Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
25-09-2024 22:01
General
-
Target
5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe
-
Size
4.9MB
-
MD5
e5419ae77552fe04bb2ec920efdb2552
-
SHA1
1d374f0185758eedc26360c4bf3b13b97c4534e2
-
SHA256
5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac
-
SHA512
8479cf2f4949dd52080a4d4ad364a6f904c3ecc9675b0f2f313075e3a5ab7088fa2cde86568ea21422eccf5475f767229d054c7944a45ed6cf0619a943f6d49e
-
SSDEEP
49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Extracted
colibri
1.2.0
Build1
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Signatures
-
Colibri Loader
A loader sold as MaaS first seen in August 2021.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 33 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 42 IoCs
-
DCRat payload 1 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 14 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 42 IoCs
-
Checks whether UAC is enabled 1 TTPs 28 IoCs
-
Suspicious use of SetThreadContext 13 IoCs
-
Drops file in Program Files directory 20 IoCs
-
Drops file in Windows directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 14 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 51 IoCs
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 42 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe"C:\Users\Admin\AppData\Local\Temp\5ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\tmp7BEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp7BEA.tmp.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmp7BEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp7BEA.tmp.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nRPMT4XzSL.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\TextInputHost.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\TextInputHost.exe"3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\313cebdf-7bb2-4aa0-8631-524ef5401d8a.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\TextInputHost.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\TextInputHost.exe"5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b314c2cf-eda3-417c-836f-e34db4390f83.vbs"6⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\TextInputHost.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\TextInputHost.exe"7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7114a680-d725-487a-bec6-f57a700c1927.vbs"8⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\TextInputHost.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\TextInputHost.exe"9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef93a926-daff-4281-bdb0-64bd5950f2c6.vbs"10⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\TextInputHost.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\TextInputHost.exe"11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce667a26-028d-499a-a0e6-c6a020327878.vbs"12⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\TextInputHost.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\TextInputHost.exe"13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e565be71-f0c1-4346-a32e-fcfcea18b8cf.vbs"14⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\TextInputHost.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\TextInputHost.exe"15⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a050b697-2f5f-41f6-a568-57b6310408c2.vbs"16⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\TextInputHost.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\TextInputHost.exe"17⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1527a728-479c-4b67-83d2-b4570259fcd3.vbs"18⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\TextInputHost.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\TextInputHost.exe"19⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0569ed4a-3fea-4fc8-9e38-6260d3a92354.vbs"20⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\TextInputHost.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\TextInputHost.exe"21⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f03fdf1-a097-44c5-9d44-d85a009bc0c6.vbs"22⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\TextInputHost.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\TextInputHost.exe"23⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49455a9f-fde2-4720-8f05-4637c213bd80.vbs"24⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\TextInputHost.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\TextInputHost.exe"25⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71b03a67-9385-4b7a-b450-6b52f4b57e05.vbs"26⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\TextInputHost.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\TextInputHost.exe"27⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\272e1e4a-9e59-4ffe-bf15-1559a21c91d9.vbs"28⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3cc0fd74-327d-466c-bb51-dca06d095d6e.vbs"28⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpA629.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpA629.tmp.exe"28⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpA629.