aabbf9a7992565949206be325ddae632b6ed6a7e2376a4a3c35f4631cbe7326d

Analysis

max time kernel
134s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-17_0e275e10d98d838332ad0fd726b06420_poet-rat_snatch.exe
Size

7.7MB
MD5

0e275e10d98d838332ad0fd726b06420
SHA1

be09a452f9b971d6732f8b268971f10dde4f57fc
SHA256

aabbf9a7992565949206be325ddae632b6ed6a7e2376a4a3c35f4631cbe7326d
SHA512

ea874919fb559535338a87936a26ccba9f92b3191456c3f91f0d4b35b8ed64d9a99a6c968110bd26749db36cb2a4a496ac4a9dbb063376b4dd2895d8cec8ddb5
SSDEEP

98304:gX960BV8Bfv1EGgoevqoeIf8UXk8ZAWXBJxnZxEskO1bONC+9:WBV8B2G0veIFXkqvXB/ZxV8NC+

Score

10^/10

credential_access execution persistence spyware stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\terarium\\MoUsoCoreWorker.exe\", \"C:\\terarium\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\", \"C:\\Users\\All Users\\USOShared\\Logs\\User\\RuntimeBroker.exe\", \"C:\\terarium\\SearchApp.exe\", \"C:\\terarium\\eral.exe\""	eral.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\terarium\\MoUsoCoreWorker.exe\""	eral.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\terarium\\MoUsoCoreWorker.exe\", \"C:\\terarium\\SppExtComObj.exe\""	eral.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\terarium\\MoUsoCoreWorker.exe\", \"C:\\terarium\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\""	eral.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\terarium\\MoUsoCoreWorker.exe\", \"C:\\terarium\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\", \"C:\\Users\\All Users\\USOShared\\Logs\\User\\RuntimeBroker.exe\""	eral.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\terarium\\MoUsoCoreWorker.exe\", \"C:\\terarium\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\", \"C:\\Users\\All Users\\USOShared\\Logs\\User\\RuntimeBroker.exe\", \"C:\\terarium\\SearchApp.exe\""	eral.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	4156	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	4156	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	4156	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	4156	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	4156	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	4156	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3160	4156	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	4156	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	4156	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	4156	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	4156	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	4156	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3276	4156	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	4156	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	4156	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	4156	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	4156	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3280	4156	schtasks.exe	98

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2388	powershell.exe
4560	powershell.exe
3036	powershell.exe
388	powershell.exe
1928	powershell.exe
1180	powershell.exe
3840	powershell.exe
1928	powershell.exe
1180	powershell.exe
3840	powershell.exe
2388	powershell.exe
4560	powershell.exe
3036	powershell.exe
388	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	eral.exe

