Analysis
max time kernel: 117s
max time network: 118s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-09-2024 03:06
Static task: static1
Behavioral task: behavioral1
Sample: Trojan.MSIL.Siggen.exe
Resource: win7-20240903-en
General
Target: Trojan.MSIL.Siggen.exe
Size: 4.9MB
MD5: fa6a70b32304b41f2ca98115cae843f0
SHA1: 15e0536c0b4be4fca7ee2a03a7e40a4075a18950
SHA256: f19f7803a88945eb9370a47e0ac9c59a2f25d9a18c2af844298dbdfcc5177ddf
SHA512: 6226c2d25875e7b7fc930094ebfb6cbc67dfd4c52c0c3211adcf3a18c0ca5b9b6d5d68312dc44522fd8b36b777cd2cee0c201c24228e751d1e8e506491839279
SSDEEP: 49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Extracted: colibri 1.2.0 Build1
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Signatures

DcRat 26 IoCs
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description | ioc | pid | Process
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\f3b6ecef712a24 | | Trojan.MSIL.Siggen.exe
| | 216, 4528, 372, 2204, 5104, 396, 4700, 3320, 3388, 3244, 3860, 844, 4028, 4504, 3016, 3724, 3320, 4888, 4496 | schtasks.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | | Trojan.MSIL.Siggen.exe
| | 4976, 1084, 4452, 2772, 3920 | schtasks.exe
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3724, 4528, 372, 3388, 3320, 4496, 3860, 2204, 4452, 4976, 3244, 216, 2772, 5104, 396, 4028, 1084, 4504, 3320, 3920, 3016, 4700, 844, 4888 | 4356 | schtasks.exe | 82
description | ioc | Process (event count)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Trojan.MSIL.Siggen.exe (2), RuntimeBroker.exe (12)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Trojan.MSIL.Siggen.exe (2), RuntimeBroker.exe (12)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Trojan.MSIL.Siggen.exe (2), RuntimeBroker.exe (12)
resource | yara_rule
behavioral2/memory/3028-3-0x000000001BB20000-0x000000001BC4E000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
3444, 3224, 412, 3872, 3448, 956, 3608, 3720, 2848, 3220, 4460, 1552, 3016, 3620, 636, 2364, 2060, 3088, 220, 4168, 2520, 1784 | powershell.exe
Checks computer location settings 2 TTPs 14 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process (event count)
Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | Trojan.MSIL.Siggen.exe (2), RuntimeBroker.exe (12)
Executes dropped EXE 41 IoCs
pid | Process
4404, 3196, 3468 | tmp78BD.tmp.exe
2536 | Trojan.MSIL.Siggen.exe
1076, 4036 | tmp883B.tmp.exe
4692 | RuntimeBroker.exe
4512, 4772 | tmpA047.tmp.exe
2424 | RuntimeBroker.exe
4504, 1664 | tmpBC7A.tmp.exe
4192 | RuntimeBroker.exe
2200, 2592 | tmpED4E.tmp.exe
4988, 1968 | RuntimeBroker.exe
396, 4456 | tmp25E2.tmp.exe
1176 | RuntimeBroker.exe
5068, 1796 | tmp437C.tmp.exe
1612 | RuntimeBroker.exe
320, 5000 | tmp5FAF.tmp.exe
3332 | RuntimeBroker.exe
2016, 3780 | tmp7BA3.tmp.exe
4888 | RuntimeBroker.exe
1980, 408 | tmp96FB.tmp.exe
2036 | RuntimeBroker.exe
560, 1524 | tmpC772.tmp.exe
4308 | RuntimeBroker.exe
4332, 4112, 2400 | tmpF6DE.tmp.exe
3488 | RuntimeBroker.exe
2704, 1796 | tmp2699.tmp.exe
description | ioc | Process (event count)
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Trojan.MSIL.Siggen.exe (2), RuntimeBroker.exe (12)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Trojan.MSIL.Siggen.exe (2), RuntimeBroker.exe (12)
Suspicious use of SetThreadContext 13 IoCs
description | pid | Process | procid_target
PID 3196 set thread context of 3468 | 3196 | tmp78BD.tmp.exe | 114
PID 1076 set thread context of 4036 | 1076 | tmp883B.tmp.exe | 139
PID 4512 set thread context of 4772 | 4512 | tmpA047.tmp.exe | 170
PID 4504 set thread context of 1664 | 4504 | tmpBC7A.tmp.exe | 176
PID 2200 set thread context of 2592 | 2200 | tmpED4E.tmp.exe | 184
PID 396 set thread context of 4456 | 396 | tmp25E2.tmp.exe | 193
PID 5068 set thread context of 1796 | 5068 | tmp437C.tmp.exe | 199
PID 320 set thread context of 5000 | 320 | tmp5FAF.tmp.exe | 205
