Analysis
max time kernel: 146s
max time network: 146s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 22-07-2024 02:41
Behavioral task: behavioral1
Sample: 40ac7d11ebb91612d8d5c16c05af0a13.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: 40ac7d11ebb91612d8d5c16c05af0a13.exe
Resource: win10v2004-20240709-en
General
Target: 40ac7d11ebb91612d8d5c16c05af0a13.exe
Size: 2.0MB
MD5: 40ac7d11ebb91612d8d5c16c05af0a13
SHA1: 543a6c16f8f058fb6ba029ee3a9c5fde92aaa212
SHA256: 4963827ab4881382f900255fa034f5c5f369cdc11d30863c69a04ed7f6abca5e
SHA512: 223ecc008fe3b9818597c3870ef605674eb96c52f8f140edb1d7c878691ce16c604440be77107c795a2bbb4e1b5c28ba94141e5703d9488c3a06580e38bf953c
SSDEEP: 49152:PbA3HdwWe2aSe6pcUwxE0G+dK7RB7/wWnm1Xl:Pbt2M4cUwxEII7RB0d1Xl
Malware Config
Signatures
DcRat (39 IoCs)
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes (pid, process):
schtasks.exe, PIDs: 2664, 1752, 2072, 2448, 2456, 776, 2680, 2684, 1104, 2824, 1704, 1484, 268, 2884, 1136, 1844, 1568, 1592, 560, 2064, 1072, 2220, 2616, 1304, 496, 1076, 1260, 2948, 1124, 2692, 1500, 1848, 2060, 1744, 1992, 2732, 1736, 1152, 2832
Modifies WinLogon for persistence (2 TTPs, 13 IoCs)
Processes (description, ioc, process):
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\wininit.exe\", \"C:\\Users\\All Users\\Start Menu\\audiodg.exe\"" ComInto.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\wininit.exe\", \"C:\\Users\\All Users\\Start Menu\\audiodg.exe\", \"C:\\Users\\Default User\\ComInto.exe\"" ComInto.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\wininit.exe\", \"C:\\Users\\All Users\\Start Menu\\audiodg.exe\", \"C:\\Users\\Default User\\ComInto.exe\", \"C:\\Windows\\assembly\\GAC_32\\naphlpr\\6.1.0.0__31bf3856ad364e35\\conhost.exe\"" ComInto.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\wininit.exe\", \"C:\\Users\\All Users\\Start Menu\\audiodg.exe\", \"C:\\Users\\Default User\\ComInto.exe\", \"C:\\Windows\\assembly\\GAC_32\\naphlpr\\6.1.0.0__31bf3856ad364e35\\conhost.exe\", \"C:\\Users\\Default\\Local Settings\\lsass.exe\"" ComInto.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\wininit.exe\", \"C:\\Users\\All Users\\Start Menu\\audiodg.exe\", \"C:\\Users\\Default User\\ComInto.exe\", \"C:\\Windows\\assembly\\GAC_32\\naphlpr\\6.1.0.0__31bf3856ad364e35\\conhost.exe\", \"C:\\Users\\Default\\Local Settings\\lsass.exe\", \"C:\\componentCommon\\sppsvc.exe\", \"C:\\Users\\Admin\\Local Settings\\wininit.exe\", \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\conhost.exe\", \"C:\\Windows\\PolicyDefinitions\\ja-JP\\winlogon.exe\"" ComInto.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\wininit.exe\", \"C:\\Users\\All Users\\Start Menu\\audiodg.exe\", \"C:\\Users\\Default User\\ComInto.exe\", \"C:\\Windows\\assembly\\GAC_32\\naphlpr\\6.1.0.0__31bf3856ad364e35\\conhost.exe\", \"C:\\Users\\Default\\Local Settings\\lsass.exe\", \"C:\\componentCommon\\sppsvc.exe\", \"C:\\Users\\Admin\\Local Settings\\wininit.exe\", \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\conhost.exe\", \"C:\\Windows\\PolicyDefinitions\\ja-JP\\winlogon.exe\", \"C:\\Users\\Default\\Links\\taskhost.exe\", \"C:\\componentCommon\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\OSPPSVC.exe\", \"C:\\Program Files\\Windows Media Player\\Media Renderer\\smss.exe\"" ComInto.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\wininit.exe\"" ComInto.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\wininit.exe\", \"C:\\Users\\All Users\\Start Menu\\audiodg.exe\", \"C:\\Users\\Default User\\ComInto.exe\", \"C:\\Windows\\assembly\\GAC_32\\naphlpr\\6.1.0.0__31bf3856ad364e35\\conhost.exe\", \"C:\\Users\\Default\\Local Settings\\lsass.exe\", \"C:\\componentCommon\\sppsvc.exe\"" ComInto.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\wininit.exe\", \"C:\\Users\\All Users\\Start Menu\\audiodg.exe\", \"C:\\Users\\Default User\\ComInto.exe\", \"C:\\Windows\\assembly\\GAC_32\\naphlpr\\6.1.0.0__31bf3856ad364e35\\conhost.exe\", \"C:\\Users\\Default\\Local Settings\\lsass.exe\", \"C:\\componentCommon\\sppsvc.exe\", \"C:\\Users\\Admin\\Local Settings\\wininit.exe\", \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\conhost.exe\", \"C:\\Windows\\PolicyDefinitions\\ja-JP\\winlogon.exe\", \"C:\\Users\\Default\\Links\\taskhost.exe\", \"C:\\componentCommon\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\OSPPSVC.exe\"" ComInto.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\wininit.exe\", \"C:\\Users\\All Users\\Start Menu\\audiodg.exe\", \"C:\\Users\\Default User\\ComInto.exe\", \"C:\\Windows\\assembly\\GAC_32\\naphlpr\\6.1.0.0__31bf3856ad364e35\\conhost.exe\", \"C:\\Users\\Default\\Local Settings\\lsass.exe\", \"C:\\componentCommon\\sppsvc.exe\", \"C:\\Users\\Admin\\Local Settings\\wininit.exe\"" ComInto.