Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
27-10-2024 10:12
General
-
Target
76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe
-
Size
4.9MB
-
MD5
0f75edb514278b6e45793f61c9a91a50
-
SHA1
e767580f580339a4b7091fc105ffebfbb7d00f03
-
SHA256
76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3c
-
SHA512
940e37f693ea83fcf991acdf85ffc3bb50b880c8f9ffe3cb4d7420651b9973f1bfd9d16d36e0ee0eaa08ad0d1f0b6da75e56e856e55a6ce6aeff4915c291f0ed
-
SSDEEP
49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Extracted
colibri
1.2.0
Build1
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Signatures
-
Colibri Loader
A loader sold as MaaS first seen in August 2021.
-
Colibri family
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 9 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 45 IoCs
-
DCRat payload 1 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 50 IoCs
-
Checks whether UAC is enabled 1 TTPs 30 IoCs
-
Suspicious use of SetThreadContext 15 IoCs
-
Drops file in Program Files directory 12 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 15 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 61 IoCs
-
Suspicious use of AdjustPrivilegeToken 27 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 45 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe"C:\Users\Admin\AppData\Local\Temp\76788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3cN.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\tmpAAEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpAAEA.tmp.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmpAAEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpAAEA.tmp.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmpAAEA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpAAEA.tmp.exe"4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xi7FenmHsd.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Program Files\Google\Chrome\Application\explorer.exe"C:\Program Files\Google\Chrome\Application\explorer.exe"3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e91bb5f-e328-4384-903e-7e6bf8361b67.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\explorer.exe"C:\Program Files\Google\Chrome\Application\explorer.exe"5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2c3a375-ca87-4599-a1a8-41089fd534ec.vbs"6⤵
-
C:\Program Files\Google\Chrome\Application\explorer.exe"C:\Program Files\Google\Chrome\Application\explorer.exe"7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5427b14e-896f-4d28-8bca-a5a4bd3c11b8.vbs"8⤵
-
C:\Program Files\Google\Chrome\Application\explorer.exe"C:\Program Files\Google\Chrome\Application\explorer.exe"9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1e0b14e-735c-4c2a-86c2-887058af74cd.vbs"10⤵
-
C:\Program Files\Google\Chrome\Application\explorer.exe"C:\Program Files\Google\Chrome\Application\explorer.exe"11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9491b077-0523-497e-b330-298a446e57f6.vbs"12⤵
-
C:\Program Files\Google\Chrome\Application\explorer.exe"C:\Program Files\Google\Chrome\Application\explorer.exe"13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83119fff-861e-4724-9a45-2f4184c003bb.vbs"14⤵
-
C:\Program Files\Google\Chrome\Application\explorer.exe"C:\Program Files\Google\Chrome\Application\explorer.exe"15⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2037fa93-8e4f-48de-a294-3ed81bc3e9cc.vbs"16⤵
-
C:\Program Files\Google\Chrome\Application\explorer.exe"C:\Program Files\Google\Chrome\Application\explorer.exe"17⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06dfbdec-0f9b-463f-94d0-16a526ddd7dc.vbs"18⤵
-
C:\Program Files\Google\Chrome\Application\explorer.exe"C:\Program Files\Google\Chrome\Application\explorer.exe"19⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\102146ad-83b7-47cc-90b0-331e6ad2ae9e.vbs"20⤵
-
C:\Program Files\Google\Chrome\Application\explorer.exe"C:\Program Files\Google\Chrome\Application\explorer.exe"21⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4082c60-fde2-40e2-a3d3-225028507538.vbs"22⤵
-
C:\Program Files\Google\Chrome\Application\explorer.exe"C:\Program Files\Google\Chrome\Application\explorer.exe"23⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3719f978-3d46-4c3f-b52c-3d1a05a82229.vbs"24⤵
-
C:\Program Files\Google\Chrome\Application\explorer.exe"C:\Program Files\Google\Chrome\Application\explorer.exe"25⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8854e62-b9a2-4dfa-810a-2a618e969717.vbs"26⤵
-
C:\Program Files\Google\Chrome\Application\explorer.exe"C:\Program Files\Google\Chrome\Application\explorer.exe"27⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fec57453-2232-4ef9-b2b8-2541824b544f.vbs"28⤵
-
C:\Program Files\Google\Chrome\Application\explorer.exe"C:\Program Files\Google\Chrome\Application\explorer.exe"29⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3774793-1d2d-486f-beda-1f05f7bf3f1a.vbs"30⤵
-
C:\Program Files\Google\Chrome\Application\explorer.exe"C:\Program Files\Google\Chrome\Application\explorer.exe"31⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cda4976c-801d-4777-9934-920850a24af8.vbs"30⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpC181.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC181.tmp.exe"30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpC181.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC181.tmp.exe"31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpC181.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC181.tmp.exe"32⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpC181.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC181.tmp.exe"33⤵
- Executes dropped EXE
-
