3e8d98d5d75618970deccaeeae5e39123263ff22db1ae594b08dd4109828c7d1

Resubmissions

21-08-2024 01:30

240821-bw3pdsxcnq 10

21-08-2024 01:25

240821-bs432sxbjp 10

Analysis

max time kernel
38s
max time network
62s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc/3.exe
Size

2.1MB
MD5

a0dad08f164eaa10775ee446d7609671
SHA1

3fddaf10e5776433aedceefbcfa422e2967d37e2
SHA256

6321ebebea1d093460221986382502f6c5bb0a26937d4587f7476993a087db81
SHA512

d404bddb06c9f38b8f9088cef8d63be392d928756a403e8f666ee1ce93fc7d6396e42fbc75db9a7f9f2aee39ccd5cc42a919baf594a873bef068c3146824fbc6
SSDEEP

49152:IBJ9RJN6XwzevCev8gTi5QIxDdetPmp0ndliBv1j51JqAq:ynwQeZTnewdliBvR3Qv

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

crtCommon.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\MoUsoCoreWorker.exe\""	crtCommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\MoUsoCoreWorker.exe\", \"C:\\SurrogateBroker\\fontdrvhost.exe\""	crtCommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\MoUsoCoreWorker.exe\", \"C:\\SurrogateBroker\\fontdrvhost.exe\", \"C:\\Windows\\Logs\\HomeGroup\\StartMenuExperienceHost.exe\""	crtCommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\MoUsoCoreWorker.exe\", \"C:\\SurrogateBroker\\fontdrvhost.exe\", \"C:\\Windows\\Logs\\HomeGroup\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\WmiPrvSE.exe\""	crtCommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\MoUsoCoreWorker.exe\", \"C:\\SurrogateBroker\\fontdrvhost.exe\", \"C:\\Windows\\Logs\\HomeGroup\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\WmiPrvSE.exe\", \"C:\\SurrogateBroker\\backgroundTaskHost.exe\""	crtCommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\MoUsoCoreWorker.exe\", \"C:\\SurrogateBroker\\fontdrvhost.exe\", \"C:\\Windows\\Logs\\HomeGroup\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\WmiPrvSE.exe\", \"C:\\SurrogateBroker\\backgroundTaskHost.exe\", \"C:\\SurrogateBroker\\crtCommon.exe\""	crtCommon.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	3320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	3320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	3320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	3320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	3320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3328	3320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	3320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	3320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	3320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	3320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3776	3320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	3320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3768	3320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4324	3320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	3320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3204	3320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	3320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	3320	schtasks.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3.exeWScript.execrtCommon.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	crtCommon.exe

Executes dropped EXE 2 IoCs

Processes:

crtCommon.exeWmiPrvSE.exe

pid process

4204 crtCommon.exe
1180 WmiPrvSE.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

crtCommon.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MoUsoCoreWorker = "\"C:\\Program Files\\Windows NT\\Accessories\\en-US\\MoUsoCoreWorker.exe\""	crtCommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\SurrogateBroker\\fontdrvhost.exe\""	crtCommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\Logs\\HomeGroup\\StartMenuExperienceHost.exe\""	crtCommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\WmiPrvSE.exe\""	crtCommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crtCommon = "\"C:\\SurrogateBroker\\crtCommon.exe\""	crtCommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MoUsoCoreWorker = "\"C:\\Program Files\\Windows NT\\Accessories\\en-US\\MoUsoCoreWorker.exe\""	crtCommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\SurrogateBroker\\fontdrvhost.exe\""	crtCommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\Logs\\HomeGroup\\StartMenuExperienceHost.exe\""	crtCommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\WmiPrvSE.exe\""	crtCommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\SurrogateBroker\\backgroundTaskHost.exe\""	crtCommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\SurrogateBroker\\backgroundTaskHost.exe\""	crtCommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crtCommon = "\"C:\\SurrogateBroker\\crtCommon.exe\""	crtCommon.exe

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	process
File created	\??\c:\Windows\System32\gvmh1g.exe	csc.exe
File created	\??\c:\Windows\System32\CSC74F43F45D55344A0817EF829927C4C8.TMP	csc.exe

Drops file in Program Files directory 4 IoCs

Processes:

crtCommon.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Multimedia Platform\WmiPrvSE.exe	crtCommon.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\24dbde2999530e	crtCommon.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\MoUsoCoreWorker.exe	crtCommon.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\1f93f77a7f4778	crtCommon.exe

Drops file in Windows directory 2 IoCs

Processes:

crtCommon.exe

description	ioc	process
File created	C:\Windows\Logs\HomeGroup\StartMenuExperienceHost.exe	crtCommon.exe
File created	C:\Windows\Logs\HomeGroup\55b276f4edf653	crtCommon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3.exeWScript.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

4972 PING.EXE

pid	process
4972	PING.EXE

Modifies registry class 2 IoCs

Processes:

