16a0bd2dadf13568bd4c8a25f6061ca2237833a7ccbafddecbc68ac739665100

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WebDriverDll.exe
Size

5.6MB
MD5

4a389c958e4a3e41c5d5540568503ee2
SHA1

a9df8b991266cc4eccd71b90f53403ac17b26eab
SHA256

16a0bd2dadf13568bd4c8a25f6061ca2237833a7ccbafddecbc68ac739665100
SHA512

beb91dbdef0cecb5c9d69c13c2a352ef853e250a0952df0804441ea37c4249bb77cdc537b1990fea4b3c279e60ca2894a26956a67539689ba0717aaddd803b3e
SSDEEP

98304:BJwAsH3Dsg8Ui7to9/gbzMO+KYfQM9N+T5vLD:BJwAszVUI/2zMO+8MGlLD

Score

10^/10

credential_access discovery execution persistence spyware stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\WebDriverDll.exe\""	WebDriverDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\WebDriverDll.exe\", \"C:\\Users\\Default\\Application Data\\unsecapp.exe\""	WebDriverDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\WebDriverDll.exe\", \"C:\\Users\\Default\\Application Data\\unsecapp.exe\", \"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\backgroundTaskHost.exe\""	WebDriverDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\WebDriverDll.exe\", \"C:\\Users\\Default\\Application Data\\unsecapp.exe\", \"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\""	WebDriverDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\WebDriverDll.exe\", \"C:\\Users\\Default\\Application Data\\unsecapp.exe\", \"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Program Files\\Windows Mail\\lsass.exe\""	WebDriverDll.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	1780	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	1780	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	1780	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	412	1780	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	1780	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	440	1780	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	1780	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	1780	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	1780	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	1780	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3468	1780	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	1780	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	1780	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	1780	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	1780	schtasks.exe	87

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3656	powershell.exe
4532	powershell.exe
3752	powershell.exe
3792	powershell.exe
4388	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WebDriverDll.exe

