3e8d98d5d75618970deccaeeae5e39123263ff22db1ae594b08dd4109828c7d1

Resubmissions

21-08-2024 01:30

240821-bw3pdsxcnq 10

21-08-2024 01:25

240821-bs432sxbjp 10

Analysis

max time kernel
55s
max time network
62s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc/19.exe
Size

2.1MB
MD5

3e2a24aaa5d0f9bb10bfad986ce31279
SHA1

23aa6c2a838eb744f2cee356835eb1f04879e97c
SHA256

dcef31131a10eb3765f1da688fb233fe5fd82aecada26a5a4c003ed848f4ef5e
SHA512

bec737c6d27c77755ec962b46c69832bd25856e1029a54c3f79f4620e6123d9b63277b5c470bc921edfbe1503532f26c882b84315dc701874dc62c04bae4ac26
SSDEEP

49152:IBJ5BGELU3i6oUt8vLD51ncebaIFZRDiXP:ybFgS7U+lZPGIhD2

Score

10^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

HyperComponentbrowserwinRuntime.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\BrowserwinRef\\sppsvc.exe\", \"C:\\Windows\\Migration\\WTR\\Idle.exe\""	HyperComponentbrowserwinRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\BrowserwinRef\\sppsvc.exe\", \"C:\\Windows\\Migration\\WTR\\Idle.exe\", \"C:\\Program Files\\7-Zip\\Lang\\unsecapp.exe\""	HyperComponentbrowserwinRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\BrowserwinRef\\sppsvc.exe\", \"C:\\Windows\\Migration\\WTR\\Idle.exe\", \"C:\\Program Files\\7-Zip\\Lang\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\sysmon.exe\""	HyperComponentbrowserwinRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\BrowserwinRef\\sppsvc.exe\", \"C:\\Windows\\Migration\\WTR\\Idle.exe\", \"C:\\Program Files\\7-Zip\\Lang\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\BrowserwinRef\\HyperComponentbrowserwinRuntime.exe\""	HyperComponentbrowserwinRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\""	HyperComponentbrowserwinRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\BrowserwinRef\\sppsvc.exe\""	HyperComponentbrowserwinRuntime.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4136	5016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	5016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	5016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	5016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	5016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	5016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	5016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	5016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	5016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3320	5016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4348	5016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	5016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	5016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	5016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	5016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	5016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	5016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	5016	schtasks.exe

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

19.exeWScript.exeHyperComponentbrowserwinRuntime.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	19.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	HyperComponentbrowserwinRuntime.exe

Executes dropped EXE 2 IoCs

Processes:

HyperComponentbrowserwinRuntime.exeHyperComponentbrowserwinRuntime.exe

pid process

404 HyperComponentbrowserwinRuntime.exe
3968 HyperComponentbrowserwinRuntime.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

HyperComponentbrowserwinRuntime.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\7-Zip\\Lang\\unsecapp.exe\""	HyperComponentbrowserwinRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\7-Zip\\Lang\\unsecapp.exe\""	HyperComponentbrowserwinRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HyperComponentbrowserwinRuntime = "\"C:\\BrowserwinRef\\HyperComponentbrowserwinRuntime.exe\""	HyperComponentbrowserwinRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\""	HyperComponentbrowserwinRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\""	HyperComponentbrowserwinRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\BrowserwinRef\\sppsvc.exe\""	HyperComponentbrowserwinRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Migration\\WTR\\Idle.exe\""	HyperComponentbrowserwinRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HyperComponentbrowserwinRuntime = "\"C:\\BrowserwinRef\\HyperComponentbrowserwinRuntime.exe\""	HyperComponentbrowserwinRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\BrowserwinRef\\sppsvc.exe\""	HyperComponentbrowserwinRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Migration\\WTR\\Idle.exe\""	HyperComponentbrowserwinRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Recovery\\WindowsRE\\sysmon.exe\""	HyperComponentbrowserwinRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Recovery\\WindowsRE\\sysmon.exe\""	HyperComponentbrowserwinRuntime.exe

