Overview
overview
10Static
static
10dc/10.exe
windows10-2004-x64
10dc/12.exe
windows10-2004-x64
7dc/13.exe
windows10-2004-x64
10dc/15.exe
windows10-2004-x64
8dc/16.exe
windows10-2004-x64
10dc/17.exe
windows10-2004-x64
3dc/19.exe
windows10-2004-x64
10dc/22.exe
windows10-2004-x64
10dc/23.exe
windows10-2004-x64
10dc/3.exe
windows10-2004-x64
10dc/4.exe
windows10-2004-x64
3dc/5.exe
windows10-2004-x64
10dc/6.exe
windows10-2004-x64
10dc/7.exe
windows10-2004-x64
9dc/9.exe
windows10-2004-x64
10Analysis
-
max time kernel
55s -
max time network
63s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
21-08-2024 01:25
Behavioral task
behavioral1
Sample
dc/10.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral2
Sample
dc/12.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
dc/13.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral4
Sample
dc/15.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
dc/16.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral6
Sample
dc/17.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
dc/19.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral8
Sample
dc/22.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
dc/23.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral10
Sample
dc/3.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
dc/4.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral12
Sample
dc/5.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
dc/6.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral14
Sample
dc/7.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
dc/9.exe
Resource
win10v2004-20240802-en
General
-
Target
dc/16.exe
-
Size
2.1MB
-
MD5
7463afed528fc46f2ec9fa4fbe521161
-
SHA1
e635026d8642c6460152371b8a2a2cc95c93aeee
-
SHA256
d47573bf5a75f99f0a9dc5558b81fe5fd62dd78306dd62ef2869f0107ec885af
-
SHA512
4ac2da7664cb6b6dc441dee912d0dfc16652d486bc78fdc609ad5d611d3478af36eab050825e548500f14a09b6b365c55c227e1bcecc15ff5fef7a4bf90de605
-
SSDEEP
49152:IBJa3BXSZ9+EPrG7jyWXQptPCzBY7/FYttV4xTRtZwI:yM3BXPGrcyWXQQZttuxNwI
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\fontdrvhost.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\Registry.exe\", \"C:\\Windows\\Setup\\SearchApp.exe\", \"C:\\serverwebHost\\PortContainerProviderInto.exe\"" PortContainerProviderInto.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\spoolsv.exe\"" PortContainerProviderInto.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\fontdrvhost.exe\"" PortContainerProviderInto.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\fontdrvhost.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\"" PortContainerProviderInto.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\fontdrvhost.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\Registry.exe\"" PortContainerProviderInto.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Program Files\\Windows Defender\\it-IT\\fontdrvhost.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\Registry.exe\", \"C:\\Windows\\Setup\\SearchApp.exe\"" PortContainerProviderInto.exe -
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4788 3584 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3740 3584 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4964 3584 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4464 3584 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1492 3584 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1792 3584 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1460 3584 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3800 3584 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4960 3584 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4324 3584 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3124 3584 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 208 3584 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3460 3584 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3004 3584 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3164 3584 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1500 3584 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4708 3584 schtasks.exe 90 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2948 3584 schtasks.exe 90 -
