816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12

Analysis

max time kernel
142s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/09/2024, 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
Size

1.8MB
MD5

fed6cc4d1fcad58621713311627231fc
SHA1

5b33210525b96300013b2d177fa16a3ed32469fe
SHA256

816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12
SHA512

ca7a30578af83ce46abc47f5bc6062c0835374721d348b1022c2690440d3a7570381c5659495b056f61549aed7d28597b4d80857d51801182ef44732a99c0a67
SSDEEP

49152:oHqx9cIkdQVscUUGXLx4dY7Ft0iD08owxbij98:oHgKHUyLyu7FtxEAO98

Score

10^/10

credential_access persistence spyware stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\""	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Windows\\ShellExperiences\\System.exe\""	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Windows\\ShellExperiences\\System.exe\", \"C:\\Users\\Default\\Videos\\sysmon.exe\""	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Windows\\ShellExperiences\\System.exe\", \"C:\\Users\\Default\\Videos\\sysmon.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Windows\\ShellExperiences\\System.exe\", \"C:\\Users\\Default\\Videos\\sysmon.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Users\\Public\\StartMenuExperienceHost.exe\""	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Windows\\ShellExperiences\\System.exe\", \"C:\\Users\\Default\\Videos\\sysmon.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Users\\Public\\StartMenuExperienceHost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe\""	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	4204	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3228	4204	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3296	4204	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	4204	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	4204	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	4204	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	4204	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3516	4204	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3552	4204	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3356	4204	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	4204	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	4204	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	4204	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	4204	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3160	4204	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	4204	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4324	4204	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3448	4204	schtasks.exe	85

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe

Executes dropped EXE 1 IoCs

pid	Process
1960	RuntimeBroker.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Public\\StartMenuExperienceHost.exe\""	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Public\\StartMenuExperienceHost.exe\""	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\""	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\ShellExperiences\\System.exe\""	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Users\\Default\\Videos\\sysmon.exe\""	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe\""	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe\""	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\""	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\ShellExperiences\\System.exe\""	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Users\\Default\\Videos\\sysmon.exe\""	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCB06A2DBFE8084A0C8E88BB8348A9912.TMP	csc.exe
File created	\??\c:\Windows\System32\h920ln.exe	csc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ShellExperiences\27d1bcfc3c54e0	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
File created	C:\Windows\ShellExperiences\System.exe	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3228	schtasks.exe
444	schtasks.exe
4868	schtasks.exe
4352	schtasks.exe
4728	schtasks.exe
4592	schtasks.exe
4400	schtasks.exe
5056	schtasks.exe
3160	schtasks.exe
3552	schtasks.exe
3356	schtasks.exe
1372	schtasks.exe
4324	schtasks.exe
3296	schtasks.exe
3516	schtasks.exe
4232	schtasks.exe
4696	schtasks.exe
3448	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
1960	RuntimeBroker.exe
1960	RuntimeBroker.exe
1960	RuntimeBroker.exe
1960	RuntimeBroker.exe
1960	RuntimeBroker.exe
1960	RuntimeBroker.exe
1960	RuntimeBroker.exe
1960	RuntimeBroker.exe
1960	RuntimeBroker.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1960	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
Token: SeDebugPrivilege	1960	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 808 wrote to memory of 4948	808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe	89
PID 808 wrote to memory of 4948	808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe	89
PID 4948 wrote to memory of 4988	4948	csc.exe	91
PID 4948 wrote to memory of 4988	4948	csc.exe	91
PID 808 wrote to memory of 3628	808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe	108
PID 808 wrote to memory of 3628	808	816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe	108
PID 3628 wrote to memory of 2460	3628	cmd.exe	110
PID 3628 wrote to memory of 2460	3628	cmd.exe	110
PID 3628 wrote to memory of 4060	3628	cmd.exe	111
PID 3628 wrote to memory of 4060	3628	cmd.exe	111
PID 3628 wrote to memory of 1960	3628	cmd.exe	116
PID 3628 wrote to memory of 1960	3628	cmd.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe
"C:\Users\Admin\AppData\Local\Temp\816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:808
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mm2441hf\mm2441hf.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES72FD.tmp" "c:\Windows\System32\CSCB06A2DBFE8084A0C8E88BB8348A9912.TMP"
    3⤵
    PID:4988
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eRkT6yrmV3.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2460
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4060
- - C:\Recovery\WindowsRE\RuntimeBroker.exe
    "C:\Recovery\WindowsRE\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellExperiences\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\ShellExperiences\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Videos\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\Videos\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Videos\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Users\Public\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Public\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff128" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff128" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\backgroundTaskHost.exe

Filesize
1.8MB

MD5
fed6cc4d1fcad58621713311627231fc

SHA1
5b33210525b96300013b2d177fa16a3ed32469fe

SHA256
816fdd72e167b3583dc4eed77023b72bedaf47f6be9e5d66bb7a19aa64bbff12

SHA512
ca7a30578af83ce46abc47f5bc6062c0835374721d348b1022c2690440d3a7570381c5659495b056f61549aed7d28597b4d80857d51801182ef44732a99c0a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES72FD.tmp