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpA629.tmp.exe"29⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76b7f8e1-beab-4977-8439-654b070f078d.vbs"26⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp76CC.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp76CC.tmp.exe"26⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp76CC.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp76CC.tmp.exe"27⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db2d68a7-d06a-41ff-a1ec-6aa833c2d5fc.vbs"24⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp5AF7.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp5AF7.tmp.exe"24⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp5AF7.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp5AF7.tmp.exe"25⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd5421f5-75c5-4a02-82ce-03a8d0743a7b.vbs"22⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp3F61.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp3F61.tmp.exe"22⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp3F61.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp3F61.tmp.exe"23⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9c00f5c-d12d-4ba0-9477-aff982de6269.vbs"20⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpF19.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpF19.tmp.exe"20⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpF19.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpF19.tmp.exe"21⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\206c51c0-673a-4f17-b918-85838858278e.vbs"18⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpDF01.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpDF01.tmp.exe"18⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpDF01.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpDF01.tmp.exe"19⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bda104e1-709c-4e8f-904f-4bebe3b91ec4.vbs"16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpC261.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC261.tmp.exe"16⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpC261.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC261.tmp.exe"17⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f554ee24-13b7-4cc2-ace5-6f133e207b1b.vbs"14⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp91BC.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp91BC.tmp.exe"14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp91BC.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp91BC.tmp.exe"15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp91BC.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp91BC.tmp.exe"16⤵
- Executes dropped EXE
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70de64c9-6503-4f74-b0cf-56ff71d1f986.vbs"12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp6184.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp6184.tmp.exe"12⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp6184.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp6184.tmp.exe"13⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03bc9c43-e057-4865-8874-8eedc8b8f765.vbs"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp3062.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp3062.tmp.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp3062.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp3062.tmp.exe"11⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c55accb7-299e-46a7-bf70-c701cb0f236c.vbs"8⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0aa7deb-3a85-46b3-bf6d-bd99de2f3c10.vbs"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpE32C.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpE32C.tmp.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpE32C.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpE32C.tmp.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpE32C.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpE32C.tmp.exe"8⤵
- Executes dropped EXE
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2d72a82-3da8-4965-98af-661d8369a728.vbs"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpB3CF.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpB3CF.tmp.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmpB3CF.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpB3CF.tmp.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmpB3CF.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpB3CF.tmp.exe"6⤵
- Executes dropped EXE
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Cityscape\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Media\Cityscape\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\Media\Cityscape\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Contacts\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Contacts\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\uk-UA\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\uk-UA\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\uk-UA\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Windows\Prefetch\ReadyBoot\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\ReadyBoot\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.9MB