3.execrtCommon.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	3.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	crtCommon.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4972 PING.EXE

pid	process
4972	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
924	schtasks.exe
5068	schtasks.exe
3768	schtasks.exe
1264	schtasks.exe
3088	schtasks.exe
3776	schtasks.exe
4324	schtasks.exe
3204	schtasks.exe
3056	schtasks.exe
1796	schtasks.exe
980	schtasks.exe
760	schtasks.exe
5104	schtasks.exe
3328	schtasks.exe
1896	schtasks.exe
2208	schtasks.exe
1032	schtasks.exe
1552	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

crtCommon.exe

pid	process
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe
4204	crtCommon.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

crtCommon.exeWmiPrvSE.exe

description pid process

Token: SeDebugPrivilege 4204 crtCommon.exe
Token: SeDebugPrivilege 1180 WmiPrvSE.exe

description	pid	process
Token: SeDebugPrivilege	4204	crtCommon.exe
Token: SeDebugPrivilege	1180	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

3.exeWScript.execmd.execrtCommon.execsc.execmd.exe

description	pid	process	target process
PID 2036 wrote to memory of 3588	2036	3.exe	WScript.exe
PID 2036 wrote to memory of 3588	2036	3.exe	WScript.exe
PID 2036 wrote to memory of 3588	2036	3.exe	WScript.exe
PID 3588 wrote to memory of 728	3588	WScript.exe	cmd.exe
PID 3588 wrote to memory of 728	3588	WScript.exe	cmd.exe
PID 3588 wrote to memory of 728	3588	WScript.exe	cmd.exe
PID 728 wrote to memory of 4204	728	cmd.exe	crtCommon.exe
PID 728 wrote to memory of 4204	728	cmd.exe	crtCommon.exe
PID 4204 wrote to memory of 4512	4204	crtCommon.exe	csc.exe
PID 4204 wrote to memory of 4512	4204	crtCommon.exe	csc.exe
PID 4512 wrote to memory of 3468	4512	csc.exe	cvtres.exe
PID 4512 wrote to memory of 3468	4512	csc.exe	cvtres.exe
PID 4204 wrote to memory of 4000	4204	crtCommon.exe	cmd.exe
PID 4204 wrote to memory of 4000	4204	crtCommon.exe	cmd.exe
PID 4000 wrote to memory of 3244	4000	cmd.exe	chcp.com
PID 4000 wrote to memory of 3244	4000	cmd.exe	chcp.com
PID 4000 wrote to memory of 4972	4000	cmd.exe	PING.EXE
PID 4000 wrote to memory of 4972	4000	cmd.exe	PING.EXE
PID 4000 wrote to memory of 1180	4000	cmd.exe	WmiPrvSE.exe
PID 4000 wrote to memory of 1180	4000	cmd.exe	WmiPrvSE.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\dc\3.exe
"C:\Users\Admin\AppData\Local\Temp\dc\3.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\SurrogateBroker\WQvQ4rx0fbpv9Ezt6WggfBmo1lRVEZ48dO.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\SurrogateBroker\o4sZ7CSxS8G8o846TWeqd2QBw2.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:728
  - - C:\SurrogateBroker\crtCommon.exe
      "C:\SurrogateBroker/crtCommon.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4204
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0jac43bu\0jac43bu.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4512
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE6.tmp" "c:\Windows\System32\CSC74F43F45D55344A0817EF829927C4C8.TMP"
        6⤵
        
        PID:3468
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AexqHVCTb1.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4000
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3244
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4972
      - C:\Program Files (x86)\Windows Multimedia Platform\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\WmiPrvSE.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\en-US\MoUsoCoreWorker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\en-US\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\SurrogateBroker\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\SurrogateBroker\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\SurrogateBroker\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Windows\Logs\HomeGroup\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Logs\HomeGroup\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Windows\Logs\HomeGroup\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\SurrogateBroker\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\SurrogateBroker\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\SurrogateBroker\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "crtCommonc" /sc MINUTE /mo 5 /tr "'C:\SurrogateBroker\crtCommon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "crtCommon" /sc ONLOGON /tr "'C:\SurrogateBroker\crtCommon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "crtCommonc" /sc MINUTE /mo 7 /tr "'C:\SurrogateBroker\crtCommon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SurrogateBroker\WQvQ4rx0fbpv9Ezt6WggfBmo1lRVEZ48dO.vbe

Filesize
220B

MD5
9377cb5a423cf8bfff6477cc4985c483

SHA1
f7ffbb4cbfdd1064e87bba710ca230389b180b9b

SHA256
0f4f9f3080a603d52e9f8eb0cc899c152602bf3402aba9c996c61d757b07b64c

SHA512
b27c273a536ed702ab47c37981508d9059d1a9cbdeb8cee9a58141c3cf76454d999a23dbf59445fc01d3713f832085277168a1da65651a8f78c7758b6321628e