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\wininit.exe\", \"C:\\Users\\All Users\\Start Menu\\audiodg.exe\", \"C:\\Users\\Default User\\ComInto.exe\", \"C:\\Windows\\assembly\\GAC_32\\naphlpr\\6.1.0.0__31bf3856ad364e35\\conhost.exe\", \"C:\\Users\\Default\\Local Settings\\lsass.exe\", \"C:\\componentCommon\\sppsvc.exe\", \"C:\\Users\\Admin\\Local Settings\\wininit.exe\", \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\conhost.exe\"" ComInto.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\wininit.exe\", \"C:\\Users\\All Users\\Start Menu\\audiodg.exe\", \"C:\\Users\\Default User\\ComInto.exe\", \"C:\\Windows\\assembly\\GAC_32\\naphlpr\\6.1.0.0__31bf3856ad364e35\\conhost.exe\", \"C:\\Users\\Default\\Local Settings\\lsass.exe\", \"C:\\componentCommon\\sppsvc.exe\", \"C:\\Users\\Admin\\Local Settings\\wininit.exe\", \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\conhost.exe\", \"C:\\Windows\\PolicyDefinitions\\ja-JP\\winlogon.exe\", \"C:\\Users\\Default\\Links\\taskhost.exe\"" ComInto.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\wininit.exe\", \"C:\\Users\\All Users\\Start Menu\\audiodg.exe\", \"C:\\Users\\Default User\\ComInto.exe\", \"C:\\Windows\\assembly\\GAC_32\\naphlpr\\6.1.0.0__31bf3856ad364e35\\conhost.exe\", \"C:\\Users\\Default\\Local Settings\\lsass.exe\", \"C:\\componentCommon\\sppsvc.exe\", \"C:\\Users\\Admin\\Local Settings\\wininit.exe\", \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\conhost.exe\", \"C:\\Windows\\PolicyDefinitions\\ja-JP\\winlogon.exe\", \"C:\\Users\\Default\\Links\\taskhost.exe\", \"C:\\componentCommon\\winlogon.exe\"" ComInto.exe
Process spawned unexpected child process (39 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes (description, pid, pid_target, process):
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; pid_target 2656 in every row; process schtasks.exe
schtasks.exe PIDs: 2680, 1260, 2664, 2692, 2684, 1752, 1484, 1072, 1500, 2948, 268, 1104, 2884, 2072, 2448, 1124, 2064, 1136, 1848, 2732, 2824, 2456, 2220, 1736, 2060, 1844, 2616, 1152, 2832, 1304, 496, 776, 1568, 1704, 1744, 1992, 1592, 560, 1076
Processes (resource, yara_rule):
\componentCommon\ComInto.exe dcrat
behavioral1/memory/2088-13-0x0000000000BB0000-0x0000000000D5C000-memory.dmp dcrat
behavioral1/memory/2548-61-0x0000000000D80000-0x0000000000F2C000-memory.dmp dcrat
Executes dropped EXE (2 IoCs)
Processes (pid, process):
2088 ComInto.exe
2548 wininit.exe
Loads dropped DLL (2 IoCs)
Processes (pid, process):
1404 cmd.exe
1404 cmd.exe
Adds Run key to start application (2 TTPs, 26 IoCs)
Processes (description, ioc, process):
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\wininit.exe\"" ComInto.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\ComInto = "\"C:\\Users\\Default User\\ComInto.exe\"" ComInto.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Admin\\Local Settings\\wininit.exe\"" ComInto.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Media Player\\Media Renderer\\smss.exe\"" ComInto.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\All Users\\Start Menu\\audiodg.exe\"" ComInto.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Default\\Local Settings\\lsass.exe\"" ComInto.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Default\\Links\\taskhost.exe\"" ComInto.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\OSPPSVC.exe\"" ComInto.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\wininit.exe\"" ComInto.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\componentCommon\\sppsvc.exe\"" ComInto.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\componentCommon\\sppsvc.exe\"" ComInto.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\PolicyDefinitions\\ja-JP\\winlogon.exe\"" ComInto.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\componentCommon\\winlogon.exe\"" ComInto.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Media Player\\Media Renderer\\smss.exe\"" ComInto.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ComInto = "\"C:\\Users\\Default User\\ComInto.exe\"" ComInto.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\assembly\\GAC_32\\naphlpr\\6.1.0.0__31bf3856ad364e35\\conhost.exe\"" ComInto.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\assembly\\GAC_32\\naphlpr\\6.1.0.0__31bf3856ad364e35\\conhost.exe\"" ComInto.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Admin\\Local Settings\\wininit.exe\"" ComInto.