PID 2016 set thread context of 3780 | 2016 | tmp7BA3.tmp.exe | 211
PID 1980 set thread context of 408 | 1980 | tmp96FB.tmp.exe | 217
PID 560 set thread context of 1524 | 560 | tmpC772.tmp.exe | 223
PID 4112 set thread context of 2400 | 4112 | tmpF6DE.tmp.exe | 230
PID 2704 set thread context of 1796 | 2704 | tmp2699.tmp.exe | 236
Drops file in Program Files directory 10 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\spoolsv.exe | Trojan.MSIL.Siggen.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\f3b6ecef712a24 | Trojan.MSIL.Siggen.exe
File opened for modification | C:\Program Files\Windows Defender\it-IT\SearchApp.exe | Trojan.MSIL.Siggen.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe | Trojan.MSIL.Siggen.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\spoolsv.exe | Trojan.MSIL.Siggen.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\RCX72A1.tmp | Trojan.MSIL.Siggen.exe
File created | C:\Program Files\Windows Defender\it-IT\SearchApp.exe | Trojan.MSIL.Siggen.exe
File created | C:\Program Files\Windows Defender\it-IT\38384e6a620884 | Trojan.MSIL.Siggen.exe
File created | C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe | Trojan.MSIL.Siggen.exe
File created | C:\Program Files (x86)\WindowsPowerShell\9e8d7a4ca61bd9 | Trojan.MSIL.Siggen.exe
Drops file in Windows directory 6 IoCs
description | ioc | Process
File created | C:\Windows\DigitalLocker\en-US\csrss.exe | Trojan.MSIL.Siggen.exe
File created | C:\Windows\DigitalLocker\en-US\886983d96e3d3e | Trojan.MSIL.Siggen.exe
File created | C:\Windows\ja-JP\winlogon.exe | Trojan.MSIL.Siggen.exe
File created | C:\Windows\ja-JP\cc11b995f2a76d | Trojan.MSIL.Siggen.exe
File opened for modification | C:\Windows\DigitalLocker\en-US\csrss.exe | Trojan.MSIL.Siggen.exe
File opened for modification | C:\Windows\ja-JP\winlogon.exe | Trojan.MSIL.Siggen.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpA047.tmp.exe, tmp437C.tmp.exe, tmp96FB.tmp.exe, tmpF6DE.tmp.exe, tmp883B.tmp.exe, tmpC772.tmp.exe, tmp78BD.tmp.exe, tmpED4E.tmp.exe, tmp25E2.tmp.exe, tmp7BA3.tmp.exe, tmp78BD.tmp.exe, tmp5FAF.tmp.exe, tmpF6DE.tmp.exe, tmp2699.tmp.exe, tmpBC7A.tmp.exe
Modifies registry class 14 IoCs
description | ioc | Process (event count)
Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings | RuntimeBroker.exe (12)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Trojan.MSIL.Siggen.exe (2)
Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3320, 4496, 3860, 2772, 396, 4028, 4528, 372, 3320, 3244, 216, 3920, 4700, 3724, 2204, 1084, 3016, 4888, 4452, 4976, 4504, 844, 3388, 5104 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3028, 2536 | Trojan.MSIL.Siggen.exe
956, 956, 4460, 4460, 2520, 2520, 3016, 3016, 4168, 4168, 3608, 3608, 2848, 2848, 2060, 2060, 1552, 1552, 3720, 3720, 956, 2364, 2364, 4168, 3720, 3016, 2060, 2520, 4460, 1552, 3608, 2848, 2364, 3620, 3620, 3872, 3872, 412, 412, 3444, 3444, 3448, 3448, 3088, 3088, 3220, 3220, 636, 636, 3224, 3224, 220, 220, 1784, 1784, 3444, 3220, 3872, 3620, 412, 3224, 636 | powershell.exe
Suspicious use of AdjustPrivilegeToken 36 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3028, 2536 | Trojan.MSIL.Siggen.exe
Token: SeDebugPrivilege | 956, 2520, 4168, 4460, 3016, 3608, 2848, 2060, 1552, 3720, 2364, 3444, 3620, 3872, 412, 3448, 3088, 3220, 636, 3224, 220, 1784 | powershell.exe
Token: SeDebugPrivilege | 4692, 2424, 4192, 4988, 1968, 1176, 1612, 3332, 4888, 2036, 4308, 3488 | RuntimeBroker.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (event count)
PID 3028 wrote to memory of 4460 | 3028 | Trojan.MSIL.Siggen.exe | 89 (2)
PID 3028 wrote to memory of 2848 | 3028 | Trojan.MSIL.Siggen.exe | 90 (2)
PID 3028 wrote to memory of 3016 | 3028 | Trojan.MSIL.Siggen.exe | 91 (2)
PID 3028 wrote to memory of 2520 | 3028 | Trojan.MSIL.Siggen.exe | 92 (2)
