Analysis
max time kernel: 51s
max time network: 68s
platform: windows11-21h2_x64
resource: win11-20240611-en
resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 21-06-2024 19:58
Static task: static1
Behavioral task: behavioral1
  Sample: Loader.exe
  Resource: win10v2004-20240508-en
Behavioral task: behavioral2
  Sample: Loader.exe
  Resource: win11-20240611-en
General
Target: Loader.exe
Size: 1.8MB
MD5: 289f27e7a02f8e76ebf39d2c0c3f09e4
SHA1: fb404a7a85d5fb617436f73832e4716556756d6a
SHA256: 854d267aea33e8dc80021ac043b003ab7c6f99061e56e36572cba3548e6882c9
SHA512: 38798cc71da6dfd8022dff2be635db8b938ba8d8dc5db8196802af2d9deb26dda145e0e581a6b8eb7022a1e0c33ff34c666cc4817f9f2ac50d1f362f434a75fe
SSDEEP: 24576:KuDXTIGaPhEYzUzA0Dz46fMR/6Y/M3pPux8KVzVvu9JDcEL0NLpgjdyWhPOePTnK:9Djlabwz9PHMf/M3BuxbzuDQyBPXam0H
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Yara rule matches:
- C:\ProgramData\SoftwareDistribution\Bypass.exe: dcrat
- behavioral2/memory/2656-47-0x0000000000240000-0x000000000040A000-memory.dmp: dcrat

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes: reg.exe, reg.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, C:\\Users\\skeet\\AppData\\Local\\Temp\\Loader\\572stuOQ0pZG2Xj.exe" (reg.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\WINDOWS\\system32\\explorer.exe, C:\\ProgramData\\SoftwareDistribution\\572stuOQ0pZG2Xj.exe" (reg.exe)
Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Executes dropped EXE (3 IoCs)
Processes: 572stuOQ0pZG2Xj.exe, Loader.exe, Bypass.exe
- PID 1396: 572stuOQ0pZG2Xj.exe
- PID 2068: Loader.exe
- PID 2656: Bypass.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Drops autorun.inf file (1 TTPs, 1 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: Bypass.exe
- File opened for modification: C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf (Bypass.exe)
Suspicious use of SetThreadContext (1 IoCs)
Processes: Loader.exe
- PID 2068 (Loader.exe) set thread context of PID 2772 (RegAsm.exe)
Drops file in Program Files directory (64 IoCs)
Processes: Bypass.exe (files opened for modification under C:\Program Files)
Drops file in Windows directory (64 IoCs)
Processes: Bypass.exe (files opened for modification under C:\Windows)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoCs)
Processes: cmd.exe
- Key created: \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings (cmd.exe)
Suspicious behavior: EnumeratesProcesses (15 IoCs)
Processes: powershell.exe, Bypass.exe
- PID 1936 (powershell.exe): 2 occurrences
- PID 2656 (Bypass.exe): 13 occurrences
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: powershell.exe, Bypass.exe
- Token: SeDebugPrivilege, PID 1936 (powershell.exe)
- Token: SeDebugPrivilege, PID 2656 (Bypass.exe)
Suspicious use of WriteProcessMemory (38 IoCs)
Processes: Loader.exe, cmd.exe, cmd.exe, 572stuOQ0pZG2Xj.exe, Loader.exe
(source PID wrote to memory of target PID; count of identical entries in parentheses)
- PID 3192 (Loader.exe) wrote to memory of PID 1180 (cmd.exe) (2)
- PID 1180 (cmd.exe) wrote to memory of PID 2056 (cacls.exe) (2)
- PID 1180 (cmd.exe) wrote to memory of PID 2884 (cmd.exe) (2)
- PID 2884 (cmd.exe) wrote to memory of PID 1936 (powershell.exe) (2)
- PID 2884 (cmd.exe) wrote to memory of PID 2508 (choice.exe) (2)
- PID 2884 (cmd.exe) wrote to memory of PID 4972 (reg.exe) (2)
- PID 2884 (cmd.exe) wrote to memory of PID 4508 (reg.exe) (2)
- PID 2884 (cmd.exe) wrote to memory of PID 1396 (572stuOQ0pZG2Xj.exe) (2)
- PID 2884 (cmd.exe) wrote to memory of PID 2068 (Loader.exe) (3)
- PID 1396 (572stuOQ0pZG2Xj.exe) wrote to memory of PID 2656 (Bypass.exe) (2)
- PID 2068 (Loader.exe) wrote to memory of PID 2132 (RegAsm.exe) (3)
- PID 2068 (Loader.exe) wrote to memory of PID 3436 (RegAsm.exe) (3)
- PID 2068 (Loader.exe) wrote to memory of PID 2772 (RegAsm.exe) (9)
- PID 2884 (cmd.exe) wrote to memory of PID 2136 (WScript.exe) (2)
Processes
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3192 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Loader\AntiCheatBypass.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\system32\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"3⤵PID:2056
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Loader\AntiCheatBypasss.bat3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1936
-
C:\Windows\system32\choice.exe
choice /c y /n /t 10 /d y
Depth: 4
PID: 2508
-
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\WINDOWS\system32\userinit.exe, C:\Users\skeet\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe" /f
Depth: 4
- Modifies WinLogon for persistence
PID: 4972
-
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\WINDOWS\system32\explorer.exe, C:\ProgramData\SoftwareDistribution\572stuOQ0pZG2Xj.exe" /f
Depth: 4
- Modifies WinLogon for persistence
PID: 4508
-
C:\Users\Admin\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe
C:\Users\Admin\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe
Depth: 4
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1396
-
C:\ProgramData\SoftwareDistribution\Bypass.exe
"C:\ProgramData\SoftwareDistribution\Bypass.exe"
Depth: 5
- Executes dropped EXE
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2656
-
C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe
C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe
Depth: 4
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 2068
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Depth: 5
PID: 2132
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Depth: 5
PID: 3436
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Depth: 5
PID: 2772
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Loader\vO7REz65fRBWcJa.vbs"
Depth: 4
PID: 2136
-
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Depth: 1
PID: 3884
-
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a2b855 /state1:0x41c64e6d
Depth: 1
PID: 4692
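The two reg.exe entries in the tree above rewrite the Winlogon Userinit and Shell values so that 572stuOQ0pZG2Xj.exe is launched at every logon alongside the real userinit.exe and explorer.exe. Note that the Userinit data names a C:\Users\skeet\ path while every dropped file in this report sits under C:\Users\Admin\, so that entry appears to be a path hard-coded from another machine; the Shell entry points at C:\ProgramData\SoftwareDistribution\, which is where this sample actually drops its copy. The Python below is an added example, not code from the sample, the sandbox or this report: it parses logged reg add command lines (as an EDR or sandbox would record them) and flags any Winlogon Userinit/Shell write whose data carries anything beyond the default binary. The input list is constructed: the two command lines from the process tree plus two benign lines for contrast. The check compares file basenames only, so a dropper renamed userinit.exe would need a full-path comparison on top of this.

```python
"""Flag Winlogon Userinit/Shell hijacks in logged `reg add` command lines.

Added example for this report; not code from the sample or the sandbox.
"""
import re
from typing import Dict, List, Optional

# Registry path of the Winlogon key (any hive) and the binary each monitored
# value is expected to launch. Windows defaults: Userinit is
# "C:\Windows\system32\userinit.exe," and Shell is "explorer.exe".
# Comparison is by basename only (see lead-in).
WINLOGON_SUFFIX = r"\software\microsoft\windows nt\currentversion\winlogon"
EXPECTED_BINARY = {"userinit": "userinit.exe", "shell": "explorer.exe"}


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping "quoted spans" whole."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    return [t[1:-1] if len(t) >= 2 and t[0] == '"' and t[-1] == '"' else t for t in tokens]


def parse_reg_add(cmdline: str) -> Optional[Dict[str, Optional[str]]]:
    """Return {'key', 'value', 'data'} for a `reg add` command line, or None."""
    toks = tokenize(cmdline)
    if len(toks) < 3:
        return None
    exe = toks[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("reg", "reg.exe") or toks[1].lower() != "add":
        return None
    parsed: Dict[str, Optional[str]] = {"key": toks[2], "value": None, "data": None}
    i = 3
    while i < len(toks):
        flag = toks[i].lower()
        if flag in ("/v", "/d", "/t") and i + 1 < len(toks):
            if flag == "/v":
                parsed["value"] = toks[i + 1]
            elif flag == "/d":
                parsed["data"] = toks[i + 1]
            i += 2  # /t takes an argument we do not need
        else:
            i += 1  # /f, /ve, /reg:64 and anything unknown
    return parsed


def winlogon_finding(cmdline: str) -> Optional[Dict[str, object]]:
    """Return a finding when Userinit/Shell is pointed at anything but its default binary."""
    parsed = parse_reg_add(cmdline)
    if parsed is None or parsed["value"] is None or parsed["data"] is None:
        return None
    if not parsed["key"].lower().rstrip("\\").endswith(WINLOGON_SUFFIX):
        return None
    expected = EXPECTED_BINARY.get(parsed["value"].lower())
    if expected is None:
        return None
    # Both values are comma-separated lists; Winlogon launches every entry.
    entries = [e.strip() for e in parsed["data"].split(",") if e.strip()]
    extra = [e for e in entries if e.rsplit("\\", 1)[-1].lower() != expected]
    if not extra:
        return None
    return {"value": parsed["value"], "extra": extra, "cmdline": cmdline}


def scan(cmdlines: List[str]) -> List[Dict[str, object]]:
    """Run winlogon_finding over a batch of command lines."""
    return [f for f in (winlogon_finding(c) for c in cmdlines) if f is not None]


# Constructed sample: the two reg.exe command lines from the report's process
# tree, followed by two benign lines written for contrast.
SAMPLE_CMDLINES = [
    r'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\WINDOWS\system32\userinit.exe, C:\Users\skeet\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe" /f',
    r'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\WINDOWS\system32\explorer.exe, C:\ProgramData\SoftwareDistribution\572stuOQ0pZG2Xj.exe" /f',
    r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "explorer.exe" /f',
    r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Updater /t REG_SZ /d "C:\Users\Admin\updater.exe" /f',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_CMDLINES):
        print(f"Winlogon {finding['value']} hijacked -> {finding['extra']}")
```

Run against the constructed list, the scan reports the Userinit and Shell writes and stays silent on the benign Shell reset and the unrelated Run key. The same parser can be pointed at Sysmon event 1 or 13 data; the key comparison accepts both the HKEY_LOCAL_MACHINE and HKLM spellings and any hive, since the per-user Winlogon\Shell value is an equally usable persistence point.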
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\ProgramData\SoftwareDistribution\Bypass.exe
Filesize
1.8MB
MD5
93e99fb34ac2cd9d6e867e24dcafb2ab
SHA1
c6ee148abc972494c2912e68534512160372f4a6
SHA256
8cf7a779191a6b146749de10a52303201d4c72621f04d1336d51f400256d662e
SHA512
65ade8226509bdf7b160f04bc6cbb12c790c7a960ddee6776aa0e6094246062f323a80dd2d858a49aafef5cc5db2ade00a8a42d939ff3571029172aa7d34d877
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB
MD5
627073ee3ca9676911bee35548eff2b8
SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B
MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6
SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd
SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31
SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\b651c4cd-cd72-474c-abf3-9ef5fd5d724d.down_data
Filesize
555KB
MD5
5683c0028832cae4ef93ca39c8ac5029
SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3
-
C:\Users\Admin\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe
Filesize
1.2MB
MD5
43af303e1f32ce8c477abbfb07887ea2
SHA1
c69b0f73b6219d05cec8258c445af5f39d3313c9
SHA256
37493d6b5fd0f186bb2e70edfafe91f28b43938293965461a7eefb5cca4c36bf
SHA512
68d0ed901c7aa8bc6de3f8d83fea9c0a362d6582ea54b052941f9a02c25b9bb32b096bd8efe73506985ad7b94eea0757a35cb3924e845d8f69216ce999327774
-
C:\Users\Admin\AppData\Local\Temp\Loader\AntiCheatBypass.bat
Filesize
9KB
MD5
4c44aab923a5c7719850e5138ecb64c0
SHA1
9634bb1db8ed400b033225a849c88c7908d61b3d
SHA256
63047a792bde6efb6aab1a6dbb178f55b6ae86317d75cb4470e51dd0ef76be2e
SHA512
98fd476c2b48be92a6101ff71514818eca6c7849ad17097b86babbbae9ecc9ff60a0a88c143a6ccbb67f002798531ab3717ad3fd7246de53c49b8daaeebad8f0
-
C:\Users\Admin\AppData\Local\Temp\Loader\AntiCheatBypasss.bat
Filesize
8KB
MD5
67789813c0d52fa2d7bfbffd5d572e6e
SHA1
52389d023f55bda8aba2efdbe82ee48c17f19639
SHA256
ab044df54893f5f2e54233fc6ea4ef6dd8a9a0731a893734f287e62eeae0c3cf
SHA512
467f875a6bf70a39fcb4918952706d41f92c0166c4c2ad2a9c6b2207c7ac076a155dbc9b7682e65f9f9498c3636bd2b04e2aad5b2b89a185ea22bb6146980527
-
C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe
Filesize
594KB
MD5
b6c3c00d7cf6d8d13f20dbc590a675ad
SHA1
a36e5c3c94f7abe3cbdfd3418e3ae03e66aa5323
SHA256
0021b20ecb3a2d562118bae38f00d1bdffc8facda49c8e1d1995966e1cd7957c
SHA512
e6f5165b9678cc6818d0213e84a6fdfb606af69dd6be67ea3db12dbb4a8b3503afcb9dc729a727691bef2374a355ea3ab7d8f8864adcab87d0cfee892c660eba
-
C:\Users\Admin\AppData\Local\Temp\Loader\vO7REz65fRBWcJa.vbs
Filesize
1KB
MD5
f6c38031293030ef28e5806abb9d072d
SHA1
1c5c39f986c9e717d85321536e44541aa3a6f33b
SHA256
76166b3a990a0f6606fa9ad1ed52daa04ce37f813865c539e5d1f68da9ebeba1
SHA512
8bfbac376e92ce870310926bdf42fbcce4ec10829e508c6e2b546d25da77b78ad8f2b7718c5cc1409962da7214d83f379b3ee6cba6b9849a3a525aa4029035b2
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zhjiu5uw.apk.ps1
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/1936-19-0x000001C9266C0000-0x000001C9266E2000-memory.dmp
Filesize
136KB
-
memory/2656-50-0x000000001AF90000-0x000000001AFA0000-memory.dmp
Filesize
64KB
-
memory/2656-93-0x000000001B940000-0x000000001B949000-memory.dmp
Filesize
36KB
-
memory/2656-51-0x000000001AFA0000-0x000000001AFB6000-memory.dmp
Filesize
88KB
-
memory/2656-52-0x000000001B6A0000-0x000000001B6F6000-memory.dmp
Filesize
344KB
-
memory/2656-49-0x000000001AFE0000-0x000000001B030000-memory.dmp
Filesize
320KB
-
memory/2656-53-0x000000001AFC0000-0x000000001AFCE000-memory.dmp
Filesize
56KB
-
memory/2656-94-0x000000001C500000-0x000000001C50D000-memory.dmp
Filesize
52KB
-
memory/2656-48-0x0000000002690000-0x00000000026AC000-memory.dmp
Filesize
112KB
-
memory/2656-96-0x000000001C530000-0x000000001C53B000-memory.dmp
Filesize
44KB
-
memory/2656-95-0x000000001C510000-0x000000001C52E000-memory.dmp
Filesize
120KB
-
memory/2656-92-0x000000001C2B0000-0x000000001C2F6000-memory.dmp
Filesize
280KB
-
memory/2656-47-0x0000000000240000-0x000000000040A000-memory.dmp
Filesize
1.8MB
-
memory/2772-46-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize
340KB
-
memory/2772-45-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize
340KB