Analysis
-
max time kernel
150s -
max time network
157s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system -
submitted
22-07-2024 18:41
Behavioral task
behavioral1
Sample
RustUpdater.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
RustUpdater.exe
Resource
win10v2004-20240709-en
General
-
Target
RustUpdater.exe
-
Size
2.3MB
-
MD5
50d955b49b2a8878cdd683365c83e183
-
SHA1
9ce5bc5c6d2d71eacdd88fbdd478dd241bb96244
-
SHA256
528a09f9d227d34e3ca3ada3286fbf3a651fd651d1028c981f5754f3dfa15d78
-
SHA512
6ddb253922211164c8a236e733fa80c596fc68e6a9b3cc79f4d0e60fc7b7c01978633dd84151ca85773a0c906d8e288a34ba5d017fef4e50b094a9d808033fb2
-
SSDEEP
49152:HYcIk1q0oClfViBnxZgY4PVOZovFNf5qcusO4Dmu657stUQ+h:HY1k1boAfVizZLoRvgcgQmubkh
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description (identical for all 24 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid   pid_target  process
3000  2524        schtasks.exe
2976  2524        schtasks.exe
2988  2524        schtasks.exe
1912  2524        schtasks.exe
560   2524        schtasks.exe
1140  2524        schtasks.exe
1460  2524        schtasks.exe
1840  2524        schtasks.exe
2040  2524        schtasks.exe
2056  2524        schtasks.exe
1440  2524        schtasks.exe
1640  2524        schtasks.exe
1784  2524        schtasks.exe
524   2524        schtasks.exe
1888  2524        schtasks.exe
2844  2524        schtasks.exe
2784  2524        schtasks.exe
2080  2524        schtasks.exe
2368  2524        schtasks.exe
2272  2524        schtasks.exe
2624  2524        schtasks.exe
2028  2524        schtasks.exe
320   2524        schtasks.exe
592   2524        schtasks.exe
-
Processes:
resource                                                                      yara_rule
C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe           dcrat
behavioral1/memory/2224-15-0x0000000000950000-0x0000000000A5A000-memory.dmp   dcrat
behavioral1/memory/1728-44-0x0000000000FE0000-0x00000000010EA000-memory.dmp   dcrat
behavioral1/memory/2236-108-0x00000000010D0000-0x00000000011DA000-memory.dmp  dcrat
behavioral1/memory/1448-120-0x0000000000160000-0x000000000026A000-memory.dmp  dcrat
behavioral1/memory/2576-132-0x0000000001080000-0x000000000118A000-memory.dmp  dcrat
behavioral1/memory/2972-155-0x00000000013B0000-0x00000000014BA000-memory.dmp  dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
pid   process
2288  powershell.exe
844   powershell.exe
2020  powershell.exe
1844  powershell.exe
1764  powershell.exe
1220  powershell.exe
936   powershell.exe
1804  powershell.exe
704   powershell.exe
1476  powershell.exe
1060  powershell.exe
1456  powershell.exe
-
Executes dropped EXE 10 IoCs
Processes:
pid   process
2224  componentdriver.exe
1728  WmiPrvSE.exe
3012  WmiPrvSE.exe
2236  WmiPrvSE.exe
1448  WmiPrvSE.exe
2576  WmiPrvSE.exe
580   WmiPrvSE.exe
2972  WmiPrvSE.exe
1780  WmiPrvSE.exe
2928  WmiPrvSE.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid   process
2684  cmd.exe
2684  cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
Processes:
flow  ioc
4     pastebin.com
5     pastebin.com
12    pastebin.com
18    pastebin.com
8     pastebin.com
10    pastebin.com
14    pastebin.com
16    pastebin.com
20    pastebin.com
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid   process
2120  RustUpdater.exe
-
Drops file in Program Files directory 6 IoCs
Processes:
description   ioc                                                          process
File created  C:\Program Files\VideoLAN\886983d96e3d3e                     componentdriver.exe
File created  C:\Program Files\Windows Journal\de-DE\audiodg.exe           componentdriver.exe
File created  C:\Program Files\Windows Journal\de-DE\42af1c969fbb7b        componentdriver.exe
File created  C:\Program Files\Windows NT\TableTextService\Idle.exe        componentdriver.exe
File created  C:\Program Files\Windows NT\TableTextService\6ccacd8608530f  componentdriver.exe