Executes dropped EXE 1 IoCs

pid	Process
2148	backgroundTaskHost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WebDriverDll = "\"C:\\Recovery\\WindowsRE\\WebDriverDll.exe\""	WebDriverDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\WindowsRE\\lsass.exe\""	WebDriverDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Windows Mail\\lsass.exe\""	WebDriverDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Windows Mail\\lsass.exe\""	WebDriverDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WebDriverDll = "\"C:\\Recovery\\WindowsRE\\WebDriverDll.exe\""	WebDriverDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Default\\Application Data\\unsecapp.exe\""	WebDriverDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Default\\Application Data\\unsecapp.exe\""	WebDriverDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\backgroundTaskHost.exe\""	WebDriverDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\backgroundTaskHost.exe\""	WebDriverDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\WindowsRE\\lsass.exe\""	WebDriverDll.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCF508D8ED17244289B7DC3F6CEE1AB47.TMP	csc.exe
File created	\??\c:\Windows\System32\y5ppvo.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\backgroundTaskHost.exe	WebDriverDll.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\eddb19405b7ce1	WebDriverDll.exe
File created	C:\Program Files\Windows Mail\lsass.exe	WebDriverDll.exe
File created	C:\Program Files\Windows Mail\6203df4a6bafc7	WebDriverDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4024	PING.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	WebDriverDll.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4024	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5052	schtasks.exe
1232	schtasks.exe
4900	schtasks.exe
4616	schtasks.exe
440	schtasks.exe
316	schtasks.exe
3468	schtasks.exe
3508	schtasks.exe
412	schtasks.exe
1720	schtasks.exe
4400	schtasks.exe
1156	schtasks.exe
4972	schtasks.exe
4312	schtasks.exe
3660	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe
1368	WebDriverDll.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1368	WebDriverDll.exe
Token: SeDebugPrivilege	3656	powershell.exe
Token: SeDebugPrivilege	4388	powershell.exe
Token: SeDebugPrivilege	3752	powershell.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeDebugPrivilege	3792	powershell.exe
Token: SeDebugPrivilege	2148	backgroundTaskHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2148	backgroundTaskHost.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 4668	1368	WebDriverDll.exe	91
PID 1368 wrote to memory of 4668	1368	WebDriverDll.exe	91
PID 4668 wrote to memory of 928	4668	csc.exe	93
PID 4668 wrote to memory of 928	4668	csc.exe	93
PID 1368 wrote to memory of 3792	1368	WebDriverDll.exe	106
PID 1368 wrote to memory of 3792	1368	WebDriverDll.exe	106
PID 1368 wrote to memory of 3752	1368	WebDriverDll.exe	107
PID 1368 wrote to memory of 3752	1368	WebDriverDll.exe	107
PID 1368 wrote to memory of 4532	1368	WebDriverDll.exe	108
PID 1368 wrote to memory of 4532	1368	WebDriverDll.exe	108
PID 1368 wrote to memory of 3656	1368	WebDriverDll.exe	109
PID 1368 wrote to memory of 3656	1368	WebDriverDll.exe	109
PID 1368 wrote to memory of 4388	1368	WebDriverDll.exe	110
PID 1368 wrote to memory of 4388	1368	WebDriverDll.exe	110
PID 1368 wrote to memory of 1384	1368	WebDriverDll.exe	116
PID 1368 wrote to memory of 1384	1368	WebDriverDll.exe	116
PID 1384 wrote to memory of 1152	1384	cmd.exe	118
PID 1384 wrote to memory of 1152	1384	cmd.exe	118
PID 1384 wrote to memory of 4024	1384	cmd.exe	119
PID 1384 wrote to memory of 4024	1384	cmd.exe	119
PID 1384 wrote to memory of 2148	1384	cmd.exe	124
PID 1384 wrote to memory of 2148	1384	cmd.exe	124

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\WebDriverDll.exe
"C:\Users\Admin\AppData\Local\Temp\WebDriverDll.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zotzcvup\zotzcvup.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES98F4.tmp" "c:\Windows\System32\CSCF508D8ED17244289B7DC3F6CEE1AB47.TMP"
    3⤵
    PID:928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\WebDriverDll.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Microsoft Shared\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4388
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YX7jbKe3gA.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1152
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4024
- - C:\Program Files (x86)\Common Files\Microsoft Shared\backgroundTaskHost.exe
    "C:\Program Files (x86)\Common Files\Microsoft Shared\backgroundTaskHost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WebDriverDllW" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\WebDriverDll.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WebDriverDll" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WebDriverDll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WebDriverDllW" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\WebDriverDll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Application Data\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default\Application Data\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Application Data\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Mail\lsass.exe

Filesize
5.6MB

MD5
4a389c958e4a3e41c5d5540568503ee2

SHA1
a9df8b991266cc4eccd71b90f53403ac17b26eab

SHA256
16a0bd2dadf13568bd4c8a25f6061ca2237833a7ccbafddecbc68ac739665100

SHA512
beb91dbdef0cecb5c9d69c13c2a352ef853e250a0952df0804441ea37c4249bb77cdc537b1990fea4b3c279e60ca2894a26956a67539689ba0717aaddd803b3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES98F4.tmp

Filesize
1KB

MD5
da5f07c9a0c8ae1bc21f0c8b919b7543

SHA1
066324493a68bba5cdbd949622e164a7f3de38fd

SHA256
51f646e04a12bd8953bbcf27f6d82932b3a6fc3238bee5a1b0659beed9aff779

SHA512
7531f98ac60ae7dfa29d70467ad03026f70d553c33cb30f49b772e86e25672b57ffa309f01c48fa321d802f2070881910ed60540f698c2cd4c15334808310bcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\YX7jbKe3gA.bat

