Analysis

max time kernel: 137s
max time network: 105s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-07-2024 21:31

Behavioral task behavioral1
Sample: AC9E1C7DECB45FA41C77E30543BC535E.exe
Resource: win7-20240704-en

Behavioral task behavioral2
Sample: AC9E1C7DECB45FA41C77E30543BC535E.exe
Resource: win10v2004-20240709-en

General

Target: AC9E1C7DECB45FA41C77E30543BC535E.exe
Size: 827KB
MD5: ac9e1c7decb45fa41c77e30543bc535e
SHA1: b89c25859b9b195d8768868be6d4b029bd395d1f
SHA256: fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682
SHA512: 32ad2b8385fbb5206be47bd55f8a3af55ce6fd84c48771fec8b7fc39862fb9133aaf99de5672a548454c17fd05a03a0f3c1813df65b65fdae73ca7881393c417
SSDEEP: 12288:aRX/Vbdw0amUjO3t/6jf0eEHP2a1KP/CpvwfpKdXRJNJa:kXVamd96jf0/2apvwxKdXRJNJa
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 10 IoCs
Processes:
Processes: AC9E1C7DECB45FA41C77E30543BC535E.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, written 10 times by AC9E1C7DECB45FA41C77E30543BC535E.exe. Each write appends one more quoted path after explorer.exe, so the value grows from "explorer.exe, <first path>" to the final form below (paths listed in order of addition; the report shows the values JSON-escaped, the actual REG_SZ data has single backslashes):
explorer.exe, "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe", "C:\Recovery\WindowsRE\Idle.exe", "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\explorer.exe", "C:\Recovery\WindowsRE\StartMenuExperienceHost.exe", "C:\Program Files\Google\Chrome\Application\SetupMetrics\sihost.exe", "C:\Program Files\Windows NT\TableTextService\sysmon.exe", "C:\Windows\Offline Web Pages\csrss.exe", "C:\Program Files\MSBuild\MusNotification.exe", "C:\Windows\en-US\AC9E1C7DECB45FA41C77E30543BC535E.exe", "C:\Recovery\WindowsRE\Registry.exe"
-
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run every one of the 30 schtasks.exe instances has wmiprvse.exe (PID 3988) as its parent, which is consistent with the sample launching schtasks.exe through WMI process creation rather than with a compromised WMI provider host; the finding to act on is the 30 task registrations themselves, listed under "Scheduled Task/Job: Scheduled Task" below.
Processes:
Processes: schtasks.exe (30 instances)
Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 3988) is not expected to spawn this process. Child schtasks.exe PIDs: 4504, 4528, 680, 2280, 1536, 2096, 2980, 1784, 1748, 216, 4300, 208, 2984, 3664, 244, 396, 4272, 4500, 380, 872, 4000, 2364, 4620, 1036, 1908, 4480, 512, 1420, 372, 3744.
-
Processes:
resource / yara_rule:
- behavioral2/memory/468-1-0x0000000000FF0000-0x00000000010C6000-memory.dmp: dcrat
- C:\Program Files\Google\Chrome\Application\SetupMetrics\sihost.exe: dcrat
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Processes: AC9E1C7DECB45FA41C77E30543BC535E.exe
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation by AC9E1C7DECB45FA41C77E30543BC535E.exe
-
Executes dropped EXE 1 IoCs
Processes:
Processes: RuntimeBroker.exe
PID 1264 RuntimeBroker.exe
-
Adds Run key to start application 2 TTPs 20 IoCs
Processes:
Processes: AC9E1C7DECB45FA41C77E30543BC535E.exe
Set value (str) by AC9E1C7DECB45FA41C77E30543BC535E.exe. Each of the ten values below was written twice, once under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and once under \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (20 IoCs):
- csrss = "C:\Windows\Offline Web Pages\csrss.exe"
- MusNotification = "C:\Program Files\MSBuild\MusNotification.exe"
- Registry = "C:\Recovery\WindowsRE\Registry.exe"
- RuntimeBroker = "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe"
- StartMenuExperienceHost = "C:\Recovery\WindowsRE\StartMenuExperienceHost.exe"
- sihost = "C:\Program Files\Google\Chrome\Application\SetupMetrics\sihost.exe"
- sysmon = "C:\Program Files\Windows NT\TableTextService\sysmon.exe"
- AC9E1C7DECB45FA41C77E30543BC535E = "C:\Windows\en-US\AC9E1C7DECB45FA41C77E30543BC535E.exe"
- explorer = "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\explorer.exe"
- Idle = "C:\Recovery\WindowsRE\Idle.exe"
-
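The two registry sections above (Winlogon\Shell and the Run keys) reduce to one check a responder can run over exported values. The script below is an added example, not code from this report or from DcRat: it splits the Shell string the way Winlogon does (comma-separated, quoted paths), treats everything after the bare explorer.exe as an extra logon autostart, and flags image paths that borrow a Windows binary's name but sit outside that binary's directory, or that use a kernel pseudo-process name (Idle, Registry) that never corresponds to an .exe. The registry values are transcribed from this report; the expected-directory table, the Sysmon location and the Finding layout are assumptions of the example.

```python
"""Audit Winlogon\\Shell and Run-key autostarts for DcRat-style persistence.

Added example, not code from the sandbox report or from DcRat. Registry values
below are transcribed from the report (which shows them JSON-escaped; real
REG_SZ data has single backslashes). On a live host read them with winreg.
"""
import csv
import ntpath
from typing import NamedTuple, Optional

SHELL_DEFAULT = "explorer.exe"   # the only value Winlogon\Shell should hold

# Directory of the genuine binary for each name the sample borrows (lower case).
# StartMenuExperienceHost is a packaged app under SystemApps; the Sysmon
# location is an assumption (Sysinternals installs it into C:\Windows).
EXPECTED_DIRS = {
    "csrss.exe": r"c:\windows\system32",
    "sihost.exe": r"c:\windows\system32",
    "runtimebroker.exe": r"c:\windows\system32",
    "musnotification.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "startmenuexperiencehost.exe": r"c:\windows\systemapps",
    "sysmon.exe": r"c:\windows",
}
# Kernel pseudo-processes: listed in Task Manager, never backed by an .exe.
KERNEL_PSEUDO = {"idle", "registry", "system", "memory compression"}


class Finding(NamedTuple):
    source: str   # autostart location that produced the hit
    path: str     # image path as written in the registry
    reason: str


def parse_shell_value(value: str) -> list[str]:
    """Split the comma-separated Shell value, honouring quoted paths."""
    fields = next(csv.reader([value], skipinitialspace=True))
    return [f.strip() for f in fields if f.strip()]


def image_path(command: str) -> str:
    """Executable part of a Run-key command line (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0]


def masquerade_reason(path: str) -> Optional[str]:
    """Why this image path looks like a spoofed system binary, or None."""
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    stem = name[:-4] if name.endswith(".exe") else name
    if stem in KERNEL_PSEUDO:
        return "kernel pseudo-process name, never backed by an .exe"
    expected = EXPECTED_DIRS.get(name)
    if expected and directory != expected and not directory.startswith(expected + "\\"):
        return f"expected under {expected}, found in {directory or '<no directory>'}"
    return None


def audit_shell(value: str) -> list[Finding]:
    """Everything after the bare explorer.exe is launched at every logon."""
    entries = parse_shell_value(value)
    if entries and entries[0].lower() == SHELL_DEFAULT:
        entries = entries[1:]
    findings = []
    for entry in entries:
        findings.append(Finding("Winlogon\\Shell", entry, "extra shell entry"))
        reason = masquerade_reason(entry)
        if reason:
            findings.append(Finding("Winlogon\\Shell", entry, reason))
    return findings


def audit_run_keys(hive: str, values: dict[str, str]) -> list[Finding]:
    """Check each Run value's image path for masquerading."""
    findings = []
    for name, command in values.items():
        path = image_path(command)
        reason = masquerade_reason(path)
        if reason:
            findings.append(Finding(f"{hive}\\Run\\{name}", path, reason))
    return findings


# Final Winlogon\Shell value from the report (ten writes, one path appended each).
SAMPLE_SHELL = (
    'explorer.exe, "C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RuntimeBroker.exe", '
    '"C:\\Recovery\\WindowsRE\\Idle.exe", "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\explorer.exe", '
    '"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe", '
    '"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\sihost.exe", '
    '"C:\\Program Files\\Windows NT\\TableTextService\\sysmon.exe", "C:\\Windows\\Offline Web Pages\\csrss.exe", '
    '"C:\\Program Files\\MSBuild\\MusNotification.exe", "C:\\Windows\\en-US\\AC9E1C7DECB45FA41C77E30543BC535E.exe", '
    '"C:\\Recovery\\WindowsRE\\Registry.exe"'
)
# Three of the ten Run values from the report (same paths as the Shell entries;
# the full set was written under both HKLM and HKCU).
SAMPLE_RUN = {
    "csrss": r'"C:\Windows\Offline Web Pages\csrss.exe"',
    "Idle": r'"C:\Recovery\WindowsRE\Idle.exe"',
    "AC9E1C7DECB45FA41C77E30543BC535E": r'"C:\Windows\en-US\AC9E1C7DECB45FA41C77E30543BC535E.exe"',
}

if __name__ == "__main__":
    for f in audit_shell(SAMPLE_SHELL) + audit_run_keys("HKLM", SAMPLE_RUN):
        print(f"{f.source}: {f.path} -> {f.reason}")
```

Against the report's values the Shell audit returns 19 findings: all ten appended entries as extra shell autostarts, and nine of them as masquerades (the copy named after the sample itself borrows no system name, so only the "extra shell entry" rule catches it). That is the practical point: treat any Shell value other than a bare explorer.exe as a finding on its own, and use the name/directory check only to rank what was found.
-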
Drops file in Program Files directory 9 IoCs
Processes:
Processes: AC9E1C7DECB45FA41C77E30543BC535E.exe (all events)
- File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe
- File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe
- File created C:\Program Files\MSBuild\MusNotification.exe
- File created C:\Program Files\MSBuild\aa97147c4c782d
- File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\9e8d7a4ca61bd9
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\explorer.exe
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\7a0fd90576e088
- File created C:\Program Files\Windows NT\TableTextService\sysmon.exe
- File created C:\Program Files\Windows NT\TableTextService\121e5b5079f7c0
-
Drops file in Windows directory 4 IoCs
Processes:
Processes: AC9E1C7DECB45FA41C77E30543BC535E.exe (all events)
- File created C:\Windows\Offline Web Pages\886983d96e3d3e
- File created C:\Windows\en-US\AC9E1C7DECB45FA41C77E30543BC535E.exe
- File created C:\Windows\en-US\1ab398893b1fe2
- File created C:\Windows\Offline Web Pages\csrss.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
Processes: AC9E1C7DECB45FA41C77E30543BC535E.exe
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings by AC9E1C7DECB45FA41C77E30543BC535E.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
Processes: schtasks.exe (30 instances)
PIDs: 1536, 4000, 372, 4480, 1420, 2280, 2096, 2980, 3664, 380, 3744, 4504, 4300, 208, 4500, 216, 4620, 512, 1784, 244, 872, 1036, 1908, 4528, 2984, 396, 4272, 680, 2364, 1748
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
Processes: AC9E1C7DECB45FA41C77E30543BC535E.exe, RuntimeBroker.exe
- PID 468 AC9E1C7DECB45FA41C77E30543BC535E.exe (9 events)
- PID 1264 RuntimeBroker.exe (1 event)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Processes: AC9E1C7DECB45FA41C77E30543BC535E.exe, RuntimeBroker.exe
- Token: SeDebugPrivilege, PID 468 AC9E1C7DECB45FA41C77E30543BC535E.exe
- Token: SeDebugPrivilege, PID 1264 RuntimeBroker.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
Processes: AC9E1C7DECB45FA41C77E30543BC535E.exe, cmd.exe
- PID 468 (AC9E1C7DECB45FA41C77E30543BC535E.exe) wrote to memory of PID 4492 (cmd.exe), 2 events
- PID 4492 (cmd.exe) wrote to memory of PID 64 (w32tm.exe), 2 events
- PID 4492 (cmd.exe) wrote to memory of PID 1264 (RuntimeBroker.exe), 2 events
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
(bracketed number = depth in the process tree)

[1] C:\Users\Admin\AppData\Local\Temp\AC9E1C7DECB45FA41C77E30543BC535E.exe (PID 468)
    Command line: "C:\Users\Admin\AppData\Local\Temp\AC9E1C7DECB45FA41C77E30543BC535E.exe"
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\cmd.exe (PID 4492)
        Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q0XCbRBZ91.bat"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\w32tm.exe (PID 64)
            Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        [3] C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe (PID 1264)
            Command line: "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

The following 30 schtasks.exe processes (image C:\Windows\system32\schtasks.exe) appear at depth 1 because their parent, wmiprvse.exe (PID 3988), is not part of the sample's tree. Each one matched "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task".
- PID 4504: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'" /f
- PID 4528: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'" /rl HIGHEST /f
- PID 680: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'" /rl HIGHEST /f
- PID 2280: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
- PID 2096: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
- PID 1536: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
- PID 2980: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\explorer.exe'" /f
- PID 1784: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\explorer.exe'" /rl HIGHEST /f
- PID 1748: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\explorer.exe'" /rl HIGHEST /f
- PID 216: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
- PID 4300: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- PID 208: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- PID 2984: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\sihost.exe'" /f
- PID 3664: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\sihost.exe'" /rl HIGHEST /f
- PID 244: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\sihost.exe'" /rl HIGHEST /f
- PID 396: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\TableTextService\sysmon.exe'" /f
- PID 4500: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\sysmon.exe'" /rl HIGHEST /f
- PID 4272: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\sysmon.exe'" /rl HIGHEST /f
- PID 872: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /f
- PID 380: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /rl HIGHEST /f
- PID 4000: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /rl HIGHEST /f
- PID 2364: schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\MusNotification.exe'" /f
- PID 4620: schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Program Files\MSBuild\MusNotification.exe'" /rl HIGHEST /f
- PID 1036: schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\MusNotification.exe'" /rl HIGHEST /f
- PID 1908: schtasks.exe /create /tn "AC9E1C7DECB45FA41C77E30543BC535EA" /sc MINUTE /mo 8 /tr "'C:\Windows\en-US\AC9E1C7DECB45FA41C77E30543BC535E.exe'" /f
- PID 4480: schtasks.exe /create /tn "AC9E1C7DECB45FA41C77E30543BC535E" /sc ONLOGON /tr "'C:\Windows\en-US\AC9E1C7DECB45FA41C77E30543BC535E.exe'" /rl HIGHEST /f
- PID 512: schtasks.exe /create /tn "AC9E1C7DECB45FA41C77E30543BC535EA" /sc MINUTE /mo 6 /tr "'C:\Windows\en-US\AC9E1C7DECB45FA41C77E30543BC535E.exe'" /rl HIGHEST /f
- PID 1420: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
- PID 372: schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
- PID 3744: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
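The 30 schtasks.exe command lines above follow one template per dropped binary: an ONLOGON task at /rl HIGHEST named after the file, plus two MINUTE-interval watchdog tasks (one at HIGHEST, one not) whose name is the file's stem with its first letter repeated (RuntimeBroker / RuntimeBrokerR, csrss / csrssc). The w32tm /stripchart call in the dropper's batch file is a delay loop, not time synchronisation. The script below is an added example, not code from this report or from DcRat: a parser for schtasks /create command lines and a triage pass that groups them by target binary, flags that per-binary set, and records the parent image, since every instance here was spawned by WmiPrvSE.exe. The records are transcribed from the tree above; the (parent, pid, command line) tuple layout and the benign task in the test are constructed.

```python
"""Triage schtasks.exe /create command lines for DcRat-style persistence.

Added example, not code from the sandbox report or from DcRat. The 30 command
lines below are transcribed from the report's process tree; the parent image
is the WmiPrvSE.exe path the report names for all of them.
"""
import ntpath
import re
from collections import defaultdict

TOKEN = re.compile(r'"[^"]*"|\S+')             # one quoted chunk or one bare word
TAKES_VALUE = {"tn", "sc", "mo", "tr", "rl"}  # switches followed by an argument


def parse_schtasks(cmdline: str) -> dict[str, str]:
    """Map the switches of 'schtasks.exe /create ... /f' to their arguments."""
    tokens = [t.strip('"') for t in TOKEN.findall(cmdline)]
    task, i = {}, 1                            # tokens[0] is schtasks.exe itself
    while i < len(tokens):
        key = tokens[i].lower().lstrip("/")
        if key in TAKES_VALUE and i + 1 < len(tokens):
            task[key], i = tokens[i + 1], i + 2
        else:
            task[key], i = "", i + 1           # bare flags such as /create and /f
    task["target"] = task.get("tr", "").strip("'")   # DcRat wraps the path in '...'
    return task


def triage(records):
    """Group tasks by target binary and flag DcRat's per-binary set: an ONLOGON
    task at /rl HIGHEST plus MINUTE-interval watchdogs, named <stem> and
    <stem><first letter of stem> (RuntimeBroker / RuntimeBrokerR)."""
    by_target = defaultdict(lambda: {"onlogon_highest": False, "intervals": [],
                                     "names": set(), "parents": set()})
    for parent, _pid, cmdline in records:
        t = parse_schtasks(cmdline)
        info = by_target[t["target"]]
        info["names"].add(t.get("tn", ""))
        info["parents"].add(ntpath.basename(parent).lower())
        if t.get("sc", "").upper() == "ONLOGON" and t.get("rl", "").upper() == "HIGHEST":
            info["onlogon_highest"] = True
        elif t.get("sc", "").upper() == "MINUTE":
            info["intervals"].append(int(t.get("mo", "1")))
    for target, info in by_target.items():
        stem = ntpath.basename(target).rsplit(".", 1)[0]
        info["dcrat_naming"] = bool(stem) and info["names"] <= {stem, stem + stem[0]}
        info["dcrat_pattern"] = (info["onlogon_highest"] and bool(info["intervals"])
                                 and info["dcrat_naming"])
        # The report flags WmiPrvSE.exe as an unexpected parent for schtasks.exe.
        info["unexpected_parent"] = "wmiprvse.exe" in info["parents"]
    return dict(by_target)


WMI = r"C:\Windows\system32\wbem\wmiprvse.exe"
RECORDS = [(WMI, pid, cmd) for pid, cmd in [
    (4504, r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'" /f'''),
    (4528, r'''schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'" /rl HIGHEST /f'''),
    (680, r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RuntimeBroker.exe'" /rl HIGHEST /f'''),
    (2280, r'''schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f'''),
    (2096, r'''schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f'''),
    (1536, r'''schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f'''),
    (2980, r'''schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\explorer.exe'" /f'''),
    (1784, r'''schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\explorer.exe'" /rl HIGHEST /f'''),
    (1748, r'''schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\explorer.exe'" /rl HIGHEST /f'''),
    (216, r'''schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f'''),
    (4300, r'''schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f'''),
    (208, r'''schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f'''),
    (2984, r'''schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\sihost.exe'" /f'''),
    (3664, r'''schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\sihost.exe'" /rl HIGHEST /f'''),
    (244, r'''schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\sihost.exe'" /rl HIGHEST /f'''),
    (396, r'''schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\TableTextService\sysmon.exe'" /f'''),
    (4500, r'''schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\sysmon.exe'" /rl HIGHEST /f'''),
    (4272, r'''schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\sysmon.exe'" /rl HIGHEST /f'''),
    (872, r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /f'''),
    (380, r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /rl HIGHEST /f'''),
    (4000, r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /rl HIGHEST /f'''),
    (2364, r'''schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\MusNotification.exe'" /f'''),
    (4620, r'''schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Program Files\MSBuild\MusNotification.exe'" /rl HIGHEST /f'''),
    (1036, r'''schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\MusNotification.exe'" /rl HIGHEST /f'''),
    (1908, r'''schtasks.exe /create /tn "AC9E1C7DECB45FA41C77E30543BC535EA" /sc MINUTE /mo 8 /tr "'C:\Windows\en-US\AC9E1C7DECB45FA41C77E30543BC535E.exe'" /f'''),
    (4480, r'''schtasks.exe /create /tn "AC9E1C7DECB45FA41C77E30543BC535E" /sc ONLOGON /tr "'C:\Windows\en-US\AC9E1C7DECB45FA41C77E30543BC535E.exe'" /rl HIGHEST /f'''),
    (512, r'''schtasks.exe /create /tn "AC9E1C7DECB45FA41C77E30543BC535EA" /sc MINUTE /mo 6 /tr "'C:\Windows\en-US\AC9E1C7DECB45FA41C77E30543BC535E.exe'" /rl HIGHEST /f'''),
    (1420, r'''schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f'''),
    (372, r'''schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f'''),
    (3744, r'''schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f'''),
]]

if __name__ == "__main__":
    for target, info in triage(RECORDS).items():
        flag = "DCRAT" if info["dcrat_pattern"] else "review"
        print(f"{flag:6} {target}  every={sorted(info['intervals'])}min parents={sorted(info['parents'])}")
```

On the report's 30 lines the triage yields ten targets, every one matching the full pattern with WmiPrvSE.exe as parent; a single ordinary task (daily schedule, spawned from cmd.exe, name unrelated to the binary) does not match. When adapting this to Sysmon or EDR telemetry, feed it the CommandLine and ParentImage fields of the schtasks.exe process-creation events; the watchdog intervals of 5 to 14 minutes are what keeps the dropped copies running after a responder kills them, so removal has to delete all three tasks per binary before terminating the process.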
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
-
Filesize: 827KB
MD5: ac9e1c7decb45fa41c77e30543bc535e
SHA1: b89c25859b9b195d8768868be6d4b029bd395d1f
SHA256: fa39dd1b81fd531008083264294a6acddc409035850619c966f5bcb4c16cc682
SHA512: 32ad2b8385fbb5206be47bd55f8a3af55ce6fd84c48771fec8b7fc39862fb9133aaf99de5672a548454c17fd05a03a0f3c1813df65b65fdae73ca7881393c417
-
Filesize: 245B
MD5: 778d3d4aeaf201a4e0ff78fbb9efc39d
SHA1: 1654a53e2f2811c8e5e20e1a50eace7fcbaa9c7e
SHA256: 554e1fb94154f34930cf0cbe8464bb6e47c0ccb0b1cefe0988618741a581c9a0
SHA512: 900b5d0cd657f2d30e66ccd8899c2d6bee86329002cfbd5530befa7ef6a71c324f3d9bab9b2d533473cf5abef4f073c836f356ca7e7b661d9f36a3d645ee719e