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation Registry.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation 16.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation PortContainerProviderInto.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation Registry.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation Registry.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation Registry.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation Registry.exe -
Executes dropped EXE 6 IoCs
pid Process 2520 PortContainerProviderInto.exe 4516 Registry.exe 2372 Registry.exe 1324 Registry.exe 4016 Registry.exe 4256 Registry.exe -
Adds Run key to start application 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\WindowsRE\\spoolsv.exe\"" PortContainerProviderInto.exe Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Windows Defender\\it-IT\\fontdrvhost.exe\"" PortContainerProviderInto.exe Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default User\\RuntimeBroker.exe\"" PortContainerProviderInto.exe Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files\\Microsoft Office 15\\ClientX64\\Registry.exe\"" PortContainerProviderInto.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files\\Microsoft Office 15\\ClientX64\\Registry.exe\"" PortContainerProviderInto.exe Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PortContainerProviderInto = "\"C:\\serverwebHost\\PortContainerProviderInto.exe\"" PortContainerProviderInto.exe Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\WindowsRE\\spoolsv.exe\"" PortContainerProviderInto.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Windows Defender\\it-IT\\fontdrvhost.exe\"" PortContainerProviderInto.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default User\\RuntimeBroker.exe\"" PortContainerProviderInto.exe Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\Setup\\SearchApp.exe\"" PortContainerProviderInto.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\Setup\\SearchApp.exe\"" PortContainerProviderInto.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PortContainerProviderInto = "\"C:\\serverwebHost\\PortContainerProviderInto.exe\"" PortContainerProviderInto.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created \??\c:\Windows\System32\CSC70A1F03F97DA4D1EB83FA8BA798900.TMP csc.exe File created \??\c:\Windows\System32\9hsi6j.exe csc.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File created C:\Program Files\Windows Defender\it-IT\fontdrvhost.exe PortContainerProviderInto.exe File created C:\Program Files\Windows Defender\it-IT\5b884080fd4f94 PortContainerProviderInto.exe File created C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe PortContainerProviderInto.exe File created C:\Program Files\Microsoft Office 15\ClientX64\ee2ad38f3d4382 PortContainerProviderInto.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\Setup\SearchApp.exe PortContainerProviderInto.exe File opened for modification C:\Windows\Setup\SearchApp.exe PortContainerProviderInto.exe File created C:\Windows\Setup\38384e6a620884 PortContainerProviderInto.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 16.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 4888 PING.EXE 844 PING.EXE 1008 PING.EXE -
Modifies registry class 7 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings 16.exe Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings PortContainerProviderInto.exe Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings Registry.exe Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings Registry.exe Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings Registry.exe Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings Registry.exe Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings Registry.exe -