Filesize
203B

MD5
8534eb5c8e56f028b2837bf6c6afb901

SHA1
bbe086bc8e9aa622febd3db4bfda3ed8077ee8a1

SHA256
e0f3b7b26a11817b653523e6f5abd8cde45e58b6c4217a4aca8f461d851cca1f

SHA512
f76b993d31f55242d79a6640837539d754e8e9c754ab09c7ab57cb8e334f0b52a604301fc27719a8f58a11aacca29f1eca6273ea91db13ad55e89ca64fbadef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rog5z3nw.xjz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zotzcvup\zotzcvup.0.cs

Filesize
370B

MD5
b3185bf8ed41e7e0ebd17782ded32a8c

SHA1
a2526ca1d1529b64f5623968d1e476b4db108c48

SHA256
e3f86368e52ec1aa0db62f524411c53bdfa4b646a5a7d14ce89df64c2508756f

SHA512
c3c1d1e63346eeae3690fc2c2013d65e68f4b93464a2449a673ab37e7e167e7d7783cf14fa0288a4ebad2d1537c22be0d928edb78ffa114776fcc485e495c01b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zotzcvup\zotzcvup.cmdline

Filesize
235B

MD5
0207497b03be7b57c55d9bd8f5f99599

SHA1
cd90f35c6d8e59a713fed759b5fd9ef2808193f7

SHA256
a24af1cae316f4f1f881ada5c4ef4131643292b55b8fdca2c41cfe6c36e99876

SHA512
81c881a6137c0b01a37b3bb8b61bec68ef30b0b197c3a9454df918efaa9830fcdd2ba8773a15f18cceeb0350e776af1ccc94e7d7e600cb89c14168a3f5aa1010

Download Submit
\??\c:\Windows\System32\CSCF508D8ED17244289B7DC3F6CEE1AB47.TMP

Filesize
1KB

MD5
2b360caedb5df1cdd9486a9823fc8d8e

SHA1
7eba99dc43b6bf09bd46af2e3bf2a25df1ef228c

SHA256
5b1baff46985559aeec3471a3cd544195c5505833a2c22164e80e3c3175f5320

SHA512
750895cce657d334133aec24b8743eec83c261e004844fe8f4d90c7348406663f834c987cf116d5ea839025114ca16eb68d4adf0410d54e6b6bdd5efac573147