MD5e5419ae77552fe04bb2ec920efdb2552
SHA11d374f0185758eedc26360c4bf3b13b97c4534e2
SHA2565ed1035148cde18f9671db0f7fcb1ee3d1f1900ebe2ee50dae380c34037b57ac
SHA5128479cf2f4949dd52080a4d4ad364a6f904c3ecc9675b0f2f313075e3a5ab7088fa2cde86568ea21422eccf5475f767229d054c7944a45ed6cf0619a943f6d49e
-
Filesize
1KB
MD54a667f150a4d1d02f53a9f24d89d53d1
SHA1306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA5124edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8
-
Filesize
2KB
MD59c172d22fbbdafe12dfc5c909edea107
SHA19961cfc5a51f1d375186fc64bf98214bdc0cf2df
SHA256315439a1131019ecb316a0344395624965a961baff563be19221620e6e3dc18d
SHA512d459ca5a3abd05b5bff39056065e786eec0260cb83b03c774ab0b98f07dfc8ef7dd5db5f37c569ac0d531ebd640c6dc0aaefc407d357280e07b011e982b91e2d
-
Filesize
944B
MD505626d543357a7b9aab66738323d7ac6
SHA18a0366530637b0f977af59dde44fae4df8906f0f
SHA256352265151df8fcc298bbbde14c4ddff51683a9a43416ce1987511ee7a27fa433
SHA51211222b457bce9d25eca8b7f4768c5706ad117960d122bf049f94158725187fbaea86f38b3910402043f5a565dcc5faca535366880c0bd92f58a799931a32401d
-
Filesize
944B
MD5bd5940f08d0be56e65e5f2aaf47c538e
SHA1d7e31b87866e5e383ab5499da64aba50f03e8443
SHA2562d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize
944B
MD53a6bad9528f8e23fb5c77fbd81fa28e8
SHA1f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
944B
MD52e907f77659a6601fcc408274894da2e
SHA19f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA51234fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD5e243a38635ff9a06c87c2a61a2200656
SHA1ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA5124418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4
-
Filesize
758B
MD53c90983172605856fa5c7ec5d199e6ba
SHA11a5f36107412ca1aaf0f6af6b41c300941e01df5
SHA256c289becaecc99cd3d4e4af85f648757b0a52916bc7f293ef484e688ec905c74d
SHA5120364ceb18b85e2e516381458a5c50f0e372c39215c6d66a2eb042b1103ab9d338d84a53648332ce0abfc1ef6b224a479f7d7d67466d2449c368ba6fb19d4f912
-
Filesize
758B
MD5903ee489dbff8360f33bda881369ff61
SHA1298a211b9e43b738a562c1975093d3c52235b94c
SHA256e23506659d3cf31416b7f1ec0a250e84f56252873d4aed70405cb5b8b79eed8b
SHA512d9aa41cf8dca82b57f3be7d6effab476dc1a2d9e84aa2d9d152c85c67883550227fbfbc17a2957ea0467e28e61d4c8973e6dfe4e8ac462c717800e61921d371a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
758B
MD520c7d9e873101acdcaac647232658f1f
SHA173ed1183c85d6a2d9a9b656a24ed9671c5e95fb9
SHA256a0507299cd6d7bb54aa7c55e5f11af78c431d41fc56b8c2f14241d50f492c3a1
SHA5123e15198a7517728feaeec20046b7493ddce3208791b231bd9097b66bb44ec47795b0a9d287089edf823a912e6819f6b2fd74795ce34fd77271b5207844da9b8f
-
Filesize
758B
MD5f7353771eff500c45ba61b77ab36be52
SHA17fa3388b68729fa5ad16a1f307a46b0f27f228b1
SHA2562bf2d23473a1035b06392b1cf942b20d8afd7d7606aea2f477603bad109bd08d
SHA51209a47b7ea19e657b36d9dac744a8b922a01680c02d71f452eb8754ba4f3b1d7ae0d3b78b254ef20977e701a31979e6d05e7dc4d970731909a9080cc704e6204a
-
Filesize
758B
MD52a7d6d0b736898a1415d2d181d7307f7
SHA1a79c5ce15cb4eeb55c9dcce79c731a2f55f832bd
SHA256b83f55a4871c29dc8ba4f680bcd3f33d50340a690b5bdc8a125003136c4ea2f6
SHA51230549fc661bfcbee875a20f241da0442981adac0bad75eafebdb5ed50c83a332df566c8017c3e26a76525f2ca7cb7e7d07ba77aad0a452b0dc6cf6d89ecf2871
-
Filesize
758B
MD5f3a510cc538f9a3f92e72f0207e0926a
SHA11f762ad1a036a3867560191e010a22b40a936ef6
SHA2569d0638652aea9ac6c8733bea435deeed2231ceffe6b4123ff83d9387fab8e596
SHA512c5dd292146fa79d8e629b19a1bc5cdbbbeeb854259a61ff23086b6e7ec8a755f51c29d68a3661cc9add3b7147c8a815c3d9a7c7ce047a7f7db867ed9f7225912
-
Filesize
758B
MD55f89eb74b2df67c538105c6c648c7da2
SHA1857125f2b7e425e14bff350ae1a23c495d7442a9
SHA2566b771413c5d6b215efcca0a0b4892ce8f2075afce3b21b9e0b6e4a2f15054518
SHA512f675b06080abeff6ce951927055f1362b095fc9e07714c864fecf865346fd9b96bb4bc2b9a386ecc8cae1af25366423791653e9b13e68f1c8e444ff8eb23cc03
-
Filesize
534B
MD58221f879ddc68a64c310e4cea06bffea
SHA107499466c7dfdae4ab28f89e6124a7786e223e81
SHA25633835c084a17409e39b341bfae666bcc446bb4fa373e37638cb77b9c391baded
SHA5129793802c437f5cae939fdcd4a5d37c453cf47450a0f62a1d75663049b2edec240736c82f117038d0815d4c0450ad7d538ffc44f0daddb4a3904948482101010e
-
Filesize
247B
MD519f1a333d9908fad7a9e80f66a8614fa
SHA1ec9d14d9dde4e385c742a65a7c318487abbce4e2
SHA256cdc78b6b1ea9b1e6ac5675c68083d1593426e3e6be4427772ac81d95e7ee02db
SHA51203957a2413afc8ac8fcef22cff205ea6d25c89c8ca22f79774b231cecc3d9db3ea416e5ea094e4c26021373fce37b79fe530e6086fa5e42e7e005ca7a6f776f7
-
Filesize
75KB
MD5e0a68b98992c1699876f818a22b5b907
SHA1d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA2562b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
5.0MB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
5.2MB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
32KB
-
Filesize
1.2MB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
112KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
136KB
-
Filesize
28KB