PID 3028 wrote to memory of 2060 | 3028 | Trojan.MSIL.Siggen.exe | 93 (2)
PID 3028 wrote to memory of 4168 | 3028 | Trojan.MSIL.Siggen.exe | 94 (2)
PID 3028 wrote to memory of 1552 | 3028 | Trojan.MSIL.Siggen.exe | 95 (2)
PID 3028 wrote to memory of 956 | 3028 | Trojan.MSIL.Siggen.exe | 96 (2)
PID 3028 wrote to memory of 3720 | 3028 | Trojan.MSIL.Siggen.exe | 97 (2)
PID 3028 wrote to memory of 3608 | 3028 | Trojan.MSIL.Siggen.exe | 98 (2)
PID 3028 wrote to memory of 2364 | 3028 | Trojan.MSIL.Siggen.exe | 99 (2)
PID 3028 wrote to memory of 4404 | 3028 | Trojan.MSIL.Siggen.exe | 111 (3)
PID 4404 wrote to memory of 3196 | 4404 | tmp78BD.tmp.exe | 113 (3)
PID 3196 wrote to memory of 3468 | 3196 | tmp78BD.tmp.exe | 114 (7)
PID 3028 wrote to memory of 2536 | 3028 | Trojan.MSIL.Siggen.exe | 115 (2)
PID 2536 wrote to memory of 1076 | 2536 | Trojan.MSIL.Siggen.exe | 137 (3)
PID 1076 wrote to memory of 4036 | 1076 | tmp883B.tmp.exe | 139 (7)
PID 2536 wrote to memory of 3444 | 2536 | Trojan.MSIL.Siggen.exe | 140 (2)
PID 2536 wrote to memory of 3220 | 2536 | Trojan.MSIL.Siggen.exe | 141 (2)
PID 2536 wrote to memory of 3224 | 2536 | Trojan.MSIL.Siggen.exe | 142 (2)
PID 2536 wrote to memory of 412 | 2536 | Trojan.MSIL.Siggen.exe | 143 (2)
PID 2536 wrote to memory of 3088 | 2536 | Trojan.MSIL.Siggen.exe | 144 (2)
PID 2536 wrote to memory of 3872 | 2536 | Trojan.MSIL.Siggen.exe | 145 (2)
PID 2536 wrote to memory of 3620 | 2536 | Trojan.MSIL.Siggen.exe | 146 (2)
PID 2536 wrote to memory of 636 | 2536 | Trojan.MSIL.Siggen.exe | 147 (2)
PID 2536 wrote to memory of 1784 | 2536 | Trojan.MSIL.Siggen.exe | 148 (1)
System policy modification 1 TTPs 42 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Trojan.MSIL.Siggen.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Trojan.MSIL.Siggen.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Trojan.MSIL.Siggen.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Trojan.MSIL.Siggen.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Trojan.MSIL.Siggen.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Trojan.MSIL.Siggen.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" RuntimeBroker.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Trojan.MSIL.Siggen.exe"C:\Users\Admin\AppData\Local\Temp\Trojan.MSIL.Siggen.exe"1⤵
- DcRat
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3028 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4460
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2848
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3016
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2520
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2060
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4168
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1552
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:956
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3720
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3608
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2364
-
-
C:\Users\Admin\AppData\Local\Temp\tmp78BD.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp78BD.tmp.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Users\Admin\AppData\Local\Temp\tmp78BD.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp78BD.tmp.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3196 -
C:\Users\Admin\AppData\Local\Temp\tmp78BD.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp78BD.tmp.exe"4⤵
- Executes dropped EXE
PID:3468
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Trojan.MSIL.Siggen.exe"C:\Users\Admin\AppData\Local\Temp\Trojan.MSIL.Siggen.exe"2⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2536 -
C:\Users\Admin\AppData\Local\Temp\tmp883B.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp883B.tmp.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Users\Admin\AppData\Local\Temp\tmp883B.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp883B.tmp.exe"4⤵
