Analysis

max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 17-07-2024 02:56

Behavioral task: behavioral1
Sample: cdb363f810ebeea6e40abc725c14e9bf78a3014559ec3.exe
Resource: win7-20240705-en

Behavioral task: behavioral2
Sample: cdb363f810ebeea6e40abc725c14e9bf78a3014559ec3.exe
Resource: win10v2004-20240709-en
General

Target: cdb363f810ebeea6e40abc725c14e9bf78a3014559ec3.exe
Size: 3.3MB
MD5: af4cd8f5b99d7e371a6ddd880aec1079
SHA1: caba9083a0128266b477330c2e5d8874646a915d
SHA256: cdb363f810ebeea6e40abc725c14e9bf78a3014559ec32903c15fd7576fcac20
SHA512: c0fbb42b516c4a83a3dbeab47199fb603330929788008a314c222ec1585845a40538cd2f2b18ace200436beeed2b7428fe23fd9e19bb2f5a3f48939ab93432ff
SSDEEP: 98304:PbD91o0GWLMJo5sZB8MDJ2RZeeD+Gvl/ndA:PXbnGWLMTZyjnCg/i
Malware Config
Signatures
DcRat (20 IoCs)
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
  pid   process
  2812  schtasks.exe
  1460  schtasks.exe
  2804  schtasks.exe
  1132  schtasks.exe
  856   schtasks.exe
  1780  schtasks.exe
  1288  schtasks.exe
  2080  schtasks.exe
  2768  schtasks.exe
  2392  schtasks.exe
  1672  schtasks.exe
  664   schtasks.exe
  2876  schtasks.exe
  2712  schtasks.exe
  2000  schtasks.exe
  2072  schtasks.exe
  2864  schtasks.exe
  2972  schtasks.exe
File events (process: reviewcommon.exe):
  File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\explorer.exe
  File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\7a0fd90576e088
Modifies WinLogon for persistence (2 TTPs, 6 IoCs)
Processes (description, ioc, process; all six entries are written by reviewcommon.exe to the same Winlogon\Shell value, each one appending another dropped executable):
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\explorer.exe\", \"C:\\Users\\Public\\Desktop\\services.exe\", \"C:\\Windows\\assembly\\GAC_32\\System.Printing\\3.0.0.0__31bf3856ad364e35\\wininit.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\db\\reviewcommon.exe\""  reviewcommon.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\explorer.exe\", \"C:\\Users\\Public\\Desktop\\services.exe\", \"C:\\Windows\\assembly\\GAC_32\\System.Printing\\3.0.0.0__31bf3856ad364e35\\wininit.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\db\\reviewcommon.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\dllhost.exe\""  reviewcommon.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\explorer.exe\", \"C:\\Users\\Public\\Desktop\\services.exe\", \"C:\\Windows\\assembly\\GAC_32\\System.Printing\\3.0.0.0__31bf3856ad364e35\\wininit.exe\", \"C:\\Program Files\\Java\\jdk1.7.0_80\\db\\reviewcommon.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\Idle.exe\""  reviewcommon.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\explorer.exe\""  reviewcommon.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\explorer.exe\", \"C:\\Users\\Public\\Desktop\\services.exe\""  reviewcommon.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\explorer.exe\", \"C:\\Users\\Public\\Desktop\\services.exe\", \"C:\\Windows\\assembly\\GAC_32\\System.Printing\\3.0.0.0__31bf3856ad364e35\\wininit.exe\""  reviewcommon.exe
Process spawned unexpected child process (18 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes (description, pid, pid_target, process). All 18 rows carry the description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", pid_target 332 (wmiprvse.exe) and process schtasks.exe; only the spawned pid differs:
  pid   pid_target  process
  2972  332         schtasks.exe
  2812  332         schtasks.exe
  1460  332         schtasks.exe
  2804  332         schtasks.exe
  2876  332         schtasks.exe
  1288  332         schtasks.exe
  2864  332         schtasks.exe
  2712  332         schtasks.exe
  2768  332         schtasks.exe
  2392  332         schtasks.exe
  1132  332         schtasks.exe
  856   332         schtasks.exe
  1780  332         schtasks.exe
  2000  332         schtasks.exe
  1672  332         schtasks.exe
  2080  332         schtasks.exe
  664   332         schtasks.exe
  2072  332         schtasks.exe
Processes (YARA matches):
  resource                                                                      yara_rule
  \Surrogatewebref\reviewcommon.exe                                             dcrat
  behavioral1/memory/2872-18-0x0000000000A60000-0x0000000000D6A000-memory.dmp   dcrat
  behavioral1/memory/2248-57-0x00000000003D0000-0x00000000006DA000-memory.dmp   dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 7 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
  pid   process
  2300  powershell.exe
  2340  powershell.exe
  2088  powershell.exe
  2168  powershell.exe
  1984  powershell.exe
  2184  powershell.exe
  2908  powershell.exe
Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  2872  reviewcommon.exe
  2248  wininit.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  2748  cmd.exe
  2748  cmd.exe
Adds Run key to start application (2 TTPs, 12 IoCs)
Processes (description, ioc, process):
  Set value (str)  \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\explorer.exe\""  reviewcommon.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Public\\Desktop\\services.exe\""  reviewcommon.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Public\\Desktop\\services.exe\""  reviewcommon.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\assembly\\GAC_32\\System.Printing\\3.0.0.0__31bf3856ad364e35\\wininit.exe\""  reviewcommon.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\reviewcommon = "\"C:\\Program Files\\Java\\jdk1.7.0_80\\db\\reviewcommon.exe\""  reviewcommon.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\Idle.exe\""  reviewcommon.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\explorer.exe\""  reviewcommon.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\assembly\\GAC_32\\System.Printing\\3.0.0.0__31bf3856ad364e35\\wininit.exe\""  reviewcommon.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reviewcommon = "\"C:\\Program Files\\Java\\jdk1.7.0_80\\db\\reviewcommon.exe\""  reviewcommon.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\dllhost.exe\""  reviewcommon.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\dllhost.exe\""  reviewcommon.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\Idle.exe\""  reviewcommon.exe
Drops file in Program Files directory (7 IoCs)
Processes (description, ioc, process):
  File created                 C:\Program Files\Java\jdk1.7.0_80\db\05a592a64ec401  reviewcommon.exe
  File created                 C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\Idle.exe  reviewcommon.exe
  File created                 C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\6ccacd8608530f  reviewcommon.exe
  File created                 C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\explorer.exe  reviewcommon.exe
  File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\explorer.exe  reviewcommon.exe
  File created                 C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\7a0fd90576e088  reviewcommon.exe
  File created                 C:\Program Files\Java\jdk1.7.0_80\db\reviewcommon.exe  reviewcommon.exe