Runs ping.exe 1 TTPs 3 IoCs
pid Process 4888 PING.EXE 844 PING.EXE 1008 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 208 schtasks.exe 1500 schtasks.exe 2948 schtasks.exe 4960 schtasks.exe 1492 schtasks.exe 4324 schtasks.exe 3164 schtasks.exe 4964 schtasks.exe 3740 schtasks.exe 4464 schtasks.exe 3124 schtasks.exe 3460 schtasks.exe 4788 schtasks.exe 1460 schtasks.exe 3800 schtasks.exe 3004 schtasks.exe 4708 schtasks.exe 1792 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 2520 PortContainerProviderInto.exe 4516 Registry.exe 4516 Registry.exe 4516 Registry.exe 4516 Registry.exe 4516 Registry.exe 4516 Registry.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 2520 PortContainerProviderInto.exe Token: SeDebugPrivilege 4516 Registry.exe Token: SeDebugPrivilege 2372 Registry.exe Token: SeDebugPrivilege 1324 Registry.exe Token: SeDebugPrivilege 4016 Registry.exe Token: SeDebugPrivilege 4256 Registry.exe -
Suspicious use of WriteProcessMemory 58 IoCs
description pid Process procid_target PID 2624 wrote to memory of 4088 2624 16.exe 86 PID 2624 wrote to memory of 4088 2624 16.exe 86 PID 2624 wrote to memory of 4088 2624 16.exe 86 PID 4088 wrote to memory of 3084 4088 WScript.exe 94 PID 4088 wrote to memory of 3084 4088 WScript.exe 94 PID 4088 wrote to memory of 3084 4088 WScript.exe 94 PID 3084 wrote to memory of 2520 3084 cmd.exe 96 PID 3084 wrote to memory of 2520 3084 cmd.exe 96 PID 2520 wrote to memory of 2172 2520 PortContainerProviderInto.exe 100 PID 2520 wrote to memory of 2172 2520 PortContainerProviderInto.exe 100 PID 2172 wrote to memory of 2464 2172 csc.exe 102 PID 2172 wrote to memory of 2464 2172 csc.exe 102 PID 2520 wrote to memory of 1752 2520 PortContainerProviderInto.exe 118 PID 2520 wrote to memory of 1752 2520 PortContainerProviderInto.exe 118 PID 1752 wrote to memory of 4900 1752 cmd.exe 120 PID 1752 wrote to memory of 4900 1752 cmd.exe 120 PID 1752 wrote to memory of 4888 1752 cmd.exe 121 PID 1752 wrote to memory of 4888 1752 cmd.exe 121 PID 1752 wrote to memory of 4516 1752 cmd.exe 122 PID 1752 wrote to memory of 4516 1752 cmd.exe 122 PID 4516 wrote to memory of 2888 4516 Registry.exe 123 PID 4516 wrote to memory of 2888 4516 Registry.exe 123 PID 2888 wrote to memory of 4908 2888 cmd.exe 125 PID 2888 wrote to memory of 4908 2888 cmd.exe 125 PID 2888 wrote to memory of 1332 2888 cmd.exe 126 PID 2888 wrote to memory of 1332 2888 cmd.exe 126 PID 2888 wrote to memory of 2372 2888 cmd.exe 128 PID 2888 wrote to memory of 2372 2888 cmd.exe 128 PID 2372 wrote to memory of 2120 2372 Registry.exe 129 PID 2372 wrote to memory of 2120 2372 Registry.exe 129 PID 2120 wrote to memory of 64 2120 cmd.exe 131 PID 2120 wrote to memory of 64 2120 cmd.exe 131 PID 2120 wrote to memory of 1240 2120 cmd.exe 132 PID 2120 wrote to memory of 1240 2120 cmd.exe 132 PID 2120 wrote to memory of 1324 2120 cmd.exe 135 PID 2120 wrote to memory of 1324 2120 cmd.exe 135 PID 1324 wrote to memory of 4444 1324 Registry.exe 136 PID 1324 wrote to memory of 4444 1324 Registry.exe 136 PID 4444 wrote to memory of 3700 4444 cmd.exe 138 PID 4444 wrote to memory of 3700 4444 cmd.exe 138 PID 4444 wrote to memory of 1512 4444 cmd.exe 139 PID 4444 wrote to memory of 1512 4444 cmd.exe 139 PID 4444 wrote to memory of 4016 4444 cmd.exe 140 PID 4444 wrote to memory of 4016 4444 cmd.exe 140 PID 4016 wrote to memory of 768 4016 Registry.exe 141 PID 4016 wrote to memory of 768 4016 Registry.exe 141 PID 768 wrote to memory of 528 768 cmd.exe 143 PID 768 wrote to memory of 528 768 cmd.exe 143 PID 768 wrote to memory of 844 768 cmd.exe 144 PID 768 wrote to memory of 844 768 cmd.exe 144 PID 768 wrote to memory of 4256 768 cmd.exe 145 PID 768 wrote to memory of 4256 768 cmd.exe 145 PID 4256 wrote to memory of 2396 4256 Registry.exe 146 PID 4256 wrote to memory of 2396 4256 Registry.exe 146 PID 2396 wrote to memory of 4868 2396 cmd.exe 148 PID 2396 wrote to memory of 4868 2396 cmd.exe 148 PID 2396 wrote to memory of 1008 2396 cmd.exe 149 PID 2396 wrote to memory of 1008 2396 cmd.exe 149 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\dc\16.exe"C:\Users\Admin\AppData\Local\Temp\dc\16.