- Executes dropped EXE
PID:4036
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3444
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3220
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3224
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:412
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3088
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3872
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3620
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:636
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1784
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:220
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3448
-
-
C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe"C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe"3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4692 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\173c1c3b-2631-46e6-9e42-de042372903c.vbs"4⤵PID:2244
-
C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe"C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe"5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2424 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2911c6c2-375a-4fed-8273-5d2f05516fcb.vbs"6⤵PID:3064
-
C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe"C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe"7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4192 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a89e2bc3-99a2-4258-9710-7fe62132cbcf.vbs"8⤵PID:3788
-
C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe"C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe"9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4988 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c20cce9-f306-433e-83aa-4be918a500f0.vbs"10⤵PID:4500
-
C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe"C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe"11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1968 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aadcba7c-8866-4abb-9a15-564eef8ef611.vbs"12⤵PID:3832
-
C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe"C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe"13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1176 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d70b9c4-bf03-430a-aa88-176416a9b498.vbs"14⤵PID:2772
-
C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe"C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe"15⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1612 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aea096a2-daa9-481c-918c-f01d67888ff3.vbs"16⤵PID:3108
-
C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe"C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe"17⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3332 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5aad210a-38a7-4bd9-a18f-f608d8f81de1.vbs"18⤵PID:2212
-
C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe"C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe"19⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4888 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfda80c0-ded1-4b0f-a226-4ab45198ee0d.vbs"20⤵PID:3204
-
C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe"C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe"21⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2036 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\047dade4-d7b4-4d2f-ab14-250f3b7633b6.vbs"22⤵PID:4716
-
C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe"C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe"23⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4308 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\556052bb-a66a-463b-9b39-1dd61f14cf22.vbs"24⤵PID:2976
-
