Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
06-10-2024 21:14
General
-
Target
4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe
-
Size
4.9MB
-
MD5
85ab5c50c78b5db54a69d9f85c8d07ff
-
SHA1
112a5c1bf9a479baf32c8196ba4b1bc24b27541e
-
SHA256
4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21
-
SHA512
2978fdea829a99e828bff671748a346e075ed4fb597127dba6f99bd23704d740d8d776afe530bbd544d42bf71dbcf328a66dbcd55f48dd25ee2a9cb46878eaa4
-
SSDEEP
49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Extracted
colibri
1.2.0
Build1
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Signatures
-
Colibri Loader
A loader sold as MaaS first seen in August 2021.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 45 IoCs
-
DCRat payload 1 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 43 IoCs
-
Checks whether UAC is enabled 1 TTPs 30 IoCs
-
Suspicious use of SetThreadContext 12 IoCs
-
Drops file in Program Files directory 8 IoCs
-
Drops file in Windows directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 17 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 15 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 53 IoCs
-
Suspicious use of AdjustPrivilegeToken 26 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 45 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe"C:\Users\Admin\AppData\Local\Temp\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\tmpA646.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpA646.tmp.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmpA646.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpA646.tmp.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O7mxRkV2HO.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Windows\Branding\Basebrd\uk-UA\SppExtComObj.exe"C:\Windows\Branding\Basebrd\uk-UA\SppExtComObj.exe"3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f52bfb3-c517-4a94-a91f-4cb4fa256c56.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Branding\Basebrd\uk-UA\SppExtComObj.exeC:\Windows\Branding\Basebrd\uk-UA\SppExtComObj.exe5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\834abf63-30ca-43bb-9f4a-5973b5c86e9f.vbs"6⤵
-
C:\Windows\Branding\Basebrd\uk-UA\SppExtComObj.exeC:\Windows\Branding\Basebrd\uk-UA\SppExtComObj.exe7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f35a069b-1a1f-4f08-b141-6eb3d7c40d6b.vbs"8⤵
-
C:\Windows\Branding\Basebrd\uk-UA\SppExtComObj.exeC:\Windows\Branding\Basebrd\uk-UA\SppExtComObj.exe9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08c83850-1c5a-4fce-97ba-cf415ecaaffe.vbs"10⤵
-
C:\Windows\Branding\Basebrd\uk-UA\SppExtComObj.exeC:\Windows\Branding\Basebrd\uk-UA\SppExtComObj.exe11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73c0aa28-2c43-42b3-a687-b31f77ce9c23.vbs"12⤵
-
C:\Windows\Branding\Basebrd\uk-UA\SppExtComObj.exeC:\Windows\Branding\Basebrd\uk-UA\SppExtComObj.exe13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4ded5b0-b26b-48d7-81a3-cfcde11b6118.vbs"14⤵
-
C:\Windows\Branding\Basebrd\uk-UA\SppExtComObj.exeC:\Windows\Branding\Basebrd\uk-UA\SppExtComObj.exe15⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ebcfeee-38f4-4362-8e01-86af993014db.vbs"16⤵
-
C:\Windows\Branding\Basebrd\uk-UA\SppExtComObj.exeC:\Windows\Branding\Basebrd\uk-UA\SppExtComObj.exe17⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17be14d6-9712-4950-ab2e-8953eb843964.vbs"18⤵
-
C:\Windows\Branding\Basebrd\uk-UA\SppExtComObj.exeC:\Windows\Branding\Basebrd\uk-UA\SppExtComObj.exe19⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8453c876-d701-44bf-8ed7-8cad02b813c1.vbs"20⤵
-
C:\Windows\Branding\Basebrd\uk-UA\SppExtComObj.exeC:\Windows\Branding\Basebrd\uk-UA\SppExtComObj.exe21⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0f85c6b-374a-458d-aeb5-79bca456e82a.vbs"22⤵
-
C:\Windows\Branding\Basebrd\uk-UA\SppExtComObj.exeC:\Windows\Branding\Basebrd\uk-UA\SppExtComObj.exe23⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85e60b88-537b-462a-9805-4fcc686b8f1a.vbs"24⤵
-
C:\Windows\Branding\Basebrd\uk-UA\SppExtComObj.exeC:\Windows\Branding\Basebrd\uk-UA\SppExtComObj.exe25⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\925921f7-343c-4efd-9188-89f11781a5e2.vbs"26⤵
-
C:\Windows\Branding\Basebrd\uk-UA\SppExtComObj.exeC:\Windows\Branding\Basebrd\uk-UA\SppExtComObj.exe27⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08443954-e787-4ad3-959e-6aa1c00bb8c2.vbs"28⤵
-
C:\Windows\Branding\Basebrd\uk-UA\SppExtComObj.exeC:\Windows\Branding\Basebrd\uk-UA\SppExtComObj.exe29⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84beef0d-1e6d-4415-8c8a-43068ab1eaf5.vbs"30⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4776e49a-4a89-467e-b6a9-c6382e14db5f.vbs"30⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpD2A8.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpD2A8.tmp.exe"30⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpD2A8.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpD2A8.tmp.exe"31⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ef1b5ba-e9da-43eb-a733-bab93e3481bf.vbs"28⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8b5d45d-ef57-4155-bca8-597c2ae59cac.vbs"26⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp860E.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp860E.tmp.exe"26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp860E.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp860E.tmp.exe"27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp860E.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp860E.tmp.exe"28⤵
