Analysis
- max time kernel: 143s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-07-2024 13:01
Behavioral tasks
- behavioral1: Sample 3a7eb05a575ea6c0ebd97a42d6a77e66.exe, Resource win7-20240704-en
- behavioral2: Sample 3a7eb05a575ea6c0ebd97a42d6a77e66.exe, Resource win10v2004-20240709-en
General
- Target: 3a7eb05a575ea6c0ebd97a42d6a77e66.exe
- Size: 2.5MB
- MD5: 3a7eb05a575ea6c0ebd97a42d6a77e66
- SHA1: 71e362bd1e833c7192c0f93d219f9727f1c98297
- SHA256: 25228b9b7646e3a44d0c0458b2d9f4dde89cb36ca52f69ae317edad02678678c
- SHA512: 0e4e9cc7d86949b349722e3e41d6e1686f8f55d44e98f93ff5f42f05a798c8300be75ff19ea0c369800c2cbc0fb4190a7138cbac5250ea812b11d185100403f6
- SSDEEP: 49152:dLajZyQosaw6JjUh94mLijLGroai47lLOBTh8YLX/tG6wY0F6SqcCN39XD:cZyQoK2j1mLijicSLeLPeYTNx
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: 51 instances of schtasks.exe, each spawned by parent C:\Windows\system32\wbem\wmiprvse.exe (PID 3784), which is not expected to spawn this process. Child PIDs: 3656, 3560, 1132, 1524, 3020, 2544, 4620, 1460, 1748, 2776, 2492, 4868, 60, 2604, 4792, 4932, 4180, 3024, 4516, 2684, 3808, 4720, 224, 1080, 4760, 4332, 1216, 5092, 3824, 3896, 1468, 1236, 1632, 1008, 2504, 4524, 4188, 3972, 2628, 3280, 4432, 1456, 2540, 3496, 2844, 2916, 2964, 1196, 2008, 3384, 1540.
-
UAC bypass
Processes: SppExtComObj.exe, SppExtComObj.exe, 3a7eb05a575ea6c0ebd97a42d6a77e66.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (SppExtComObj.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (SppExtComObj.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (SppExtComObj.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (3a7eb05a575ea6c0ebd97a42d6a77e66.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (SppExtComObj.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (SppExtComObj.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (SppExtComObj.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (3a7eb05a575ea6c0ebd97a42d6a77e66.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (3a7eb05a575ea6c0ebd97a42d6a77e66.exe)
-
Processes (yara_rule matches):
- resource behavioral2/memory/4212-1-0x0000000000310000-0x0000000000590000-memory.dmp: yara_rule dcrat
- resource C:\Program Files (x86)\Windows NT\csrss.exe: yara_rule dcrat
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 3a7eb05a575ea6c0ebd97a42d6a77e66.exe, SppExtComObj.exe
- Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation (3a7eb05a575ea6c0ebd97a42d6a77e66.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation (SppExtComObj.exe)
-
Executes dropped EXE 2 IoCs
Processes:
- PID 720: SppExtComObj.exe
- PID 4348: SppExtComObj.exe
-
Checks whether UAC is enabled
Processes: 3a7eb05a575ea6c0ebd97a42d6a77e66.exe, SppExtComObj.exe, SppExtComObj.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (3a7eb05a575ea6c0ebd97a42d6a77e66.exe)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (SppExtComObj.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (SppExtComObj.exe)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (SppExtComObj.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (SppExtComObj.exe)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (3a7eb05a575ea6c0ebd97a42d6a77e66.exe)
-
Drops file in Program Files directory 18 IoCs
Processes: 3a7eb05a575ea6c0ebd97a42d6a77e66.exe (all entries)
- File created C:\Program Files (x86)\WindowsPowerShell\e1ef82546f0b02
- File created C:\Program Files (x86)\Windows NT\886983d96e3d3e
- File created C:\Program Files (x86)\Windows Portable Devices\csrss.exe
- File opened for modification C:\Program Files\Windows Portable Devices\RuntimeBroker.exe
- File created C:\Program Files\Windows Portable Devices\RuntimeBroker.exe
- File created C:\Program Files (x86)\Adobe\5b884080fd4f94
- File created C:\Program Files\Microsoft Office\Office16\winlogon.exe
- File created C:\Program Files\Uninstall Information\121e5b5079f7c0
- File opened for modification C:\Program Files\Windows Portable Devices\9e8d7a4ca61bd9
- File created C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe
- File created C:\Program Files (x86)\Windows NT\csrss.exe
- File created C:\Program Files (x86)\Adobe\fontdrvhost.exe
- File created C:\Program Files\Microsoft Office\Office16\cc11b995f2a76d
- File created C:\Program Files\Windows Portable Devices\Idle.exe
- File created C:\Program Files\Windows Portable Devices\9e8d7a4ca61bd9
- File created C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e
- File created C:\Program Files\Windows Portable Devices\6ccacd8608530f
- File created C:\Program Files\Uninstall Information\sysmon.exe
-
Drops file in Windows directory 2 IoCs
Processes: 3a7eb05a575ea6c0ebd97a42d6a77e66.exe
- File created C:\Windows\Prefetch\ReadyBoot\sysmon.exe
- File created C:\Windows\Prefetch\ReadyBoot\121e5b5079f7c0
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes: SppExtComObj.exe
- Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings (SppExtComObj.exe)
-
Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: 51 instances of schtasks.exe, PIDs 1216, 1468, 2544, 4180, 1632, 2844, 3656, 1132, 4524, 2964, 1456, 1524, 2492, 3024, 4516, 3972, 3896, 1236, 2916, 2008, 1540, 1460, 3808, 1080, 3560, 4792, 5092, 3496, 1196, 3020, 4932, 4332, 4760, 3824, 4868, 60, 2604, 2684, 1008, 4432, 3280, 2776, 2540, 4620, 224, 3384, 1748, 4188, 2628, 4720, 2504.
