001B180000-0x000000001B188000-memory.dmp: 32KB
memory/3840-11-0x000000001B1A0000-0x000000001B1A8000-memory.dmp: 32KB
memory/3840-3-0x00000000028D0000-0x00000000028EC000-memory.dmp: 112KB
memory/3840-2-0x00007FF8C28E0000-0x00007FF8C33A1000-memory.dmp: 10.8MB
memory/3840-0-0x00007FF8C28E3000-0x00007FF8C28E5000-memory.dmp: 8KB
memory/3840-12-0x000000001B2D0000-0x000000001B2E2000-memory.dmp: 72KB
memory/3840-13-0x000000001C1E0000-0x000000001C708000-memory.dmp: 5.2MB
memory/3840-14-0x000000001B9B0000-0x000000001B9BC000-memory.dmp: 48KB
memory/3840-15-0x000000001BB30000-0x000000001BB3C000-memory.dmp: 48KB
memory/3840-1-0x00000000003B0000-0x0000000000636000-memory.dmp: 2.5MB
memory/3840-62-0x00007FF8C28E0000-0x00007FF8C33A1000-memory.dmp: 10.8MB