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\serverwebHost\4oKdtudTUCn1xfZVNRnKk1uuQ04SOimsBP5zIw03.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4088 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\serverwebHost\h9CP0oVIg2Hs0PNd7TTvOG4hPFiXmLBqtAJW0GDjd4JYStxqYf0SYrF.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3084 -
C:\serverwebHost\PortContainerProviderInto.exe"C:\serverwebHost/PortContainerProviderInto.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pxqbn1wk\pxqbn1wk.cmdline"5⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD234.tmp" "c:\Windows\System32\CSC70A1F03F97DA4D1EB83FA8BA798900.TMP"6⤵PID:2464
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jYMvmX4VsC.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\system32\chcp.comchcp 650016⤵PID:4900
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4888
-
-
C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe"C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0H3zCkvC0l.bat"7⤵
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\system32\chcp.comchcp 650018⤵PID:4908
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:1332
-
-
C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe"C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4len57naH7.bat"9⤵
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\system32\chcp.comchcp 6500110⤵PID:64
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:1240
-
-
C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe"C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jlnOMvOYTO.bat"11⤵
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\Windows\system32\chcp.comchcp 6500112⤵PID:3700
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:1512
-
-
C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe"C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aRcytkisn9.bat"13⤵
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\system32\chcp.comchcp 6500114⤵PID:528
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:844
-
-
C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe"C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4256 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mESeKRNGrE.bat"15⤵
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\system32\chcp.comchcp 6500116⤵PID:4868
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1008
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\it-IT\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4464
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\it-IT\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3124
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:208
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Windows\Setup\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Setup\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Windows\Setup\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3164
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "PortContainerProviderIntoP" /sc MINUTE /mo 13 /tr "'C:\serverwebHost\PortContainerProviderInto.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "PortContainerProviderInto" /sc ONLOGON /tr "'C:\serverwebHost\PortContainerProviderInto.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "PortContainerProviderIntoP" /sc MINUTE /mo 10 /tr "'C:\serverwebHost\PortContainerProviderInto.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5f8b2fca3a50771154571c11f1c53887b
SHA12e83b0c8e2f4c10b145b7fb4832ed1c78743de3f
SHA2560efa72802031a8f902c3a4ab18fe3d667dafc71c93eb3a1811e78353ecf4a6b6
SHA512b98b8d5516593d13415199d4ac6fbe4ff924488487c4bd863cb677601048785d872a3ff30129148e2961cb6fb2fc33117540302980a132f57f7ec9a497813f1a
