Analysis
max time kernel: 43s
max time network: 19s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 22-07-2024 22:43
Behavioral task: behavioral1
Sample: ROBLOXFARMER.exe
Resource: win10-20240404-en
General
Target: ROBLOXFARMER.exe
Size: 1.9MB
MD5: 0cdc894447aa85d4b2c744c6825a2e0e
SHA1: a4fcb12fcfaa38c8656964749962c9cdc2b9d82d
SHA256: d89a9ab35a2173a4ec62cc98d54e2ffbff2f0d985386f98a8e11c5dc905bcb83
SHA512: b8be16d455166089c7463ea876bfc293cbb851a86bb0846427c0ad1e70e1e978531031e04064c1287d1aafebf01da32b605d6039ef1f33dc4a48a49ddca7dedd
SSDEEP: 24576:u2G/nvxW3WieCgbyFbFdG74xU/FmYd3y7uQyBOueO9SEU5/UpdnrZ4Ef2w18:ubA3jgCgW+jxy79uz9SEWBCC
Malware Config
Signatures
DcRat 16 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
pid | process
3480 | schtasks.exe
3804 | schtasks.exe
4892 | schtasks.exe
4396 | schtasks.exe
4404 | schtasks.exe
4488 | schtasks.exe
2268 | schtasks.exe
4208 | schtasks.exe
1220 | schtasks.exe
2760 | schtasks.exe
1184 | schtasks.exe
3032 | schtasks.exe
4992 | schtasks.exe
2512 | schtasks.exe
3244 | schtasks.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | ROBLOXFARMER.exe
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4992 | 4528 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4208 | 4528 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4892 | 4528 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3480 | 4528 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1220 | 4528 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2512 | 4528 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2760 | 4528 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1184 | 4528 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4396 | 4528 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4404 | 4528 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4488 | 4528 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3032 | 4528 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3804 | 4528 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2268 | 4528 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3244 | 4528 | schtasks.exe
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | driverdll.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | driverdll.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | driverdll.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sysmon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sysmon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sysmon.exe
Processes:
resource | yara_rule
C:\DriverintoPerfMonitor\driverdll.exe | dcrat
behavioral1/memory/3984-14-0x0000000000620000-0x00000000007C0000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid | process
4956 | powershell.exe
4676 | powershell.exe
4720 | powershell.exe
5068 | powershell.exe
2680 | powershell.exe
4560 | powershell.exe
4108 | powershell.exe
5020 | powershell.exe
4684 | powershell.exe
2452 | powershell.exe
2204 | powershell.exe
2432 | powershell.exe
Disables Task Manager via registry modification
Executes dropped EXE 2 IoCs
Processes:
pid | process
3984 | driverdll.exe
1884 | sysmon.exe
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sysmon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sysmon.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | driverdll.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | driverdll.exe
Drops file in Program Files directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\Windows Defender\Offline\Idle.exe | driverdll.exe
File created | C:\Program Files (x86)\Windows Defender\Offline\6ccacd8608530f | driverdll.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | ROBLOXFARMER.exe
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | driverdll.exe
Modifies registry key 1 TTPs 1 IoCs
Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
3804 | schtasks.exe
4208 | schtasks.exe
1184 | schtasks.exe
4396 | schtasks.exe
4488 | schtasks.exe
4892 | schtasks.exe
1220 | schtasks.exe
4992 | schtasks.exe
2512 | schtasks.exe
2760 | schtasks.exe
3244 | schtasks.exe
3480 | schtasks.exe
4404 | schtasks.exe
3032 | schtasks.exe
2268 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process | entries
3984 | driverdll.exe | 8
4108 | powershell.exe | 4
4684 | powershell.exe | 4
2204 | powershell.exe | 4
2452 | powershell.exe | 4
4560 | powershell.exe | 4
4720 | powershell.exe | 4
5020 | powershell.exe | 4
2680 | powershell.exe | 4
4956 | powershell.exe | 4
5068 | powershell.exe | 4
2432 | powershell.exe | 4
4676 | powershell.exe | 4
1884 | sysmon.exe | 8
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3984 | driverdll.exe
Token: SeDebugPrivilege | 2452 | powershell.exe
Token: SeDebugPrivilege | 4684 | powershell.exe
Token: SeDebugPrivilege | 4108 | powershell.exe
Token: SeDebugPrivilege | 2204 | powershell.exe
Token: SeDebugPrivilege | 4560 | powershell.exe
Token: SeDebugPrivilege | 4720 | powershell.exe
Token: SeDebugPrivilege | 5020 | powershell.exe
Token: SeDebugPrivilege | 2680 | powershell.exe
Token: SeDebugPrivilege | 4956 | powershell.exe
Token: SeDebugPrivilege | 5068 | powershell.exe
Token: SeDebugPrivilege | 2432 | powershell.exe
Token: SeDebugPrivilege | 4676 | powershell.exe
Tokens for 4108 powershell.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Tokens for 2452 powershell.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Tokens for 4720 powershell.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege
Suspicious use of WriteProcessMemory 41 IoCs
Processes:
description | pid | process | target process | entries
PID 1680 wrote to memory of 164 | 1680 | ROBLOXFARMER.exe | WScript.exe | 3
PID 164 wrote to memory of 3532 | 164 | WScript.exe | cmd.exe | 3
PID 3532 wrote to memory of 3984 | 3532 | cmd.exe | driverdll.exe | 2
PID 3984 wrote to memory of 2204 | 3984 | driverdll.exe | powershell.exe | 2
PID 3984 wrote to memory of 2432 | 3984 | driverdll.exe | powershell.exe | 2
PID 3984 wrote to memory of 2452 | 3984 | driverdll.exe | powershell.exe | 2
PID 3984 wrote to memory of 2680 | 3984 | driverdll.exe | powershell.exe | 2
PID 3984 wrote to memory of 4720 | 3984 | driverdll.exe | powershell.exe | 2
PID 3984 wrote to memory of 5068 | 3984 | driverdll.exe | powershell.exe | 2
PID 3984 wrote to memory of 4684 | 3984 | driverdll.exe | powershell.exe | 2
PID 3984 wrote to memory of 5020 | 3984 | driverdll.exe | powershell.exe | 2
PID 3984 wrote to memory of 4676 | 3984 | driverdll.exe | powershell.exe | 2
PID 3984 wrote to memory of 4956 | 3984 | driverdll.exe | powershell.exe | 2
PID 3984 wrote to memory of 4108 | 3984 | driverdll.exe | powershell.exe | 2
PID 3984 wrote to memory of 4560 | 3984 | driverdll.exe | powershell.exe | 2
PID 3984 wrote to memory of 4148 | 3984 | driverdll.exe | cmd.exe | 2
PID 4148 wrote to memory of 1148 | 4148 | cmd.exe | w32tm.exe | 2
PID 3532 wrote to memory of 1840 | 3532 | cmd.exe | reg.exe | 3
PID 4148 wrote to memory of 1884 | 4148 | cmd.exe | sysmon.exe | 2