Executes dropped EXE 2 IoCs

pid	Process
4020	eral.exe
3796	MoUsoCoreWorker.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\terarium\\SppExtComObj.exe\""	eral.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\terarium\\SppExtComObj.exe\""	eral.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\""	eral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\All Users\\USOShared\\Logs\\User\\RuntimeBroker.exe\""	eral.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\terarium\\SearchApp.exe\""	eral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eral = "\"C:\\terarium\\eral.exe\""	eral.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MoUsoCoreWorker = "\"C:\\terarium\\MoUsoCoreWorker.exe\""	eral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\WmiPrvSE.exe\""	eral.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\All Users\\USOShared\\Logs\\User\\RuntimeBroker.exe\""	eral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\terarium\\SearchApp.exe\""	eral.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eral = "\"C:\\terarium\\eral.exe\""	eral.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MoUsoCoreWorker = "\"C:\\terarium\\MoUsoCoreWorker.exe\""	eral.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCA8AF99CF8FB0425291E08062AD73773.TMP	csc.exe
File created	\??\c:\Windows\System32\gvmh1g.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\WmiPrvSE.exe	eral.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\24dbde2999530e	eral.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	eral.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
452	schtasks.exe
4872	schtasks.exe
2888	schtasks.exe
4196	schtasks.exe
2948	schtasks.exe
3280	schtasks.exe
4552	schtasks.exe
4528	schtasks.exe
2316	schtasks.exe
3500	schtasks.exe
1880	schtasks.exe
540	schtasks.exe
4016	schtasks.exe
2760	schtasks.exe
3160	schtasks.exe
4864	schtasks.exe
3276	schtasks.exe
1368	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1180	powershell.exe
1180	powershell.exe
3840	powershell.exe
3840	powershell.exe
2388	powershell.exe
2388	powershell.exe
4560	powershell.exe
4560	powershell.exe
3036	powershell.exe
3036	powershell.exe
388	powershell.exe
388	powershell.exe
1928	powershell.exe
1928	powershell.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe
4020	eral.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3796	MoUsoCoreWorker.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1180	powershell.exe
Token: SeDebugPrivilege	3840	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	4560	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	388	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	4020	eral.exe
Token: SeDebugPrivilege	3796	MoUsoCoreWorker.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 1180	2792	2024-08-17_0e275e10d98d838332ad0fd726b06420_poet-rat_snatch.exe	87
PID 2792 wrote to memory of 1180	2792	2024-08-17_0e275e10d98d838332ad0fd726b06420_poet-rat_snatch.exe	87
PID 2792 wrote to memory of 3840	2792	2024-08-17_0e275e10d98d838332ad0fd726b06420_poet-rat_snatch.exe	89
PID 2792 wrote to memory of 3840	2792	2024-08-17_0e275e10d98d838332ad0fd726b06420_poet-rat_snatch.exe	89
PID 2792 wrote to memory of 2388	2792	2024-08-17_0e275e10d98d838332ad0fd726b06420_poet-rat_snatch.exe	90
PID 2792 wrote to memory of 2388	2792	2024-08-17_0e275e10d98d838332ad0fd726b06420_poet-rat_snatch.exe	90
PID 2792 wrote to memory of 4560	2792	2024-08-17_0e275e10d98d838332ad0fd726b06420_poet-rat_snatch.exe	93
PID 2792 wrote to memory of 4560	2792	2024-08-17_0e275e10d98d838332ad0fd726b06420_poet-rat_snatch.exe	93
PID 2792 wrote to memory of 3036	2792	2024-08-17_0e275e10d98d838332ad0fd726b06420_poet-rat_snatch.exe	94
PID 2792 wrote to memory of 3036	2792	2024-08-17_0e275e10d98d838332ad0fd726b06420_poet-rat_snatch.exe	94
PID 2792 wrote to memory of 388	2792	2024-08-17_0e275e10d98d838332ad0fd726b06420_poet-rat_snatch.exe	95
PID 2792 wrote to memory of 388	2792	2024-08-17_0e275e10d98d838332ad0fd726b06420_poet-rat_snatch.exe	95
PID 2792 wrote to memory of 1928	2792	2024-08-17_0e275e10d98d838332ad0fd726b06420_poet-rat_snatch.exe	96
PID 2792 wrote to memory of 1928	2792	2024-08-17_0e275e10d98d838332ad0fd726b06420_poet-rat_snatch.exe	96
PID 2792 wrote to memory of 4020	2792	2024-08-17_0e275e10d98d838332ad0fd726b06420_poet-rat_snatch.exe	102
PID 2792 wrote to memory of 4020	2792	2024-08-17_0e275e10d98d838332ad0fd726b06420_poet-rat_snatch.exe	102
PID 4020 wrote to memory of 3064	4020	eral.exe	106
PID 4020 wrote to memory of 3064	4020	eral.exe	106
PID 3064 wrote to memory of 4740	3064	csc.exe	108
PID 3064 wrote to memory of 4740	3064	csc.exe	108
PID 4020 wrote to memory of 2944	4020	eral.exe	124
PID 4020 wrote to memory of 2944	4020	eral.exe	124
PID 2944 wrote to memory of 4712	2944	cmd.exe	126
PID 2944 wrote to memory of 4712	2944	cmd.exe	126
PID 2944 wrote to memory of 3096	2944	cmd.exe	127
PID 2944 wrote to memory of 3096	2944	cmd.exe	127
PID 2944 wrote to memory of 3796	2944	cmd.exe	128
PID 2944 wrote to memory of 3796	2944	cmd.exe	128