File created  C:\Program Files\VideoLAN\csrss.exe                          componentdriver.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid   process
2844  schtasks.exe
592   schtasks.exe
2976  schtasks.exe
2040  schtasks.exe
1440  schtasks.exe
1784  schtasks.exe
1460  schtasks.exe
1640  schtasks.exe
524   schtasks.exe
2080  schtasks.exe
3000  schtasks.exe
2988  schtasks.exe
1912  schtasks.exe
560   schtasks.exe
2624  schtasks.exe
2028  schtasks.exe
320   schtasks.exe
1140  schtasks.exe
1840  schtasks.exe
2272  schtasks.exe
2056  schtasks.exe
1888  schtasks.exe
2784  schtasks.exe
2368  schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process              entries (identical rows collapsed; 64 in total)
2224  componentdriver.exe  13
1764  powershell.exe       1
1456  powershell.exe       1
1476  powershell.exe       1
2288  powershell.exe       1
704   powershell.exe       1
2020  powershell.exe       1
1804  powershell.exe       1
1220  powershell.exe       1
1060  powershell.exe       1
844   powershell.exe       1
1844  powershell.exe       1
936   powershell.exe       1
1728  WmiPrvSE.exe         39
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  2224  componentdriver.exe
Token: SeDebugPrivilege  1764  powershell.exe
Token: SeDebugPrivilege  1456  powershell.exe
Token: SeDebugPrivilege  1476  powershell.exe
Token: SeDebugPrivilege  2288  powershell.exe
Token: SeDebugPrivilege  704   powershell.exe
Token: SeDebugPrivilege  2020  powershell.exe
Token: SeDebugPrivilege  1804  powershell.exe
Token: SeDebugPrivilege  1220  powershell.exe
Token: SeDebugPrivilege  1060  powershell.exe
Token: SeDebugPrivilege  844   powershell.exe
Token: SeDebugPrivilege  1844  powershell.exe
Token: SeDebugPrivilege  936   powershell.exe
Token: SeDebugPrivilege  1728  WmiPrvSE.exe
Token: SeDebugPrivilege  2236  WmiPrvSE.exe
Token: SeDebugPrivilege  1448  WmiPrvSE.exe
Token: SeDebugPrivilege  2576  WmiPrvSE.exe
Token: SeDebugPrivilege  580   WmiPrvSE.exe
Token: SeDebugPrivilege  2972  WmiPrvSE.exe
Token: SeDebugPrivilege  1780  WmiPrvSE.exe
Token: SeDebugPrivilege  2928  WmiPrvSE.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid   process
2120  RustUpdater.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Each row reads "PID <pid> wrote to memory of <target pid>"; identical rows are collapsed with their count (64 in total).
pid   target pid  process              target process       entries
2120  2200        RustUpdater.exe      WScript.exe          4
2200  2684        WScript.exe          cmd.exe              4
2684  2224        cmd.exe              componentdriver.exe  4
2224  936         componentdriver.exe  powershell.exe       3
2224  1804        componentdriver.exe  powershell.exe       3
2224  704         componentdriver.exe  powershell.exe       3
2224  1220        componentdriver.exe  powershell.exe       3
2224  2288        componentdriver.exe  powershell.exe       3
2224  1844        componentdriver.exe  powershell.exe       3
2224  1476        componentdriver.exe  powershell.exe       3
2224  844         componentdriver.exe  powershell.exe       3
2224  1764        componentdriver.exe  powershell.exe       3
2224  1060        componentdriver.exe  powershell.exe       3
2224  1456        componentdriver.exe  powershell.exe       3
2224  2020        componentdriver.exe  powershell.exe       3
2224  1728        componentdriver.exe  WmiPrvSE.exe         3
1728  1128        WmiPrvSE.exe         WScript.exe          3
1728  1020        WmiPrvSE.exe         WScript.exe          3
1128  3012        WScript.exe          WmiPrvSE.exe         3
2784  2236        WScript.exe          WmiPrvSE.exe         3
2236  2380        WmiPrvSE.exe         WScript.exe          1
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry gives the image path, the command line, the signatures that fired, and the PID; the number in brackets is the depth in the process tree.