- Executes dropped EXE
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ac2c68a-e11e-4461-97e3-7dc44ecbbe8b.vbs"24⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp42AC.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp42AC.tmp.exe"24⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp42AC.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp42AC.tmp.exe"25⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7be13510-3544-48a1-a7d5-d645be2d929b.vbs"22⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp1275.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp1275.tmp.exe"22⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp1275.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp1275.tmp.exe"23⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32f3dec8-86b2-4a7b-9c56-824896f145d6.vbs"20⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpF661.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpF661.tmp.exe"20⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpF661.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpF661.tmp.exe"21⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34b247f7-a688-4a05-93fa-882186bf2a6d.vbs"18⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpDA00.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpDA00.tmp.exe"18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpDA00.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpDA00.tmp.exe"19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpDA00.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpDA00.tmp.exe"20⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpDA00.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpDA00.tmp.exe"21⤵
- Executes dropped EXE
-
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c470968-deed-46ce-a0ce-dc8f5b7e0e5d.vbs"16⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af782a4c-4a5f-40b1-904f-b1a84393b568.vbs"14⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e17c683-08eb-4fa5-8a7b-2e105de701b2.vbs"12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp83A2.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp83A2.tmp.exe"12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp83A2.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp83A2.tmp.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp83A2.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp83A2.tmp.exe"14⤵
- Executes dropped EXE
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1582319-53c1-4187-a6bc-5fcda5562b83.vbs"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp6675.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp6675.tmp.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp6675.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp6675.tmp.exe"11⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8552d4f5-6ed6-4034-a420-8af03f7d319d.vbs"8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp36DA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp36DA.tmp.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp36DA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp36DA.tmp.exe"9⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4bfc2b8-f282-46b9-91a7-7ea4a1c271ee.vbs"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp625.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp625.tmp.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp625.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp625.tmp.exe"7⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce58da36-7957-4d94-be11-3fd9a2a6ba0f.vbs"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpD64B.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpD64B.tmp.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmpD64B.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpD64B.tmp.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmpD64B.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpD64B.tmp.exe"6⤵
- Executes dropped EXE
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Windows\Branding\Basebrd\uk-UA\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\uk-UA\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Windows\Branding\Basebrd\uk-UA\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Microsoft.NET\Framework64\1036\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework64\1036\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Microsoft.NET\Framework64\1036\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Start Menu\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Start Menu\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f214" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f214" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\4c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD54a667f150a4d1d02f53a9f24d89d53d1