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2024-08-17_0e275e10d98d838332ad0fd726b06420_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-17_0e275e10d98d838332ad0fd726b06420_poet-rat_snatch.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\%s\Desktop'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Windows'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files (x86)'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Recovery'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\terarium'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\terarium\eral.exe
  C:\terarium\eral.exe
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0pajntnr\0pajntnr.cmdline"
    3⤵
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB79.tmp" "c:\Windows\System32\CSCA8AF99CF8FB0425291E08062AD73773.TMP"
      4⤵
      PID:4740
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oUn70fSky2.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4712
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:3096
  - - C:\terarium\MoUsoCoreWorker.exe
      "C:\terarium\MoUsoCoreWorker.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:3796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 10 /tr "'C:\terarium\MoUsoCoreWorker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\terarium\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 10 /tr "'C:\terarium\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\terarium\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\terarium\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\terarium\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\USOShared\Logs\User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\USOShared\Logs\User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\USOShared\Logs\User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\terarium\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\terarium\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\terarium\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "erale" /sc MINUTE /mo 7 /tr "'C:\terarium\eral.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "eral" /sc ONLOGON /tr "'C:\terarium\eral.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "erale" /sc MINUTE /mo 10 /tr "'C:\terarium\eral.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9c740b7699e2363ac4ecdf496520ca35

SHA1
aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9

SHA256
be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61

SHA512
8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dbb22d95851b93abf2afe8fb96a8e544

SHA1
920ec5fdb323537bcf78f7e29a4fc274e657f7a4

SHA256
e1ee9af6b9e3bfd41b7d2c980580bb7427883f1169ed3df4be11293ce7895465

SHA512
16031134458bf312509044a3028be46034c544163c4ca956aee74d2075fbeb5873754d2254dc1d0b573ce1a644336ac4c8bd7147aba100bfdac8c504900ef3fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1db603eb97fe7f53cec494c6bda708fa

SHA1
62eae65be71e756be720c83d846a0ec6cc4a7da6

SHA256
b1381bb40f4d49928f025366439d38f18a0683ee0e100a5fc38ad22639bfdf4c

SHA512
13d8cfc5eacc9e7ad5761614472dc7d1d1108be3dd2e1a036ec2d64be35b44480365a040c506bbf5a3b93cfdb3a25a7b9376f6771dd79d0d8eeea8abe98a98b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEB79.tmp

Filesize
1KB

MD5
5361c9050211d1bce61bb878fb037601

SHA1
5bdf227aa94420988eae18fb9d48706844795751

SHA256
3df510e8d4d7eac8fcbd0162bb2044a65dd70577a253171f25fadefc4ad7da74

SHA512
0a3b44a329db744a2144ca914eb203aa76bd585c144b538450b4d0db1e4a5d583c40ae92563e2f3fae214579a8bee0a213640eed058b3dc84e5bf3b881965f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3tcxtgy0.jbl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUn70fSky2.bat

Filesize
207B

MD5
5c898c644eaea416e536fedeb7a5ee8a

SHA1
26933ec698f93f16f5a2b2a64f71c6f8eba8387a

SHA256
cd6fde6d4d066a6d1342e85fc7a9abbe2ee152824fa266ae1ff60dff93714fc3

SHA512
2992eba07db641c3a019d8a8f37b35de464ba2d40f5a51ddd2f5c7fc22062a88c4a58fe8028bc89fc3be80c6cf5d6622c1a028ef057d43ef0a97850c8d61fa85