Download Submit
memory/1368-35-0x0000000002F30000-0x0000000002F3C000-memory.dmp

Filesize
48KB

Download
memory/1368-32-0x000000001B980000-0x000000001B992000-memory.dmp

Filesize
72KB

Download
memory/1368-8-0x00007FFAA3C60000-0x00007FFAA4721000-memory.dmp

Filesize
10.8MB

Download
memory/1368-10-0x0000000002E00000-0x0000000002E0E000-memory.dmp

Filesize
56KB

Download
memory/1368-11-0x00007FFAA3C60000-0x00007FFAA4721000-memory.dmp

Filesize
10.8MB

Download
memory/1368-13-0x0000000002EB0000-0x0000000002ECC000-memory.dmp

Filesize
112KB

Download
memory/1368-14-0x000000001B930000-0x000000001B980000-memory.dmp

Filesize
320KB

Download
memory/1368-16-0x0000000002E10000-0x0000000002E20000-memory.dmp

Filesize
64KB

Download
memory/1368-18-0x0000000002EE0000-0x0000000002EF8000-memory.dmp

Filesize
96KB

Download
memory/1368-19-0x00007FFAA3C60000-0x00007FFAA4721000-memory.dmp

Filesize
10.8MB

Download
memory/1368-21-0x0000000002E90000-0x0000000002EA0000-memory.dmp

Filesize
64KB

Download
memory/1368-23-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

Filesize
64KB

Download
memory/1368-24-0x00007FFAA3C60000-0x00007FFAA4721000-memory.dmp

Filesize
10.8MB

Download
memory/1368-26-0x0000000002F00000-0x0000000002F0E000-memory.dmp

Filesize
56KB

Download
memory/1368-28-0x0000000002F10000-0x0000000002F1E000-memory.dmp

Filesize
56KB

Download
memory/1368-30-0x0000000002F20000-0x0000000002F2C000-memory.dmp

Filesize
48KB

Download
memory/1368-6-0x0000000002E60000-0x0000000002E86000-memory.dmp

Filesize
152KB

Download
memory/1368-33-0x00007FFAA3C60000-0x00007FFAA4721000-memory.dmp

Filesize
10.8MB

Download
memory/1368-38-0x00007FFAA3C60000-0x00007FFAA4721000-memory.dmp

Filesize
10.8MB

Download
memory/1368-40-0x000000001B9C0000-0x000000001B9D6000-memory.dmp

Filesize
88KB

Download
memory/1368-37-0x0000000002F40000-0x0000000002F50000-memory.dmp

Filesize
64KB

Download
memory/1368-7-0x00007FFAA3C60000-0x00007FFAA4721000-memory.dmp

Filesize
10.8MB

Download
memory/1368-41-0x00007FFAA3C60000-0x00007FFAA4721000-memory.dmp

Filesize
10.8MB

Download
memory/1368-43-0x000000001CDB0000-0x000000001CDC2000-memory.dmp

Filesize
72KB

Download
memory/1368-44-0x00007FFAA3C60000-0x00007FFAA4721000-memory.dmp

Filesize
10.8MB

Download
memory/1368-47-0x000000001B9A0000-0x000000001B9AE000-memory.dmp

Filesize
56KB

Download
memory/1368-45-0x000000001D300000-0x000000001D828000-memory.dmp

Filesize
5.2MB

Download
memory/1368-50-0x000000001B9B0000-0x000000001B9C0000-memory.dmp

Filesize
64KB

Download
memory/1368-48-0x00007FFAA3C60000-0x00007FFAA4721000-memory.dmp

Filesize
10.8MB

Download
memory/1368-54-0x000000001CE30000-0x000000001CE8A000-memory.dmp

Filesize
360KB

Download
memory/1368-52-0x000000001B9E0000-0x000000001B9F0000-memory.dmp

Filesize
64KB

Download
memory/1368-56-0x000000001CDD0000-0x000000001CDDE000-memory.dmp

Filesize
56KB

Download
memory/1368-58-0x000000001CDE0000-0x000000001CDF0000-memory.dmp

Filesize
64KB

Download
memory/1368-60-0x000000001CDF0000-0x000000001CDFE000-memory.dmp

Filesize
56KB

Download
memory/1368-62-0x000000001D090000-0x000000001D0A8000-memory.dmp

Filesize
96KB

Download
memory/1368-64-0x000000001CE00000-0x000000001CE0C000-memory.dmp

Filesize
48KB

Download
memory/1368-66-0x000000001D100000-0x000000001D14E000-memory.dmp

Filesize
312KB

Download
memory/1368-1-0x0000000000990000-0x0000000000D3C000-memory.dmp

Filesize
3.7MB

Download
memory/1368-4-0x00007FFAA3C60000-0x00007FFAA4721000-memory.dmp

Filesize
10.8MB

Download
memory/1368-140-0x00007FFAA3C60000-0x00007FFAA4721000-memory.dmp

Filesize
10.8MB

Download
memory/1368-3-0x00007FFAA3C60000-0x00007FFAA4721000-memory.dmp

Filesize
10.8MB

Download
memory/1368-2-0x00007FFAA3C60000-0x00007FFAA4721000-memory.dmp

Filesize
10.8MB

Download
memory/1368-0-0x00007FFAA3C63000-0x00007FFAA3C65000-memory.dmp

Filesize
8KB

Download
memory/3656-98-0x00000272503D0000-0x00000272503F2000-memory.dmp

Filesize
136KB

Download