C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe"C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe"25⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3488 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d0bb786-7bba-4cb3-beae-ebdccc7a7540.vbs"26⤵PID:4800
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af3d2551-e57a-4d8b-bcc9-8e81039296b6.vbs"26⤵PID:32
-
-
C:\Users\Admin\AppData\Local\Temp\tmp2699.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp2699.tmp.exe"26⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2704 -
C:\Users\Admin\AppData\Local\Temp\tmp2699.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp2699.tmp.exe"27⤵
- Executes dropped EXE
PID:1796
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4325113-f4c9-4347-8989-7a1c37836089.vbs"24⤵PID:2376
-
-
C:\Users\Admin\AppData\Local\Temp\tmpF6DE.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpF6DE.tmp.exe"24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4332 -
C:\Users\Admin\AppData\Local\Temp\tmpF6DE.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpF6DE.tmp.exe"25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4112 -
C:\Users\Admin\AppData\Local\Temp\tmpF6DE.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpF6DE.tmp.exe"26⤵
- Executes dropped EXE
PID:2400
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26a3d4d1-a21b-43e2-a343-7e2efecc932d.vbs"22⤵PID:4436
-
-
C:\Users\Admin\AppData\Local\Temp\tmpC772.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC772.tmp.exe"22⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:560 -
C:\Users\Admin\AppData\Local\Temp\tmpC772.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC772.tmp.exe"23⤵
- Executes dropped EXE
PID:1524
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c68da2e-f170-456b-b53f-da009297dd8c.vbs"20⤵PID:1988
-
-
C:\Users\Admin\AppData\Local\Temp\tmp96FB.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp96FB.tmp.exe"20⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1980 -
C:\Users\Admin\AppData\Local\Temp\tmp96FB.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp96FB.tmp.exe"21⤵
- Executes dropped EXE
PID:408
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6a5f20d-fdbd-43b9-b106-bf38e5a53782.vbs"18⤵PID:1368
-
-
C:\Users\Admin\AppData\Local\Temp\tmp7BA3.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp7BA3.tmp.exe"18⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2016 -
C:\Users\Admin\AppData\Local\Temp\tmp7BA3.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp7BA3.tmp.exe"19⤵
- Executes dropped EXE
PID:3780
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f581f524-9991-48e7-99a9-901b62c4c865.vbs"16⤵PID:732
-
-
C:\Users\Admin\AppData\Local\Temp\tmp5FAF.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp5FAF.tmp.exe"16⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:320 -
C:\Users\Admin\AppData\Local\Temp\tmp5FAF.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp5FAF.tmp.exe"17⤵
- Executes dropped EXE
PID:5000
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd0a339a-c446-48c5-8ab7-7de7ca21c170.vbs"14⤵PID:3160
-
-
C:\Users\Admin\AppData\Local\Temp\tmp437C.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp437C.tmp.exe"14⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5068 -
C:\Users\Admin\AppData\Local\Temp\tmp437C.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp437C.tmp.exe"15⤵
- Executes dropped EXE
PID:1796
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eee9eeb6-cd54-4201-b4cb-b0d37d0c7c53.vbs"12⤵PID:4276
-
-
C:\Users\Admin\AppData\Local\Temp\tmp25E2.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp25E2.tmp.exe"12⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:396 -
C:\Users\Admin\AppData\Local\Temp\tmp25E2.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp25E2.tmp.exe"13⤵
- Executes dropped EXE
PID:4456
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9520a5cc-2653-45d7-881a-aa5f05ae5b9f.vbs"10⤵PID:2476