System policy modification 1 TTPs 6 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | driverdll.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | driverdll.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sysmon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sysmon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sysmon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | driverdll.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1. C:\Users\Admin\AppData\Local\Temp\ROBLOXFARMER.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ROBLOXFARMER.exe"
   PID: 1680
   Signatures: DcRat; Modifies registry class; Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\DriverintoPerfMonitor\rBZTKR2mYRfNEbvt9Nbq33ykB0q3.vbe"
      PID: 164
      Signatures: Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c ""C:\DriverintoPerfMonitor\7tBtpkweNP1.bat" "
         PID: 3532
         Signatures: Suspicious use of WriteProcessMemory
         4. C:\DriverintoPerfMonitor\driverdll.exe
            Command line: "C:\DriverintoPerfMonitor\driverdll.exe"
            PID: 3984
            Signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Drops file in Program Files directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
            5. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
               Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
               PID: 2204
               Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            5. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
               Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
               PID: 2432
               Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            5. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
               Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
               PID: 2452
               Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            5. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
               Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/DriverintoPerfMonitor/'
               PID: 2680
               Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            5. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
               Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
               PID: 4720
               Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            5. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
               Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
               PID: 5068
               Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            5. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
               Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
               PID: 4684
               Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            5. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
               Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
               PID: 5020
               Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            5. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
               Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
               PID: 4676
               Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            5. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
               Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
               PID: 4956
               Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            5. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
               Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
               PID: 4108
               Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            5. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
               Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
               PID: 4560
               Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            5. C:\Windows\System32\cmd.exe
               Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Lxd1LPk0iB.bat"
               PID: 4148
               Signatures: Suspicious use of WriteProcessMemory
               6. C:\Windows\system32\w32tm.exe
                  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  PID: 1148
               6. C:\Users\Admin\sysmon.exe
                  Command line: "C:\Users\Admin\sysmon.exe"
                  PID: 1884
                  Signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses; System policy modification
         4. C:\Windows\SysWOW64\reg.exe
            Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            PID: 1840
            Signatures: Modifies registry key
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\DriverintoPerfMonitor\Idle.exe'" /f
   PID: 4992
   Signatures: DcRat; Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\DriverintoPerfMonitor\Idle.exe'" /rl HIGHEST /f
   PID: 4208
   Signatures: DcRat; Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\DriverintoPerfMonitor\Idle.exe'" /rl HIGHEST /f
   PID: 4892
   Signatures: DcRat; Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Saved Games\dllhost.exe'" /f
   PID: 3480
   Signatures: DcRat; Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\dllhost.exe'" /rl HIGHEST /f
   PID: 1220
   Signatures: DcRat; Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Saved Games\dllhost.exe'" /rl HIGHEST /f
   PID: 2512
   Signatures: DcRat; Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\Offline\Idle.exe'" /f
   PID: 2760
   Signatures: DcRat; Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\Offline\Idle.exe'" /rl HIGHEST /f
   PID: 1184
   Signatures: DcRat; Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\Offline\Idle.exe'" /rl HIGHEST /f
   PID: 4396
   Signatures: DcRat; Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 6 /tr "'C:\DriverintoPerfMonitor\ApplicationFrameHost.exe'" /f
   PID: 4404
   Signatures: DcRat; Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\DriverintoPerfMonitor\ApplicationFrameHost.exe'" /rl HIGHEST /f
   PID: 4488
   Signatures: DcRat; Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 9 /tr "'C:\DriverintoPerfMonitor\ApplicationFrameHost.exe'" /rl HIGHEST /f
   PID: 3032
   Signatures: DcRat; Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\sysmon.exe'" /f
   PID: 3804
   Signatures: DcRat; Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Admin\sysmon.exe'" /rl HIGHEST /f
   PID: 2268
   Signatures: DcRat; Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
1. C:\Windows\system32\schtasks.exe
   Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\sysmon.exe'" /rl HIGHEST /f
   PID: 3244
   Signatures: DcRat; Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
1. C:\Windows\system32\notepad.exe
   Command line: "C:\Windows\system32\notepad.exe"
   PID: 992
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads