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\conhost.exe\"" ComInto.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\PolicyDefinitions\\ja-JP\\winlogon.exe\"" ComInto.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\componentCommon\\winlogon.exe\"" ComInto.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\All Users\\Start Menu\\audiodg.exe\"" ComInto.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Default\\Local Settings\\lsass.exe\"" ComInto.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\conhost.exe\"" ComInto.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Default\\Links\\taskhost.exe\"" ComInto.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\OSPPSVC.exe\"" ComInto.exe
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
6 ipinfo.io
7 ipinfo.io
Drops file in Program Files directory (2 IoCs)
Processes (description, ioc, process):
File created C:\Program Files\Windows Media Player\Media Renderer\smss.exe ComInto.exe
File created C:\Program Files\Windows Media Player\Media Renderer\69ddcba757bf72 ComInto.exe
Drops file in Windows directory (4 IoCs)
Processes (description, ioc, process):
File created C:\Windows\assembly\GAC_32\naphlpr\6.1.0.0__31bf3856ad364e35\conhost.exe ComInto.exe
File created C:\Windows\assembly\GAC_32\naphlpr\6.1.0.0__31bf3856ad364e35\088424020bedd6 ComInto.exe
File created C:\Windows\PolicyDefinitions\ja-JP\winlogon.exe ComInto.exe
File created C:\Windows\PolicyDefinitions\ja-JP\cc11b995f2a76d ComInto.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Processes (description, ioc, process):
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 wininit.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob data not present in the report text] wininit.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 39 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process):
schtasks.exe, PIDs: 2884, 2616, 1500, 1104, 1736, 2832, 268, 1848, 2072, 1072, 2732, 2220, 1304, 496, 1744, 1260, 2692, 2448, 2824, 2456, 2060, 776, 1568, 2664, 2684, 1704, 1592, 2948, 1076, 2680, 1484, 1152, 2064, 1844, 1136, 1992, 560, 1752, 1124
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes (pid, process):
2088 ComInto.exe
2548 wininit.exe (listed 9 times)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid, process):
2548 wininit.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
Token: SeDebugPrivilege 2088 ComInto.exe
Token: SeDebugPrivilege 2548 wininit.exe
Suspicious use of WriteProcessMemory (27 IoCs)
Processes (description, pid, process, target process):
PID 2556 wrote to memory of 2292; 2556 40ac7d11ebb91612d8d5c16c05af0a13.exe WScript.exe (4 entries)
PID 2292 wrote to memory of 1404; 2292 WScript.exe cmd.exe (4 entries)
PID 1404 wrote to memory of 2088; 1404 cmd.exe ComInto.exe (4 entries)
PID 2088 wrote to memory of 2136; 2088 ComInto.exe cmd.exe (3 entries)
PID 2136 wrote to memory of 2440; 2136 cmd.exe w32tm.exe (3 entries)
PID 2136 wrote to memory of 2548; 2136 cmd.exe wininit.exe (3 entries)
PID 2548 wrote to memory of 2556; 2548 wininit.exe WScript.exe (3 entries)
PID 2548 wrote to memory of 2148; 2548 wininit.exe WScript.exe (3 entries)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\40ac7d11ebb91612d8d5c16c05af0a13.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\40ac7d11ebb91612d8d5c16c05af0a13.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2556
  C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\componentCommon\TsZJDcKjHujznUYiyXhQefVwV2.vbe"
    - Suspicious use of WriteProcessMemory
    PID: 2292
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\componentCommon\j1nvYpGjbyEFrc.bat" "
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 1404
      C:\componentCommon\ComInto.exe
        Command line: "C:\componentCommon\ComInto.exe"
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2088
        C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gmjwMz7FMV.bat"
          - Suspicious use of WriteProcessMemory
          PID: 2136
          C:\Windows\system32\w32tm.exe
            Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            PID: 2440
          C:\Users\Admin\Local Settings\wininit.exe
            Command line: "C:\Users\Admin\Local Settings\wininit.exe"
            - Executes dropped EXE
            - Modifies system certificate store
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 2548
            C:\Windows\System32\WScript.exe
              Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c51487f-3437-4245-b467-1e6b69ff926d.vbs"
              PID: 2556
            C:\Windows\System32\WScript.exe
              Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d367d19-e695-46d1-831c-52f7dc49389f.vbs"
              PID: 2148
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\wininit.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Start Menu\audiodg.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\audiodg.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\audiodg.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ComIntoC" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\ComInto.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ComInto" /sc ONLOGON /tr "'C:\Users\Default User\ComInto.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ComIntoC" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\ComInto.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\assembly\GAC_32\naphlpr\6.1.0.0__31bf3856ad364e35\conhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_32\naphlpr\6.1.0.0__31bf3856ad364e35\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:268
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\assembly\GAC_32\naphlpr\6.1.0.0__31bf3856ad364e35\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Local Settings\lsass.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Local Settings\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\componentCommon\sppsvc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\componentCommon\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\componentCommon\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Local Settings\wininit.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Local Settings\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\conhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\conhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\PolicyDefinitions\ja-JP\winlogon.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\ja-JP\winlogon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\PolicyDefinitions\ja-JP\winlogon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Links\taskhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Links\taskhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Links\taskhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\componentCommon\winlogon.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:496
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\componentCommon\winlogon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\componentCommon\winlogon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\Media Renderer\smss.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Media Renderer\smss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\Media Renderer\smss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Privilege Escalation
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Downloads
-
Filesize
717B
MD5
7d485ef6fadddd9785eac7bfc3defa63
SHA1
54a9f1db23eb49e846dc25c7a0e14e6a2dc1d666
SHA256
f91c4bf31f14c8b6396bfb2b0d216cea5cb8479a57955ffa9ec32043875f5f45
SHA512
fe65b3f42370df42efa2dfecfbcb431b9cbaf013c148a49693407440f1955ae1bac1c0d7cafa9c698e34de957b74609725d7ff59abaeb1bb8dd8fb7440285cae
-
Filesize
493B
MD5
997a9496842abd3a663c879eec7ba910
SHA1
35773e9b4c9cf1a8127a0382494ba3ee933c953a
SHA256
38ad21df386af0bda426225ac5a800f5f2a5cf905d3f5e6784c47d15a7edf63d
SHA512
d0506e3157d49533b21cd874d7e0048986763d98fdcef72dc48208fc42d983bca7f7fd043e50b2e37ad4a2167757a2e1e6d10e9fd9d9fc54e5688225e698ba83
-
Filesize
206B
MD5
a519014f7c570c368279419a676eeb98
SHA1
08da53bbf7ee157856cde9a0e9923640e75f1029
SHA256
c552c6bea4c9b475f1dbbbdb1dda4350081e271040bcf3be6bd0d5137bc3cae0
SHA512
2fcf11d77623e061c228b5b9072e7771d368e31cd45b74981a621722af15c834770e4ddc8ec83b009cf8e06c8460468f32ac1c43bf0fed268da82b212d3a7cb7
-
Filesize
206B
MD5
e986ea5d4cac976a6de65d3f1ef8b332
SHA1
6465da0abcfac05b8ed1f32b9cca57e2e2f54aea
SHA256
3ad8783bacfea22158df341d1bbedf8f6f0dcc4d9504555b36a756d2fcd83831
SHA512
896934c1a2941a8edfd38b03a858fc589cfb6622ae75019a542638be0c9c4e436aacd0916196dd71442d1a90404afa29d2864c92401222ff5ec2a712d873fa11
-
Filesize
32B
MD5
a0b9b0891c2cae67cd1beae705d09d4f
SHA1
997953188d6226de19faa0ab4e8fdbddf1fb5617
SHA256
13593fab7a2113730fdbe4cbf436dde9a26116cda0bd4a33dff27d5678e9f9fc
SHA512
bdcd0c6a765c3927180706f7b30f2ea0f7cab6f27e512433839ebe3f6cb148923a6733ae954c24fa6eedeca97b8dc01cae945eea07e1121ff74885a69b34f2bb
-
Filesize
1.6MB
MD5
9a0cee5a5ce317b7a70f88bb6aaa49e1
SHA1
95a779063656075a8ddc2f2164393fa59e3c93d9
SHA256
701924dd5d93b99a1e90fcd92f399c4453455e78375125f7a06aca20b84956bc
SHA512
d9c6240b6809c3decbdf4d97aca246f308670097b704b47449c53d8dc121f391d3ec6596f7947c36a01a388eeefe6f9ac9785698cf743f8a89c7cbf7b9da41a4