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc03dcad-d853-4809-8132-eb36c4be3b46.vbs"8⤵PID:1536
-
-
C:\Users\Admin\AppData\Local\Temp\tmpED4E.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpED4E.tmp.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2200 -
C:\Users\Admin\AppData\Local\Temp\tmpED4E.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpED4E.tmp.exe"9⤵
- Executes dropped EXE
PID:2592
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\564aac4c-08c7-4853-9777-a711e65db2ce.vbs"6⤵PID:3396
-
-
C:\Users\Admin\AppData\Local\Temp\tmpBC7A.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpBC7A.tmp.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4504 -
C:\Users\Admin\AppData\Local\Temp\tmpBC7A.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpBC7A.tmp.exe"7⤵
- Executes dropped EXE
PID:1664
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c75cfda-a536-411d-8bbb-ee40b3d90a19.vbs"4⤵PID:844
-
-
C:\Users\Admin\AppData\Local\Temp\tmpA047.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpA047.tmp.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4512 -
C:\Users\Admin\AppData\Local\Temp\tmpA047.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpA047.tmp.exe"5⤵
- Executes dropped EXE
PID:4772
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\spoolsv.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\it-IT\SearchApp.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3244
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\it-IT\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5104
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\DigitalLocker\en-US\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\en-US\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\ja-JP\winlogon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\ja-JP\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\ja-JP\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4888
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter 1
PowerShell 1
Scheduled Task/Job 1
Scheduled Task 1
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Scheduled Task/Job 1
Scheduled Task 1
Defense Evasion
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Impair Defenses 1
Disable or Modify Tools 1
Modify Registry 2
Downloads
-
Filesize 4.9MB
MD5 fa6a70b32304b41f2ca98115cae843f0
SHA1 15e0536c0b4be4fca7ee2a03a7e40a4075a18950
SHA256 f19f7803a88945eb9370a47e0ac9c59a2f25d9a18c2af844298dbdfcc5177ddf
SHA512 6226c2d25875e7b7fc930094ebfb6cbc67dfd4c52c0c3211adcf3a18c0ca5b9b6d5d68312dc44522fd8b36b777cd2cee0c201c24228e751d1e8e506491839279
-
Filesize 1KB
MD5 4a667f150a4d1d02f53a9f24d89d53d1
SHA1 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA512 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8
-
Filesize 1KB
MD5 bbb951a34b516b66451218a3ec3b0ae1
SHA1 7393835a2476ae655916e0a9687eeaba3ee876e9
SHA256 eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a
SHA512 63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f
-
Filesize 2KB
MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize 944B
MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD52e907f77659a6601fcc408274894da2e
SHA19f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA51234fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
Filesize
944B
MD562623d22bd9e037191765d5083ce16a3
SHA14a07da6872672f715a4780513d95ed8ddeefd259
SHA25695d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA5129a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992
-
Filesize
944B
MD53a6bad9528f8e23fb5c77fbd81fa28e8
SHA1f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
944B
MD5bd5940f08d0be56e65e5f2aaf47c538e
SHA1d7e31b87866e5e383ab5499da64aba50f03e8443
SHA2562d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize
944B
MD559d97011e091004eaffb9816aa0b9abd
