Analysis
-
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
submitted: 21-07-2024 08:15
Behavioral task: behavioral1
Sample: 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Resource: win7-20240705-en
Behavioral task: behavioral2
Sample: 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Resource: win10v2004-20240709-en
General
-
Target: 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Size: 2.0MB
MD5: 6e4e01af6b88116f0c7331bba5e7b782
SHA1: 756c0a5ea8aac86f41d118166452a011a608043c
SHA256: 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147
SHA512: f49b6146f313624606a9eb80287c23c68aaefcf7ffafacba83a87b333b4388dd38a423a179b7bcb0e1d555873681b405c781faf68e2d7169fa7bcefe4a73874b
SSDEEP: 24576:jYe7C5QSBzoU/n15NuQtG+7IwzwT2wLqq12OBOa2WYO3QFSBztYSqEEU5oZUSzTO:jYemPM0tvmwGBF223ZztBqEqx9v
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 8 IoCs
Processes:
5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\SppExtComObj.exe\", \"C:\\Windows\\GameBarPresenceWriter\\RuntimeBroker.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\lua\\playlist\\OfficeClickToRun.exe\", \"C:\\Users\\Public\\Downloads\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\spoolsv.exe\"" | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\SppExtComObj.exe\", \"C:\\Windows\\GameBarPresenceWriter\\RuntimeBroker.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\lua\\playlist\\OfficeClickToRun.exe\", \"C:\\Users\\Public\\Downloads\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\spoolsv.exe\", \"C:\\Users\\Public\\Desktop\\RuntimeBroker.exe\"" | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\SppExtComObj.exe\", \"C:\\Windows\\GameBarPresenceWriter\\RuntimeBroker.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\lua\\playlist\\OfficeClickToRun.exe\", \"C:\\Users\\Public\\Downloads\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\spoolsv.exe\", \"C:\\Users\\Public\\Desktop\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\wininit.exe\"" | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\SppExtComObj.exe\"" | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\SppExtComObj.exe\", \"C:\\Windows\\GameBarPresenceWriter\\RuntimeBroker.exe\"" | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\SppExtComObj.exe\", \"C:\\Windows\\GameBarPresenceWriter\\RuntimeBroker.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\lua\\playlist\\OfficeClickToRun.exe\"" | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\SppExtComObj.exe\", \"C:\\Windows\\GameBarPresenceWriter\\RuntimeBroker.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\lua\\playlist\\OfficeClickToRun.exe\", \"C:\\Users\\Public\\Downloads\\StartMenuExperienceHost.exe\"" | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\SppExtComObj.exe\", \"C:\\Windows\\GameBarPresenceWriter\\RuntimeBroker.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\lua\\playlist\\OfficeClickToRun.exe\", \"C:\\Users\\Public\\Downloads\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\Idle.exe\"" | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
-
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exe
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2700 | 3776 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2844 | 3776 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2132 | 3776 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4848 | 3776 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5100 | 3776 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4780 | 3776 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4468 | 3776 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4788 | 3776 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 392 | 3776 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4696 | 3776 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4200 | 3776 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3656 | 3776 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4876 | 3776 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2756 | 3776 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2916 | 3776 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 760 | 3776 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3600 | 3776 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2180 | 3776 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3012 | 3776 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3188 | 3776 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4036 | 3776 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4128 | 3776 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 828 | 3776 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1036 | 3776 | schtasks.exe |
-
Processes:
resource | yara_rule
behavioral2/memory/1632-1-0x00000000008E0000-0x0000000000AEE000-memory.dmp | dcrat
C:\Program Files\Windows Defender\es-ES\Idle.exe | dcrat
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
-
Executes dropped EXE 1 IoCs
Processes:
Idle.exe
pid | process
4904 | Idle.exe
-
Adds Run key to start application 2 TTPs 16 IoCs
Processes:
5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files\\Windows Multimedia Platform\\SppExtComObj.exe\"" | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Public\\Downloads\\StartMenuExperienceHost.exe\"" | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\spoolsv.exe\"" | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Public\\Desktop\\RuntimeBroker.exe\"" | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files\\Windows Multimedia Platform\\SppExtComObj.exe\"" | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\VideoLAN\\VLC\\lua\\playlist\\OfficeClickToRun.exe\"" | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Public\\Downloads\\StartMenuExperienceHost.exe\"" | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Public\\Desktop\\RuntimeBroker.exe\"" | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\wininit.exe\"" | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\wininit.exe\"" | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\GameBarPresenceWriter\\RuntimeBroker.exe\"" | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\VideoLAN\\VLC\\lua\\playlist\\OfficeClickToRun.exe\"" | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows Defender\\es-ES\\Idle.exe\"" | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\GameBarPresenceWriter\\RuntimeBroker.exe\"" | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows Defender\\es-ES\\Idle.exe\"" | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\spoolsv.exe\"" | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
3 | ip-api.com
-
Drops file in Program Files directory 11 IoCs
Processes:
5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
description | ioc | process
File created | C:\Program Files\Windows Defender\es-ES\6ccacd8608530f | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\es-ES\spoolsv.exe | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File created | C:\Program Files\Windows NT\TableTextService\en-US\56085415360792 | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File created | C:\Program Files\Windows Multimedia Platform\SppExtComObj.exe | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File created | C:\Program Files\Windows Multimedia Platform\e1ef82546f0b02 | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File created | C:\Program Files\VideoLAN\VLC\lua\playlist\e6c9b481da804f | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File created | C:\Program Files\Windows Defender\es-ES\Idle.exe | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\es-ES\f3b6ecef712a24 | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File created | C:\Program Files\Windows NT\TableTextService\en-US\wininit.exe | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File opened for modification | C:\Program Files\Windows Multimedia Platform\SppExtComObj.exe | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File created | C:\Program Files\VideoLAN\VLC\lua\playlist\OfficeClickToRun.exe | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
-
Drops file in Windows directory 2 IoCs
Processes:
5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
description | ioc | process
File created | C:\Windows\GameBarPresenceWriter\RuntimeBroker.exe | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
File created | C:\Windows\GameBarPresenceWriter\9e8d7a4ca61bd9 | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe
pid | process
3656 | schtasks.exe
828 | schtasks.exe
4780 | schtasks.exe
4788 | schtasks.exe
4468 | schtasks.exe
392 | schtasks.exe
2756 | schtasks.exe
2916 | schtasks.exe
3600 | schtasks.exe
2180 | schtasks.exe
2844 | schtasks.exe
2132 | schtasks.exe
4036 | schtasks.exe
1036 | schtasks.exe
4696 | schtasks.exe
4200 | schtasks.exe
4876 | schtasks.exe
760 | schtasks.exe
3012 | schtasks.exe
4848 | schtasks.exe
5100 | schtasks.exe
4128 | schtasks.exe
2700 | schtasks.exe
3188 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
Processes:
5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe, Idle.exe
pid | process
1632 | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
1632 | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
1632 | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
1632 | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
1632 | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
1632 | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
1632 | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
1632 | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
1632 | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
1632 | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
1632 | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
1632 | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
1632 | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
1632 | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
1632 | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
4904 | Idle.exe
4904 | Idle.exe
4904 | Idle.exe
4904 | Idle.exe
4904 | Idle.exe
4904 | Idle.exe
4904 | Idle.exe
4904 | Idle.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe, Idle.exe
description | pid | process
Token: SeDebugPrivilege | 1632 | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Token: SeDebugPrivilege | 4904 | Idle.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe, cmd.exe
description | pid | process | target process
PID 1632 wrote to memory of 3252 | 1632 | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | cmd.exe
PID 1632 wrote to memory of 3252 | 1632 | 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe | cmd.exe
PID 3252 wrote to memory of 4496 | 3252 | cmd.exe | w32tm.exe
PID 3252 wrote to memory of 4496 | 3252 | cmd.exe | w32tm.exe
PID 3252 wrote to memory of 4904 | 3252 | cmd.exe | Idle.exe
PID 3252 wrote to memory of 4904 | 3252 | cmd.exe | Idle.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1632

