Analysis

max time kernel: 129s
max time network: 154s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 27-07-2024 08:02
Static task: static1
Behavioral task behavioral1: sample EasyAnti-CheatAnalyzer.exe on resource win7-20240705-en (the run reported below; all memory artefacts carry the behavioral1/ prefix and the task engine is the Windows 7 taskeng.exe)
Behavioral task behavioral2: sample EasyAnti-CheatAnalyzer.exe on resource win10v2004-20240709-en
General

Target: EasyAnti-CheatAnalyzer.exe
Size: 2.6MB
MD5: 6f4697ceaa48de87c8463be064a41834
SHA1: 129b599295e013389255c16126ae64afd42c9cb4
SHA256: 098a170344a4ca7efe3e0c8b48c25a64fe0570b68eb0f3032c229e81597c1fbc
SHA512: b9ff325866976ab0270224f3b512c45b8c5442fb58eff0b883fdf54babfa4845f95eb01d7c6f73d73e08fd59fd0c21d039bd75c318bb30e843c2bef861267c40
SSDEEP: 49152:lQQovM4NUTzrWlUMtHE772hZD9gtGIOSzAYpk8xKFxNWMjZuW:lgM4NOYt0iK8IOScYpP8WcD

The sample is a dropper posing as an anti-cheat utility: it writes a batch file, a DcRat stage (Runtime Broker.exe, which unpacks portproviderperf.exe) and two XWorm stages (Windows Driver Foundation.exe and svchost.exe) to %TEMP% and launches all of them; the details are in the Signatures and Processes sections below.
Malware Config

Extracted family: xworm
C2: article-coal.gl.at.ply.gg:27263
C2: main-although.gl.at.ply.gg:30970
Install_directory: %Public%
install_file: svchost.exe

%Public% expands to C:\Users\Public, so the configured install path is C:\Users\Public\svchost.exe; that is exactly the path the Run key, the per-minute scheduled task and one of the Defender exclusions below point at. The *.ply.gg hostnames are playit.gg tunnel endpoints, so they identify the tunnelling service, not the operator's own host.
Signatures

DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that can load additional plugins. Matches for the dcrat yara rule (3 IoCs):
  - C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
  - \SurrogatewinDrivernetsvc\portproviderperf.exe
  - behavioral1/memory/1300-55-0x0000000000020000-0x00000000002D6000-memory.dmp (portproviderperf.exe, pid 1300)

Detect Xworm Payload (6 IoCs)
Matches for the family_xworm yara rule:
  - behavioral1/memory/2576-27-0x00000000001D0000-0x00000000001EA000-memory.dmp (Temp\svchost.exe, pid 2576)
  - behavioral1/memory/2808-28-0x0000000000EB0000-0x0000000000EC8000-memory.dmp (Windows Driver Foundation.exe, pid 2808)
  - C:\Users\Admin\AppData\Local\Temp\svchost.exe
  - C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
  - behavioral1/memory/1616-103-0x00000000002A0000-0x00000000002BA000-memory.dmp (C:\Users\Public\svchost.exe, pid 1616)
  - behavioral1/memory/2488-107-0x0000000001250000-0x000000000126A000-memory.dmp (C:\Users\Public\svchost.exe, pid 2488)

Command and Scripting Interpreter: PowerShell (1 TTP, 8 IoCs)
Runs PowerShell to add Windows Defender exclusions (Add-MpPreference; paths and process names in this run, although the signature also covers file-extension exclusions). Processes: powershell.exe pids 2244, 1984, 544, 1100, 616, 756, 2852, 2384. The Defender PowerShell module that provides Add-MpPreference ships with Windows 8.1 and later, so on this Windows 7 image the commands are not expected to change anything; the Windows 10 task (behavioral2) is where they would take effect.

Disables Task Manager via registry modification
reg.exe sets HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = 1 (see the process tree).

Drops startup file (4 IoCs)
  - Windows Driver Foundation.exe created and then modified C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
  - svchost.exe created and then modified C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

Executes dropped EXE (6 IoCs)
  2916 Runtime Broker.exe, 2808 Windows Driver Foundation.exe, 2576 svchost.exe, 1300 portproviderperf.exe, 1616 svchost.exe, 2488 svchost.exe

Loads dropped DLL (2 IoCs)
  cmd.exe (pid 1412), two loads.

Adds Run key to start application (2 TTPs, 1 IoC)
  svchost.exe set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Public\\svchost.exe"

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP: flows 2 and 3 to ip-api.com.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather the victim's system language in order to infer the host's geographical location. Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by Runtime Broker.exe, WScript.exe, cmd.exe and reg.exe.

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 64 IoCs)
Adversaries may check for Internet connectivity on compromised systems. Here the tag fires on PING.EXE instances running ping -n 2 127.0.0.1, which never leave the host: that is the batch-file sleep idiom, not connectivity discovery (see the process tree). 64 of the 101 instances are listed; pids: 1168, 532, 2772, 3024, 2780, 896, 2836, 1964, 2980, 1284, 2232, 1536, 2004, 2592, 1008, 580, 3028, 1008, 2068, 2648, 1744, 2560, 692, 2960, 1668, 2376, 1212, 1512, 1092, 1712, 2264, 2332, 1992, 888, 2992, 2400, 1168, 1000, 2756, 1612, 1816, 304, 2516, 2244, 2548, 480, 2704, 1092, 2192, 1504, 2292, 2404, 1804, 3004, 2044, 2148, 2272, 2644, 2560, 596, 2356, 1980, 2372, 2080.
Some pids appear twice in this list and some coincide with other processes' pids (2560 is timeout.exe and later a PING.EXE, 2244 is a powershell.exe and a PING.EXE, 2648 is the sample itself and a later PING.EXE): pids are reused within the run and do not identify a process on their own.

Delays execution with timeout.exe (1 IoC)
  2560 timeout.exe

Modifies registry key (1 TTP, 1 IoC)
  reg.exe (the DisableTaskMgr write above).

Runs ping.exe (1 TTP, 64 IoCs)
  pids: 3024, 2332, 2076, 2344, 2372, 2356, 2272, 1804, 2704, 1992, 2548, 1996, 2368, 1940, 888, 1964, 2080, 1588, 1092, 1352, 2780, 2360, 1388, 596, 2756, 2960, 1612, 2824, 692, 2560, 1980, 2992, 636, 2044, 1008, 2772, 1212, 1168, 2548, 2556, 1168, 2676, 2068, 2264, 1504, 2004, 2560, 2488, 2336, 3028, 2168, 2628, 304, 2244, 836, 1732, 2516, 2068, 2376, 2404, 1008, 580, 2980, 1392.

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here: schtasks /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Public\svchost.exe" (see the process tree).

Suspicious behavior: EnumeratesProcesses (9 IoCs)
  powershell.exe 2852, 756, 2244, 2384, 1984, 544, 616, 1100; svchost.exe 2576

Suspicious use of AdjustPrivilegeToken (15 IoCs)
  All are SeDebugPrivilege: Windows Driver Foundation.exe 2808 (twice), svchost.exe 2576 (twice), powershell.exe 2852, 756, 2244, 2384, 1984, 544, 616, 1100, portproviderperf.exe 1300, svchost.exe 1616, svchost.exe 2488.

Suspicious use of SetWindowsHookEx (1 IoC)
  svchost.exe 2576. SetWindowsHookEx installs global keyboard/mouse hooks, the usual keylogging mechanism.

Suspicious use of WriteProcessMemory (64 IoCs)
One record per write, parent -> child (number of writes). CreateProcess writes into the new child's address space, so a parent-to-child write is expected at every process start; the value of this list is the process graph it describes:
  2648 EasyAnti-CheatAnalyzer.exe -> 2748 cmd.exe (3)
  2748 cmd.exe -> 2560 timeout.exe (3)
  2648 EasyAnti-CheatAnalyzer.exe -> 2916 Runtime Broker.exe (4)
  2648 EasyAnti-CheatAnalyzer.exe -> 2808 Windows Driver Foundation.exe (3)
  2648 EasyAnti-CheatAnalyzer.exe -> 2576 svchost.exe (3)
  2916 Runtime Broker.exe -> 3044 WScript.exe (4)
  2748 cmd.exe -> 1168 PING.EXE (3)
  2748 cmd.exe -> 1980 PING.EXE (3)
  2808 Windows Driver Foundation.exe -> 756 powershell.exe (3)
  2576 svchost.exe -> 2852 powershell.exe (3)
  3044 WScript.exe -> 1412 cmd.exe (4)
  1412 cmd.exe -> 1300 portproviderperf.exe (4)
  2748 cmd.exe -> 2192 PING.EXE (3)
  2576 svchost.exe -> 2384 powershell.exe (3)
  2808 Windows Driver Foundation.exe -> 2244 powershell.exe (3)
  2808 Windows Driver Foundation.exe -> 1984 powershell.exe (3)
  2576 svchost.exe -> 544 powershell.exe (3)
  2808 Windows Driver Foundation.exe -> 616 powershell.exe (3)
  2576 svchost.exe -> 1100 powershell.exe (3)
  2748 cmd.exe -> 1008 PING.EXE (3)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
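Rebuilding the process tree from the WriteProcessMemory records. The sandbox emits one record per write in the form "PID A wrote to memory of B A parent.exe child.exe", and image names may contain spaces ("Runtime Broker.exe"), so a naive split on whitespace breaks; the parser below anchors each name on its ".exe" and each record on the following "PID". This Python is an added example, not part of the sandbox report: RAW is a constructed sample of a dozen records transcribed from the list above, and the functions count repeated writes per edge, find the root and render an indented tree.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample: a dozen records from the report's "Suspicious use of
# WriteProcessMemory" list, in the sandbox's flattened one-record-per-write form.
RAW = (
    "PID 2648 wrote to memory of 2748 2648 EasyAnti-CheatAnalyzer.exe cmd.exe "
    "PID 2648 wrote to memory of 2748 2648 EasyAnti-CheatAnalyzer.exe cmd.exe "
    "PID 2748 wrote to memory of 2560 2748 cmd.exe timeout.exe "
    "PID 2648 wrote to memory of 2916 2648 EasyAnti-CheatAnalyzer.exe Runtime Broker.exe "
    "PID 2648 wrote to memory of 2808 2648 EasyAnti-CheatAnalyzer.exe Windows Driver Foundation.exe "
    "PID 2648 wrote to memory of 2576 2648 EasyAnti-CheatAnalyzer.exe svchost.exe "
    "PID 2916 wrote to memory of 3044 2916 Runtime Broker.exe WScript.exe "
    "PID 3044 wrote to memory of 1412 3044 WScript.exe cmd.exe "
    "PID 1412 wrote to memory of 1300 1412 cmd.exe portproviderperf.exe "
    "PID 2808 wrote to memory of 756 2808 Windows Driver Foundation.exe powershell.exe "
    "PID 2576 wrote to memory of 2852 2576 svchost.exe powershell.exe "
    "PID 2748 wrote to memory of 1168 2748 cmd.exe PING.EXE"
)

# One record: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>".
# Image names may contain spaces, so each name is matched non-greedily up to its
# ".exe" and the record must be followed by " PID " or the end of the text.
RECORD = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_img>.+?\.exe) (?P<dst_img>.+?\.exe)(?= PID |$)",
    re.IGNORECASE,
)

Edge = Tuple[int, str, int, str]


def parse_edges(text: str) -> "Counter[Edge]":
    """Count writes per (parent pid, parent image, child pid, child image)."""
    edges: "Counter[Edge]" = Counter()
    for m in RECORD.finditer(text):
        edges[(int(m["src"]), m["src_img"], int(m["dst"]), m["dst_img"])] += 1
    return edges


def build_tree(edges: "Counter[Edge]"):
    """Child lists in first-seen order, a pid -> image map, and write counts per (parent, child)."""
    children: Dict[int, List[int]] = defaultdict(list)
    images: Dict[int, str] = {}
    writes: "Counter[Tuple[int, int]]" = Counter()
    for (src, src_img, dst, dst_img), n in edges.items():
        images[src] = src_img
        images[dst] = dst_img
        if dst not in children[src]:
            children[src].append(dst)
        writes[(src, dst)] += n
    return children, images, writes


def roots(children: Dict[int, List[int]]) -> List[int]:
    """Pids that write to others but are never written to: the top of each tree."""
    all_children = {c for cs in children.values() for c in cs}
    return [p for p in children if p not in all_children]


def render(children, images, writes, pid: int, depth: int = 0) -> List[str]:
    """Indented tree; each child line carries how many writes its parent made into it."""
    out = ["  " * depth + f"{pid} {images[pid]}"]
    for child in children.get(pid, []):
        out.append("  " * (depth + 1) + f"{child} {images[child]} ({writes[(pid, child)]} writes)")
        out.extend(render(children, images, writes, child, depth + 1)[1:])
    return out


if __name__ == "__main__":
    tree = build_tree(parse_edges(RAW))
    for root in roots(tree[0]):
        print("\n".join(render(*tree, root)))
```

Run stand-alone it prints the sample rooted at 2648 with cmd.exe, Runtime Broker.exe, Windows Driver Foundation.exe and svchost.exe as its four children. Because CreateProcess itself writes into the new child, a parent-to-child edge appears for every process start; what makes this sample's graph interesting is not the "suspicious" label but the shape: two independent RAT chains fanning out from one dropper.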
Processes

Process tree for behavioral1. Indentation and [n] give the depth; pids are taken from the signature tables above; for each process the image path is followed by its command line and the signatures it triggered.

[1] C:\Users\Admin\AppData\Local\Temp\EasyAnti-CheatAnalyzer.exe (pid 2648)
    "C:\Users\Admin\AppData\Local\Temp\EasyAnti-CheatAnalyzer.exe"
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\cmd.exe (pid 2748)
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\EasyAntiCheat.bat" "
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\timeout.exe (pid 2560)
        timeout /t 3 /nobreak
        - Delays execution with timeout.exe

    [3] C:\Windows\system32\PING.EXE, 101 instances started one after another by the batch file
        ping -n 2 127.0.0.1
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
        Two echo requests to loopback is the batch-file idiom for "sleep about one second"; nothing leaves the host, so the Internet Connection Discovery tag is a mislabel and the 101 pings are a delay loop of roughly a hundred seconds (most of the 129 s kernel time). Each of the two signatures lists only 64 of the 101 instances, which is why individual pings in the raw export carry one, both or neither tag.

  [2] C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe (pid 2916; DcRat stage, dcrat yara hit)
      "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\WScript.exe (pid 3044)
        "C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\FI5uMh3ETeLxf7f5t3w.vbe"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        The command line names System32 but the image ran from SysWOW64: WOW64 file-system redirection, which means Runtime Broker.exe is a 32-bit process.

      [4] C:\Windows\SysWOW64\cmd.exe (pid 1412)
          cmd /c ""C:\SurrogatewinDrivernetsvc\gA0MRjUus87.bat" "
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

        [5] C:\SurrogatewinDrivernetsvc\portproviderperf.exe (pid 1300; dcrat yara hit)
            "C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken

        [5] C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            - System Location Discovery: System Language Discovery
            - Modifies registry key

  [2] C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe (pid 2808; XWorm, family_xworm yara hit)
      "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, four instances, each tagged
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        with the command lines:
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe'
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Driver Foundation.exe'
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        XClient.exe is the XWorm client's default build name; this run records the Startup\XClient.lnk shortcut but no XClient.exe drop.

  [2] C:\Users\Admin\AppData\Local\Temp\svchost.exe (pid 2576; XWorm, family_xworm yara hit)
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, four instances, each tagged
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        with the command lines:
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\svchost.exe'
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

    [3] C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Public\svchost.exe"
        - Scheduled Task/Job: Scheduled Task
        A task named "svchost" that re-runs the %Public% copy every minute at the highest run level available to the user; together with the Run key and the Startup shortcut this gives XWorm three independent persistence paths.

[1] C:\Windows\system32\taskeng.exe
    taskeng.exe {2EA81006-DCA5-4FAB-B38A-D779CC2D27F1} S-1-5-21-3502430532-24693940-2469786940-1000:PSBQWFYT\Admin:Interactive:[1]
    The Windows 7 task engine firing the "svchost" task; two runs of the installed copy were captured:

  [2] C:\Users\Public\svchost.exe (pid 1616)
      C:\Users\Public\svchost.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Users\Public\svchost.exe (pid 2488)
      C:\Users\Public\svchost.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
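Turning the command lines above into detection logic. The following Python is an added example, not from the report or the sandbox vendor: it classifies process-creation events by image path and command line, the way a Sigma-style rule set would, and runs over entries transcribed from the tree above (one ping entry stands in for all 101 and two of the eight Defender-exclusion commands are included). The labels and ATT&CK IDs are the editor's own mapping, and SYSTEM_NAMES is a small illustrative list, not an exhaustive one.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Process-creation events transcribed from the process tree above as (image, command line).
# Constructed sample for this example; not a complete copy of the tree.
TREE: List[Tuple[str, str]] = [
    (r"C:\Users\Admin\AppData\Local\Temp\EasyAnti-CheatAnalyzer.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\EasyAnti-CheatAnalyzer.exe"'),
    (r"C:\Windows\system32\cmd.exe",
     r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\EasyAntiCheat.bat" "'),
    (r"C:\Windows\system32\timeout.exe", "timeout /t 3 /nobreak"),
    (r"C:\Windows\system32\PING.EXE", "ping -n 2 127.0.0.1"),
    (r"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"'),
    (r"C:\Windows\SysWOW64\WScript.exe",
     r'"C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\FI5uMh3ETeLxf7f5t3w.vbe"'),
    (r"C:\SurrogatewinDrivernetsvc\portproviderperf.exe",
     r'"C:\SurrogatewinDrivernetsvc\portproviderperf.exe"'),
    (r"C:\Windows\SysWOW64\reg.exe",
     r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"),
    (r"C:\Users\Admin\AppData\Local\Temp\svchost.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
     r"Add-MpPreference -ExclusionPath 'C:\Users\Public\svchost.exe'"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
     r"Add-MpPreference -ExclusionProcess 'svchost.exe'"),
    (r"C:\Windows\System32\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Public\svchost.exe"'),
    (r"C:\Users\Public\svchost.exe", r"C:\Users\Public\svchost.exe"),
]

# Windows binary names that malware routinely borrows (illustrative, not exhaustive).
# Compared after lowercasing and dropping spaces, so "Runtime Broker.exe" is checked
# against the real RuntimeBroker.exe.
SYSTEM_NAMES = {"svchost.exe", "runtimebroker.exe", "explorer.exe", "lsass.exe", "csrss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def classify(image: str, cmdline: str) -> List[str]:
    """Labels (editor's ATT&CK mapping) that apply to one process-creation event."""
    hits: List[str] = []
    name = basename(image).lower()
    low = cmdline.lower()
    # A system-binary name running from outside the system directories.
    if name.replace(" ", "") in SYSTEM_NAMES and not image.lower().startswith(SYSTEM_DIRS):
        hits.append("T1036.005 masquerading: system binary name outside System32/SysWOW64")
    # Defender exclusions added from PowerShell; the bypass flag gets its own label.
    if name == "powershell.exe" and "add-mppreference" in low and "-exclusion" in low:
        hits.append("T1562.001 impair defenses: Windows Defender exclusion added")
        if "-executionpolicy bypass" in low:
            hits.append("T1059.001 PowerShell launched with -ExecutionPolicy Bypass")
    # Task Manager disabled through the per-user policy key.
    if name == "reg.exe" and "disabletaskmgr" in low and "/d 1" in low:
        hits.append("T1112 modify registry: DisableTaskMgr set")
    # A task that re-runs a binary every minute, optionally at the highest run level.
    if name == "schtasks.exe" and "/create" in low and "/sc minute" in low:
        label = "T1053.005 scheduled task with a per-minute trigger"
        if "/rl highest" in low:
            label += " at /RL HIGHEST"
        hits.append(label)
    # Script host executing an encoded VBScript file.
    if name == "wscript.exe" and re.search(r"\.vbe\b", low):
        hits.append("T1059.005 WScript running an encoded VBScript (.vbe)")
    # Sleep idioms: loopback pings or timeout.exe; neither tests connectivity.
    if name == "ping.exe" and re.search(r"ping\s+-n\s+\d+\s+127\.0\.0\.1", low):
        hits.append("T1497.003 delay via ping to 127.0.0.1 (not connectivity discovery)")
    if name == "timeout.exe" and "/t" in low:
        hits.append("T1497.003 delay via timeout.exe")
    return hits


def triage(tree: List[Tuple[str, str]]) -> Tuple[Dict[int, List[str]], "Counter[str]"]:
    """Index of each flagged entry -> its labels, plus how often every label fired."""
    findings: Dict[int, List[str]] = {}
    counts: "Counter[str]" = Counter()
    for idx, (image, cmdline) in enumerate(tree):
        labels = classify(image, cmdline)
        if labels:
            findings[idx] = labels
            counts.update(labels)
    return findings, counts


if __name__ == "__main__":
    found, totals = triage(TREE)
    for idx, labels in found.items():
        print(f"[{idx}] {basename(TREE[idx][0])}")
        for label in labels:
            print("     ", label)
    print(dict(totals))
```

On the transcribed entries ten of the thirteen events are flagged; the three masquerading hits are the two svchost.exe copies and Runtime Broker.exe, and the dropper itself produces no hit, which is the usual picture: the first-stage binary looks clean on command line alone and is caught by what it spawns.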
MITRE ATT&CK Matrix (ATT&CK v13)

Execution
  Command and Scripting Interpreter (1): PowerShell (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)

Only these three tactic columns survived the export; the Defender-exclusion, Task Manager and discovery behaviours appear in the Signatures section but not here.
Downloads

Dropped files (path, size, hashes):

C:\SurrogatewinDrivernetsvc\FI5uMh3ETeLxf7f5t3w.vbe
  Filesize: 212B
  MD5: bdae1284d1499c147434adaab8e15667
  SHA1: b4ac30b9c6f0542067dffccee0794d4ea546b583
  SHA256: 26d933d81e56ceacb4cced22c680c22f4c12d2b4ce3a489303fc2aec67632f88
  SHA512: 3b86e7ba47b3b6041fe7e5aa9a7ffc3a0049ade5cbd6b3b58668c70c08513382373ef5c2432628a421076aade3de953af34423a80e6041cb110b248bb6ef31e3

C:\SurrogatewinDrivernetsvc\gA0MRjUus87.bat
  Filesize: 162B
  MD5: e01ef91219b266b14d1ae415d30256d5
  SHA1: cad006a2efee48fcad1166e7ce3bc118ff139808
  SHA256: db58b3dde8508ecbe59d938545246355b52d9cdec29f76657b66638c4d7aeeb2
  SHA512: 7826ca4bda02431bff87c7c72bd1ea53bc769b8574302a37445318360326e5a89e309c35dbc8f9981ec35c5067b4a459195b78d0289f5d93f6ec54be4c3f1e7b

C:\Users\Admin\AppData\Local\Temp\EasyAntiCheat.bat
  Filesize: 659B
  MD5: 2d4e81e15ccf4579be60dc575f28ec72
  SHA1: 0312d732322ad6e0b3ea68462ba1ef4b24a3ddcb
  SHA256: 082f209b74dbcb68202df3759e716dcf7efe546dd267e472190ffcf0fbcfdaa7
  SHA512: 93e3861cd244f94baa80dc06448eb70e426d835dc0657ef5ce2501f85fe80b0dece67b87b2fe883cdb0640937e653c57859a9fe730d8386a6ccd2f699386e124

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe (DcRat stage)
  Filesize: 3.0MB
  MD5: e752ea010d6bb2c6afebe6d1f915feda
  SHA1: a5737dfc7b7d6fa6509f3a0e79544b170d9476e2
  SHA256: 18e279bca944d2ba87ff29c8df967e27621db9e4a6a4914fe635e5b7e4d305d4
  SHA512: 01a203da6717e1b164c2f7002252bb08df6dcc8ed40e5d1f97cacf1b9371568a6a2b2b1ff4635f263854cd993cbc28d1177fd558565881c065cf595c05e6e866

C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe (XWorm)
  Filesize: 69KB
  MD5: 99088d7d8b409b4039b02295e64a686f
  SHA1: f58dad3090854f8ab5cc3de89d6cdaeb151883d4
  SHA256: a9f1d82a7954d86d746086969c0d7b7b5ca65ccfd0d6a375931a6826eca1a8c7
  SHA512: a485b749f096a63bcc733b848317ceca918ee46516bcf17593c8358303a80aa0fb15c99b444fbeac02f79ac69c165e8a2fbb614265a56d99b5c098bd48d388b7

C:\Users\Admin\AppData\Local\Temp\svchost.exe (XWorm)
  Filesize: 77KB
  MD5: 84f35bb606e5d8049b4c7d57d4a9148a
  SHA1: 385862c81fb695799b7cdd5199a212f8de2e1cb7
  SHA256: 6e3c920e6115f3b386883ef1d439eec2691923504b42d863bc43de929435f627
  SHA512: dee62c8a3b5fadaec1ba91757de1bf78ce9caf4d9e9c5a4226997f15fb3e3387ce5e3bc2ff019a361b3a5b30b9e03246cfbccdf10f586f068d111988445e999d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LD9X4Y9QH02XZJT3HHG9.temp
  Filesize: 7KB
  MD5: 2836921189855c0431565563ec9e0fbe
  SHA1: 6a0384e2e078bb16bdeb1bd10f003feb4e97cf5f
  SHA256: 5a97cf07409ef96b51d3cdb4799d77128486624935d15727b8e787c6626281fc
  SHA512: 364eddbb549c1682c5af3fa2a78e3e119d3e7ed87573b878c6ee9950473506d820ce6e5f3168932d8b816243b08e311e660fb954968a164bfd256258a169981c
  A Windows jump-list artefact (Recent\CustomDestinations), not a payload.

\??\PIPE\srvsvc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  These are the digests of the empty input: the named pipe was opened but no bytes were captured.

\SurrogatewinDrivernetsvc\portproviderperf.exe (DcRat payload)
  Filesize: 2.7MB
  MD5: 51cbb36089b836f1cfe94e1ee88e344d
  SHA1: 66cfd5986f79d85be3d2424ac53d6e0b484f2791
  SHA256: 9e81ddf406a5afea06ef9d412ee55c58d39a609ea7c5464378a5b5ab96670998
  SHA512: 39ad09295cc6171646d508cb81503e17dac4bda780f482a09a72b3cf80b2a37ab6e097c298970d3bac41a6b20514481fac1eb53b71d27a9e89769074dfc8d52b

Memory regions dumped (the name encodes pid, sequence number and virtual address range; the size and the owning process follow):

memory/1300-55-0x0000000000020000-0x00000000002D6000-memory.dmp 2.7MB (portproviderperf.exe; dcrat yara hit)
memory/1300-80-0x0000000000400000-0x000000000040E000-memory.dmp 56KB (portproviderperf.exe)
memory/1616-103-0x00000000002A0000-0x00000000002BA000-memory.dmp 104KB (Public\svchost.exe; family_xworm yara hit)
memory/1984-73-0x000000001B670000-0x000000001B952000-memory.dmp 2.9MB (powershell.exe)
memory/2244-67-0x00000000027E0000-0x00000000027E8000-memory.dmp 32KB (powershell.exe)
memory/2384-66-0x000000001B560000-0x000000001B842000-memory.dmp 2.9MB (powershell.exe)
memory/2488-107-0x0000000001250000-0x000000000126A000-memory.dmp 104KB (Public\svchost.exe; family_xworm yara hit)
memory/2576-27-0x00000000001D0000-0x00000000001EA000-memory.dmp 104KB (Temp\svchost.exe; family_xworm yara hit)
memory/2648-29-0x000007FEF5540000-0x000007FEF5F2C000-memory.dmp 9.9MB (EasyAnti-CheatAnalyzer.exe)
memory/2648-0-0x000007FEF5543000-0x000007FEF5544000-memory.dmp 4KB (EasyAnti-CheatAnalyzer.exe)
memory/2648-22-0x000007FEF5540000-0x000007FEF5F2C000-memory.dmp 9.9MB (EasyAnti-CheatAnalyzer.exe)
memory/2648-1-0x000000013FF20000-0x00000001401BA000-memory.dmp 2.6MB (EasyAnti-CheatAnalyzer.exe; the same size as the sample on disk)
memory/2808-28-0x0000000000EB0000-0x0000000000EC8000-memory.dmp 96KB (Windows Driver Foundation.exe; family_xworm yara hit)
memory/2852-50-0x0000000002960000-0x0000000002968000-memory.dmp 32KB (powershell.exe)
memory/2852-49-0x000000001B480000-0x000000001B762000-memory.dmp 2.9MB (powershell.exe)
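Checking the memory-dump artefact names. Each memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp name encodes the process and the virtual address range that was dumped, so the region size (the Filesize the report prints) can be recomputed from the name, and a YARA hit on a dump can be tied back to the process that owned the memory. The Python below is an added example, not part of the report: REPORTED and XWORM_HITS are transcribed from this page, and the size-formatting rule (whole KB below 1 MiB, one decimal MB from 1 MiB) is inferred from the values the report prints, not documented by the sandbox.

```python
import re
from typing import Dict, List, NamedTuple, Sequence, Tuple

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, optionally prefixed by the task name.
MEMDUMP_RE = re.compile(
    r"^(?:behavioral\d+/)?memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


class Region(NamedTuple):
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_memdump_name(name: str) -> Region:
    """Decode one artefact name; reject reversed or non-page-aligned bounds."""
    m = MEMDUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a sandbox memory-dump name: {name!r}")
    region = Region(int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16))
    if region.end <= region.start or region.start % 0x1000 or region.end % 0x1000:
        raise ValueError(f"implausible bounds in {name!r}")
    return region


def fmt_size(n: int) -> str:
    """Size as the report prints it (inferred rule): whole KB below 1 MiB, one-decimal MB above."""
    if n < 1 << 20:
        return f"{n >> 10}KB"
    return f"{n / (1 << 20):.1f}MB"


# Names and printed sizes transcribed from the memory listing above.
REPORTED: List[Tuple[str, str]] = [
    ("memory/1300-55-0x0000000000020000-0x00000000002D6000-memory.dmp", "2.7MB"),
    ("memory/1300-80-0x0000000000400000-0x000000000040E000-memory.dmp", "56KB"),
    ("memory/1616-103-0x00000000002A0000-0x00000000002BA000-memory.dmp", "104KB"),
    ("memory/1984-73-0x000000001B670000-0x000000001B952000-memory.dmp", "2.9MB"),
    ("memory/2244-67-0x00000000027E0000-0x00000000027E8000-memory.dmp", "32KB"),
    ("memory/2384-66-0x000000001B560000-0x000000001B842000-memory.dmp", "2.9MB"),
    ("memory/2488-107-0x0000000001250000-0x000000000126A000-memory.dmp", "104KB"),
    ("memory/2576-27-0x00000000001D0000-0x00000000001EA000-memory.dmp", "104KB"),
    ("memory/2648-29-0x000007FEF5540000-0x000007FEF5F2C000-memory.dmp", "9.9MB"),
    ("memory/2648-0-0x000007FEF5543000-0x000007FEF5544000-memory.dmp", "4KB"),
    ("memory/2648-22-0x000007FEF5540000-0x000007FEF5F2C000-memory.dmp", "9.9MB"),
    ("memory/2648-1-0x000000013FF20000-0x00000001401BA000-memory.dmp", "2.6MB"),
    ("memory/2808-28-0x0000000000EB0000-0x0000000000EC8000-memory.dmp", "96KB"),
    ("memory/2852-50-0x0000000002960000-0x0000000002968000-memory.dmp", "32KB"),
    ("memory/2852-49-0x000000001B480000-0x000000001B762000-memory.dmp", "2.9MB"),
]

# The four memory dumps matched by the family_xworm yara rule (Signatures section).
XWORM_HITS = [
    "behavioral1/memory/2576-27-0x00000000001D0000-0x00000000001EA000-memory.dmp",
    "behavioral1/memory/2808-28-0x0000000000EB0000-0x0000000000EC8000-memory.dmp",
    "behavioral1/memory/1616-103-0x00000000002A0000-0x00000000002BA000-memory.dmp",
    "behavioral1/memory/2488-107-0x0000000001250000-0x000000000126A000-memory.dmp",
]


def mismatches(entries: Sequence[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """(name, size recomputed from the name, size printed) for every entry that disagrees."""
    out: List[Tuple[str, str, str]] = []
    for name, printed in entries:
        computed = fmt_size(parse_memdump_name(name).size)
        if computed != printed:
            out.append((name, computed, printed))
    return out


def sizes_by_pid(names: Sequence[str]) -> Dict[int, List[int]]:
    """pid -> sizes (bytes) of the dumped regions, to tie yara hits back to processes."""
    out: Dict[int, List[int]] = {}
    for name in names:
        region = parse_memdump_name(name)
        out.setdefault(region.pid, []).append(region.size)
    return out


if __name__ == "__main__":
    print("mismatches:", mismatches(REPORTED))
    for pid, sizes in sizes_by_pid(XWORM_HITS).items():
        print(f"pid {pid}: xworm region(s) {[fmt_size(s) for s in sizes]}")
```

Every printed size is reproduced from the address range, and the four XWorm hits are all small regions (96 to 104KB) in the four XWorm processes, consistent with the 69KB and 77KB files that were dropped; the 2.9MB regions belong to the PowerShell hosts, not to the payload.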