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	process
File created	\??\c:\Windows\System32\CSCA69C83CEE1434EF5BC32C069D2DB711.TMP	csc.exe
File created	\??\c:\Windows\System32\eemqzy.exe	csc.exe

Drops file in Program Files directory 2 IoCs

Processes:

HyperComponentbrowserwinRuntime.exe

description	ioc	process
File created	C:\Program Files\7-Zip\Lang\unsecapp.exe	HyperComponentbrowserwinRuntime.exe
File created	C:\Program Files\7-Zip\Lang\29c1c3cc0f7685	HyperComponentbrowserwinRuntime.exe

Drops file in Windows directory 2 IoCs

Processes:

HyperComponentbrowserwinRuntime.exe

description	ioc	process
File created	C:\Windows\Migration\WTR\Idle.exe	HyperComponentbrowserwinRuntime.exe
File created	C:\Windows\Migration\WTR\6ccacd8608530f	HyperComponentbrowserwinRuntime.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

19.exeWScript.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

4432 PING.EXE

pid	process
4432	PING.EXE

Modifies registry class 2 IoCs

Processes:

HyperComponentbrowserwinRuntime.exe19.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	HyperComponentbrowserwinRuntime.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	19.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4432 PING.EXE

pid	process
4432	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
4308	schtasks.exe
1952	schtasks.exe
3320	schtasks.exe
4244	schtasks.exe
1364	schtasks.exe
4336	schtasks.exe
4348	schtasks.exe
388	schtasks.exe
4136	schtasks.exe
2372	schtasks.exe
3360	schtasks.exe
4896	schtasks.exe
536	schtasks.exe
1896	schtasks.exe
4628	schtasks.exe
1928	schtasks.exe
5052	schtasks.exe
1084	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

HyperComponentbrowserwinRuntime.exeHyperComponentbrowserwinRuntime.exe

pid	process
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
404	HyperComponentbrowserwinRuntime.exe
3968	HyperComponentbrowserwinRuntime.exe
3968	HyperComponentbrowserwinRuntime.exe
3968	HyperComponentbrowserwinRuntime.exe
3968	HyperComponentbrowserwinRuntime.exe
3968	HyperComponentbrowserwinRuntime.exe
3968	HyperComponentbrowserwinRuntime.exe
3968	HyperComponentbrowserwinRuntime.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

HyperComponentbrowserwinRuntime.exeHyperComponentbrowserwinRuntime.exe

description pid process

Token: SeDebugPrivilege 404 HyperComponentbrowserwinRuntime.exe
Token: SeDebugPrivilege 3968 HyperComponentbrowserwinRuntime.exe

description	pid	process
Token: SeDebugPrivilege	404	HyperComponentbrowserwinRuntime.exe
Token: SeDebugPrivilege	3968	HyperComponentbrowserwinRuntime.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

19.exeWScript.execmd.exeHyperComponentbrowserwinRuntime.execsc.execmd.exe

description	pid	process	target process
PID 3148 wrote to memory of 3132	3148	19.exe	WScript.exe
PID 3148 wrote to memory of 3132	3148	19.exe	WScript.exe
PID 3148 wrote to memory of 3132	3148	19.exe	WScript.exe
PID 3132 wrote to memory of 448	3132	WScript.exe	cmd.exe
PID 3132 wrote to memory of 448	3132	WScript.exe	cmd.exe
PID 3132 wrote to memory of 448	3132	WScript.exe	cmd.exe
PID 448 wrote to memory of 404	448	cmd.exe	HyperComponentbrowserwinRuntime.exe
PID 448 wrote to memory of 404	448	cmd.exe	HyperComponentbrowserwinRuntime.exe
PID 404 wrote to memory of 2540	404	HyperComponentbrowserwinRuntime.exe	csc.exe
PID 404 wrote to memory of 2540	404	HyperComponentbrowserwinRuntime.exe	csc.exe
PID 2540 wrote to memory of 3924	2540	csc.exe	cvtres.exe
PID 2540 wrote to memory of 3924	2540	csc.exe	cvtres.exe
PID 404 wrote to memory of 2204	404	HyperComponentbrowserwinRuntime.exe	cmd.exe
PID 404 wrote to memory of 2204	404	HyperComponentbrowserwinRuntime.exe	cmd.exe
PID 2204 wrote to memory of 3036	2204	cmd.exe	chcp.com
PID 2204 wrote to memory of 3036	2204	cmd.exe	chcp.com
PID 2204 wrote to memory of 4432	2204	cmd.exe	PING.EXE
PID 2204 wrote to memory of 4432	2204	cmd.exe	PING.EXE
PID 2204 wrote to memory of 3968	2204	cmd.exe	HyperComponentbrowserwinRuntime.exe
PID 2204 wrote to memory of 3968	2204	cmd.exe	HyperComponentbrowserwinRuntime.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\dc\19.exe
"C:\Users\Admin\AppData\Local\Temp\dc\19.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BrowserwinRef\tHfYIcJEPrAe4W4Mb92xXs3G610U6bqi.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\BrowserwinRef\tgoBzi59fjjPhHwozUoC.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:448
  - - C:\BrowserwinRef\HyperComponentbrowserwinRuntime.exe
      "C:\BrowserwinRef/HyperComponentbrowserwinRuntime.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:404
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\znuiqiyh\znuiqiyh.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2540
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB6AD.tmp" "c:\Windows\System32\CSCA69C83CEE1434EF5BC32C069D2DB711.TMP"
        6⤵
        