Drops file in Windows directory (2 IoCs)
Processes (description, ioc, process):
  File created  C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\wininit.exe  reviewcommon.exe
  File created  C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\56085415360792  reviewcommon.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task (1 TTPs, 18 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid   process
  2864  schtasks.exe
  1288  schtasks.exe
  856   schtasks.exe
  1780  schtasks.exe
  1672  schtasks.exe
  2080  schtasks.exe
  1460  schtasks.exe
  2804  schtasks.exe
  2768  schtasks.exe
  2000  schtasks.exe
  664   schtasks.exe
  2972  schtasks.exe
  2876  schtasks.exe
  2712  schtasks.exe
  2392  schtasks.exe
  1132  schtasks.exe
  2072  schtasks.exe
  2812  schtasks.exe
Suspicious behavior: EnumeratesProcesses (13 IoCs)
Processes:
  pid   process
  2872  reviewcommon.exe
  2872  reviewcommon.exe
  2872  reviewcommon.exe
  2872  reviewcommon.exe
  2872  reviewcommon.exe
  2300  powershell.exe
  1984  powershell.exe
  2908  powershell.exe
  2184  powershell.exe
  2168  powershell.exe
  2340  powershell.exe
  2088  powershell.exe
  2248  wininit.exe
Suspicious use of AdjustPrivilegeToken (9 IoCs)
Processes (description, pid, process):
  Token: SeDebugPrivilege  2872  reviewcommon.exe
  Token: SeDebugPrivilege  2300  powershell.exe
  Token: SeDebugPrivilege  1984  powershell.exe
  Token: SeDebugPrivilege  2908  powershell.exe
  Token: SeDebugPrivilege  2184  powershell.exe
  Token: SeDebugPrivilege  2168  powershell.exe
  Token: SeDebugPrivilege  2340  powershell.exe
  Token: SeDebugPrivilege  2248  wininit.exe
  Token: SeDebugPrivilege  2088  powershell.exe
Suspicious use of WriteProcessMemory (40 IoCs)
Processes (pid wrote to memory of target pid; process -> target process). Identical rows are collapsed with their event count, which together add up to the 40 IoCs:
  3004 -> 2564  cdb363f810ebeea6e40abc725c14e9bf78a3014559ec3.exe -> WScript.exe  (4 events)
  3004 -> 2668  cdb363f810ebeea6e40abc725c14e9bf78a3014559ec3.exe -> WScript.exe  (4 events)
  2564 -> 2748  WScript.exe -> cmd.exe  (4 events)
  2748 -> 2872  cmd.exe -> reviewcommon.exe  (4 events)
  2872 -> 2168  reviewcommon.exe -> powershell.exe  (3 events)
  2872 -> 1984  reviewcommon.exe -> powershell.exe  (3 events)
  2872 -> 2184  reviewcommon.exe -> powershell.exe  (3 events)
  2872 -> 2088  reviewcommon.exe -> powershell.exe  (3 events)
  2872 -> 2340  reviewcommon.exe -> powershell.exe  (3 events)
  2872 -> 2300  reviewcommon.exe -> powershell.exe  (3 events)
  2872 -> 2908  reviewcommon.exe -> powershell.exe  (3 events)
  2872 -> 2248  reviewcommon.exe -> wininit.exe  (3 events)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