Filesize
1KB

MD5
3e51e01470c1fb74dcd20a9da6f0b195

SHA1
702df34f9c449d577478accc25de5dbb486b3755

SHA256
084d01680532e9d6076561255d9dddcf8c8db9c5e7f19073889f8f015bd6319f

SHA512
879650aef515832700dbbd834ce314de35d0d631765ca6f842baa8ab6f860638d74005b5d199405136c4a3a7dc74109b6a68d82f0ec4f0f6622774e13da87f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\eRkT6yrmV3.bat

Filesize
215B

MD5
ff6a63b78395cde03c45e22a0a66935d

SHA1
57b88a6899ca720c95b7e01b7251d777780a054f

SHA256
b2a4061748addc6304d0f9a0428b911bd0013c19df298837a1008153f5805d89

SHA512
e789e56d38bfdc4ab22839e70ffdcc78268b772306b8fee3d01af80b121c7614039b15566eda3c6982fb5cecc5f74b28b17d991e5eb0a95a7133177211baedf8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mm2441hf\mm2441hf.0.cs

Filesize
376B

MD5
88698eefa10b0526ecf81fa62a9dfb1d

SHA1
204035d1026b6e1cc0f3b839fdb8a97760a242b3

SHA256
a785bfe67040d2458424255bc0e4374789fd37f43b3b137462055f9838c74d12

SHA512
9da5206eb8634700ade932fdacda5b85baeea20c797a601acee49393c303b7a7566ecf6db4fe85cbe74ad99d7268a65116a46d14b127d623804f75e45fd517db

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mm2441hf\mm2441hf.cmdline

Filesize
235B

MD5
e45a238995583f29529386294cd79eaa

SHA1
5f2c92b3c28d0afff902de5d5c247430a7aa2fb8

SHA256
ac65d4b4f2623a815ef873119664bb91a3434f365f5c43c6b77477722316accd

SHA512
146494a542dd40956d97ee3bd42da41521ee14587e2cbf0076e7451b10d1ef3b5c7a0fd562d287749b2a549254fdd6a010f2a0764d26b89f19715cd902fdea1c

Download Submit
\??\c:\Windows\System32\CSCB06A2DBFE8084A0C8E88BB8348A9912.TMP

Filesize
1KB

MD5
acf0a5c902f3dd3bd7790cdb4484d7b3

SHA1
cdebcde6ce451177576b39f24e62b134678daf75

SHA256
30a40cd52450f1fc314048db7431d96464002bfa5a204d1969c6b563c4715622

SHA512
9559b21b7acb3ed32bba7556a7c68b034a2e9f784bd818d5731cff6c54d81f954d5babf71d2264a82fe463f1314e36e0e227a63a63cc68a00c3fe6d3b2a66fe8

Download Submit
memory/808-16-0x0000000002BA0000-0x0000000002BAC000-memory.dmp

Filesize
48KB

Download
memory/808-31-0x00007FFCB1360000-0x00007FFCB1E21000-memory.dmp

Filesize
10.8MB

Download
memory/808-11-0x000000001BAA0000-0x000000001BAF0000-memory.dmp

Filesize
320KB

Download
memory/808-10-0x00007FFCB1360000-0x00007FFCB1E21000-memory.dmp

Filesize
10.8MB

Download
memory/808-14-0x00007FFCB1360000-0x00007FFCB1E21000-memory.dmp

Filesize
10.8MB

Download
memory/808-13-0x0000000002BE0000-0x0000000002BF8000-memory.dmp

Filesize
96KB

Download
memory/808-0-0x00007FFCB1363000-0x00007FFCB1365000-memory.dmp

Filesize
8KB

Download
memory/808-17-0x00007FFCB1360000-0x00007FFCB1E21000-memory.dmp

Filesize
10.8MB

Download
memory/808-21-0x00007FFCB1360000-0x00007FFCB1E21000-memory.dmp

Filesize
10.8MB

Download
memory/808-7-0x00007FFCB1360000-0x00007FFCB1E21000-memory.dmp

Filesize
10.8MB

Download
memory/808-30-0x00007FFCB1360000-0x00007FFCB1E21000-memory.dmp

Filesize
10.8MB

Download
memory/808-9-0x0000000002BC0000-0x0000000002BDC000-memory.dmp

Filesize
112KB

Download
memory/808-32-0x00007FFCB1360000-0x00007FFCB1E21000-memory.dmp

Filesize
10.8MB

Download
memory/808-6-0x0000000002B90000-0x0000000002B9E000-memory.dmp

Filesize
56KB

Download
memory/808-4-0x00007FFCB1360000-0x00007FFCB1E21000-memory.dmp

Filesize
10.8MB

Download
memory/808-3-0x00007FFCB1360000-0x00007FFCB1E21000-memory.dmp

Filesize
10.8MB

Download
memory/808-2-0x00007FFCB1360000-0x00007FFCB1E21000-memory.dmp

Filesize
10.8MB

Download
memory/808-50-0x000000001BBF0000-0x000000001BC99000-memory.dmp

Filesize
676KB

Download
memory/808-51-0x00007FFCB1360000-0x00007FFCB1E21000-memory.dmp

Filesize
10.8MB

Download
memory/808-1-0x00000000008A0000-0x0000000000A7A000-memory.dmp

Filesize
1.9MB

Download
memory/1960-60-0x000000001BF40000-0x000000001BFE9000-memory.dmp

Filesize
676KB

Download