Download Submit
C:\SurrogateBroker\crtCommon.exe

Filesize
1.8MB

MD5
b8f8339599b59bb50e3da14c35eb3522

SHA1
b945a6989385bda8ff50502fc16ac6a78919c304

SHA256
e66daf4326469fedb93e1dac80b21218822885b460dcd5e2bcc2735cf4494955

SHA512
4456056f633e812200d2f13b58e698c0d8e2fd146880629600f5e69d21b4fc4822820331717b747af9f449cb9f31e69b7e3f4a9f7f584861b440f2d7b8eecad6

Download Submit
C:\SurrogateBroker\o4sZ7CSxS8G8o846TWeqd2QBw2.bat

Filesize
79B

MD5
8282f62b782d639ece324e590c34e3b4

SHA1
f045ce5b289d40bb09343693ee1b8203e4c01ef0

SHA256
a09fbd6fea0c4a09c191e714a2bd3802b56cea01622e5a110587668c46f150b7

SHA512
a0cedb6106bf25f8737cdb9407c44fd4c09d5054e4eb453b3789b7acae6e26751376cc1ee9c04a5e2f13ae70ef24581262839d68849492dae8a1d23c7d39fba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AexqHVCTb1.bat

Filesize
191B

MD5
5e1a1f758141bd6563b69d067efed734

SHA1
ef8277557538f0c576ec932bc086c89a9c66a13b

SHA256
51ae4845523af8153dd5a14c120373b1f7340d8f45cd543e97ebb4e567460ad0

SHA512
5c7038249631555a7697dc97a64dd160ccec76f300a3cff7c27369256c6bb5a6fda0ff4e3dac0e0ebf7a980706083edbb64ed4cd74cdff6332569a17006ac553

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDE6.tmp

Filesize
1KB

MD5
e904eea84c64b9f02e2200108b620f10

SHA1
3883585cfdd911afb5828060431a80c424ad4c01

SHA256
b9e0a549a293925866cf45375649696ffdf20f18a7a433db9fbeb3f0b6209313

SHA512
0cb7884d3bc4ec1b95ed47c1efd1c947098c1161883d4276146bf96963f51ff49a4d40ea0e40567079779442b4b8e7aa452410597a6e96aee74b234460dfb7ca

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0jac43bu\0jac43bu.0.cs

Filesize
397B

MD5
cd41e260a4981af8bcdaeb130f70477c

SHA1
e7d41dd7ba85c8d65a131394619795ad479c4275

SHA256
507abd0334ad63d83393e1b314e068a4d4ac7630444575c108782ff00dfe4b6e

SHA512
dc3a301e416baab0b9917fafdf344e0fb2e0105d68da9cd6d60446a974d81ab125db87c8b1df48074eb2b3126e9ac31b0a242afcaddb0b9cc9a913df7bf1674e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0jac43bu\0jac43bu.cmdline

Filesize
235B

MD5
5877ab88e5cdb902305c5848bf2071df

SHA1
0e893633f2d4feb0c47f0cf630089a32d3bb23eb

SHA256
60dfe82bdb1e4f6cb629e918a80f609ec9f550840656631530ae1825ccac474e

SHA512
e1858ba73356df333db9e74a3860610fc3b7b8acce1aa8f238e806ac30464a9f29c77f9b82224250ad989d4322ac262eaa9caf99fb8852536e9e143baaf07638

Download Submit
\??\c:\Windows\System32\CSC74F43F45D55344A0817EF829927C4C8.TMP

Filesize
1KB

MD5
0f37e03cd32ff163eb3c300b5d572049

SHA1
e3f2b27901d597e93d54a501a5177f0a4c7c79e8

SHA256
7f334ea7247b02eaa85b4ab1e9ce73fa4dc153c0c58ad370a76613d086d979d9

SHA512
f24a0555965787dccb418350e1281af4181ea3c698375c0ce9c741cc0cdd4281f24c959cae526a44889f3186305a3f35fc0cb9895cc41715c14f528358a71bd1

Download Submit
memory/4204-17-0x000000001B730000-0x000000001B74C000-memory.dmp

Filesize
112KB

Download
memory/4204-22-0x0000000002D10000-0x0000000002D1C000-memory.dmp

Filesize
48KB

Download
memory/4204-20-0x000000001BA60000-0x000000001BA78000-memory.dmp

Filesize
96KB

Download
memory/4204-18-0x000000001BAB0000-0x000000001BB00000-memory.dmp

Filesize
320KB

Download
memory/4204-15-0x0000000002CC0000-0x0000000002CCE000-memory.dmp

Filesize
56KB

Download
memory/4204-13-0x0000000000920000-0x0000000000AFA000-memory.dmp

Filesize
1.9MB

Download
memory/4204-12-0x00007FFACB513000-0x00007FFACB515000-memory.dmp

Filesize
8KB

Download