Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
22-07-2024 14:34
General
-
Target
SheetRat/Server-cleaned.exe
-
Size
1.3MB
-
MD5
c1862c57cf6b6c302f71ef986950328f
-
SHA1
2b5df84beb75f758e2b50f9d8c1d73cc59bf9936
-
SHA256
f90bcd094d81b324edfa8413b4ae9a6a51a38058520b2572151a91205e9b788f
-
SHA512
de5cd2be9933e317d48b2b8556a260a5427ca88e8653975951d9d6364cebea91e3cc500a724a7d38c314d449c84ba9cb12988f3d2425905e149f1a095f90ef2d
-
SSDEEP
24576:YLysNT+f7momlEkmmsEnE7E7E7EUmemmmmmmIzme4jwnaKEmbToQ2:Y2sNTI7momSkmmtEQQQUmemmmmmmIzm/
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 47 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies registry class 55 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 37 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\SheetRat\Server-cleaned.exe"C:\Users\Admin\AppData\Local\Temp\SheetRat\Server-cleaned.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\Client.exe"C:\Users\Admin\Desktop\Client.exe"1⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Visual Studio Code Host" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Visual Studio Code Host" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Node.js" /tr "C:\Users\Admin\Documents\xdwdPuTTY Update.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo 5 /tn "Node.js" /tr "C:\Users\Admin\Documents\xdwdPuTTY Update.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\Desktop\Client.exe"C:\Users\Admin\Desktop\Client.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\Desktop\Client.exe"C:\Users\Admin\Desktop\Client.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\Desktop\Client.exe"C:\Users\Admin\Desktop\Client.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Google Drive" /tr "C:\Users\Public\Documents\xdwdAvast Antivirus Upgrade.exe" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\StartRename.bat" "1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1AppInit DLLs
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1AppInit DLLs
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD514393eb908e072fa3164597414bb0a75
SHA15e04e084ec44a0b29196d0c21213201240f11ba0
SHA25659b9d95ae42e35525fc63f93168fe304409463ee070a3cf21a427a2833564b80
SHA512f5fc3d9e98cca1fbbbe026707086a71f801016348d2355541d630879ad51a850f49eb4a5f7a94e12a844d7a7108d69fa6d762ee19f4805d6aafef16259b4330b
-
Filesize
871B
MD5386677f585908a33791517dfc2317f88
SHA12e6853b4560a9ac8a74cdd5c3124a777bc0d874e
SHA2567caf8779608c167ab6fa570df00c973aff6dee850bb63439770889a68c7cdae0
SHA512876d2269e25a4b2754bdf2c7e3c410050f885d7e6bd8abce41c5fc74ae1f8c549b2266dd1588c750f614063f36c8a8e5008cea610505897d04e4ef5c3adc52d9
-
Filesize
1KB
MD53e83308de9805817d7c747a0773199ab
SHA113bd5f4085f08bdadb67ad22bba2b4d62895d533
SHA256dae07fa593aaa1d8638c277d2e4c936986480528e5fb24bdfbf31971df19b81e
SHA51273643a5f42f2208bc2663b20b5b49aa74c328736c0ac395774d7aa72bad6d760e997c17f5c7d479e611c5ec0c23cb7b74415f9c95fca0973ef3c84c176bdb0f4
-
Filesize
797B
MD51dc25fcc9d2526c8def3bf40c1bfaf69
SHA18ea5d1e6b4f6aba87727fa313d40740071d46bce
SHA25662f5c0be8ea24233cf5660b2d1a0d1f0e7319415f5caf14e7ae84e3c9e2632c4
SHA512845b5f4eeb05d5bb57fd94fdac623d2a3b3ef9365ad4c712667f09912c21ed4d4ef242021124cef40a29fd4ecfb851e8668be854b78dae284a32ecb7e255c970
-
Filesize
1KB
MD57cf968e0ae06a462ba72a5d7d1fdc88a
SHA195dc2fe0f93f3952e808ca85a2e76b35e06b3878
SHA25687ca18aad1637b36c6e5aaa982110681d1c81e897667b9a38003f3c1052d289f
SHA51249e362871abd1ea9f0ffaaa764b479ed7efaf5e179d87e8f070d0cdebc7bce26f558b1bbe649d837f39d343cb0c4fc6a67cb313f19e4e06c03f4f7f43ad12fd9
-
Filesize
920B
MD5db822f44e045c6bce441574f8e8614e6
SHA1e74eb4fc67ddacbf01d66c82a776a04bffc13004
SHA2564984544e2fa632fc296eac6050f8ba3e2f60e585d6be6ef08b49d2bce47a51a5
SHA51280790a1c19b764d07243db826cbf38b224e40cf6be66984141f8d436c5f8be6af2a4be2db81eb2834cc9beb15313474c0f64d694603e1fc6287767b997adc922
-
Filesize
469KB
MD5353dc319756b4b9055570540565fee3a
SHA1a33bc6683e7c7f7c872fe2cf7954770ec53d6358
SHA25627c58d8ba3f12e38f036440381568c73339e0a01037e1cff5271373e5a8224d9
SHA5128ccb58583bf102aa59f86eb2649874897f0228599c966b21fb086218bdb213cd641d57c7663dcaf833a70cc75d4154565b6f825d09d5010279d65617adae293d
-
Filesize
136KB
MD516e5a492c9c6ae34c59683be9c51fa31
SHA197031b41f5c56f371c28ae0d62a2df7d585adaba
SHA25635c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66
SHA51220fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6
-
Filesize
712KB
-
Filesize
7.7MB
-
Filesize
2.9MB
-
Filesize
176KB
-
Filesize
3.3MB
-
Filesize
136KB
-
Filesize
680KB
-
Filesize
1.3MB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
2.3MB
-
Filesize
584KB
-
Filesize
240KB
-
Filesize
132KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
1.1MB
-
Filesize
104KB
-
Filesize
7.7MB
-
Filesize
368KB
-
Filesize
1.3MB
-
Filesize
5.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
496KB