-
Filesize
235B
MD51cf630c02fda1b05ba14be19adfedeff
SHA1f7fa3b267e91b055d44ab69efd73d1b76b0572a2
SHA256cda218888726ec92249ad808b8229458eb953e4a272f587f831c18708f48dc55
SHA512909c4e98c50b6d53e60e9acb8e9e91eb94b00b64c809beb777a9e43468dae462badcf1548e5fe87cf45aa6ed301eabdb9d023ecaef1f3467f02d84e086949cdc
-
Filesize
235B
MD5132b1a003f54d79e33c7c27d23378ecc
SHA1b2334c3b6eb57fe8aaaee68c76afc03b34f47af2
SHA25628274bac7d6d26762cfa5057b0a03f7f3851668cb19c43952fa8a038ba9bb0db
SHA512223d930a65661688cd67cf6d785a3f3fba9bd978765a0c8cb63e2b7c3a0880ff6642a6d76c9e2384a8356e261ae9e8ec0831cec89f538fcde6dae1df4357187f
-
Filesize
1KB
MD5bbe4e23675add4131a3d7663df557cd2
SHA19625e8380f338520bcc11a9071c9761540f0e1b6
SHA2564e02fa423ba20c66ec8c8227f4d0f63ab6ab9044f077efc3831388bc98413d01
SHA51294cfe35ab716034edea7bd721e121eb0cc4f8b9faf676703b56a119493881e3b4e07f41ea39e67e30b295b8236307be9b2b5d80cfdedb82122c9cf7b46d40db1
-
Filesize
187B
MD5f996394b65524b45b9061746355fd4d2
SHA118b1534605c659583b9eaa24126bdf67bfffda16
SHA256857b48f9a1bae56e89e850c069caab0078c72ff0ca09860045f0629d47aa2aca
SHA5123242ab1d2aca03951c945675fb2918bc829d9d1a7da775dc557010e05d235fd355fa0d8705a6d484d12ecb990085c3a46ed414192d86bbaee6939f2a872d5c69
-
Filesize
187B
MD519955fb5f2bc2782f4886a55e9f1cc8c
SHA1cf62439624bc70eb988c025c1796815ef03fec09
SHA25654a18a774e39caae960cdd26aa03589d808806785fb0a665f124a04ab3f054e5
SHA51256270d1672cc70d0d61ee6434d14b9a38842c639a0d922d2d8e1a8dcdea9ba184d89250ce54c019b0a2e9e292c6d8d0be50f6db65425c479fd1bd3463fba7fd5
-
Filesize
235B
MD56559abfa7a42bb15172f28b3faa0b37e
SHA13b8d9b7d2d6928dbcf9b84bc1fe49b7841c7ff86
SHA256a0b72df12ac2651c4367dc4135deac4880ec78e1d0aa35f1c099d885afe1570a
SHA512c3a9701087d7ebff9506a8a3e651c4f7c97029db903183d1bf4cd9a65d01eb532ba1410b385eedf6ff4ef396dcafe8d3ebc5c3b8923832191b23d635b6dcd9f4
-
Filesize
187B
MD5141f5e3be57bf0961e534512753eaf3c
SHA167091a566577fcc24b6f3bc5ca5aa2029b91c35a
SHA256175fae8f81a35c8717563864679f0b5ac6c361141c7bb006d3a229e84da9ceca
SHA51235de6b628b998168fe5174ab10d8d6e6c0c360ecc170d750be271ec2e84ac787aad68093150f5e785c506649f29af50536877244b0fc73704cf6ca1c88c9cc05
-
Filesize
247B
MD53823f17b31accd12a1a1674c7704ceb7
SHA1840537e7d0e1210756385450c11d8989d4f9bbd1
SHA256381dbb5c2ea5bbd8d8022abe6ff8a73f5dd9ece50e52b420aa68f1fc80bffe9b
SHA5121b1850ecb711b34ac2e1bfaa982fd3b26f3e6fef091f87486d970c50845bd5d5a6ea4e8324c4255096bc41686a1ae8d9ec825837184effd6fe8c7aadf78a8b97
-
Filesize
1.8MB
MD5d857cb1c1230177206443b6a097afc30
SHA1789710390a5a94f25a1138fae9ca160a6cd2667e
SHA25691dd0de06c2cb475dad004eb6e619117ae6427d2950228f39013daad3b02d720
SHA512554eee18ca415c09e2cd187a64f68c17d59bf7bb2e4931badadf719592d7be3fd50987a5d409974f12e8634e47ef820b29e4cbad3136fef87fda4f82828a5ce8
-
Filesize
86B
MD574e02382e2448b31df81b7122da202b6
SHA1be1614cd751b2b137710ff6b033552c9c816ae4b
SHA256ed94d9198953be4d9f3d0639b3ed335b0f3ad65881cd0581a27ffebd4551f0bd
SHA512072449316141c15a2239f9ac6b17bfa081703260ecfd4c494f3653375c4ce9dba14d9538d3ed09d5113d5f8344eb5a0769e8ee089c518962bbc749a484f105c6
-
Filesize
365B
MD58db41f288358aa33e67d25734cd86195
SHA170ebd43e48a5e002e52fed2fbc9a4f90f1ae4a7b
SHA256421d3d89a4099903f525ec1dbe286be991ef083d9f1ba9a32f6b95c5e30375a6
SHA512629b271fb301eba2adef34b15d7667cac9915aaef74b7548136f895735e52bc9523b8eeea04411d2a95ab22a7dbdb17096ad1323f35617a4a624295e19673a5f
-
Filesize
235B
MD56851e27f18b1f8586a46a128b3804b9b
SHA12c61a5c2e9afd0d1f2758f745edab092770999d1
SHA256833e6a4eb3b3f98162b9afea7f77780c0d7854f347ed62c31bfce5ba7e94f707
SHA512f6c5e250358bf5051c8ebfc908dd7bc8d208749c1d2e4ed4e67e38132bebd01284505bd720313deebfa046b495e3e037c02967b72a553d8c50823764aa575295
-
Filesize
1KB
MD5da358acc1c776804f760de9f97ab5559
SHA1038168a232be9db3c170b6d8dccac62cfbb8e969
SHA256f46ed0361ae7838e338b8dad157daf7c0848d76dfe0f2d9db12bb64bed6ef343
SHA51297cea7270ba86a760adf14409ecad511999f591b680fb6ac62c6c75957257feb22f6a2fefe673b2c648a3935ffe192bc3cb16e965c2bdf83d6140b38dfeb9f3b