Filesize: 152B
MD5: e6cdcd7d35111e728abce425b094d0c3
SHA1: 6aafefc2fc9aac870765642ce3e0c6baaf973a87
SHA256: 0adb99738e12fc866bee55a4ad3aa614fe819fface03af273743e377c41899a5
SHA512: 5d4b93d3aed63d68281406568344c76478a2a98e65c94c1eb7acd3b51715d458651c9c7fc70908c56c90a45e2d0480f78d621ac494655d00bbcae7c63fe8fd7c

Filesize: 1.6MB
MD5: 0bdab38cf92a980d9682c00c384690fb
SHA1: fb9b9bed33eef416f594a9afee0721315295b12d
SHA256: e1d82f52161a36132915a860388b430bb8a1a129140ec03c3cab417593706032
SHA512: 3a793187a4ae93b2a10102893e5095d3a8b48acd33e802c35974aa68a10758db6057a2e623d35c3d9cc07f0c1ff1a72c0bc24b399d5dcb7d496f49db7de69790

Filesize: 209B
MD5: 529296e248ff3230c9b1ced537b7bf5d
SHA1: e5d534cb4125e530f4428b24483ec970e3d7f563
SHA256: 53fdb76d26b6e3e3d9e6438bf42e21f96564cbb316b3addd781e6fd628199779
SHA512: 7a197e20c4af21cfae6b0f628afa2be7d4a9b1acb19d1dab8bc5198f2b514ed5dcbdc54ce8d013a538f1d00c21f9fce93293aebab51fd256dd1ed507824437a7

Filesize: 3KB
MD5: 8592ba100a78835a6b94d5949e13dfc1
SHA1: 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256: fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512: 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Filesize: 1KB
MD5: 0049d3f6418af68942fe70d66df26cc0
SHA1: 77f4aa1ddf54d284d25a109366a2ad49c20ca9cd
SHA256: 668805a11935c70be46aa9a20e37f43ed77b7920a8aaa97f6878889fdb1ffe57
SHA512: 72d2cbd69695a526002defe0daca4f5e1b456976a0baa53ece1afa3091b7364474c3cb0636c23551bff621c069e950f5da26e18d992f3fc92a5993aa7cc7c2b3

Filesize: 1KB
MD5: 127e9623b9a9a064b66f89901266ae4a
SHA1: a6f74bc3306fc0d5eafd7f1e74f827cd0ac88757
SHA256: bcf03f938569c0c4fa25aa0eb80547975b9c73040e2642c6cf93fc7efe1c5d98
SHA512: c49cf11d2131ed0cb379a663e6207ba73fcbfa0c6698262d1eb25ce5804fe73a5b1c80ee2a5d478541c2418d013ba9e685aa243c90b97e5c9db6d66e5944fc66

Filesize: 1KB
MD5: 954472ae77869f2907b924f8e496fa70
SHA1: d27b2e528d53e4f56fdd1542ad5f67cea5a19251
SHA256: b3cb4c4c083c4d605541899fbd41d09f3efb32ff6ae1c980fcb060bda2cb9304
SHA512: 9d7afaad76cdc20117c8fe1da118bc80549d14d53fbfd15ea6d7439e9dce9e35659b397bbd25f846fd2623136f2ed8b6ed65c4ab87fbafc823a179956ed47768

Filesize: 1KB
MD5: f3acd17c5c0e091e64df0fd4294e9fbf
SHA1: 88d8cfb391dd7249ce9f43e7b1027f120bec7c0c
SHA256: 9a08bc360227dd00b57415902dbf35eaf65e0940ae87734775f04513534eca08
SHA512: 69d8f732b04dff27a26e11c4cc8aa4c8c8b38e115efcb9ad8e3b3c5abfd5538498bf6dff1a1e2cf7ca4b09bbd7d4f94cbc0644ddc6d0c839fac2bc06b3aa9862

Filesize: 1KB
MD5: cd61dc8f9f145bb85d2c406fc6c34ded
SHA1: 365987e5acc5d25cd33a12b29f2ad12decaa8330
SHA256: 0647cf7307c472144500797e8f4938aeaf2c78550956445a3b200d13c795ab12
SHA512: 33192f01e00f34fbd2c03a5334ced4791af20a0032d7bb62d7f2221770f64b2312d975a6c6e3406f041ef517592b882e41f02e0c2844547f896cb18c9e47a23c

Filesize: 1KB
MD5: cca714f154d362fe9bf0aac437b9f979
SHA1: 3310322b74a5cff769aff7b0b421c1d688633be1
SHA256: 6c0fde4a1d14c75cbf6cae68617191384d1c9c0f75ca7659b98361b93d17ba70
SHA512: 2c1712c4dd670993f15a24b9ec7e35c78ad1bf95075807977e47d1774ee9887202cb954c84c011c63c6cd3f17fdf1782329b6309bb36424519b3688365652f59

Filesize: 1KB
MD5: 1d5ea3b46362261e127a3b54bebc4f22
SHA1: 99b5e2c60722b40951cffdf24b7630364cdf6475
SHA256: 5de9c52f11d80c46db18c0238415d11a1f088bb1ef9c5942fa02627c72efe117
SHA512: 50f4f0fee0e4966a7d2c3f038ea2985c7cbd9e6a68aca40173b67e89e7f66bc417574b95ad98aca596c9f5146749517b3a3775cbf0013a7959a23139687eed1f

Filesize: 1KB
MD5: 25bb2c187db92c38cfc6333ccc1ad710
SHA1: bb27ee06b75535aa1d7ea44c49cde588c67122b0
SHA256: 0bcc971fa7c59ec061b228ab04f6c37428978b4ad3958fb9e33eb1fa5ae7b1b5
SHA512: f3e07248ad1cb20ad26f0ccf7037460e47e67c408269b0250cb3839a840e5df3069a74062058df56be4e1b55e905a1508df2683f21fbaa29b493898a189f4b00

Filesize: 190B
MD5: 6b692839e7e2e39f71c80bbdbe1dd86d
SHA1: 40d52afdae5500bf275eb5e93ca1e6a10b892ed1
SHA256: 5186abdced10702f2d837a5b90f0ebeb6a6ab50ec362d946e3b3b6ca9910edf7
SHA512: e3ada85f4118e73ff80fcc325452266f1c53bb53bb3dbc5ffda797b0b0e7caf4c4a925f93faeecc27498113232cea2a9681e806da313b21143ae1551cce4222b

Filesize: 1B
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a