Analysis
- max time kernel: 31s
- max time network: 37s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 21-07-2024 09:38
Behavioral task behavioral1
- Sample: a57378db4d26609de5f519dd2659ae60N.exe
- Resource: win7-20240704-en
Behavioral task behavioral2
- Sample: a57378db4d26609de5f519dd2659ae60N.exe
- Resource: win10v2004-20240709-en
General
- Target: a57378db4d26609de5f519dd2659ae60N.exe
- Size: 784KB
- MD5: a57378db4d26609de5f519dd2659ae60
- SHA1: 56f0f96c01ca12792cea6b7ea0814f0f568fe095
- SHA256: cb667550264f5028045377419da9a935006e09b136ebe69a409a520dbf8db587
- SHA512: 6bfa4635da5753f2713c826ade75910bd0d8488915c8b80e5893b52c7c8696538edb5d4a4fba68636b1a92de6d487a184fabafb945ee35eecb6015bf4163cf33
- SSDEEP: 12288:eqnO8YpD1oOJp+Ce1PSiG2jfIBoI5DyDwYMDxFesH0ioBw7oKk2:e+ORToOWSi5gBoS4wYUJ0eo2
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) RAT is a .NET remote access trojan, active since June 2019, that can load additional plugins.
-
Process spawned unexpected child process 17 IoCs
The generic explanation for this signature is that the parent process was compromised via an exploit or macro. That reading does not fit this run: the parent is the WMI provider host, and a command-line tool whose parent is wmiprvse.exe is exactly what a process created through WMI (Win32_Process.Create) looks like in a process tree. The provider host launches the child on behalf of whichever process issued the WMI request, so the tree is consistent with the sample registering its tasks via WMI, not with wmiprvse.exe itself being exploited.
Processes:
All 17 instances are schtasks.exe, and all were spawned by PID 2760, C:\Windows\system32\wbem\wmiprvse.exe, which is not expected to spawn this process:
- schtasks.exe PIDs 2832, 2776, 2524, 2124, 1204, 1072, 2572, 1732, 2028, 1272, 1608, 2164, 1196, 2952, 1160, 692, 1896 (parent PID 2760 in every case)
UAC bypass 12 IoCs
Processes: smss.exe, a57378db4d26609de5f519dd2659ae60N.exe (three instances)
All writes are DWORD (int) values under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:
- EnableLUA = "0": smss.exe (1 write), a57378db4d26609de5f519dd2659ae60N.exe (3 writes)
- ConsentPromptBehaviorAdmin = "0": smss.exe (1 write), a57378db4d26609de5f519dd2659ae60N.exe (3 writes)
- PromptOnSecureDesktop = "0": smss.exe (1 write), a57378db4d26609de5f519dd2659ae60N.exe (3 writes)
YARA rule matches 4 IoCs
Resources:
- behavioral1/memory/2292-1-0x0000000000FF0000-0x00000000010BA000-memory.dmp: dcrat
- C:\Windows\System32\KBDSW\lsm.exe: dcrat
- C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe: dcrat
- behavioral1/memory/2932-143-0x00000000009F0000-0x0000000000ABA000-memory.dmp: dcrat
Executes dropped EXE 3 IoCs
Processes:
- PID 2772: a57378db4d26609de5f519dd2659ae60N.exe
- PID 1548: a57378db4d26609de5f519dd2659ae60N.exe
- PID 2932: smss.exe
Adds Run key to start application 2 TTPs 17 IoCs
Processes: a57378db4d26609de5f519dd2659ae60N.exe (three instances)
All 17 values are REG_SZ (str) entries under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, written by a57378db4d26609de5f519dd2659ae60N.exe; the registry escaping is removed below. Note that a Run value name holds a single command, so where the same name is written several times (lsm, lsass, wininit, winlogon, WmiPrvSE) only the last path written survives.
- Run\Idle = "C:\ProgramData\Start Menu\Idle.exe"
- Run\winlogon = "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\winlogon.exe"
- Run\audiodg = "C:\Documents and Settings\audiodg.exe"
- Run\dwm = "C:\Windows\System32\NlsLexicons0002\dwm.exe"
- Run\lsass = "C:\Program Files\Windows Journal\ja-JP\lsass.exe"
- Run\wininit = "C:\Windows\System32\perfi010\wininit.exe"
- Run\smss = "C:\PerfLogs\Admin\smss.exe"
- Run\lsm = "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe"
- Run\lsm = "C:\Windows\System32\KBDSW\lsm.exe"
- Run\lsm = "C:\Windows\System32\C_936\lsm.exe"
- Run\sppsvc = "C:\Windows\System32\lsm\sppsvc.exe"
- Run\WmiPrvSE = "C:\Windows\System32\wbem\p2p-crp\WmiPrvSE.exe"
- Run\wininit = "C:\Windows\System32\scesrv\wininit.exe"
- Run\winlogon = "C:\Windows\System32\scrobj\winlogon.exe"
- Run\lsass = "C:\Users\Admin\My Documents\lsass.exe"
- Run\lsass = "C:\ProgramData\Application Data\lsass.exe"
- Run\WmiPrvSE = "C:\Windows\System32\wbem\viewprov\WmiPrvSE.exe"
Checks whether UAC is enabled 8 IoCs
Processes: smss.exe, a57378db4d26609de5f519dd2659ae60N.exe (three instances)
Each process reads \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA and then writes it to "0":
- Key value queried ...\Policies\System\EnableLUA: smss.exe
- Set value (int) ...\Policies\System\EnableLUA = "0": smss.exe
- Key value queried ...\Policies\System\EnableLUA: a57378db4d26609de5f519dd2659ae60N.exe (3 reads, one per instance)
- Set value (int) ...\Policies\System\EnableLUA = "0": a57378db4d26609de5f519dd2659ae60N.exe (3 writes, one per instance)
Drops file in System32 directory 30 IoCs
Processes: a57378db4d26609de5f519dd2659ae60N.exe (three instances); every entry below is by that process
- File created C:\Windows\System32\NlsLexicons0002\6cb0b6c459d5d3455a3da700e713f2e2529862ff
- File created C:\Windows\System32\perfi010\wininit.exe
- File opened for modification C:\Windows\System32\perfi010\wininit.exe
- File created C:\Windows\System32\C_936\101b941d020240259ca4912829b53995ad543df6
- File opened for modification C:\Windows\System32\scrobj\RCX3802.tmp
- File opened for modification C:\Windows\System32\KBDSW\lsm.exe
- File opened for modification C:\Windows\System32\C_936\lsm.exe
- File created C:\Windows\System32\C_936\lsm.exe
- File created C:\Windows\System32\wbem\p2p-crp\WmiPrvSE.exe
- File opened for modification C:\Windows\System32\wbem\p2p-crp\WmiPrvSE.exe
- File created C:\Windows\System32\lsm\0a1fd5f707cd16ea89afd3d6db52b2da58214a6c
- File opened for modification C:\Windows\System32\wbem\viewprov\WmiPrvSE.exe
- File created C:\Windows\System32\scesrv\wininit.exe
- File created C:\Windows\System32\scrobj\winlogon.exe
- File created C:\Windows\System32\scrobj\cc11b995f2a76da408ea6a601e682e64743153ad
- File created C:\Windows\System32\wbem\viewprov\WmiPrvSE.exe
- File created C:\Windows\System32\wbem\viewprov\24dbde2999530ef5fd907494bc374d663924116c
- File created C:\Windows\System32\scesrv\560854153607923c4c5f107085a7db67be01f252
- File created C:\Windows\System32\NlsLexicons0002\dwm.exe
- File created C:\Windows\System32\wbem\p2p-crp\24dbde2999530ef5fd907494bc374d663924116c
- File opened for modification C:\Windows\System32\lsm\sppsvc.exe
- File created C:\Windows\System32\KBDSW\lsm.exe
- File opened for modification C:\Windows\System32\KBDSW\RCX413A.tmp
- File opened for modification C:\Windows\System32\C_936\RCX47E1.tmp
- File created C:\Windows\System32\lsm\sppsvc.exe
- File opened for modification C:\Windows\System32\scrobj\winlogon.exe
- File opened for modification C:\Windows\System32\NlsLexicons0002\dwm.exe
- File opened for modification C:\Windows\System32\scesrv\wininit.exe
- File created C:\Windows\System32\KBDSW\101b941d020240259ca4912829b53995ad543df6
- File created C:\Windows\System32\perfi010\560854153607923c4c5f107085a7db67be01f252
Drops file in Program Files directory 6 IoCs
Processes: a57378db4d26609de5f519dd2659ae60N.exe (two instances); every entry below is by that process
- File created C:\Program Files\Windows Journal\ja-JP\lsass.exe
- File created C:\Program Files\Windows Journal\ja-JP\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9
- File opened for modification C:\Program Files\Windows Journal\ja-JP\lsass.exe
- File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\winlogon.exe
- File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\cc11b995f2a76da408ea6a601e682e64743153ad
- File opened for modification C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\winlogon.exe
Drops file in Windows directory 1 IoCs
Processes: a57378db4d26609de5f519dd2659ae60N.exe
- File created C:\Windows\winsxs\lsass.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies system certificate store 2 IoCs
Processes: smss.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob not reproduced on this page)
Scheduled Task/Job: Scheduled Task 1 TTPs 17 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- schtasks.exe PIDs 1732, 2028, 2164, 1204, 1272, 692, 2952, 1160, 2832, 2776, 2524, 1196, 1896, 2124, 1072, 2572, 1608
Suspicious behavior: EnumeratesProcesses 48 IoCs
Processes:
- 48 process-enumeration events in total, from PIDs 2292, 2772 and 1548 (a57378db4d26609de5f519dd2659ae60N.exe) and PID 2932 (smss.exe)
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
- Token: SeDebugPrivilege, PID 2292 a57378db4d26609de5f519dd2659ae60N.exe
- Token: SeDebugPrivilege, PID 2772 a57378db4d26609de5f519dd2659ae60N.exe
- Token: SeDebugPrivilege, PID 1548 a57378db4d26609de5f519dd2659ae60N.exe
- Token: SeDebugPrivilege, PID 2932 smss.exe
Suspicious use of WriteProcessMemory 15 IoCs
Processes: a57378db4d26609de5f519dd2659ae60N.exe (three instances), cmd.exe
Each parent-to-child write is recorded three times (15 events, 5 distinct pairs):
- PID 2292 a57378db4d26609de5f519dd2659ae60N.exe wrote to memory of PID 2772 a57378db4d26609de5f519dd2659ae60N.exe (3 events)
- PID 2772 a57378db4d26609de5f519dd2659ae60N.exe wrote to memory of PID 1548 a57378db4d26609de5f519dd2659ae60N.exe (3 events)
- PID 1548 a57378db4d26609de5f519dd2659ae60N.exe wrote to memory of PID 2480 cmd.exe (3 events)
- PID 2480 cmd.exe wrote to memory of PID 2356 w32tm.exe (3 events)
- PID 2480 cmd.exe wrote to memory of PID 2932 smss.exe (3 events)
System policy modification 1 TTPs 12 IoCs
Processes: a57378db4d26609de5f519dd2659ae60N.exe (three instances), smss.exe
All writes are DWORD (int) values under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:
- EnableLUA = "0": a57378db4d26609de5f519dd2659ae60N.exe (3 writes), smss.exe (1 write)
- ConsentPromptBehaviorAdmin = "0": a57378db4d26609de5f519dd2659ae60N.exe (3 writes), smss.exe (1 write)
- PromptOnSecureDesktop = "0": a57378db4d26609de5f519dd2659ae60N.exe (3 writes), smss.exe (1 write)
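The three values written here are the whole of the UAC-disable sequence: EnableLUA = 0 switches UAC off at the next logon, ConsentPromptBehaviorAdmin = 0 makes elevation silent for administrators in the meantime, and PromptOnSecureDesktop = 0 moves any prompt that still appears off the secure desktop, where it can be spoofed. The Python below is an added detection example written for this page; it is not code from the sandbox or from the sample. It parses registry lines in the format this report prints, reports which process weakened which value, and separately reports processes that read EnableLUA before zeroing it (the "Checks whether UAC is enabled" followed by "UAC bypass" pattern). The sample events are reconstructed from this report's lines plus constructed benign entries (explorer.exe, agent.exe) that must not be flagged; the meanings attached to each value are the documented UAC semantics, not something taken from the report.

```python
import re
from dataclasses import dataclass

# Registry key holding the UAC policy, in the path form Triage prints.
UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Value name -> (data that weakens it, what that data means).
UAC_WEAK = {
    "EnableLUA": ("0", "UAC switched off entirely (effective at next logon)"),
    "ConsentPromptBehaviorAdmin": ("0", "administrators elevate with no prompt at all"),
    "PromptOnSecureDesktop": ("0", "remaining prompts drawn on the normal desktop, where they can be spoofed"),
}

SET_VALUE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+) = "(?P<data>.*)" (?P<proc>\S+)$')
QUERIED = re.compile(r'^Key value queried (?P<key>\\REGISTRY\\\S+) (?P<proc>\S+)$')


@dataclass(frozen=True)
class Downgrade:
    process: str
    value: str
    data: str
    meaning: str


def split_key(path):
    """Split a registry value path into (parent key, value name)."""
    parent, _, name = path.rpartition("\\")
    return parent, name


def uac_downgrades(events):
    """One Downgrade per registry write that sets a UAC policy value to its weak data."""
    found = []
    for line in events.splitlines():
        m = SET_VALUE.match(line.strip())
        if not m:
            continue
        parent, name = split_key(m.group("key"))
        if parent.lower() != UAC_KEY.lower():
            continue
        weak = UAC_WEAK.get(name)
        if weak and m.group("data") == weak[0]:
            found.append(Downgrade(m.group("proc"), name, m.group("data"), weak[1]))
    return found


def by_process(downgrades):
    """Collapse the repeated writes a sandbox records into {process: {value name, ...}}."""
    out = {}
    for d in downgrades:
        out.setdefault(d.process, set()).add(d.value)
    return out


def check_then_disable(events):
    """Processes that read EnableLUA and afterwards wrote it to 0 (the check-then-disable pattern)."""
    queried, disabled = set(), set()
    for line in events.splitlines():
        q = QUERIED.match(line.strip())
        if q and split_key(q.group("key"))[1] == "EnableLUA":
            queried.add(q.group("proc"))
            continue
        s = SET_VALUE.match(line.strip())
        if (s and split_key(s.group("key"))[1] == "EnableLUA"
                and s.group("data") == "0" and s.group("proc") in queried):
            disabled.add(s.group("proc"))
    return disabled


# Constructed sample: registry lines from this report's signatures plus benign lines
# (explorer.exe reading EnableLUA and restoring the default 5; an unrelated key) that must not fire.
SAMPLE_EVENTS = r'''
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" smss.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA a57378db4d26609de5f519dd2659ae60N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a57378db4d26609de5f519dd2659ae60N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" a57378db4d26609de5f519dd2659ae60N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" a57378db4d26609de5f519dd2659ae60N.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a57378db4d26609de5f519dd2659ae60N.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" explorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Contoso\Agent\Mode = "0" agent.exe
'''

if __name__ == "__main__":
    hits = uac_downgrades(SAMPLE_EVENTS)
    for proc, values in by_process(hits).items():
        print(f"{proc}: weakened {sorted(values)}")
    print("checked UAC then disabled it:", sorted(check_then_disable(SAMPLE_EVENTS)))
```

The collapse in by_process matters when reading sandbox output: the report records the same write once per process instance, so twelve IoCs here are really three values touched by two programs, and the question for triage is which binaries did it, not how many lines fired.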
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\a57378db4d26609de5f519dd2659ae60N.exe (PID 2292)
  command line: "C:\Users\Admin\AppData\Local\Temp\a57378db4d26609de5f519dd2659ae60N.exe"
  signatures: UAC bypass; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
  - C:\Users\Admin\AppData\Local\Temp\a57378db4d26609de5f519dd2659ae60N.exe (PID 2772)
    command line: "C:\Users\Admin\AppData\Local\Temp\a57378db4d26609de5f519dd2659ae60N.exe"
    signatures: UAC bypass; Executes dropped EXE; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Users\Admin\AppData\Local\Temp\a57378db4d26609de5f519dd2659ae60N.exe (PID 1548)
      command line: "C:\Users\Admin\AppData\Local\Temp\a57378db4d26609de5f519dd2659ae60N.exe"
      signatures: UAC bypass; Executes dropped EXE; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Windows\System32\cmd.exe (PID 2480)
        command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GkAKG2zvN3.bat"
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\w32tm.exe (PID 2356)
          command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          (a common batch-file delay idiom: sampling localhost twice at a 5-second interval stalls the script for a few seconds before the dropped copy is launched)
        - C:\PerfLogs\Admin\smss.exe (PID 2932)
          command line: "C:\PerfLogs\Admin\smss.exe"
          signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Modifies system certificate store; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; System policy modification

The following 17 schtasks.exe instances appear as separate roots of the tree (their parent, PID 2760 wmiprvse.exe, is not shown as a node). Every one carries the signatures Process spawned unexpected child process and Scheduled Task/Job: Scheduled Task. Each task is registered with /sc ONLOGON and /rl HIGHEST, so the dropped copy is relaunched at every logon with the highest privileges available to the user's token, and /f silently overwrites any task of the same name.
- PID 2832: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\scrobj\winlogon.exe'" /rl HIGHEST /f
- PID 2776: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Documents and Settings\audiodg.exe'" /rl HIGHEST /f
- PID 2524: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'" /rl HIGHEST /f
- PID 2124: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\lsass.exe'" /rl HIGHEST /f
- PID 1204: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\KBDSW\lsm.exe'" /rl HIGHEST /f
- PID 1072: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\ProgramData\Application Data\lsass.exe'" /rl HIGHEST /f
- PID 2572: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\Idle.exe'" /rl HIGHEST /f
- PID 1732: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\C_936\lsm.exe'" /rl HIGHEST /f
- PID 2028: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\NlsLexicons0002\dwm.exe'" /rl HIGHEST /f
- PID 1272: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\viewprov\WmiPrvSE.exe'" /rl HIGHEST /f
- PID 1608: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\ja-JP\lsass.exe'" /rl HIGHEST /f
- PID 2164: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\lsm\sppsvc.exe'" /rl HIGHEST /f
- PID 1196: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\perfi010\wininit.exe'" /rl HIGHEST /f
- PID 2952: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\p2p-crp\WmiPrvSE.exe'" /rl HIGHEST /f
- PID 1160: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\PerfLogs\Admin\smss.exe'" /rl HIGHEST /f
- PID 692: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\winlogon.exe'" /rl HIGHEST /f
- PID 1896: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\scesrv\wininit.exe'" /rl HIGHEST /f
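Every scheduled task above, and every Run key in the "Adds Run key to start application" signature, points at a file named after a core Windows process (smss, lsass, winlogon, wininit, lsm, dwm, sppsvc, audiodg, WmiPrvSE) but placed in a directory that process never runs from, plus an "Idle.exe" that is not a Windows binary at all. The Python below is an added detection example written for this page (not the sandbox's or the sample's code) covering both signatures: it extracts the launch target from schtasks /create command lines and from Run-key writes in the format this report prints, then flags targets whose file name belongs to a system process but whose directory is not that process's real home. The table of canonical directories is an assumption of the example (System32 for the listed processes, the wbem folders under System32 and SysWOW64 for WmiPrvSE); the sample input reuses command lines and Run-key writes from this report plus constructed benign entries that must not be flagged.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed for this example: the only directories a binary of each name legitimately runs from.
# An empty tuple means no Windows binary of that name exists, so any file by that name is suspect.
CANONICAL_DIRS = {
    "smss.exe": (r"C:\Windows\System32",),
    "lsass.exe": (r"C:\Windows\System32",),
    "winlogon.exe": (r"C:\Windows\System32",),
    "wininit.exe": (r"C:\Windows\System32",),
    "dwm.exe": (r"C:\Windows\System32",),
    "lsm.exe": (r"C:\Windows\System32",),
    "sppsvc.exe": (r"C:\Windows\System32",),
    "audiodg.exe": (r"C:\Windows\System32",),
    "wmiprvse.exe": (r"C:\Windows\System32\wbem", r"C:\Windows\SysWOW64\wbem"),
    "idle.exe": (),
}

RUNKEY = re.compile(r'^Set value \(str\) (?P<key>\\REGISTRY\\\S+) = "(?P<data>.*)" (?P<proc>\S+)$')


@dataclass(frozen=True)
class Persistence:
    source: str   # "schtasks" or "runkey"
    name: str     # task name or Run value name
    target: str   # path the entry launches
    detail: str   # schedule/run level, or the writing process


def _opt(cmdline, flag):
    """Value of a schtasks option, quoted or bare, wherever it appears on the line."""
    m = re.search(rf'/{flag}\s+(?:"([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def from_schtasks(cmdline):
    """Persistence entry from a 'schtasks /create' command line, or None."""
    if not re.search(r"/create\b", cmdline, re.IGNORECASE):
        return None
    target = _opt(cmdline, "tr")
    if target is None:
        return None
    target = target.strip("'\"")        # the sample wraps the path in '...' inside "..."
    detail = f"/sc {_opt(cmdline, 'sc')}"
    run_level = _opt(cmdline, "rl")
    if run_level:
        detail += f" /rl {run_level}"
    return Persistence("schtasks", _opt(cmdline, "tn") or "", target, detail)


def from_runkey(event):
    """Persistence entry from a Triage 'Set value (str)' line under ...\\Run or ...\\RunOnce, or None."""
    m = RUNKEY.match(event.strip())
    if not m:
        return None
    parent, _, name = m.group("key").rpartition("\\")
    if parent.rpartition("\\")[2].lower() not in ("run", "runonce"):
        return None
    # The REG_SZ data is printed as an escaped, quoted string; undo the escaping and outer quotes.
    data = m.group("data").replace('\\"', '"').replace("\\\\", "\\").strip('"')
    return Persistence("runkey", name, data, f"set by {m.group('proc')}")


def masquerade_reason(target):
    """Why a launch target looks like a renamed system binary, or None if it does not."""
    p = PureWindowsPath(target)
    allowed = CANONICAL_DIRS.get(p.name.lower())
    if allowed is None:
        return None                     # not a name this table tracks
    if not allowed:
        return f"{p.name} is not a Windows binary"
    if str(p.parent).lower() in {d.lower() for d in allowed}:
        return None
    return f"{p.name} outside its real location ({'; '.join(allowed)})"


def suspicious_persistence(schtasks_cmdlines, runkey_events):
    """(entry, reason) for every task or Run key whose target masquerades as a system process."""
    entries = [e for e in map(from_schtasks, schtasks_cmdlines.splitlines()) if e]
    entries += [e for e in map(from_runkey, runkey_events.splitlines()) if e]
    flagged = []
    for entry in entries:
        reason = masquerade_reason(entry.target)
        if reason:
            flagged.append((entry, reason))
    return flagged


# Constructed sample input: seven task command lines and three Run-key writes from this report,
# plus a benign task (untracked name) and a benign Run key (OneDrive) that must not be flagged.
SAMPLE_SCHTASKS = r'''
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\scrobj\winlogon.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Documents and Settings\audiodg.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\lsass.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\ProgramData\Start Menu\Idle.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\viewprov\WmiPrvSE.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\PerfLogs\Admin\smss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "Backup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe" /f
'''
SAMPLE_RUNKEYS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\ProgramData\\Start Menu\\Idle.exe\"" a57378db4d26609de5f519dd2659ae60N.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\resources\\1033\\winlogon.exe\"" a57378db4d26609de5f519dd2659ae60N.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\NlsLexicons0002\\dwm.exe\"" a57378db4d26609de5f519dd2659ae60N.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\"" explorer.exe
'''

if __name__ == "__main__":
    for entry, reason in suspicious_persistence(SAMPLE_SCHTASKS, SAMPLE_RUNKEYS):
        print(f"[{entry.source}] {entry.name}: {entry.target} ({entry.detail}) -> {reason}")
```

The check is deliberately path-based rather than hash-based: the dropped copies change with every build, but a smss.exe under C:\PerfLogs or a WmiPrvSE.exe in a freshly created wbem subfolder is wrong regardless of its hash, and the same rule applies unchanged to the Run keys and to the scheduled tasks.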
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job: Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism: Bypass User Account Control (1)
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job: Scheduled Task (1)
Downloads
- Filesize: 784KB
  MD5: fb8104610be9ea8a2ddf11cdc0ce113c
  SHA1: ebea110bf75e1380c733e1835dc79d40a620ced0
  SHA256: da388067d60cce1c8d81d2601009e41a08d49a9cd1f5c0499b6f460f90a2d054
  SHA512: 488c1590dc859e97290a24dde2f5b4bf6a0992153ba2d92bf168058c33fcd0724b84ba03bb618f9d4cd770d575889f08d6ad03d48df9dd338a75b37956186904
- Filesize: 190B
  MD5: 4f19d9fef634fae3c1c390206d0d9385
  SHA1: e5b912d2523b686a39114495e70567a5e657c5b6
  SHA256: abaa5299eb02abb2a0f0355fe1be28cc194bc60418b70e970921583b77ab765b
  SHA512: d98bca6e94e3fc777d2e1fc6a9bf51596232bd9e7d66bea5f93b7690c35ebe464ac71e87a8ee2620f72e0ad8f3f72e7502a1ceafa29c45d802aeec4ce9114673
- Filesize: 784KB (the submitted sample; hashes match the General section)
  MD5: a57378db4d26609de5f519dd2659ae60
  SHA1: 56f0f96c01ca12792cea6b7ea0814f0f568fe095
  SHA256: cb667550264f5028045377419da9a935006e09b136ebe69a409a520dbf8db587
  SHA512: 6bfa4635da5753f2713c826ade75910bd0d8488915c8b80e5893b52c7c8696538edb5d4a4fba68636b1a92de6d487a184fabafb945ee35eecb6015bf4163cf33