        PID:3924
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HHO8HQe0Dq.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2204
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3036
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4432
      - C:\BrowserwinRef\HyperComponentbrowserwinRuntime.exe
        
        "C:\BrowserwinRef\HyperComponentbrowserwinRuntime.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\BrowserwinRef\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\BrowserwinRef\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\BrowserwinRef\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\Migration\WTR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HyperComponentbrowserwinRuntimeH" /sc MINUTE /mo 14 /tr "'C:\BrowserwinRef\HyperComponentbrowserwinRuntime.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HyperComponentbrowserwinRuntime" /sc ONLOGON /tr "'C:\BrowserwinRef\HyperComponentbrowserwinRuntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HyperComponentbrowserwinRuntimeH" /sc MINUTE /mo 11 /tr "'C:\BrowserwinRef\HyperComponentbrowserwinRuntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BrowserwinRef\HyperComponentbrowserwinRuntime.exe

Filesize
1.8MB

MD5
ab7bfd003313405a8ce166ede217cf0b

SHA1
5520cb0f72bd3c9978f30b72614976aa2c03bd4a

SHA256
c7cfe7c9b93222025a69ae2ca873b12272d4d2dbccadc7e55698df163087569f

SHA512
1cbfe8e7209efe88e43f80269d3b985776b1029ff20e1618ac87a0331537586cda9923e76000930a7ddf4ea7463d84788fe564a6a9c0f0c8082946b67927fdf8

Download Submit
C:\BrowserwinRef\tHfYIcJEPrAe4W4Mb92xXs3G610U6bqi.vbe

Filesize
212B

MD5
8e35d244c726b8fd66aea8ac55b2bf44

SHA1
ec54327244da28bcfe8abfcfe776572f11c04e9b

SHA256
d9e77b54b8d87b50bb47e84b80f6051d5052e89cf89baa597d4c41bea1f5fc8f

SHA512
13d9c89a8dbe030744ce2db17162d1530457c6c947c00aa846fd2424e773bf94058a04d6d88b391830ce1faa50966fec30d6864790e40b25c3d174b2c8b12723

Download Submit
C:\BrowserwinRef\tgoBzi59fjjPhHwozUoC.bat

Filesize
116B

MD5
cd2035abc4ecf6aa875c5ead9c0a4794

SHA1
4d4f282cc7f06413e22d3416c9ef339c68f6200d

SHA256
0b0b8d95494a628fe38d06251b7295330e3962c05e81386057521d21091cf8de

SHA512
6279e14401609b3fb6a277deea15a9bae44a572650fa19aafaae8d01b764a51d1b7287a6d2fc24b4a23357f758b4299630f2b0b376162a203ec66e29ee0d8654

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\HyperComponentbrowserwinRuntime.exe.log