[1] C:\Users\Admin\AppData\Local\Temp\RustUpdater.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\RustUpdater.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2120
  [2] C:\Windows\SysWOW64\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\agentruntimeperf\vgGiWu1V4QvpHl7.vbe"
    - Suspicious use of WriteProcessMemory
    PID: 2200
    [3] C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Users\Admin\AppData\Roaming\agentruntimeperf\Dq65rEdkW9pnD0L6fJOs9W.bat" "
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 2684
      [4] C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe
        command line: "C:\Users\Admin\AppData\Roaming\agentruntimeperf\componentdriver.exe"
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2224
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 936
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1804
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 704
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1220
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2288
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1844
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1476
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 844
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1764
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1060
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1456
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2020
        [5] C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
          command line: "C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 1728
          [6] C:\Windows\System32\WScript.exe
            command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f56115f-ce3a-49cf-96d4-9426d4747b4d.vbs"
            - Suspicious use of WriteProcessMemory
            PID: 1128
            [7] C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
              command line: C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
              - Executes dropped EXE
              PID: 3012
              [8] C:\Windows\System32\WScript.exe
                command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2272794-943d-4c7a-83dc-6444fe2ad2c5.vbs"
                - Suspicious use of WriteProcessMemory
                PID: 2784
                [9] C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
                  command line: C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
                  - Executes dropped EXE
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  PID: 2236
                  [10] C:\Windows\System32\WScript.exe
                    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f8fd66b-2d9d-4903-a017-ad07949edca8.vbs"
                    PID: 2380
                    [11] C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
                      command line: C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
                      - Executes dropped EXE
                      - Suspicious use of AdjustPrivilegeToken
                      PID: 1448
                      [12] C:\Windows\System32\WScript.exe
                        command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91dab18d-5f61-4f74-b29d-ec1aaaba0669.vbs"
                        PID: 1308
                        [13] C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
                          command line: C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
                          - Executes dropped EXE
                          - Suspicious use of AdjustPrivilegeToken
                          PID: 2576
                          [14] C:\Windows\System32\WScript.exe
                            command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c12ceac-15b7-486c-8413-b4c83a9f62d3.vbs"
                            PID: 936
                            [15] C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
                              command line: C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
                              - Executes dropped EXE
                              - Suspicious use of AdjustPrivilegeToken
                              PID: 580
                              [16] C:\Windows\System32\WScript.exe
                                command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d44d7382-56d4-417b-bdb7-bc6953367a24.vbs"
                                PID: 1380
                                [17] C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
                                  command line: C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
                                  - Executes dropped EXE
                                  - Suspicious use of AdjustPrivilegeToken
                                  PID: 2972
                                  [18] C:\Windows\System32\WScript.exe
                                    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b3d5d39-1590-4997-b779-71857d6230ec.vbs"
