Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-07-2024 08:51
Static task: static1
Behavioral task: behavioral1
- Sample: 56a5b0a28bb4b14956977dfe6def40a9_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2 (the run reported on this page)
- Sample: 56a5b0a28bb4b14956977dfe6def40a9_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 56a5b0a28bb4b14956977dfe6def40a9_JaffaCakes118.exe
- Size: 6.5MB
- MD5: 56a5b0a28bb4b14956977dfe6def40a9
- SHA1: 59095e7afd64c91cc8f6d8a9eed3230d960f361e
- SHA256: 24c7ce219369223dada0233930938d06b805f45b7062fdcbc1bcef643a337b8d
- SHA512: dd7803df4fd0b874b7239b28ff789b1e61fe3c62aab82a8c86489c4db3982bfebc371a5519412551a70996bffbd8e9d75ffcde0522229854e7431a21ea9a4d05
- SSDEEP: 196608:+ohfVGzTVG5ymVr66MJblv/FkYiJqr5UH:Nf+TVG5xrVMJhv/bxu
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan in use since June 2019 that can load additional plugins at runtime.
Processes (yara rule `dcrat` matched):
- C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe (dropped file)
- behavioral2/memory/5068-130-0x0000022EC2370000-0x0000022EC24A8000-memory.dmp (memory of PID 5068, perfnet.exe)
-
Sets file to hidden (1 TTP, 3 IoCs)
Modifies file attributes so the item no longer shows in Explorer and similar listings. All three calls here are `ATTRIB +S +H -R C:\Temp`: the staging directory is marked system and hidden (so it is invisible even with "show hidden files" unless protected OS files are also shown) and read-only is cleared so later stages can write into it.
Processes:
- PID 5056 attrib.exe
- PID 472 attrib.exe
- PID 116 attrib.exe
-
Checks computer location settings (2 TTPs, 15 IoCs)
Looks up the country code configured in the registry, likely for geofencing. Legitimate locale-aware code also reads this value, so a query on its own is a weak indicator; it matters when the result gates execution, which a sandbox in locale en-us will not exercise if the malware is checking for a different region.
Processes: every entry below queried the same value, \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation.
- WScript.exe (5 separate queries)
- installer.exe
- SonarSolutionsBuild.exe
- wAxlVMFS3VFYmsuYtMNI.exe
- 56a5b0a28bb4b14956977dfe6def40a9_JaffaCakes118.exe
- Sonar Solution bps.exe
- Sonar Build.exe
- sonarsolution.exe
- Sonar Solution.exe
- installer.sfx.exe
- SonarSolutionsBuild.sfx.exe
-
Executes dropped EXE (12 IoCs)
Processes:
- PID 2104 Sonar Solution bps.exe
- PID 2476 Sonar Solution.exe
- PID 4784 Sonar Build.exe
- PID 4040 installer.sfx.exe
- PID 4536 SonarSolutionsBuild.sfx.exe
- PID 3096 installer.exe
- PID 2276 SonarSolutionsBuild.exe
- PID 2016 sonarsolution.exe
- PID 208 Sonar.exe
- PID 892 wAxlVMFS3VFYmsuYtMNI.exe
- PID 5068 perfnet.exe
- PID 1752 RuntimeBroker.exe
-
Loads dropped DLL (1 IoC)
Processes:
- PID 208 Sonar.exe
-
UPX-packed file (yara rule `upx` matched)
Processes:
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe (dropped file)
- behavioral2/memory/2016-83-0x0000000000AC0000-0x0000000000B41000-memory.dmp (memory of PID 2016, sonarsolution.exe)
- C:\Users\Admin\AppData\Local\Temp\RarSFX1\Sonar.exe (dropped file)
- behavioral2/memory/208-99-0x0000000000400000-0x0000000000664000-memory.dmp (memory of PID 208, Sonar.exe)
- behavioral2/memory/2016-112-0x0000000000AC0000-0x0000000000B41000-memory.dmp (memory of PID 2016, sonarsolution.exe)
- behavioral2/memory/208-131-0x0000000000400000-0x0000000000664000-memory.dmp (memory of PID 208, Sonar.exe)
-
Drops file in Program Files directory (11 IoCs)
Every executable dropped here carries the name of a Windows or Office binary but sits in a directory where that binary never lives, and each one is paired with a sidecar file named with 40 hexadecimal characters in the same directory. The same executable names reappear as the targets of the scheduled tasks created further down.
Processes (all by perfnet.exe):
- File created: C:\Program Files (x86)\Windows Portable Devices\e6c9b481da804f07baff8eff543b0a1441069b5d
- File created: C:\Program Files\Java\jre-1.8\lib\7a0fd90576e08807bde2cc57bcf9854bbce05fe3
- File created: C:\Program Files\Uninstall Information\66fc9ff0ee96c2b21f0cfded48750ae9e3032bf3
- File created: C:\Program Files\Windows Security\BrowserCore\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d
- File created: C:\Program Files\Windows Sidebar\Gadgets\cmd.exe
- File created: C:\Program Files\Windows Sidebar\Gadgets\ebf1f9fa8afd6d1932bd65bc4cc3af89a4c8e228
- File created: C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe
- File created: C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\cmd.exe
- File created: C:\Program Files\Java\jre-1.8\lib\explorer.exe
- File created: C:\Program Files\Uninstall Information\sihost.exe
-
Drops file in Windows directory (5 IoCs)
Same pattern as above: a masquerading executable plus a 40-hex-character sidecar. Note that the sidecar next to C:\Windows\de-DE\sihost.exe has the same name as the one next to C:\Program Files\Uninstall Information\sihost.exe.
Processes (all by perfnet.exe):
- File created: C:\Windows\SoftwareDistribution\fontdrvhost.exe
- File created: C:\Windows\SoftwareDistribution\5b884080fd4f94e2695da25c503f9e33b9605b83
- File created: C:\Windows\ServiceState\WinHttpAutoProxySvc\Data\sysmon.exe
- File created: C:\Windows\de-DE\sihost.exe
- File created: C:\Windows\de-DE\66fc9ff0ee96c2b21f0cfded48750ae9e3032bf3
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class (5 IoCs)
Processes: each created the key \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings.
- wAxlVMFS3VFYmsuYtMNI.exe
- 56a5b0a28bb4b14956977dfe6def40a9_JaffaCakes118.exe
- Sonar Solution.exe
- Sonar Build.exe
- sonarsolution.exe
-
Scheduled Task/Job: Scheduled Task (1 TTP, 11 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution. All eleven creations here come from perfnet.exe and use `/sc ONLOGON /rl HIGHEST /f`; their targets are the masquerading executables listed under the file-drop signatures (full command lines in the process tree).
Processes:
- PID 8 schtasks.exe
- PID 1204 schtasks.exe
- PID 4812 schtasks.exe
- PID 1652 schtasks.exe
- PID 2176 schtasks.exe
- PID 3664 schtasks.exe
- PID 548 schtasks.exe
- PID 4196 schtasks.exe
- PID 3976 schtasks.exe
- PID 376 schtasks.exe
- PID 2308 schtasks.exe
-
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
- PID 5068 perfnet.exe (twice)
- PID 1752 RuntimeBroker.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- PID 5068 perfnet.exe: enabled SeDebugPrivilege
- PID 1752 RuntimeBroker.exe: enabled SeDebugPrivilege
-
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: each parent/child pair is recorded three times in the report (the listing stops at 64 entries, so the last pair appears once). Shown once per pair as parent PID and image -> child PID and image.
- 3048 56a5b0a28bb4b14956977dfe6def40a9_JaffaCakes118.exe -> 3444 WScript.exe
- 3444 WScript.exe -> 4916 cmd.exe
- 4916 cmd.exe -> 2980 cmd.exe
- 2980 cmd.exe -> 2104 Sonar Solution bps.exe
- 2104 Sonar Solution bps.exe -> 2476 Sonar Solution.exe
- 2104 Sonar Solution bps.exe -> 4784 Sonar Build.exe
- 2980 cmd.exe -> 472 attrib.exe
- 2476 Sonar Solution.exe -> 3964 WScript.exe
- 4784 Sonar Build.exe -> 1864 WScript.exe
- 3964 WScript.exe -> 1404 cmd.exe
- 1864 WScript.exe -> 984 cmd.exe
- 1404 cmd.exe -> 1652 cmd.exe
- 984 cmd.exe -> 1360 cmd.exe
- 1652 cmd.exe -> 4040 installer.sfx.exe
- 1360 cmd.exe -> 4536 SonarSolutionsBuild.sfx.exe
- 4040 installer.sfx.exe -> 3096 installer.exe
- 4536 SonarSolutionsBuild.sfx.exe -> 2276 SonarSolutionsBuild.exe
- 1652 cmd.exe -> 116 attrib.exe
- 1360 cmd.exe -> 5056 attrib.exe
- 3096 installer.exe -> 2016 sonarsolution.exe
- 2276 SonarSolutionsBuild.exe -> 208 Sonar.exe
- 2016 sonarsolution.exe -> 4704 WScript.exe (recorded once)
-
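The record wall above is how the report prints these events: run together on one line, each spawn repeated, with image names that may contain spaces. As an added example (not part of the report or of any sandbox vendor's code), the parser below rebuilds parent/child lineage from records in exactly that form. The embedded input is the first branch of the listing above (21 records, seven distinct spawns, each recorded three times). It then walks ancestry for any PID and flags the hand-off points where cmd.exe, itself running under a script host, launches something that is not an interpreter; those are the lines where a dropper stops relaying through LOLBins and starts a real stage.

```python
"""Rebuild process lineage from a sandbox report's WriteProcessMemory records."""
import re
from collections import Counter

# Excerpt (first branch only) of the 'Suspicious use of WriteProcessMemory' records
# of this report, copied as the report prints them: run together, separated by 'PID'.
RAW = (
    "PID 3048 wrote to memory of 3444 3048 56a5b0a28bb4b14956977dfe6def40a9_JaffaCakes118.exe WScript.exe "
    "PID 3048 wrote to memory of 3444 3048 56a5b0a28bb4b14956977dfe6def40a9_JaffaCakes118.exe WScript.exe "
    "PID 3048 wrote to memory of 3444 3048 56a5b0a28bb4b14956977dfe6def40a9_JaffaCakes118.exe WScript.exe "
    "PID 3444 wrote to memory of 4916 3444 WScript.exe cmd.exe "
    "PID 3444 wrote to memory of 4916 3444 WScript.exe cmd.exe "
    "PID 3444 wrote to memory of 4916 3444 WScript.exe cmd.exe "
    "PID 4916 wrote to memory of 2980 4916 cmd.exe cmd.exe "
    "PID 4916 wrote to memory of 2980 4916 cmd.exe cmd.exe "
    "PID 4916 wrote to memory of 2980 4916 cmd.exe cmd.exe "
    "PID 2980 wrote to memory of 2104 2980 cmd.exe Sonar Solution bps.exe "
    "PID 2980 wrote to memory of 2104 2980 cmd.exe Sonar Solution bps.exe "
    "PID 2980 wrote to memory of 2104 2980 cmd.exe Sonar Solution bps.exe "
    "PID 2104 wrote to memory of 2476 2104 Sonar Solution bps.exe Sonar Solution.exe "
    "PID 2104 wrote to memory of 2476 2104 Sonar Solution bps.exe Sonar Solution.exe "
    "PID 2104 wrote to memory of 2476 2104 Sonar Solution bps.exe Sonar Solution.exe "
    "PID 2104 wrote to memory of 4784 2104 Sonar Solution bps.exe Sonar Build.exe "
    "PID 2104 wrote to memory of 4784 2104 Sonar Solution bps.exe Sonar Build.exe "
    "PID 2104 wrote to memory of 4784 2104 Sonar Solution bps.exe Sonar Build.exe "
    "PID 2980 wrote to memory of 472 2980 cmd.exe attrib.exe "
    "PID 2980 wrote to memory of 472 2980 cmd.exe attrib.exe "
    "PID 2980 wrote to memory of 472 2980 cmd.exe attrib.exe"
)

# Image names may contain spaces, so each image is taken lazily up to its first '.exe';
# the \1 backreference checks that the parent PID is repeated as the record format requires.
RECORD = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (.+?\.exe) (.+?\.exe)\s*(?=PID |$)")

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}


def parse_records(raw):
    """(parent pid, child pid, parent image, child image) for every record found."""
    return [(int(m[1]), int(m[2]), m[3], m[4]) for m in RECORD.finditer(raw)]


def build_tree(records):
    """pid -> image, child pid -> parent pid, and how often each spawn was recorded."""
    images, parent_of, counts = {}, {}, Counter()
    for ppid, cpid, pimg, cimg in records:
        images.setdefault(ppid, pimg)
        images.setdefault(cpid, cimg)
        parent_of.setdefault(cpid, ppid)
        counts[(ppid, cpid)] += 1
    return images, parent_of, counts


def ancestry(parent_of, pid):
    """PIDs from the root down to pid; stops on a cycle, since PIDs get reused."""
    chain, seen = [], set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = parent_of.get(pid)
    return chain[::-1]


def describe(images, pids):
    return " -> ".join(f"{images.get(p, '?')}({p})" for p in pids)


def script_relays(images, parent_of):
    """Children that cmd.exe launched somewhere below a script host: the point where
    the chain hands off from interpreters to a real stage (or a LOLBin such as attrib)."""
    hits = []
    for pid, ppid in parent_of.items():
        img = images[pid].lower()
        if img in SCRIPT_HOSTS or img == "cmd.exe":
            continue
        above = {images[a].lower() for a in ancestry(parent_of, pid)[:-1]}
        if images[ppid].lower() == "cmd.exe" and above & SCRIPT_HOSTS:
            hits.append(pid)
    return hits


if __name__ == "__main__":
    recs = parse_records(RAW)
    images, parent_of, counts = build_tree(recs)
    print(f"{len(recs)} records, {len(counts)} distinct spawns")
    for (ppid, cpid), n in counts.items():
        print(f"  x{n}  {describe(images, [ppid, cpid])}")
    for pid in script_relays(images, parent_of):
        print("relay:", describe(images, ancestry(parent_of, pid)))
```

Keying the tree on PID alone is enough for one report, but this very report reuses PID 1652 (first cmd.exe, later schtasks.exe); on a longer trace add the process start time or the image name to the key before trusting a lineage.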
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes (1 TTP, 3 IoCs)
Processes:
- PID 472 attrib.exe
- PID 116 attrib.exe
- PID 5056 attrib.exe
Processes
Each entry gives the tree depth in brackets, the PID and the image path actually executed, then the command line as recorded and the signatures the process triggered. Two things worth reading off the tree: WScript.exe, cmd.exe and attrib.exe resolve to C:\Windows\SysWOW64\ although the command lines name System32, because their parents are 32-bit and WOW64 file-system redirection applies, whereas perfnet.exe launches C:\Windows\SYSTEM32\schtasks.exe and is not redirected; and PID 1652 appears twice (cmd.exe at depth 9, schtasks.exe at depth 19) because PIDs are reused once a process exits, so correlate on PID plus image and start time rather than PID alone. The `-p123908VDS -dC:\Temp` arguments are WinRAR self-extractor switches (archive password and extraction directory), consistent with the RarSFX0/RarSFX1 temp directories the later payloads run from.

[1] PID 3048  C:\Users\Admin\AppData\Local\Temp\56a5b0a28bb4b14956977dfe6def40a9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\56a5b0a28bb4b14956977dfe6def40a9_JaffaCakes118.exe"
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

[2] PID 3444  C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Temp\sonspamstart3.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

[3] PID 4916  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Temp\sonspam3.bat" "
    - Suspicious use of WriteProcessMemory

[4] PID 2980  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Temp\sonspam3.bat" any_word
    - Suspicious use of WriteProcessMemory

[5] PID 2104  C:\Temp\Sonar Solution bps.exe
    "Sonar Solution bps.exe" -p123908VDS -dC:\Temp
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

[6] PID 2476  C:\Temp\Sonar Solution.exe
    "C:\Temp\Sonar Solution.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

[7] PID 3964  C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Temp\sonspamstart.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

[8] PID 1404  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Temp\sonspam.bat" "
    - Suspicious use of WriteProcessMemory

[9] PID 1652  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Temp\sonspam.bat" any_word
    - Suspicious use of WriteProcessMemory

[10] PID 4040  C:\Temp\installer.sfx.exe
    "installer.sfx.exe" -p123908VDS -dC:\Temp
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

[11] PID 3096  C:\Temp\installer.exe
    "C:\Temp\installer.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

[12] PID 2016  C:\Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\sonarsolution.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

[13] PID 4704  C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\intoreview\2vQqQbwd8RhA8xKo91WLCCkE4UKwEW.vbe"
    - Checks computer location settings

[14] PID 3280  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\intoreview\FSog5bgYZXx2rSOcSWQCeQM8Sp92ad.bat" "

[15] PID 892  C:\Users\Admin\AppData\Roaming\intoreview\wAxlVMFS3VFYmsuYtMNI.exe
    wAxlVMFS3VFYmsuYtMNI.exe -p172e198e773020af341caa2dc63175b338442b45
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class

[16] PID 988  C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\intoreview\azAF0affuCzvkcFTrlYsaov0B4h3QE.vbe"
    - Checks computer location settings

[17] PID 2920  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\intoreview\KmpmfO2s07oawbng8shc259m1CtPFQ.bat" "

[18] PID 5068  C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe
    "C:\Users\Admin\AppData\Roaming\intoreview\perfnet.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[19] PID 1204  C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\cmd.exe'" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[19] PID 4812  C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\de-DE\sihost.exe'" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[19] PID 1652  C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "System" /sc ONLOGON /tr "'C:\PerfLogs\System.exe'" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[19] PID 376  C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\fontdrvhost.exe'" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[19] PID 2176  C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe'" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[19] PID 3664  C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Temp\RuntimeBroker.exe'" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[19] PID 548  C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "sihost" /sc ONLOGON /tr "'C:\PerfLogs\sihost.exe'" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[19] PID 4196  C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[19] PID 2308  C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\lib\explorer.exe'" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[19] PID 8  C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\sihost.exe'" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[19] PID 3976  C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe'" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

[19] PID 1752  C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe
    "C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[10] PID 116  C:\Windows\SysWOW64\attrib.exe
    ATTRIB +S +H -R C:\Temp
    - Sets file to hidden
    - Views/modifies file attributes

[6] PID 4784  C:\Temp\Sonar Build.exe
    "C:\Temp\Sonar Build.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

[7] PID 1864  C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Temp\sonspamstart2.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

[8] PID 984  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Temp\sonspam2.bat" "
    - Suspicious use of WriteProcessMemory

[9] PID 1360  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Temp\sonspam2.bat" any_word
    - Suspicious use of WriteProcessMemory

[10] PID 4536  C:\Temp\SonarSolutionsBuild.sfx.exe
    "SonarSolutionsBuild.sfx.exe" -p123908VDS -dC:\Temp
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

[11] PID 2276  C:\Temp\SonarSolutionsBuild.exe
    "C:\Temp\SonarSolutionsBuild.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

[12] PID 208  C:\Users\Admin\AppData\Local\Temp\RarSFX1\Sonar.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Sonar.exe"
    - Executes dropped EXE
    - Loads dropped DLL

[10] PID 5056  C:\Windows\SysWOW64\attrib.exe
    ATTRIB +S +H -R C:\Temp
    - Sets file to hidden
    - Views/modifies file attributes

[5] PID 472  C:\Windows\SysWOW64\attrib.exe
    ATTRIB +S +H -R C:\Temp
    - Sets file to hidden
    - Views/modifies file attributes
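The eleven `schtasks /create` lines in the process tree above share one shape: a task named after a Windows or Office binary, `/sc ONLOGON` so it fires at every logon, `/rl HIGHEST` so it runs with the user's highest available token (elevated without a UAC prompt when that user is an administrator), and a target that carries a legitimate binary's name in a directory where that binary never lives. The script below is an added example, not part of this report or of any vendor's tooling: it parses command lines of that form (the eleven from this page are embedded verbatim as the sample input) and flags masquerading, unusual target directories and the elevated-logon combination. The `KNOWN_HOME` allowlist and the `ODD_DIRS` list are assumptions to tune for your own environment; the same logic applies to command lines pulled from Sysmon event 1 or Security event 4698 on a live host.

```python
"""Triage of `schtasks /create` command lines for masquerading logon persistence."""
import re
from pathlib import PureWindowsPath

# The eleven task creations recorded in this report's process tree, copied verbatim.
SCHTASKS_LOG = r'''
"schtasks" /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\cmd.exe'" /rl HIGHEST /f
"schtasks" /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\de-DE\sihost.exe'" /rl HIGHEST /f
"schtasks" /create /tn "System" /sc ONLOGON /tr "'C:\PerfLogs\System.exe'" /rl HIGHEST /f
"schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\fontdrvhost.exe'" /rl HIGHEST /f
"schtasks" /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe'" /rl HIGHEST /f
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Temp\RuntimeBroker.exe'" /rl HIGHEST /f
"schtasks" /create /tn "sihost" /sc ONLOGON /tr "'C:\PerfLogs\sihost.exe'" /rl HIGHEST /f
"schtasks" /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
"schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\lib\explorer.exe'" /rl HIGHEST /f
"schtasks" /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\sihost.exe'" /rl HIGHEST /f
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe'" /rl HIGHEST /f
'''

# Assumed allowlist: the directories these Windows/Office binaries legitimately live in.
# Illustrative, not exhaustive; extend it for the images that matter in your estate.
KNOWN_HOME = {
    "sihost.exe": {r"c:\windows\system32"},
    "runtimebroker.exe": {r"c:\windows\system32"},
    "fontdrvhost.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "cmd.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "officeclicktorun.exe": {r"c:\program files\common files\microsoft shared\clicktorun"},
}
# Assumed: directories a logon task should not normally point into (user-writable or odd).
ODD_DIRS = (r"c:\temp", r"c:\perflogs", r"c:\recovery", r"c:\users")

TN = re.compile(r'/tn\s+"([^"]+)"', re.I)
SC = re.compile(r"/sc\s+(\S+)", re.I)
TR = re.compile(r"/tr\s+\"'?(.*?)'?\"", re.I)   # value may be wrapped as "'path'" or "path"
RL = re.compile(r"/rl\s+(\S+)", re.I)


def parse_schtasks(cmdline):
    """Fields that matter for persistence triage; None if the line is not a /create."""
    if "/create" not in cmdline.lower():
        return None
    tn, sc, tr, rl = (p.search(cmdline) for p in (TN, SC, TR, RL))
    if not (tn and tr):
        return None
    return {
        "name": tn.group(1),
        "schedule": sc.group(1).upper() if sc else "",
        "target": tr.group(1),
        "runlevel": rl.group(1).upper() if rl else "LIMITED",  # schtasks default
    }


def assess_task(task):
    """Reasons a task creation looks like persistence; an empty list means nothing flagged."""
    p = PureWindowsPath(task["target"])
    directory, binary = str(p.parent).lower(), p.name.lower()
    reasons = []
    homes = KNOWN_HOME.get(binary)
    if homes and directory not in homes:
        reasons.append("masquerade")          # well-known binary name, foreign directory
    if directory.startswith(ODD_DIRS):
        reasons.append("unusual-directory")
    if task["schedule"] == "ONLOGON" and task["runlevel"] == "HIGHEST":
        reasons.append("elevated-logon")      # highest available token at every logon, no prompt
    return reasons


def hunt(log):
    """Parsed tasks from a block of command lines, each carrying the reasons it was flagged."""
    findings = []
    for line in log.strip().splitlines():
        task = parse_schtasks(line)
        if task is None:
            continue
        reasons = assess_task(task)
        if reasons:
            findings.append({**task, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SCHTASKS_LOG):
        print(f"{f['name']:<18} {', '.join(f['reasons']):<40} {f['target']}")
```

Ten of the eleven tasks are caught by the masquerade rule alone; the eleventh (`System.exe` in C:\PerfLogs) is not a Windows binary name and is only caught because its directory is on the odd-directory list, which is why a name-based rule needs a location-based one beside it.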
Network
MITRE ATT&CK Enterprise v15
Downloads
Dropped files captured during the run (hashes only; the page records no filenames).
- Filesize: 4.7MB
  MD5: b4b602c182251256d93cd3ac38c80ea1
  SHA1: 702caa8790a2dc43302bf4a837f1a1ffda558121
  SHA256: dd0ac90dc00a212e95eb4ec74475cdde57e1575195a369335cbbdbe8a367927c
  SHA512: 947e661d7a8af1ac6a0cc5eb98826d56aeb6048458c1db0891e5d00fe34ed9aad1d0bdddb31d84a12ef2b6585efd4ef08842c5a1fb0b086afc9d4982a7d693e0
- Filesize: 6.3MB
  MD5: 042e5cb5d7b65e74dccd2e353058bb4f
  SHA1: e91f4bfd50dbf648a6c90799615d177fa4bdc9a9
  SHA256: e36d1de190713bf60677894938ec31b1115f106cb3155eea129bab9f7ab15674
  SHA512: 36d39fe0287a43377ac479049e9e91d5cc2d78fcd620e1b95c26440b62ff70abfe9fc8180bfd0e630d53472d22a75888063cb67228680554ffe246232335f247
- Filesize: 1.5MB
  MD5: 557d4c09c4da24b8d5c59a91c3033093
  SHA1: d0a604bbfe5638138cc76644c8762563762eedb0
  SHA256: b33051a22664cdea693fbc3d6f6fa017505e6a40a65f5ebe484281d6bf661de3
  SHA512: 0aeff6d7376dafd0bcb04e62921ad4333cbaa792b81ec8a748bf9c198c43fccfc7534e6309335f1e66b50bcbb43729e6f53dc711163113e4ffc9e628b045206e
- Filesize: 4.4MB
  MD5: 9b8723149c4c4aee50f53a2f08be3a02
  SHA1: a06614bd0e1bb8856b8fdc1b941b3adad9e58194
  SHA256: db0b39d546fdbfe699c81dbf6f14b705bd00314102438ee5d101a2918cfc38bd
  SHA512: 26cc5abcc47d46a756fa489eb1237b6af420c8a6167372d6789be96a8b833c4a9814882bb07d829b21139e000b2ef59058422c89641fa0b3893f8eb8a150abe2
- Filesize: 4.6MB
  MD5: 3174874c54ba496c13faeaf3c9a89e57
  SHA1: 2b871e0e3540eb0ecfe2288777b9e7dc76c3cce7
  SHA256: 3810a8fdb92b8a253d858772c0d34796b9b326a01820d1ca6afb2dfe777d2541
  SHA512: 52f9df197394057a5fb495ac662c942b6177462f8ae952fedc507ab60e8ff5828fb4a439f2cb20e22dfdfd336e7290337f043da3e93be7d1a06a3dfcc80caf36
- Filesize: 1.2MB
  MD5: 849eb64e16678f93dab5d31e6f62eb95
  SHA1: ee92d61555b766921daa006a56c62d2e43e01fb5
  SHA256: 3724cd2e908f3a69f1f55c41d6e6e1cfb2bad3fcba3557138e0eadd5e5e9e058
  SHA512: d9cded5e8d425f5528981d1faa5820f1f2330f00c80d2699947a5eedb3895a24d9f6cf4b2c8a9fec523d9746131f608f270a717baf4b5631eeb0d1ce8aab6c8a
- Filesize: 1.4MB
  MD5: eb3b0596ae7cb54396a1815beaede97f
  SHA1: f5116c7e301dd50b0c2eeb3c4459ed75321a603e
  SHA256: c6f2cf9b85b2ffe92ba9e2f525f024b953fa325f024c8801e3ac9523490fcf10
  SHA512: ce004159f8080278db308d8046e1616e997631617fd7c8928709e2fb8a4d8ded04de4bc3321d8cdf78a8f538726adb1e56c1bc4b1279d9454ace8ba257fba231
- Filesize: 167B
  MD5: b85cf59bcba86d882ff114d44ce2789d
  SHA1: efdd4b718ed0d0f8af4caabad936afb03a5447df
  SHA256: e26d9dec5f2cd1a0d4975da2976923c258b3edde78af028e65bd58129199a597
  SHA512: e466ff1c1ee7ccecaa8dcd00e1ebe809bcb51df412e25c4bf06a940f72a29105485effe7789b152ba85048882c32438ebc8cca6c06df23d8b172d96bdc70e2ef
- Filesize: 178B
  MD5: 397b15d0dc10df35388eeaabf030bff1
  SHA1: 6d4c5835723063203fe43bd5cd5872acf5b84e47
  SHA256: 7cfb2f6ab63ab48188df3066b3a537273b77271dbfd5f22480f2f503e338adb9
  SHA512: 2147a3a9248873e87dd97555b33672f33d36c661460ebda1bfbd08cbd6066274f03b7969323ce94c205f557bdbe7a743bb938e95eedd484069dfb7c6df757e97
- Filesize: 173B
  MD5: d03ef1a5b47192022b84cf3cbe846746
  SHA1: 69fe029ecc4b2b54668cac671327f47898a16098
  SHA256: 01fb9348f5ac22ba4c66238383e0f3282afb73426e58a008d982c796115ca43f
  SHA512: b8cb805dffc485f0b83f18d801454f7e1b5bf04266d3685a0da5c0ad3d22cc3e81329a5e03b2f3b1c125220b5653418112b7239138eb3e6b423517b7cf29711a
- Filesize: 98B
  MD5: 68f47f42c9c8df4f547695c0060f7663
  SHA1: 01e85ff16492d39879958fa9471a9fd0e0013206
  SHA256: cb9f11054febd994ffc33d95139a5f3dc11cd6cb7ab8f87c02452854eae8081e
  SHA512: 7ddc5350f703ca3dfa1791fdcb36475a1cf7385864e97ada728f56803e5d3fa8d4b73235241734c3dbcccb9030fb89bb0cca356a3baa9b173c6060bfd95c200d
- Filesize: 99B
  MD5: 1f44ba5ac2e01f3db75315c14585b636
  SHA1: 3ae7ef5ec39345c7d25fbbe5e225f8fbdc4b019d
  SHA256: 16d9996f0ee8e527a6bc5304581d8a4761b1e93edc7f8fb52074219c00c6a1f2
  SHA512: 4fa90f5e97ad9e31c34229bc03b21ccc7a0a203246d2c7c7690b110ee2b8cf89c5d484f01150a43998481f2ad4879f3e83fbf5a06fe3b298f52a7e14a718aabd
- Filesize: 99B
  MD5: 2bbf5501471e1aac194788329d51c1f6
  SHA1: d6567dac174a790c4c9c0260ebc26f1e907e11c6
  SHA256: b30b02a7f47e28833f61fae076a6f5d4f65ad8be8a2f7e149823f16865f24c84
  SHA512: 2ef72434ac17b1b5f9cd6acb75bba79694b8b07707a4f8627f32b490e0c28c85a4aecc96af0888e0e3783478d91d5de96ae6d08a380a26b5b5bc36e70f7ce2c5
- Filesize: 944KB
  MD5: b44452a72e44157f12e331bd4623052e
  SHA1: e02b7cfd576c64938827925fe215f9fce6075ac4
  SHA256: 8f0cfa70cb8e16d2ea45230505617978bf044940cb7fd66c9ddac41c7929dd7c
  SHA512: 698a36fb6347013ac827d3930b0d570e36870b9f40910653e72b50fec536c8429bcdcb31e9b1a7cd37bc4626402da564507307114ee2b07ba32ef701f3c27aa4
- Filesize: 1.8MB
  MD5: 0bb0a48942451a8258bc7087fd24a2a7
  SHA1: b69aa2a06e26754ea43a4763dd300b358331e29c
  SHA256: dedeee5bb27b2884138832f38f2e93298224cca0ed6fae80b4b08de9c24c2cd7
  SHA512: b41318045fddc4c113a1ff30021a2f1ea442f72ed1eac8946d5b5e598b94b31ffb18e32fcfcf4fe3c097a5258c4bf72a5abf2048b83fbc2b54151d7e3b4fd585
- Filesize: 6.5MB
  MD5: c9aff68f6673fae7580527e8c76805b6
  SHA1: bb62cc1db82cfe07a8c08a36446569dfc9c76d10
  SHA256: 9b2c8b8c4cec301c4303f58ca4e8b261d516f10feb24573b092dfccc263baea4
  SHA512: c7836f46e535046562046fdd8d3264cd712a78c0f41eab152c88ea91b17d34f000e2387ded7e9e7b3410332354aabf8ca7d37729eb68e46ab5ce58936e63ac56
- Filesize: 153B
  MD5: 1b9c939adc33ae74ac644998287149cc
  SHA1: 633bd684184d9e12d13aa6c3267d80bd5d87393c
  SHA256: 5af62663f4979b00b469cbe2f54205027a61198207ed9ac673edbc3a818e55cb
  SHA512: 142da58ffa84e6a849247c6c593e70a405e944a171e9b1247af633fc2272a0c15b6d1fef20f35a757d8d0a6a49da8d4b9a2b0e9585288b9af1acabdb7e0fd3ae
- Filesize: 484B
  MD5: 68dc7eb71a7f95c046a63052c8331e92
  SHA1: 77224c83ad1398efab03ccfca520a83460e16d03
  SHA256: 1d300057e2e7b1d5452d2a1eda0f95ec44b81909c02f9b3e21f86fa9001299e7
  SHA512: 9aa8970385ba3f8e5356699486304c54432d9535b67cef37e670ae611897c2abad58fcee6e665906c62d962fc9f773363ebe36d66666cbef1e8c35aea4ccc128
- Filesize: 34B
  MD5: 8c56e629a1aec270a35c4e9958b43bfb
  SHA1: aa0b74c4d84fecdc34556bd4c7713bb618a5ba92
  SHA256: ec8e5b756c10b043930c325e6765e969aa54609b8caba84f3f2d67430d1ae7bc
  SHA512: a9e50c407c5c5cb621ee9aab8124bf38707d103aa21875a5fd07c7cdb7c4bce1a049ce70d0bbc75ce8008526cc3fe02a48165dcf4cb124a7ab69784b2750c43a
- Filesize: 229B
  MD5: 3d85f3996a95493013590846632e86f6
  SHA1: 9b9e935e3ae296a16d0fb08b7809d39d17f715e5
  SHA256: b19f5cce6fe7ac54964e3dc373a4c54020ca89f9f7eb602a06f830c9be70f00a
  SHA512: bcaf9930653a75640daec31a839c9a38fc1678abf8e2c96ffb56fbe05dfb15abbbb3040ac066003e5bd485c56aac9d3ee89f689d49b72a5fc328d64f13b8df65
- Filesize: 1.2MB
  MD5: a1f2423f375be02b22175a9de219a17e
  SHA1: d3f0dcee37bce0952a8841dea578ba431588f621
  SHA256: d7da0aa06c6167b3d04faa2c808b1b68adacfb5fdd4475df76f0c75eb47eac71
  SHA512: e10e3be553e698edb5ef10ecac0b132203248e9b3792a3749f78c46acea0d9d4932ac07c874eb6ffd46d837bdf580d8f8778245f97c8efe7bb1fd975375537a4
- Filesize: 908KB
  MD5: 31e8f1b92ffcdd66676fcb134b225e15
  SHA1: 5c5e5795a4671c0dd1702fc4e7d1ad63f9643c58
  SHA256: 3dd4b0cb1041bc1948404df23c0d2d362da355a90c1d2ef472a7b298cda39110
  SHA512: fcb0dc3b0b9893fe954fda85f36a1aae77ecc290d95db4e7844b73061f6364e1e3a5fe4ea8054185f54116052fc6ab6c0e05a1a3c31136bb904febc43c2c542f