  C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HPrHHnYVoS.bat"
  - Suspicious use of WriteProcessMemory
  PID: 3252

    C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 4496

    C:\Program Files\Windows Defender\es-ES\Idle.exe
    Command line: "C:\Program Files\Windows Defender\es-ES\Idle.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4904

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Multimedia Platform\SppExtComObj.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2700

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2844

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2132

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\GameBarPresenceWriter\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4848

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 5100

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\GameBarPresenceWriter\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4780

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\lua\playlist\OfficeClickToRun.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4468

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\playlist\OfficeClickToRun.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4788

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\lua\playlist\OfficeClickToRun.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 392

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\StartMenuExperienceHost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4696

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Public\Downloads\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4200

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Downloads\StartMenuExperienceHost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3656

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\es-ES\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4876

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2756

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\es-ES\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2916

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 760

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3600

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2180

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3012

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3188

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4036

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4128

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 828

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1036
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
-
Filesize: 2.0MB
MD5: 6e4e01af6b88116f0c7331bba5e7b782
SHA1: 756c0a5ea8aac86f41d118166452a011a608043c
SHA256: 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147
SHA512: f49b6146f313624606a9eb80287c23c68aaefcf7ffafacba83a87b333b4388dd38a423a179b7bcb0e1d555873681b405c781faf68e2d7169fa7bcefe4a73874b
-
Filesize: 213B
MD5: 45b9f0350f051d06404e44581e8b58c2
SHA1: ab9f9b1084ba8144063ae4f21a44c4ca3b37c890
SHA256: bc4583c0f128c8454558fdbef196a545334a446a8dee6913ef4c1cdb04bf8eb3
SHA512: 9c74aaf02c46ca2794c477b94992f397834bf62ee60fafd549145fc538800888f62496fe126019b2aad73f29ecc361995cef92fbc252ad112681df26d5393ee4