                                    PID: 1372
                                    [19] C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
                                      command line: C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
                                      - Executes dropped EXE
                                      - Suspicious use of AdjustPrivilegeToken
                                      PID: 1780
                                      [20] C:\Windows\System32\WScript.exe
                                        command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c0719aa-1de7-45f8-9711-78d60cff2e8d.vbs"
                                        PID: 2960
                                        [21] C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
                                          command line: C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe
                                          - Executes dropped EXE
                                          - Suspicious use of AdjustPrivilegeToken
                                          PID: 2928
                                          [22] C:\Windows\System32\WScript.exe
                                            command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\674d2b82-bb28-48a1-9828-ad3ef457ba31.vbs"
                                            PID: 2552
                                          [22] C:\Windows\System32\WScript.exe
                                            command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbf51341-2ddc-48f5-88cf-940b30e4dbc2.vbs"
                                            PID: 320
                                      [20] C:\Windows\System32\WScript.exe
                                        command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1146f048-5f6f-49e0-a8db-71131ae7e874.vbs"
                                        PID: 768
                                  [18] C:\Windows\System32\WScript.exe
                                    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be350d3f-f96c-409a-ab9f-c44436e1ec9d.vbs"
                                    PID: 2964
                              [16] C:\Windows\System32\WScript.exe
                                command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a1f0fe6-9609-4a0a-abde-ccf405df4d4d.vbs"
                                PID: 560
                          [14] C:\Windows\System32\WScript.exe
                            command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a09c97be-d4e8-4e99-8092-826d407dbeaa.vbs"
                            PID: 2808
                      [12] C:\Windows\System32\WScript.exe
                        command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ec9501b-fa7e-4b95-8345-f47d1b7926fe.vbs"
                        PID: 2200
                  [10] C:\Windows\System32\WScript.exe
                    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fb04e69-6569-494c-84fb-04c8ec21d6f2.vbs"
                    PID: 2220
              [8] C:\Windows\System32\WScript.exe
                command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54a7ae00-5997-4939-8367-a728442dbde3.vbs"
                PID: 1952
          [6] C:\Windows\System32\WScript.exe
            command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bce03413-b6dd-4ae3-9a6c-69b16ec75c78.vbs"
            PID: 1020

[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "componentdriverc" /sc MINUTE /mo 9 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\componentdriver.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3000
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "componentdriver" /sc ONLOGON /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\componentdriver.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2976
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "componentdriverc" /sc MINUTE /mo 11 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\componentdriver.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2988
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1912
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 560
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1140
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Journal\de-DE\audiodg.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1460
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\de-DE\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1840
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\de-DE\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2040
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\Idle.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2056
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1440
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1640
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\conhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1784
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 524