The process tree below is indented by depth (the trailing digit in the original listing); each entry gives the image path, its command line, the signatures it triggered and its PID.

C:\Users\Admin\AppData\Local\Temp\cdb363f810ebeea6e40abc725c14e9bf78a3014559ec3.exe  (PID 3004)
  command line: "C:\Users\Admin\AppData\Local\Temp\cdb363f810ebeea6e40abc725c14e9bf78a3014559ec3.exe"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WScript.exe  (PID 2564)
    command line: "C:\Windows\System32\WScript.exe" "C:\Surrogatewebref\0OThNUtq.vbe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 2748)
      command line: cmd /c ""C:\Surrogatewebref\W7CNC.bat" "
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Surrogatewebref\reviewcommon.exe  (PID 2872)
        command line: "C:\Surrogatewebref\reviewcommon.exe"
        - DcRat
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2168)
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogatewebref\reviewcommon.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1984)
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\explorer.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2184)
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\services.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2088)
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\wininit.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2340)
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\db\reviewcommon.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2300)
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2908)
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\Idle.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\wininit.exe  (PID 2248)
          command line: "C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\wininit.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WScript.exe  (PID 2668)
    command line: "C:\Windows\System32\WScript.exe" "C:\Surrogatewebref\file.vbs"

The 18 schtasks.exe instances below were each recorded at depth 1 (spawned via wmiprvse.exe, see the "Process spawned unexpected child process" signature). Every one triggered: DcRat; Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task.

C:\Windows\system32\schtasks.exe  (PID 2972)
  command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\explorer.exe'" /f

C:\Windows\system32\schtasks.exe  (PID 2812)
  command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe  (PID 1460)
  command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe  (PID 2804)
  command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\services.exe'" /f

C:\Windows\system32\schtasks.exe  (PID 2876)
  command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Desktop\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe  (PID 1288)
  command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe  (PID 2864)
  command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\wininit.exe'" /f

C:\Windows\system32\schtasks.exe  (PID 2712)
  command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe  (PID 2768)
  command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe  (PID 2392)
  command line: schtasks.exe /create /tn "reviewcommonr" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jdk1.7.0_80\db\reviewcommon.exe'" /f

C:\Windows\system32\schtasks.exe  (PID 1132)
  command line: schtasks.exe /create /tn "reviewcommon" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\db\reviewcommon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe  (PID 856)
  command line: schtasks.exe /create /tn "reviewcommonr" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jdk1.7.0_80\db\reviewcommon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe  (PID 1780)
  command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe  (PID 2000)
  command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe  (PID 1672)
  command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe  (PID 2080)
  command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\Idle.exe'" /f

C:\Windows\system32\schtasks.exe  (PID 664)
  command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe  (PID 2072)
  command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\Idle.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads