Analysis
max time kernel: 146s
max time network: 143s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 21-07-2024 04:21
Behavioral task: behavioral1
Sample: F946CEB3DFBC4802323F045E77B9FC63.exe
Resource: win7-20240705-en
Behavioral task: behavioral2
Sample: F946CEB3DFBC4802323F045E77B9FC63.exe
Resource: win10v2004-20240709-en
General
Target: F946CEB3DFBC4802323F045E77B9FC63.exe
Size: 1.3MB
MD5: f946ceb3dfbc4802323f045e77b9fc63
SHA1: 04beac37360d30c5ad933f82f80bfd41ae294cc4
SHA256: 682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a
SHA512: 7ad0db10f788d63d44a85981ccd9cf7c5acaadad66d1fd4c34554eb77bd1582e49549c917eb39e0c17e7b55b2fc0e262c059e1d85c188f1a3649879368a834e3
SSDEEP: 24576:qwwpL4DsvfsODQY2mq7yTK32HbzpEOlM7RJFolBjvmPln0Ep9GKc6NC1t:qw8LnsvQKMzpEOlM7RJqlhgq8rC1
Malware Config
Signatures
-
DcRat 32 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes: F946CEB3DFBC4802323F045E77B9FC63.exe, schtasks.exe (31 instances)
File IoCs (description, ioc, process):
- File created: C:\Program Files (x86)\Windows NT\Accessories\es-ES\csrss.exe (F946CEB3DFBC4802323F045E77B9FC63.exe)
- File created: C:\Program Files (x86)\Windows NT\Accessories\es-ES\886983d96e3d3e (F946CEB3DFBC4802323F045E77B9FC63.exe)
Process IoCs (pid, process), all schtasks.exe: 768, 3012, 2192, 2484, 308, 2960, 1920, 2688, 2992, 1552, 2792, 2804, 2244, 1124, 2704, 2716, 1784, 1856, 2732, 1872, 2416, 2888, 628, 3040, 2096, 2240, 1968, 1544, 1868, 1916
Modifies WinLogon for persistence 2 TTPs 10 IoCs
Processes: F946CEB3DFBC4802323F045E77B9FC63.exe
All ten entries are "Set value (str)" on \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell by F946CEB3DFBC4802323F045E77B9FC63.exe; the values written, in the order recorded:
- "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\sppsvc.exe\", \"C:\\Windows\\Branding\\ShellBrd\\csrss.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\sppsvc.exe\", \"C:\\Windows\\Branding\\ShellBrd\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\services.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\sppsvc.exe\", \"C:\\Windows\\Branding\\ShellBrd\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\explorer.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\sppsvc.exe\", \"C:\\Windows\\Branding\\ShellBrd\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\winlogon.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\sppsvc.exe\", \"C:\\Windows\\Branding\\ShellBrd\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\spoolsv.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\F946CEB3DFBC4802323F045E77B9FC63.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsm.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\csrss.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\sppsvc.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\sppsvc.exe\", \"C:\\Windows\\Branding\\ShellBrd\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\spoolsv.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\sppsvc.exe\", \"C:\\Windows\\Branding\\ShellBrd\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\spoolsv.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\F946CEB3DFBC4802323F045E77B9FC63.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\sppsvc.exe\", \"C:\\Windows\\Branding\\ShellBrd\\csrss.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\winlogon.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\spoolsv.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\F946CEB3DFBC4802323F045E77B9FC63.exe\", \"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsm.exe\", \"C:\\Users\\Default User\\winlogon.exe\""
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (30 instances)
All 30 entries carry the same description: "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process". Columns: pid, pid_target, process.
- 2792 2856 schtasks.exe
- 1920 2856 schtasks.exe
- 2960 2856 schtasks.exe
- 3040 2856 schtasks.exe
- 2804 2856 schtasks.exe
- 2704 2856 schtasks.exe
- 2688 2856 schtasks.exe
- 2732 2856 schtasks.exe
- 2716 2856 schtasks.exe
- 1968 2856 schtasks.exe
- 1872 2856 schtasks.exe
- 2244 2856 schtasks.exe
- 2416 2856 schtasks.exe
- 1868 2856 schtasks.exe
- 1124 2856 schtasks.exe
- 2096 2856 schtasks.exe
- 2992 2856 schtasks.exe
- 3012 2856 schtasks.exe
- 2240 2856 schtasks.exe
- 2192 2856 schtasks.exe
- 2888 2856 schtasks.exe
- 2484 2856 schtasks.exe
- 1784 2856 schtasks.exe
- 1552 2856 schtasks.exe
- 768 2856 schtasks.exe
- 628 2856 schtasks.exe
- 308 2856 schtasks.exe
- 1856 2856 schtasks.exe
- 1916 2856 schtasks.exe
- 1544 2856 schtasks.exe
YARA matches (resource, yara_rule):
- behavioral1/memory/884-1-0x0000000000AB0000-0x0000000000C0A000-memory.dmp dcrat
- C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe dcrat
- C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\services.exe dcrat
- C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe dcrat
- C:\Users\Default\winlogon.exe dcrat
- behavioral1/memory/1752-156-0x00000000010B0000-0x000000000120A000-memory.dmp dcrat
- behavioral1/memory/2640-168-0x0000000000100000-0x000000000025A000-memory.dmp dcrat
- behavioral1/memory/3028-180-0x0000000000110000-0x000000000026A000-memory.dmp dcrat
- behavioral1/memory/2556-192-0x0000000001380000-0x00000000014DA000-memory.dmp dcrat
- behavioral1/memory/2352-226-0x00000000002A0000-0x00000000003FA000-memory.dmp dcrat
- behavioral1/memory/1552-238-0x0000000000060000-0x00000000001BA000-memory.dmp dcrat
- behavioral1/memory/1028-250-0x0000000000D10000-0x0000000000E6A000-memory.dmp dcrat
- behavioral1/memory/2880-262-0x00000000011F0000-0x000000000134A000-memory.dmp dcrat
- behavioral1/memory/2680-274-0x00000000000A0000-0x00000000001FA000-memory.dmp dcrat
- behavioral1/memory/3000-286-0x0000000000300000-0x000000000045A000-memory.dmp dcrat
- behavioral1/memory/1884-298-0x0000000000E00000-0x0000000000F5A000-memory.dmp dcrat
- behavioral1/memory/3040-310-0x0000000001130000-0x000000000128A000-memory.dmp dcrat
Executes dropped EXE 14 IoCs
Processes: explorer.exe (14 instances)
PIDs (all explorer.exe): 1752, 2640, 3028, 2556, 1056, 2172, 2352, 1552, 1028, 2880, 2680, 3000, 1884, 3040
Adds Run key to start application 2 TTPs 20 IoCs
Processes: F946CEB3DFBC4802323F045E77B9FC63.exe
All 20 entries are "Set value (str)" written by F946CEB3DFBC4802323F045E77B9FC63.exe; key = value, in the order recorded:
- \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\csrss.exe\""
- \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\services.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsm.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\winlogon.exe\""
- \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\lsm.exe\""
- \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Branding\\ShellBrd\\csrss.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\services.exe\""
- \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\explorer.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\spoolsv.exe\""
- \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\F946CEB3DFBC4802323F045E77B9FC63 = "\"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\F946CEB3DFBC4802323F045E77B9FC63.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\F946CEB3DFBC4802323F045E77B9FC63 = "\"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\F946CEB3DFBC4802323F045E77B9FC63.exe\""
- \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default User\\winlogon.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\csrss.exe\""
- \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\sppsvc.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\explorer.exe\""
- \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\spoolsv.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default User\\winlogon.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\61b388a2-3b13-11ef-902f-d2f1755c8afd\\sppsvc.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Branding\\ShellBrd\\csrss.exe\""
- \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\winlogon.exe\""
Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs
Network IoCs (flow, ioc):
- 16 pastebin.com
- 20 pastebin.com
- 24 pastebin.com
- 28 pastebin.com
- 3 pastebin.com
- 8 pastebin.com
- 12 pastebin.com
- 14 pastebin.com
- 22 pastebin.com
- 6 pastebin.com
- 10 pastebin.com
- 18 pastebin.com
- 26 pastebin.com
- 2 pastebin.com
Drops file in Program Files directory 15 IoCs
Processes: F946CEB3DFBC4802323F045E77B9FC63.exe
All 15 entries are by F946CEB3DFBC4802323F045E77B9FC63.exe (description, ioc):
- File created: C:\Program Files (x86)\Windows NT\Accessories\es-ES\csrss.exe
- File opened for modification: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCX9848.tmp
- File created: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\f3b6ecef712a24
- File opened for modification: C:\Program Files (x86)\MSBuild\Microsoft\RCX9643.tmp
- File opened for modification: C:\Program Files (x86)\MSBuild\Microsoft\RCX9644.tmp
- File opened for modification: C:\Program Files (x86)\Windows NT\Accessories\es-ES\csrss.exe
- File created: C:\Program Files (x86)\MSBuild\Microsoft\cc11b995f2a76d
- File opened for modification: C:\Program Files (x86)\Windows NT\Accessories\es-ES\RCX8AD4.tmp
- File opened for modification: C:\Program Files (x86)\Windows NT\Accessories\es-ES\RCX8AD5.tmp
- File opened for modification: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCX9849.tmp
- File opened for modification: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe
- File created: C:\Program Files (x86)\Windows NT\Accessories\es-ES\886983d96e3d3e
- File created: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe
- File created: C:\Program Files (x86)\MSBuild\Microsoft\winlogon.exe
- File opened for modification: C:\Program Files (x86)\MSBuild\Microsoft\winlogon.exe
Drops file in Windows directory 5 IoCs
Processes: F946CEB3DFBC4802323F045E77B9FC63.exe
All 5 entries are by F946CEB3DFBC4802323F045E77B9FC63.exe (description, ioc):
- File created: C:\Windows\Branding\ShellBrd\886983d96e3d3e
- File opened for modification: C:\Windows\Branding\ShellBrd\RCX8F4B.tmp
- File opened for modification: C:\Windows\Branding\ShellBrd\RCX8F4C.tmp
- File opened for modification: C:\Windows\Branding\ShellBrd\csrss.exe
- File created: C:\Windows\Branding\ShellBrd\csrss.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (30 instances)
PIDs (all schtasks.exe): 2688, 308, 1552, 628, 2960, 3040, 2416, 2240, 1920, 2992, 3012, 2792, 2716, 2888, 768, 1856, 1916, 2804, 1868, 1784, 1544, 1968, 2244, 2484, 2096, 2704, 1872, 1124, 2732, 2192
Suspicious behavior: EnumeratesProcesses 17 IoCs
Processes: F946CEB3DFBC4802323F045E77B9FC63.exe, explorer.exe (14 instances)
- 884 F946CEB3DFBC4802323F045E77B9FC63.exe (3 entries)
- explorer.exe PIDs: 1752, 2640, 3028, 2556, 1056, 2172, 2352, 1552, 1028, 2880, 2680, 3000, 1884, 3040
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes: F946CEB3DFBC4802323F045E77B9FC63.exe, explorer.exe (14 instances)
All 15 entries are "Token: SeDebugPrivilege" (pid, process):
- 884 F946CEB3DFBC4802323F045E77B9FC63.exe
- explorer.exe PIDs: 1752, 2640, 3028, 2556, 1056, 2172, 2352, 1552, 1028, 2880, 2680, 3000, 1884, 3040
Suspicious use of WriteProcessMemory 64 IoCs
Processes: F946CEB3DFBC4802323F045E77B9FC63.exe, explorer.exe (7 instances), WScript.exe (7 instances)
Entries (pid, target pid, process -> target process); the report records each write three times unless noted:
- PID 884 wrote to memory of 1752 (F946CEB3DFBC4802323F045E77B9FC63.exe -> explorer.exe)
- PID 1752 wrote to memory of 2988 (explorer.exe -> WScript.exe)
- PID 1752 wrote to memory of 2724 (explorer.exe -> WScript.exe)
- PID 2988 wrote to memory of 2640 (WScript.exe -> explorer.exe)
- PID 2640 wrote to memory of 2716 (explorer.exe -> WScript.exe)
- PID 2640 wrote to memory of 2308 (explorer.exe -> WScript.exe)
- PID 2716 wrote to memory of 3028 (WScript.exe -> explorer.exe)
- PID 3028 wrote to memory of 2240 (explorer.exe -> WScript.exe)
- PID 3028 wrote to memory of 2300 (explorer.exe -> WScript.exe)
- PID 2240 wrote to memory of 2556 (WScript.exe -> explorer.exe)
- PID 2556 wrote to memory of 2380 (explorer.exe -> WScript.exe)
- PID 2556 wrote to memory of 1528 (explorer.exe -> WScript.exe)
- PID 2380 wrote to memory of 1056 (WScript.exe -> explorer.exe)
- PID 1056 wrote to memory of 2488 (explorer.exe -> WScript.exe)
- PID 1056 wrote to memory of 1516 (explorer.exe -> WScript.exe)
- PID 2488 wrote to memory of 2172 (WScript.exe -> explorer.exe)
- PID 2172 wrote to memory of 2996 (explorer.exe -> WScript.exe)
- PID 2172 wrote to memory of 1968 (explorer.exe -> WScript.exe)
- PID 2996 wrote to memory of 2352 (WScript.exe -> explorer.exe)
- PID 2352 wrote to memory of 2316 (explorer.exe -> WScript.exe)
- PID 2352 wrote to memory of 2076 (explorer.exe -> WScript.exe)
- PID 2316 wrote to memory of 1552 (WScript.exe -> explorer.exe) (1 entry)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Process tree (each process is a child of the one listed above it; the number is its depth in the tree):

Depth 1: C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe"
- DcRat
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 884

Depth 2: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe
Command line: "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1752

Depth 3: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c992be04-a7ce-4e75-aa3e-cc8a031cd069.vbs"
- Suspicious use of WriteProcessMemory
PID: 2988

Depth 4: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe
Command line: "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2640

Depth 5: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\554a812c-6e64-4976-917b-b8c217eef133.vbs"
- Suspicious use of WriteProcessMemory
PID: 2716

Depth 6: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe
Command line: "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3028

Depth 7: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02b2c8dd-a004-4603-aae9-80f7cfaf0392.vbs"
- Suspicious use of WriteProcessMemory
PID: 2240

Depth 8: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe
Command line: "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2556

Depth 9: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7cba06e-41cb-4db8-bd47-19334d3baca4.vbs"
- Suspicious use of WriteProcessMemory
PID: 2380

Depth 10: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe
Command line: "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1056

Depth 11: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2065a06-8de0-4c35-ba5e-115d6eba6aa5.vbs"
- Suspicious use of WriteProcessMemory
PID: 2488

Depth 12: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe
Command line: "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2172

Depth 13: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a3c1dbd-3802-4b93-97d8-13aecdd021d0.vbs"
- Suspicious use of WriteProcessMemory
PID: 2996

Depth 14: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe
Command line: "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2352

Depth 15: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4288ef1-593e-4530-874f-a7d329b8d268.vbs"
- Suspicious use of WriteProcessMemory
PID: 2316

Depth 16: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe
Command line: "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1552

Depth 17: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db346c40-d642-45cf-9849-6518e8cf2d1c.vbs"
PID: 1268

Depth 18: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe
Command line: "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1028

Depth 19: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c7e21e4-935b-4538-b9de-dfb21e87e37e.vbs"
PID: 2432

Depth 20: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe
Command line: "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2880

Depth 21: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da7b8004-084d-4484-91d8-006a680f7608.vbs"
PID: 2512

Depth 22: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe
Command line: "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2680

Depth 23: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25e4086b-0909-44d8-9b28-9637afc4b55c.vbs"
PID: 2120

Depth 24: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe
Command line: "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3000

Depth 25: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04563bed-1553-414e-ae78-d3a15bcae18a.vbs"
PID: 1480

Depth 26: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe
Command line: "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1884 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\701ffe59-342a-4b24-9915-1193aba6b6cb.vbs"27⤵PID:872
-
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"28⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3040 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0c03932-f6df-44ec-816b-da7d74c9a7b9.vbs"29⤵PID:2492
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\060e3119-32c4-45e5-a453-18e83237504a.vbs"29⤵PID:3020
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85d00136-e2a1-4724-9072-777c88869235.vbs"27⤵PID:2832
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3febb715-348b-4270-8162-8dd91bebd902.vbs"25⤵PID:1768
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\401b26d2-a76d-4803-b5c0-74def1be72dc.vbs"23⤵PID:1544
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\487c5c4b-c9b4-428f-9414-65e1a9d3824a.vbs"21⤵PID:1440
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9cd8beea-55b8-4c0e-b305-4fa2a37e99b4.vbs"19⤵PID:2428
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85bdd41b-1b41-4b50-9844-8e3048458ffd.vbs"17⤵PID:764
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\370c6f9d-4807-41f6-8dfd-e3673cf6179e.vbs"15⤵PID:2076
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46f9be5c-d198-4e86-a936-ed56cd874a47.vbs"13⤵PID:1968
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf82d430-7ab2-4ae4-97d0-8f3645633a4f.vbs"11⤵PID:1516
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f39ea6c1-342a-4663-9d88-171aa9b5d1a7.vbs"9⤵PID:1528
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd2db0de-0ca3-464d-9c91-ecf7699dd997.vbs"7⤵PID:2300
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d7ba31a-a58b-4465-9145-6a8f84fbacba.vbs"5⤵PID:2308
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4720d6e-a386-4669-aa34-12891b5e9cb6.vbs"3⤵PID:2724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\sppsvc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Branding\ShellBrd\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Branding\ShellBrd\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\services.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\winlogon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "F946CEB3DFBC4802323F045E77B9FC63F" /sc MINUTE /mo 12 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\F946CEB3DFBC4802323F045E77B9FC63.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "F946CEB3DFBC4802323F045E77B9FC63" /sc ONLOGON /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\F946CEB3DFBC4802323F045E77B9FC63.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "F946CEB3DFBC4802323F045E77B9FC63F" /sc MINUTE /mo 10 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\F946CEB3DFBC4802323F045E77B9FC63.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\lsm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:308
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\winlogon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
- Scheduled Task (1)