-
Suspicious behavior: EnumeratesProcesses 49 IoCs
Processes (49 repeated entries across three processes): 3a7eb05a575ea6c0ebd97a42d6a77e66.exe (PID 4212), SppExtComObj.exe (PID 720), SppExtComObj.exe (PID 4348).
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: 3a7eb05a575ea6c0ebd97a42d6a77e66.exe, SppExtComObj.exe, SppExtComObj.exe
- Token: SeDebugPrivilege, PID 4212 (3a7eb05a575ea6c0ebd97a42d6a77e66.exe)
- Token: SeDebugPrivilege, PID 720 (SppExtComObj.exe)
- Token: SeDebugPrivilege, PID 4348 (SppExtComObj.exe)
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes: 3a7eb05a575ea6c0ebd97a42d6a77e66.exe, SppExtComObj.exe, WScript.exe
- PID 4212 wrote to memory of 720 (3a7eb05a575ea6c0ebd97a42d6a77e66.exe -> SppExtComObj.exe)
- PID 4212 wrote to memory of 720 (3a7eb05a575ea6c0ebd97a42d6a77e66.exe -> SppExtComObj.exe)
- PID 720 wrote to memory of 2728 (SppExtComObj.exe -> WScript.exe)
- PID 720 wrote to memory of 2728 (SppExtComObj.exe -> WScript.exe)
- PID 720 wrote to memory of 4116 (SppExtComObj.exe -> WScript.exe)
- PID 720 wrote to memory of 4116 (SppExtComObj.exe -> WScript.exe)
- PID 2728 wrote to memory of 4348 (WScript.exe -> SppExtComObj.exe)
- PID 2728 wrote to memory of 4348 (WScript.exe -> SppExtComObj.exe)
-
System policy modification 1 TTPs 9 IoCs
Processes: SppExtComObj.exe, SppExtComObj.exe, 3a7eb05a575ea6c0ebd97a42d6a77e66.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (SppExtComObj.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (SppExtComObj.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (SppExtComObj.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (SppExtComObj.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (3a7eb05a575ea6c0ebd97a42d6a77e66.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (3a7eb05a575ea6c0ebd97a42d6a77e66.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (3a7eb05a575ea6c0ebd97a42d6a77e66.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (SppExtComObj.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (SppExtComObj.exe)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe (PID 4212)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe"
  - UAC bypass
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

  [depth 2] C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe (PID 720)
    Command line: "C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe"
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    [depth 3] C:\Windows\System32\WScript.exe (PID 2728)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00c8b267-5832-4e35-8bf1-0787c5b4d6ea.vbs"
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe (PID 4348)
        Command line: "C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe"
        - UAC bypass
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - System policy modification

    [depth 3] C:\Windows\System32\WScript.exe (PID 4116)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36e040ab-fbe7-4e52-a301-4a7490819e7f.vbs"
[depth 1] C:\Windows\system32\schtasks.exe, 51 instances. Each one carries the signatures "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task". Command line by PID:
- PID 3656: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
- PID 3560: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
- PID 1132: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
- PID 1524: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
- PID 3020: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
- PID 2544: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
- PID 4620: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe'" /f
- PID 1460: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe'" /rl HIGHEST /f
- PID 1748: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe'" /rl HIGHEST /f
- PID 2776: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /f
- PID 2492: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
- PID 4868: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
- PID 60: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\csrss.exe'" /f
- PID 2604: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\csrss.exe'" /rl HIGHEST /f
- PID 4792: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\csrss.exe'" /rl HIGHEST /f
- PID 4932: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\fontdrvhost.exe'" /f
- PID 4180: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\fontdrvhost.exe'" /rl HIGHEST /f
- PID 3024: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\fontdrvhost.exe'" /rl HIGHEST /f
- PID 4516: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
- PID 2684: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
- PID 3808: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
- PID 4720: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
- PID 224: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
- PID 1080: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
- PID 4760: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
- PID 4332: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
- PID 1216: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
- PID 5092: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
- PID 3824: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
- PID 3896: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
- PID 1468: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
- PID 1236: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
- PID 1632: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
- PID 1008: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office16\winlogon.exe'" /f
- PID 2504: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\winlogon.exe'" /rl HIGHEST /f
- PID 4524: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Office16\winlogon.exe'" /rl HIGHEST /f
- PID 4188: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /f
- PID 3972: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
- PID 2628: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
- PID 3280: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\sysmon.exe'" /f
- PID 4432: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\sysmon.exe'" /rl HIGHEST /f
- PID 1456: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\sysmon.exe'" /rl HIGHEST /f
- PID 2540: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /f
- PID 3496: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
- PID 2844: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
- PID 2916: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Windows\Prefetch\ReadyBoot\sysmon.exe'" /f
- PID 2964: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\sysmon.exe'" /rl HIGHEST /f
- PID 1196: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Windows\Prefetch\ReadyBoot\sysmon.exe'" /rl HIGHEST /f
- PID 2008: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\dllhost.exe'" /f
- PID 3384: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\dllhost.exe'" /rl HIGHEST /f
- PID 1540: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\dllhost.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)