Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 21-07-2024 07:50
Static task: static1
Behavioral task: behavioral1
  Sample: 371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe
  Resource: win10v2004-20240709-en
General
Target: 371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe
Size: 2.7MB
MD5: 90094c2066f9e53cb9217876c833c269
SHA1: da9086b65e114257168e634cc921e1ab1c069144
SHA256: 371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0
SHA512: ef4a15be7efa9ac59c991c64c5afa5fb9e8015334f69e1c64315f788345c456fec5caf58605ccf08afaf16f1a2f7cc2fda1ffd85850d6c2ea268c63efc261aa8
SSDEEP: 49152:+o0vjh94l17uf+lwSV64uaQ+AMqAXKM5VIZsTirMC6gOpkXF3eew0w2Gc2MAPRT0:+p87WSV69aQ+GW5CZsTirMjRkOow2H2U
Malware Config
Signatures
DcRat 30 IoCs
DarkCrystal RAT (DCRat) is a .NET remote access trojan active since June 2019 that can load additional plugins.
Processes: MsHostsvc.exe, schtasks.exe (27 instances)
description | ioc | process
File created | C:\Windows\tracing\0a1fd5f707cd16 | MsHostsvc.exe
File created | C:\Program Files\Common Files\56085415360792 | MsHostsvc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MsHostsvc.exe
The remaining 27 IoCs are the task-creation processes (pid | process): 1764, 2864, 1724, 1148, 2876, 2540, 2260, 580, 924, 2772, 2316, 1776, 1848, 1252, 2276, 1732, 2208, 1856, 2028, 1628, 2828, 3068, 1476, 2792, 680, 744, 1840, all schtasks.exe.
Process spawned unexpected child process 27 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run, however, the parent is C:\Windows\system32\wbem\wmiprvse.exe (PID 2924), which is the parent of any process started through WMI (Win32_Process.Create). The likelier reading is that the sample created its scheduled tasks via WMI, not that WmiPrvSE was exploited; the same 27 schtasks.exe instances are listed under DcRat and under Scheduled Task/Job below.
Processes: schtasks.exe (27 instances)
description | pid | pid_target | process
All 27 rows read "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", with pid_target 2924 and process schtasks.exe. The schtasks.exe pids are 2792, 2828, 2876, 680, 2864, 2772, 1148, 2316, 1628, 2208, 1776, 1856, 1848, 744, 1724, 1840, 3068, 1764, 2540, 2028, 1252, 2276, 1732, 2260, 580, 924, 1476.
UAC bypass 9 IoCs
Processes: MsHostsvc.exe (PIDs 2464 and 2072), winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MsHostsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | MsHostsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | MsHostsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MsHostsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | MsHostsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | MsHostsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | winlogon.exe
YARA rule matches 5 IoCs
resource | yara_rule
\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe | dcrat
C:\bridgeServercomponentFontDriver\MsHostsvc.exe | dcrat
behavioral1/memory/2464-32-0x0000000000940000-0x0000000000C02000-memory.dmp | dcrat
behavioral1/memory/2072-62-0x0000000001360000-0x0000000001622000-memory.dmp | dcrat
behavioral1/memory/1592-83-0x0000000000D90000-0x0000000001052000-memory.dmp | dcrat
Executes dropped EXE 5 IoCs
Processes: CrackLauncher.exe, íóòèïàõóé.exe, MsHostsvc.exe (x2), winlogon.exe
pid | process
340 | CrackLauncher.exe
2672 | íóòèïàõóé.exe
2464 | MsHostsvc.exe
2072 | MsHostsvc.exe
1592 | winlogon.exe
Loads dropped DLL 5 IoCs
Processes: 371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe, cmd.exe
pid | process
2888 | 371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe (3 entries)
2572 | cmd.exe (2 entries)
Checks whether UAC is enabled 6 IoCs
Processes: MsHostsvc.exe (PIDs 2464 and 2072), winlogon.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MsHostsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MsHostsvc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MsHostsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MsHostsvc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Drops file in Program Files directory 7 IoCs
Processes: MsHostsvc.exe (x2)
description | ioc | process
File opened for modification | C:\Program Files\Common Files\wininit.exe | MsHostsvc.exe
File created | C:\Program Files\Common Files\56085415360792 | MsHostsvc.exe
File created | C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe | MsHostsvc.exe
File created | C:\Program Files\Microsoft Office\Office14\1033\f3b6ecef712a24 | MsHostsvc.exe
File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe | MsHostsvc.exe
File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\cc11b995f2a76d | MsHostsvc.exe
File created | C:\Program Files\Common Files\wininit.exe | MsHostsvc.exe
Drops file in Windows directory 3 IoCs
Processes: MsHostsvc.exe (x2)
description | ioc | process
File created | C:\Windows\tracing\0a1fd5f707cd16 | MsHostsvc.exe
File created | C:\Windows\schemas\EAPMethods\services.exe | MsHostsvc.exe
File created | C:\Windows\tracing\sppsvc.exe | MsHostsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (27 instances)
pid | process
2864, 1628, 2208, 744, 2540, 1252, 680, 924, 1148, 3068, 1724, 1764, 2260, 2792, 2316, 1856, 2028, 2276, 1776, 1840, 580, 1476, 2828, 2876, 2772, 1848, 1732 | schtasks.exe (the full command lines are in the process list below)
Suspicious behavior: EnumeratesProcesses 29 IoCs
Processes: MsHostsvc.exe (x2), winlogon.exe
pid | process | entries
2464 | MsHostsvc.exe | 3
2072 | MsHostsvc.exe | 5
1592 | winlogon.exe | 21
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: MsHostsvc.exe (x2), winlogon.exe
description | pid | process
Token: SeDebugPrivilege | 2464 | MsHostsvc.exe
Token: SeDebugPrivilege | 2072 | MsHostsvc.exe
Token: SeDebugPrivilege | 1592 | winlogon.exe
Suspicious use of WriteProcessMemory 41 IoCs
Processes: 371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe, íóòèïàõóé.exe, WScript.exe, cmd.exe (x3), MsHostsvc.exe (x2)
Every entry is a parent writing into the child it has just created, and the pairs reproduce the process tree exactly; this is the write CreateProcess itself performs while setting up a new child, not injection into an unrelated process.
description (pid process -> target pid target process) | entries
PID 2888 371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe wrote to memory of 340 CrackLauncher.exe | 7
PID 2888 371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe wrote to memory of 2672 íóòèïàõóé.exe | 4
PID 2672 íóòèïàõóé.exe wrote to memory of 2468 WScript.exe | 4
PID 2468 WScript.exe wrote to memory of 2572 cmd.exe | 4
PID 2572 cmd.exe wrote to memory of 2464 MsHostsvc.exe | 4
PID 2464 MsHostsvc.exe wrote to memory of 1780 cmd.exe | 3
PID 1780 cmd.exe wrote to memory of 1900 w32tm.exe | 3
PID 1780 cmd.exe wrote to memory of 2072 MsHostsvc.exe | 3
PID 2072 MsHostsvc.exe wrote to memory of 1912 cmd.exe | 3
PID 1912 cmd.exe wrote to memory of 1648 w32tm.exe | 3
PID 1912 cmd.exe wrote to memory of 1592 winlogon.exe | 3
System policy modification 1 TTPs 9 IoCs
Processes: MsHostsvc.exe (x2), winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | MsHostsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | MsHostsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | MsHostsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | MsHostsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MsHostsvc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | MsHostsvc.exe
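The three values written above decide whether UAC still does anything on this host. As an added example (not part of the sandbox output or of DcRat), the script below parses "Set value (int)" lines in the format the report uses, folds them onto the Windows 7+ defaults for these values, explains the resulting UAC state, and emits the reg.exe commands that restore the defaults. It runs offline on a constructed copy of four report lines and never touches a registry; the key path and defaults are Windows facts, everything else is this example's own design.

```python
"""Interpret the UAC policy writes from a sandbox report (added example)."""
import re

POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
# Windows 7 and later defaults: UAC on, admins prompted for consent for
# non-Windows binaries, prompt drawn on the secure desktop.
DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}

# Matches: Set value (int) \REGISTRY\...\System\EnableLUA = "0" MsHostsvc.exe
IOC_RE = re.compile(r'Set value \((\w+)\) (\S+)\\(\w+) = "([^"]*)" (\S+)')

# Constructed sample input: three "Set value" rows copied from the table above plus
# one "Key value queried" row from the UAC check section, which must be ignored.
IOC_LINES = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" MsHostsvc.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" MsHostsvc.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe
"""


def parse_ioc_lines(text):
    """Return (process, value_name, value) for each integer write under the policy key."""
    writes = []
    for line in text.splitlines():
        m = IOC_RE.search(line)
        if not m:
            continue  # queries and non-"Set value" rows are not writes
        kind, key, name, value, process = m.groups()
        if kind == "int" and key.upper().endswith(r"\POLICIES\SYSTEM"):
            writes.append((process, name, int(value)))
    return writes


def effective_policy(writes):
    """Fold the writes onto the defaults; the last write to a value wins."""
    policy = dict(DEFAULTS)
    for _process, name, value in writes:
        policy[name] = value
    return policy


def assess(policy):
    """Explain the UAC state that results from the policy values."""
    findings = []
    if policy["EnableLUA"] == 0:
        findings.append("EnableLUA=0: UAC is turned off; this applies from the next reboot, "
                        "after which admin-group users log on with the full token")
    if policy["ConsentPromptBehaviorAdmin"] == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: elevation requests from admin users "
                        "are granted without any prompt; this applies immediately")
    if policy["PromptOnSecureDesktop"] == 0:
        findings.append("PromptOnSecureDesktop=0: any prompt still shown is drawn on the "
                        "interactive desktop, where a user-mode process can interfere with it")
    return findings


def remediation(policy):
    """reg.exe commands that restore the default for each value that was changed."""
    return [f'reg add "{POLICY_KEY}" /v {name} /t REG_DWORD /d {default} /f'
            for name, default in DEFAULTS.items() if policy.get(name) != default]


def analyse(text=IOC_LINES):
    writes = parse_ioc_lines(text)
    policy = effective_policy(writes)
    return {"writers": sorted({p for p, _, _ in writes}), "policy": policy,
            "findings": assess(policy), "remediation": remediation(policy)}


if __name__ == "__main__":
    report = analyse()
    print("written by:", ", ".join(report["writers"]))
    for line in report["findings"] + report["remediation"]:
        print(" ", line)
```

Note the ordering: EnableLUA=0 needs a reboot to take effect, so the sample also zeroes ConsentPromptBehaviorAdmin, which removes the prompt in the current session. Restoring the defaults is not enough on its own; the scheduled tasks that relaunch the payload with /rl HIGHEST have to go first, or it will simply write the values again.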
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Indentation shows parent/child depth. The 27 schtasks.exe instances follow in a table; they sit at depth 1 because their parent, wmiprvse.exe (PID 2924), is not part of the sample's own tree.

C:\Users\Admin\AppData\Local\Temp\371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe"
  PID: 2888
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
    PID: 340
    - Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"
    PID: 2672
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"
      PID: 2468
      - Suspicious use of WriteProcessMemory
      (The 32-bit dropper asked for System32\WScript.exe and got the SysWOW64 copy through file-system redirection.)

      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "
        PID: 2572
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        C:\bridgeServercomponentFontDriver\MsHostsvc.exe
          Command line: "C:\bridgeServercomponentFontDriver\MsHostsvc.exe"
          PID: 2464
          - DcRat
          - UAC bypass
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification

          C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mqKWPsdws2.bat"
            PID: 1780
            - Suspicious use of WriteProcessMemory

            C:\Windows\system32\w32tm.exe
              Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              PID: 1900
              (Sampling localhost twice, five seconds apart, does nothing useful for time sync; batch droppers use this w32tm call as a short sleep before the next line relaunches the payload.)

            C:\bridgeServercomponentFontDriver\MsHostsvc.exe
              Command line: "C:\bridgeServercomponentFontDriver\MsHostsvc.exe"
              PID: 2072
              - UAC bypass
              - Executes dropped EXE
              - Checks whether UAC is enabled
              - Drops file in Program Files directory
              - Drops file in Windows directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              - System policy modification

              C:\Windows\System32\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cWkBSqzw3R.bat"
                PID: 1912
                - Suspicious use of WriteProcessMemory

                C:\Windows\system32\w32tm.exe
                  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  PID: 1648

                C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe
                  Command line: "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe"
                  PID: 1592
                  - UAC bypass
                  - Executes dropped EXE
                  - Checks whether UAC is enabled
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  - System policy modification
Scheduled tasks created by the sample (27 instances of C:\Windows\system32\schtasks.exe, each at depth 1 with parent wmiprvse.exe PID 2924, and each carrying the signatures DcRat, Process spawned unexpected child process, and Scheduled Task/Job: Scheduled Task). Every command line has the form schtasks.exe /create /tn "<name>" /sc <trigger> [/mo <n>] /tr "'<target>'" [/rl HIGHEST] /f.

The pattern repeats for each of the nine dropped payloads: a per-minute task with the default (LIMITED) run level, an ONLOGON task with /rl HIGHEST, and a second per-minute task with /rl HIGHEST. The two per-minute tasks share a name (the payload name with its first letter appended), so if the tasks were created in the order listed, /f makes the elevated one overwrite the unprivileged one and two tasks per payload remain. Every target is a Windows or Office binary name placed in a directory where that binary does not belong.

PID | task name | trigger | run level | target (/tr)
2792 | wininitw | MINUTE /mo 5 | LIMITED (default) | C:\Program Files\Common Files\wininit.exe
2828 | wininit | ONLOGON | HIGHEST | C:\Program Files\Common Files\wininit.exe
2876 | wininitw | MINUTE /mo 5 | HIGHEST | C:\Program Files\Common Files\wininit.exe
680 | smsss | MINUTE /mo 10 | LIMITED (default) | C:\Users\Public\Desktop\smss.exe
2864 | smss | ONLOGON | HIGHEST | C:\Users\Public\Desktop\smss.exe
2772 | smsss | MINUTE /mo 8 | HIGHEST | C:\Users\Public\Desktop\smss.exe
1148 | sppsvcs | MINUTE /mo 8 | LIMITED (default) | C:\Windows\tracing\sppsvc.exe
2316 | sppsvc | ONLOGON | HIGHEST | C:\Windows\tracing\sppsvc.exe
1628 | sppsvcs | MINUTE /mo 9 | HIGHEST | C:\Windows\tracing\sppsvc.exe
2208 | dllhostd | MINUTE /mo 7 | LIMITED (default) | C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\dllhost.exe
1776 | dllhost | ONLOGON | HIGHEST | C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\dllhost.exe
1856 | dllhostd | MINUTE /mo 9 | HIGHEST | C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\dllhost.exe
1848 | MsHostsvcM | MINUTE /mo 13 | LIMITED (default) | C:\Users\Admin\Templates\MsHostsvc.exe
744 | MsHostsvc | ONLOGON | HIGHEST | C:\Users\Admin\Templates\MsHostsvc.exe
1724 | MsHostsvcM | MINUTE /mo 12 | HIGHEST | C:\Users\Admin\Templates\MsHostsvc.exe
1840 | IdleI | MINUTE /mo 13 | LIMITED (default) | C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\Idle.exe
3068 | Idle | ONLOGON | HIGHEST | C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\Idle.exe
1764 | IdleI | MINUTE /mo 12 | HIGHEST | C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\Idle.exe
2540 | spoolsvs | MINUTE /mo 8 | LIMITED (default) | C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe
2028 | spoolsv | ONLOGON | HIGHEST | C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe
1252 | spoolsvs | MINUTE /mo 11 | HIGHEST | C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe
2276 | winlogonw | MINUTE /mo 8 | LIMITED (default) | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe
1732 | winlogon | ONLOGON | HIGHEST | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe
2260 | winlogonw | MINUTE /mo 6 | HIGHEST | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe
580 | OSPPSVCO | MINUTE /mo 9 | LIMITED (default) | C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\OSPPSVC.exe
924 | OSPPSVC | ONLOGON | HIGHEST | C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\OSPPSVC.exe
1476 | OSPPSVCO | MINUTE /mo 8 | HIGHEST | C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\OSPPSVC.exe
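The tree and the task list above carry four signals that generalise beyond this sample: schtasks.exe with WmiPrvSE.exe as parent, cmd.exe launched by WScript.exe, Windows binary names (winlogon.exe, wininit.exe, smss.exe, spoolsv.exe, dllhost.exe, sppsvc.exe, services.exe) running from or scheduled in directories where they do not belong, and /create tasks that combine /rl HIGHEST with an ONLOGON trigger. The following is an added example written for this page, not part of the sandbox output or of DcRat: a small rule set run over process-creation events reconstructed from the report. The event field names (pid, image, parent_image, cmdline) are modelled on Sysmon Event ID 1 and are an assumption about the reader's telemetry; four events are taken from the tree, and one benign control event is constructed.

```python
"""Rule checks for the persistence pattern in this report (added example)."""
import re
from pathlib import PureWindowsPath

# Windows binaries that only belong in the system directories; a copy anywhere
# else is masquerading (the sample drops several of these under Program Files,
# C:\Recovery, C:\Windows\tracing and the user's profile).
SYSTEM_BINARIES = {"winlogon.exe", "wininit.exe", "smss.exe", "services.exe", "spoolsv.exe",
                   "dllhost.exe", "sppsvc.exe", "lsass.exe", "csrss.exe", "svchost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

# Parents that should not be launching these children. WmiPrvSE.exe is the parent
# of anything started through WMI Win32_Process.Create, which is how the 27
# schtasks.exe instances above were spawned.
UNEXPECTED_PARENTS = {
    "schtasks.exe": {"wmiprvse.exe"},
    "cmd.exe": {"wscript.exe", "cscript.exe"},
}

SCHTASKS_RE = {
    "tn": re.compile(r'/tn\s+"([^"]+)"', re.I),
    "sc": re.compile(r"/sc\s+(\S+)", re.I),
    "mo": re.compile(r"/mo\s+(\d+)", re.I),
    "rl": re.compile(r"/rl\s+(\S+)", re.I),
    # The sample wraps the target as "'...'", so strip both quote layers.
    "tr": re.compile(r'/tr\s+"\'?(.+?)\'?"', re.I),
}


def parse_schtasks(cmdline):
    """Return the /create parameters of a schtasks command line, or None if not a /create."""
    if "/create" not in cmdline.lower():
        return None
    params = {}
    for key, rx in SCHTASKS_RE.items():
        m = rx.search(cmdline)
        params[key] = m.group(1) if m else None
    return params


def in_system_dir(path):
    # Exact directory match: C:\Windows\tracing or C:\Recovery\... do not qualify.
    return str(PureWindowsPath(path).parent).lower() in SYSTEM_DIRS


def masquerade_reason(path):
    name = PureWindowsPath(path).name.lower()
    if name in SYSTEM_BINARIES and not in_system_dir(path):
        return f"{name} outside a system directory: {path}"
    return None


def evaluate(event):
    """Return the list of findings for one process-creation event."""
    findings = []
    image = PureWindowsPath(event["image"]).name.lower()
    parent = PureWindowsPath(event["parent_image"]).name.lower()
    if parent in UNEXPECTED_PARENTS.get(image, ()):
        findings.append(f"{image} (pid {event['pid']}) spawned by {parent}")
    reason = masquerade_reason(event["image"])
    if reason:
        findings.append("masquerading: " + reason)
    if image == "schtasks.exe":
        task = parse_schtasks(event["cmdline"])
        if task and task["tr"]:
            why = []
            if (task["rl"] or "").upper() == "HIGHEST":
                why.append("runs elevated")
            if (task["sc"] or "").upper() == "ONLOGON":
                why.append("logon trigger")
            target_reason = masquerade_reason(task["tr"])
            if target_reason:
                why.append(target_reason)
            if why:
                findings.append(f"task {task['tn']!r} -> {task['tr']} ({'; '.join(why)})")
    return findings


# Constructed sample events: four taken from the process tree above plus one benign
# control (the genuine winlogon.exe started by smss.exe) that must produce nothing.
EVENTS = [
    {"pid": 2572, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmdline": r'cmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "'},
    {"pid": 1592,
     "image": r"C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "winlogon.exe"},
    {"pid": 2792, "image": r"C:\Windows\system32\schtasks.exe",
     "parent_image": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "cmdline": r'''schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\wininit.exe'" /f'''},
    {"pid": 2828, "image": r"C:\Windows\system32\schtasks.exe",
     "parent_image": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "cmdline": r'''schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Common Files\wininit.exe'" /rl HIGHEST /f'''},
    {"pid": 500, "image": r"C:\Windows\System32\winlogon.exe",
     "parent_image": r"C:\Windows\System32\smss.exe", "cmdline": "winlogon.exe"},
]


def run(events=EVENTS):
    """Map pid -> findings for every event."""
    return {e["pid"]: evaluate(e) for e in events}


if __name__ == "__main__":
    for pid, findings in run().items():
        print(pid, findings or "clean")
```

The masquerade check is deliberately an exact directory match rather than a prefix match: C:\Windows\tracing\sppsvc.exe and C:\Windows\schemas\EAPMethods\services.exe, both dropped by this sample, live under C:\Windows but not in System32, and a prefix test on C:\Windows would miss them.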
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
Filesize: 8KB
MD5: 78f38e4700f08a5a56a3bd422ba8fe9f
SHA1: 25993fbf617830c23592ee0adff340c3f76dc641
SHA256: 0f207fe33eaa8a486a50938a7c4668f61762fbac383a9b5005af545dd18265af
SHA512: d865387fe14d7bebd6a3bacc26a34af2e3d05d1521ddc839cdbcd00413b6147a15895f9f5b40b44055a416aa55030a28f068b6c80abc698ac2179d0f69bcecbb

Filesize: 251B
MD5: 97897433c5ea6e5203a6a7836df35093
SHA1: 905bb79e0a51702d9c75419b0950cd15d527ed64
SHA256: bb1392c3babfb0b0a0632efecd2c1de56c62d1215574bac712cdf4791d4e21d6
SHA512: 1d6facfd43260851a49c5ec1fb2eba4122831025c7af1fbc824b002e52cf1c9ad53b93d0302c0b2c4f0f9e0decd59c61f8d49bd00985446aac182e42530d97b6

Filesize: 213B
MD5: 9f7739c37f5011ad015d0b1ed0f47949
SHA1: 7f83225eeedef5ef05f13e9466ee2a7d885db0ff
SHA256: 8f4ccc347c6c732766c42fe210714618212bf5d0e93c4dc8356b273a4369b114
SHA512: e59b64a47723cf64904c1b94752a8865ffa2f51c9b41801d1646f325e5729613d6678d1f3ba79d91a31a728ebccc7223f5743f16711ed196c91397f6181a8512

Filesize: 50B
MD5: 21b5523fa5a489444309d54f4f58ec98
SHA1: 4b9f2c6c37e428a6c504d38bf404fbe7613b900c
SHA256: f3816eaf5c2710018fea5d788601d9c31d0b21d4c25f44284da0d3641eda8dd5
SHA512: ef25536cc3c27e22b2e6cb1834a8279ebb95c5a06d3c2ebab46ad2d0b88c6dc7a1f3c4069d16b747d4108b859bb3776575414e3aeefaca1cd768274b887b2738

Filesize: 2.7MB
MD5: a7a6c9f410573c8fbd408170eab6aa33
SHA1: 99354c9e2c7fc978abd47e8d2ec1a403bcc5dfd6
SHA256: 9d5aaaf2551239a60ec1a383a3512be976cfaa866573e86687c59412ae167974
SHA512: f3dbb349ed88f1d9b7c6d1e0ffc2fa12b3d2f68209eaf97ff8bf4344c5a87e39ba3588584df4b656acdcf1b1526415b0a06e921f405bc836792c9b55a794d6b5

Filesize: 215B
MD5: bd091f4d8a1df91d73b0c65a4ba02330
SHA1: bef757dc154e1d4a0fc91f8ce1e4072c4c12d6df
SHA256: 7eeb92d6b5e2faca9ea5763051aac81b7851f4aefe76680ccb25a3aec7e05be2
SHA512: 0559ece912e8d3f061e615dd55ced1ddb75c743014b99f4589421c192a4aadf58c41c5b8d72cb96ac3b40f4326e7a7c5791691d557036fb3df2df8f78ff2a98c

Filesize: 3.0MB
MD5: d80301cde99009a601e22c0f9cb3433a
SHA1: d82a05a75f31ec11ced2f6c5e0b945510dbfcd5a
SHA256: 334e48543f8c2d0203135f7820116b676467ae1c1a3d6eabd8b17f96308e5574
SHA512: 02b744e15834b654b1d4772d8f2ddc26ca773a9139d9d12fec12c2749e09e69c904014c8464762a7bd97aa8413971193a8c386bb2bfecc14fc8aabd78383888b