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1888
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\Idle.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2844
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2784
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\TableTextService\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2080
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Recorded TV\Sample Media\csrss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2368
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2272
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Recorded TV\Sample Media\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2624
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\csrss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2028
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 320
[1] C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 592
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 737B
MD5 47cf841788510b1f8ed743b5f8e5ab48
SHA1 6b8533afb27d9540e4cd6d101f2246a453c07dad
SHA256 97e3b0c2033a03ca223cd798cc5b71ba4e878de737ad4f8d29e1f98c0858cf4d
SHA512 0db850e3c6736dea0c6fd315928b8705e1a85030e1c95cd6afff6a710d582da5b3bdddfed4775f9715d3219d2c0ad282a36d9aac972b75c589ac33b927a8d266
-
Filesize 737B
MD5 de691c8b44752ce738aeeedebbaa260e
SHA1 9579da9ae1814d64f9043fd8fcd51321615372fd
SHA256 883a7214ef6bcc1627cc88a01d606d6695c1e0af957c4d85fa341ffdc7bc2957
SHA512 2201abd28c099780067a622ddd3f7c794a898f0a163730a5cdd41e571f6688bfd4af67ce725538a431589141e9235efd263e30cf5ed0689f4f92a60aca25704d
-
Filesize 737B
MD5 fc61d564f4b377c91e97f1bc6b53aaf5
SHA1 dc02b1691cebf73b55e284bf9691a7b877598c43
SHA256 74128f19c5d027ca0c29601345bc605c59373128e54fa7f00a022382a4a49b17
SHA512 f8f96600c9f4dd90ecbdc29cd7d3095ce2a34df40517cef9bf846cad1a19d8f61fe9cd36e56d5f0885e3381f01fc74fe626d63232e3b0b4b978e765ad35d49ae
-
Filesize 737B
MD5 c96473a2ea30cba35f095c63fc1d1334
SHA1 590a00c9d74f8a1303cb9273f613a1a11385acc0
SHA256 1e5ae4e3c23396abf96766f577442237f599fb77618a7870b2e978809eda2e71
SHA512 34d667fa3fa13bfc0fe335d9b35b4efc6b90ab73761d48acc42880f07e7013a126d2627af93147302079ad5d517abdc2386ca61340cd0f4ec1e1eb8f562f9c32
-
Filesize 737B
MD5 e6dcc86cc0253ef69ffed2ef374c2e7c
SHA1 579905f2271139d74a7fb78a6a7dbdbb78842f35
SHA256 903aabab0a6c3f8bfd274e55ddbf61b8006685f454faaefc17377c603331d7df
SHA512 7dc607088fb7d051848618527df2335667da5586def92d3175097305fc0b519be658999adf7896e86b0877fb452598e11e6a292d4c924a9793f115f9067245d4
-
Filesize 737B
MD5 c0c93a87229dc495b8934d866b9eda58
SHA1 4c02bcfe02973b876e80fe28728be0885babcd61
SHA256 4fa9d4fbefcbacc9022861a0a6ec669ec1a43a7184cc358692fb49c1575ff7ed
SHA512 706d6a6c621cee732becf76e15afd3081ab8d09bebdf6429e24296241fd840267da9c4efef7c40b007c270de914d8ffe435d13084aa2e91ac4f59e8d0cf54054
-
Filesize 737B
MD5 c9feda25bc37c97ad5fa8ed0950354ad
SHA1 80be72d6ece74c4098b2d182d0da24a83b81eef7
SHA256 e80115a4dbeccc533a20e1acd0cc8358cacce35308c458f813ed86a1d8464b02
SHA512 96c4c0c4897ef6a104e8af325281b658fd6f1388dd35a5fdecef9319964d727582153199e459f736392664cdee8378f22a9e8e937ee7d2b7adc3f062bed60489
-
Filesize 513B
MD5 005d2b2b236c5cc4c1cbe808da565f60
SHA1 b0d99c72d1d7c6385d9670abc005f9c84e4485d3
SHA256 13c0ec6dd8ab27216a078bcf2c8c618315e52058ab55fe4783e367602a7fa8b7
SHA512 46cdf35f8d8d05b4ecabf0de5a55446047269648b6fbc16b8ea46a1ccc07ba1df88ff2f512342668eb47564570f70de7c13b6d90b6e0feeb6a8b3f0b9f9e3225
-
Filesize 736B
MD5 7e9c6a7326f699fd671e274d56209b8d
SHA1 5071f0c88ec24fd80871b8e26d2295bffc3f10c7
SHA256 0fa5981bf91e15eca9dfa8346ef3a80751c09f309dadf691cb63ce9484eef681
SHA512 7a8eb5bb282afdaf19c9c2574eb135de123ec8e33d4d2f53016c75b3e24a2ce57cfb76d453f056c3427d97ff8c365b91e4244d0a89c3ca86dcef0439eb59a04d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 793dfb09b26e41d5bee79e137e250e17
SHA1 f4bda56f65601e2ecdfc3af1df6ce0c8da25c9e2
SHA256 c65d94b081f07e67af3780f2b0d77f9de809d65f084826238444069c13c804a4
SHA512 8a182a8dfa794f4da6cec4758254f8b16ff6902461f40005a6d3813eb370aab0ca16240b7b3c24f3fa7b9ce17c7943adbd7750b34acd9b2db0bcaed929f7c949
-
Filesize 48B
MD5 8f2fe00117d8cf1e8f32eb7bf7c5ab82
SHA1 952f7ed0a7bcc5ccc8a3dda8d32d12d3777f6be9
SHA256 02e8d359193b0ae24c55786b196b81fa9ca8851c0b36944547ab1c766ecf53ba
SHA512 6fd6a26b107c1542e84649a016ad6e523ed43f9b63b33b6efe96e89a73c0fdadcba4aa9786a399e8df4d2e7d8af79dbabfd4534648e76aae948b082e97a1e077
-
Filesize 1.0MB
MD5 50c3534dacb3359079f8fca6b702e98e
SHA1 85cd176c6f7c97017547aaf9b1133ca3d1fb1885
SHA256 867cfd96b563631e0e2a1d89d784b47bf723194595b6dd301225fe608f6186de
SHA512 a3cb0ff747332f0d91a2126f63cf12ea44e00de2221ec83fcbec86dfff90384c62299a77e97916572ad723132123168505e005884c6c8329713eb3db9cbf2750
-
Filesize 222B
MD5 4dad95df8fa0e085b45537e5be8778f6
SHA1 044c0c326db9f180d8c79f7fd7719fac3abc69d3
SHA256 b4c3908e82e611ee34d5b27906b7ea428f31cf3c6e37d19e49032ac5af938f0b
SHA512 4a089ec1b661a1b996781fcd813971b9ba43a4a0c4ba356dc0d78072bb03e62ceb8bda1f21f579c1a82662eeece15f2515a73b11863eeed5c11b5176e920d376