Filesize
1KB

MD5
af6acd95d59de87c04642509c30e81c1

SHA1
f9549ae93fdb0a5861a79a08f60aa81c4b32377b

SHA256
7521ee2d065a78efcab55a194fbd78492f84b70595f139263875f4ea92b194d6

SHA512
93ab99bcf588fde553de3240e0d2b0cbd4e4bc5ef5e99d53f45a267d7ff30103a80b5a7aa1c52d6eff1e070af0ec82d2c0b8aafb7099742aa16810edc1815c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HHO8HQe0Dq.bat

Filesize
180B

MD5
b6851c40948e6584d402942ddc13b2a5

SHA1
296f9e02453e89be7223763da117f1a4b0ed3c8b

SHA256
a86633e31880386fcd95fce0136b7bccb99629fd08013adc3db38ce977d77696

SHA512
cdc4637af4b3023901168e5f460440f22c1d402d4e2b961acbc8106492dd23a54488f0ccf678c9f38ad0a1fdd487671b724f771c0e38fdbf6737f71c13a4a304

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB6AD.tmp

Filesize
1KB

MD5
aed6f96426fecd8b6fda1be764364542

SHA1
8981a289bf8cb41c8ea46e1e078f5a323f333213

SHA256
621331fbdc1aa168e7f12a14a07efd2560516130ab61ded4d8e218246e5f7d8b

SHA512
37cb500f7dc698f14814da41e720200290e1d437c65aaff1295cf66a2823fc286d9a1a7a190890fedc2ed0bbec078b30eaec775bf3f8c682c32d161dc6b4818e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\znuiqiyh\znuiqiyh.0.cs

Filesize
376B

MD5
2ab3db72843623f35dc6efb7faa66861

SHA1
3136f08ac40b3568d9ba60434d945c0240b2a3fe

SHA256
2753fc2e38a8ec91f4766a3a30b9c934901d064ee416fa9c4d92bf1144845292

SHA512
b4e4f20d624ac78ea0fda9fa4d479fdc70e14dcf1d01993d69c3de613c441f1da25c065af0554af813059f720c08838008d69901d2631b95f549394fc4f77c40

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\znuiqiyh\znuiqiyh.cmdline

Filesize
235B

MD5
16b10d147252acf57b0bfbbcf6014647

SHA1
576d22416e14349b827864d19bb3ff53d3e77c5b

SHA256
1f1e6831aaef8ef7819c928539cc36fec4782e884d71e367df551b459cc2232a

SHA512
5f8b1e3791490151100c604e07d34fb6d6d37b63a25aa709e03c8054d8c3a60e935c9726df7f5a84aebc4c0e948fe2f66bbac6dcc657654636fbaa8cd0d0a300

Download Submit
\??\c:\Windows\System32\CSCA69C83CEE1434EF5BC32C069D2DB711.TMP

Filesize
1KB

MD5
aaedb470feff0ca43ba622b01d0e7b4f

SHA1
e88615dbe9a5c74b28a0cb38666ddb91bd014dd4

SHA256
deb4e21657569076441e2f2ed83756a093bb6588a75d8febbabedd64d96d183f

SHA512
cf825cfd11de31c4faa0516b0d3b6bc54290f5c5d1098950a6f82fbdc02b8235c2dcae53df823c00def7d47bdada06970cceee01cb5db183ff83879d98977910

Download Submit
memory/404-13-0x0000000000B30000-0x0000000000D0A000-memory.dmp

Filesize
1.9MB

Download
memory/404-22-0x000000001BA20000-0x000000001BA2C000-memory.dmp

Filesize
48KB

Download
memory/404-20-0x000000001BD80000-0x000000001BD98000-memory.dmp

Filesize
96KB

Download
memory/404-18-0x000000001BDD0000-0x000000001BE20000-memory.dmp

Filesize
320KB

Download
memory/404-17-0x000000001BD60000-0x000000001BD7C000-memory.dmp

Filesize
112KB

Download
memory/404-15-0x000000001BA10000-0x000000001BA1E000-memory.dmp

Filesize
56KB

Download
memory/404-12-0x00007FFE20CC3000-0x00007FFE20CC5000-memory.dmp

Filesize
8KB

Download