Download Submit
C:\terarium\eral.exe

Filesize
769KB

MD5
ecc81828c53f56493f2639091888a0db

SHA1
fd3352977eace7938474eb5d2361cc91d60cb38c

SHA256
103d2edc948773430aafd5c51c17dcd06db39412ccc20e4d4f1f86701cb8b2f0

SHA512
808d4bb960c159664f5f1099517044ec53b5cae47a5c33ce5e001f1a4e41b22cac0534480b20629f5440b027fd327719730775f519badc3821fcd7205a6942ed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0pajntnr\0pajntnr.0.cs

Filesize
363B

MD5
c059951d9245d6fafd81724b96ee3815

SHA1
272b9647e67d39e803eaa1db55fb7bda1ec92e66

SHA256
be103161d1638dc112e558c36f3607fd52cde84e4cda9cf7c151c953f1532431

SHA512
68a1ddd4d56864a30f2bce082c4f18ab8735bf64e2df77eb33e797dc4d51b931139edbbf0b2fc70dec7b51632ddd20ab7c6c5e3c98184ebfe6bd58ea9b071c40

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0pajntnr\0pajntnr.cmdline

Filesize
235B

MD5
b288e9675e5eee39e227484e072861fb

SHA1
a25de449d72925f74f8f6a46f032e70fca93b8e5

SHA256
17079a677da273a6969c998c619c0ff11024ecfc48da601068f8f490c76a1de5

SHA512
acccdbd02d04e9734ecf63069bed9247e72e41e08f9737d3b999803f25229057dfc1025cd0d8f484b38f8bbd34ca33db6546d1d6ad626154381e985a5a7c02d8

Download Submit
\??\c:\Windows\System32\CSCA8AF99CF8FB0425291E08062AD73773.TMP

Filesize
1KB

MD5
0f37e03cd32ff163eb3c300b5d572049

SHA1
e3f2b27901d597e93d54a501a5177f0a4c7c79e8

SHA256
7f334ea7247b02eaa85b4ab1e9ce73fa4dc153c0c58ad370a76613d086d979d9

SHA512
f24a0555965787dccb418350e1281af4181ea3c698375c0ce9c741cc0cdd4281f24c959cae526a44889f3186305a3f35fc0cb9895cc41715c14f528358a71bd1

Download Submit
memory/1180-11-0x00007FF8D3B20000-0x00007FF8D45E1000-memory.dmp

Filesize
10.8MB

Download
memory/1180-15-0x00007FF8D3B20000-0x00007FF8D45E1000-memory.dmp

Filesize
10.8MB

Download
memory/1180-1-0x000001E673C20000-0x000001E673C42000-memory.dmp

Filesize
136KB

Download
memory/1180-0-0x00007FF8D3B23000-0x00007FF8D3B25000-memory.dmp

Filesize
8KB

Download
memory/1180-12-0x00007FF8D3B20000-0x00007FF8D45E1000-memory.dmp

Filesize
10.8MB

Download
memory/3840-31-0x00007FF8D3CB0000-0x00007FF8D4771000-memory.dmp

Filesize
10.8MB

Download
memory/3840-17-0x00007FF8D3CB3000-0x00007FF8D3CB5000-memory.dmp

Filesize
8KB

Download
memory/3840-18-0x00007FF8D3CB0000-0x00007FF8D4771000-memory.dmp

Filesize
10.8MB

Download
memory/3840-19-0x00007FF8D3CB0000-0x00007FF8D4771000-memory.dmp

Filesize
10.8MB

Download
memory/4020-93-0x0000000000390000-0x0000000000456000-memory.dmp

Filesize
792KB

Download
memory/4020-102-0x00000000025C0000-0x00000000025CC000-memory.dmp

Filesize
48KB

Download
memory/4020-100-0x0000000002600000-0x0000000002618000-memory.dmp

Filesize
96KB

Download
memory/4020-98-0x00000000027C0000-0x0000000002810000-memory.dmp

Filesize
320KB

Download
memory/4020-97-0x00000000025E0000-0x00000000025FC000-memory.dmp

Filesize
112KB

Download
memory/4020-95-0x00000000025B0000-0x00000000025BE000-memory.dmp

Filesize
56KB

Download