SHA1306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA5124edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD56d42b6da621e8df5674e26b799c8e2aa
SHA1ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA2565ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA51253faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
Filesize
944B
MD5a8e8360d573a4ff072dcc6f09d992c88
SHA13446774433ceaf0b400073914facab11b98b6807
SHA256bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
SHA5124ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD53a6bad9528f8e23fb5c77fbd81fa28e8
SHA1f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
944B
MD562623d22bd9e037191765d5083ce16a3
SHA14a07da6872672f715a4780513d95ed8ddeefd259
SHA25695d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA5129a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992
-
Filesize
944B
MD5bd5940f08d0be56e65e5f2aaf47c538e
SHA1d7e31b87866e5e383ab5499da64aba50f03e8443
SHA2562d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
-
Filesize
726B
MD560f37e0d07f325499245dab54d8702c8
SHA1c6d4d65d76eb057c800ce0e53e4148b206b62cc6
SHA2562344278ff5d9569d687bce9f8a85daacaecc8da0d0d45d3022b1b0c0cd11fe8c
SHA512cad33e249b7421427102a43131b5c9ceb2cdc146a5e85756525a82c7a63ea553f50e6857c65ca801de7f7beecad93e2a6afb9c52b421cbb17a810543800b2cf6
-
Filesize
726B
MD55913afcc978338a4322cbd2540e8e1cc
SHA1f65adc1e264d790bca7e2b3047db44c28cfb4f7f
SHA256f2736630040262a139ca48c6b17c15cb023b1b20c486ab72b1477e6329afa94d
SHA512df748aaf50ff5c5f50f22f34fec6a4f169b2cae62b9e5a8cebebcfff61e28019269ff155dea6243b832687ffbbc4dbc0261b5210d94a3362e8cbabc5343962a6
-
Filesize
726B
MD5e968bccc6425f9c5cfc63f5352a8d003
SHA13036588d2013f792b421d3e691f807d7a6d0fea8
SHA256df9e7d7fe052aa179abe9be6849bfcad3d02fbfc399471bed5f974c9e8fb2191
SHA512a5696ce12473c98b852b2153783f1f649b75632b7666d1e2935b8f07eb246af085b09094c264efe4e6f0f7d079e2c8af4f63c5897d2feb61db7504ee31c1e4ca
-
Filesize
726B
MD562f23dd31a644628e46335f6d4e47132
SHA12704c5f067bcbc93ac1d1f4fe66bfe00e8ce0165
SHA256efb97d62c9f015834780ad5efa5c9b6c07156be9b3401bddf08a3e294e5dc8da
SHA51293f81636ef5b574a5723530f8069ef838fc3d9fd264fd1d7584c432c83ce6e9b86502a4a8d6a192b1fe245402ba9bebaab62615208e6c96f6f2a0c798192eb53
-
Filesize
726B
MD516548550d504eb842de5496276889d87
SHA1df588fcb8c575c825157ba208868814bd730ceac
SHA256a46f9663c4eb58c5874cd08cc96792906b671f8b508d0f50eca8e2f2d39b185d
SHA5123a662a356a142777212599c2407a2d54b7650527bf09c83d42fd6332e3d2eeda661130d44753e6ebb3c5b6037edd5654908b7b8b069c8696457edae915634e08
-
Filesize
726B
MD510cb9f920227956dc2706817bcd5fa60
SHA110717b22cde0d9a7bacd32f3fb08f9d4e62370ac
SHA256b7891844d72d319076e4080f0226f495ba4f88ac9f022dd035a162d8c52c6f79
SHA5123e6aa3ee04925a363f4c1d263440f7b901e92bc886ce05e7423e0caab061c599c165245dd5b20d4fc4090e66cee4783a85222d08870bf03cd6f04f195d24dec8
-
Filesize
215B
MD5431d829c3ceb218b3c149083ea100418
SHA19158f75f593a11e90101a90a0ffc241c17431ece
SHA256753426f5879b4f780666b2a324f46ace1e66383e6e6b355df2c11f67da3cf71b
SHA51235f4ae3d91c53d66320390da0aefa4d7d159d4e23b14b46d84460adc285366c629683c607a8f24a24c7557d7586dd26768bc9eabdb5e5fc23bf6aa1a6a864af3
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
726B
MD511d3e67dffc6ec17fcd21c132b2bf17a
SHA119ea5708428d5e5b1df93c97c619a581e3fadc08
SHA256042552174cb6f55f244fc2585360c4a56bee943cb8f1eea57e26ff415d41cd56
SHA512b77abcd72c034ae59a903cebdffd9c8030aa3639c09b65f7b9a26783aaf1fe65a9b048f247fd10c3ddd5beaa2aa56f68fde6d11c4778ab182cad8fd3ef15bae9
-
Filesize
502B
MD51f7f90ac30bc4e9b72f21dd338d16a9d
SHA12be54ca988fc63b3f7333cb39a63c2cabf6b3877
SHA256192c43d459525faf1348161f7b567f9ef4986c8bde82972d65fa5e5adf69fe94
SHA512770c6ae25a757532d8d217077769fb663c9a3e0dd4d4590f2cf84771fb0e5ea06c42c6256b1e645d24bd27d628db38cd7b8dbbf0c3f8ebdd2356edceefc89fcb
-
Filesize
726B
MD50475edabf1606259ce87032dafd30f32
SHA12614b8f5170d3b158106255142c3f1f0db81846e
SHA256b57a3c3e50d5e62b92a7566081d3982e45a82ad2329f749407d9df1568ef69d1
SHA5124165cdf11ec96ae420b3e95a1b6d7b8ca0125323b8f10f3dcb9aef7aa31b6c76c29db6eddf8114b0e6b103e018a5ac44c5882f4a016ede078a72de421fb1a3f6
-
Filesize
75KB
MD5e0a68b98992c1699876f818a22b5b907
SHA1d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA2562b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
Filesize
4.9MB
MD585ab5c50c78b5db54a69d9f85c8d07ff
SHA1112a5c1bf9a479baf32c8196ba4b1bc24b27541e
SHA2564c1588420e7a12fe738bc30798c17423931c022447b4a0bdf6f5e706ffaf5f21
SHA5122978fdea829a99e828bff671748a346e075ed4fb597127dba6f99bd23704d740d8d776afe530bbd544d42bf71dbcf328a66dbcd55f48dd25ee2a9cb46878eaa4
-
Filesize
136KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
5.0MB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
5.2MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
1.2MB
-
Filesize
320KB
-
Filesize
10.8MB
-
Filesize
112KB
-
Filesize
28KB
-
Filesize
72KB
-
Filesize
72KB