SHA11602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA25618f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
Filesize
944B
MD565a68df1062af34622552c4f644a5708
SHA16f6ecf7b4b635abb0b132d95dac2759dc14b50af
SHA256718dc2f5f4a6dbb7fab7f3db05bd7f602fb16526caae7084ab46c3ab4e7bad35
SHA5124e460eb566032942547b58411222dd26ae300a95f83cf5ae6df58ebd28594341123611b348bd4031a33bc7f38307d5cb8fb677bba8c896919e3eee677a104d4d
-
Filesize
944B
MD5ef72c47dbfaae0b9b0d09f22ad4afe20
SHA15357f66ba69b89440b99d4273b74221670129338
SHA256692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f
SHA5127514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4
-
Filesize
944B
MD53bdf0f0bc4de32a6f32ecb8a32ba5df1
SHA1900c6a905984e5e16f3efe01ce2b2cc725fc64f1
SHA256c893092af552e973c44e0596d1509605a393896a0c1eae64f11456dc956ba40e
SHA512680d8f42fd4cb1fffa52e1f7cc483e8afc79c8f3e25ebfe5324c7c277d88499cc58324313599e307e47ba3ee4004de7554192203413cb061a29170cd9bc889c3
-
Filesize
944B
MD5150616521d490e160cd33b97d678d206
SHA171594f5b97a4a61fe5f120eb10bcd6b73d7e6e78
SHA25694595c05912cbb8380f7ed34499eb01fb91707a1ed1c02c02002a4361e889827
SHA5127043dc4b336b1688205fbe762e731478ecaa0036c9f5e0434c79b8a6f8fa58b0705c8674fd6a047e6009edc52c37ce4e2ce81694e13b79a3e8183a32307f3815
-
Filesize
944B
MD5816d03b14553d8d2cd19771bf135873f
SHA13efdd566ca724299705e7c30d4cbb84349b7a1ae
SHA25670d3acdba0037de3d175aca44a86daf8392b2350f6f8b026b7accb02f95a9304
SHA512365ac792e05619e5ef42b40f1e4dd5d1ebb18a5a409be9c5428e52be7896f4b18eef2a93a4e0f5e1930996bf70798fe45fc5b6d829687d975191015944dbbdbd
-
Filesize
944B
MD54f473e15a0686d0c819ad40b5f232368
SHA1a769892ae2e8203e7d4a992a317189b56723da33
SHA25653d6c0d9a801d45fefdcec9b3ecf217fef683efc4e40ba9c72f0116ee4d20237
SHA512d9b43132432078d5496688717253e58e7caab0dcbd20fc41fa8a718d11d699e93ee198f18be4243ed34bcf8912e1377888fe72ae5b26d920e765ab523f0bdf55
-
Filesize
734B
MD53fa6713a9c6d3d2c3e38b6ae94c4bdad
SHA1b18742ed066af109a211893566f6afc5a714feb1
SHA2569b1e34d327ca58c00dc97e1a52f331433d2f5b582e46714353be425953022206
SHA512199dd82fc855de08b3330c9df487d4d0778a8fc7aeb668b0209710ff43c2edda6a0bfed567e6f1745568725489d6d7ed0e6b6c8b665681648ac7dd19d5d95226
-
Filesize
734B
MD515768c254b50b549121e7932c396496d
SHA162cb202fb60541ff0d8db3df633ceab961e386a5
SHA25637d5767ba1061a4a8833d625cd3c2861f725869cac029a6328849d060b4e76ce
SHA51235367f83877b863bdb047754b029aa9e4db3a78321e263138a196697017a23e826e65aedbd9624ac871f5f06679c4be3fc8b22fa22238a1dc1bab168c5ca5a24
-
Filesize
510B
MD571dfe43992965fd378d44a1189217a7b
SHA1b30b429e3dd475d38129f5835c4130c4f3c09b48
SHA2569737fa9f397bb8447b4d0c4c244a2c3e97b4a5ff9865778cd7053540f7fbd65c
SHA51291de1eab5b45d969b394c374928c4879d22232e332e00042876157255f9262b56911adfe17296b60bb9239edbd07945d33f80bce041fe5a447e346fd4e49efaf
-
Filesize
734B
MD564a114d46ebae0aedbf8077a83cc4f6b
SHA19fa38cfb9116f319a4ae34b401c602a104d3d9cc
SHA256b012bc296f054c6d0d0fd4a895ad98679d50a9568e3e977651cc0aeb1131d5aa
SHA5129cfc42d979e32fea8b29a7ee265ed230f934d4c04803c69f5c769662cb58826470ede18bb4ced5761752c0b51af9feb587a2839c122631968671d8907ef5682a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
734B
MD5a1e7bc3d60f2c350aab48aeb2d33d23d
SHA11c9c1235722edf6406087e5be3aaf7b33c079799
SHA2563d9affa2ab084f3cebbeae2c4e565073db7784a0f77e2c4ceb46eb76d49b9ffe
SHA5126fbf376cd6b65e34e9ed4ea3b6511c007d36b8936cd6fde7c297825c367e0b371c13c86982bf82a497d3507e9a994fd9bef155204753b0e6fd356ae9cbc56838
-
Filesize
734B
MD5bb9e0d56771f864237c346bce09d4d93
SHA193edfd0360b223418ccd8b16df83d330052af119
SHA256803980a1ca4420818fb2f38cd63c67345bbcc2a25618664a9c9eef353cf5a8b9
SHA512ae0ffec776a260657f3a7d2648698815de68b2771317e7af310dd730bd9513c22874646284e514c3a932b3ee1b2119b802d76caca3097bf7027347ce0504339f
-
Filesize
75KB
MD5e0a68b98992c1699876f818a22b5b907
SHA1d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA2562b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2