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d18ee60-71a1-4b92-b499-bdfd256fb580.vbs"28⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpA464.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpA464.tmp.exe"28⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpA464.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpA464.tmp.exe"29⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd7b9689-b61a-418b-b461-286d8a3ea0fc.vbs"26⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp87D4.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp87D4.tmp.exe"26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp87D4.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp87D4.tmp.exe"27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp87D4.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp87D4.tmp.exe"28⤵
- Executes dropped EXE
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df95298f-b7e4-4aac-be4b-4109b32eaec9.vbs"24⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp5828.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp5828.tmp.exe"24⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp5828.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp5828.tmp.exe"25⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07c015ea-206c-471d-9432-523512c2df93.vbs"22⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp282F.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp282F.tmp.exe"22⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp282F.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp282F.tmp.exe"23⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\916bab3d-5b86-44de-aabb-169d05574e5c.vbs"20⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpAE3.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpAE3.tmp.exe"20⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpAE3.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpAE3.tmp.exe"21⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5a86ce4-6ca9-4cc8-9a76-a0c963a88d94.vbs"18⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpDB77.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpDB77.tmp.exe"18⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpDB77.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpDB77.tmp.exe"19⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09e062d9-0bf0-4a39-be42-41c534385743.vbs"16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpAA06.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpAA06.tmp.exe"16⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpAA06.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpAA06.tmp.exe"17⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd4c0bed-4aba-4233-ac2f-6aeb9377e5cc.vbs"14⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp8D18.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8D18.tmp.exe"14⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp8D18.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8D18.tmp.exe"15⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4948718-e310-4c8a-bb3d-ac20b2facb1e.vbs"12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp5B1B.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp5B1B.tmp.exe"12⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp5B1B.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp5B1B.tmp.exe"13⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\082fe04a-a0ce-4016-8523-70dc7ac3484f.vbs"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp3CC6.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp3CC6.tmp.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp3CC6.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp3CC6.tmp.exe"11⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c01f973-bcb1-4fae-b73b-fa80950a63e8.vbs"8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpAE8.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpAE8.tmp.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpAE8.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpAE8.tmp.exe"9⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f3717a6-9e30-4213-b12e-5ad881720207.vbs"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpEE57.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpEE57.tmp.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpEE57.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpEE57.tmp.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpEE57.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpEE57.tmp.exe"8⤵
- Executes dropped EXE
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1ae418c-db24-429f-9ba6-3b0673adce6d.vbs"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpD13A.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpD13A.tmp.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmpD13A.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpD13A.tmp.exe"5⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.9MB
MD50f75edb514278b6e45793f61c9a91a50
SHA1e767580f580339a4b7091fc105ffebfbb7d00f03
SHA25676788ceb22709fa8af5c54f6b64e192d758c11d19944709eac2ce6e05295fc3c
SHA512940e37f693ea83fcf991acdf85ffc3bb50b880c8f9ffe3cb4d7420651b9973f1bfd9d16d36e0ee0eaa08ad0d1f0b6da75e56e856e55a6ce6aeff4915c291f0ed
-
Filesize
1KB
MD54a667f150a4d1d02f53a9f24d89d53d1
SHA1306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA5124edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD52e907f77659a6601fcc408274894da2e
SHA19f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA51234fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
Filesize
944B
MD53a6bad9528f8e23fb5c77fbd81fa28e8
SHA1f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
944B
MD55f0ddc7f3691c81ee14d17b419ba220d
SHA1f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA5122ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3
-
Filesize
944B
MD5e448fe0d240184c6597a31d3be2ced58
SHA1372b8d8c19246d3e38cd3ba123cc0f56070f03cd
SHA256c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391
SHA5120b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4
-
Filesize
731B
MD55a7c0aa3dd88cb6544324a04980e0106
SHA146d909bff36894df3e34ab959b5816e1d971e6a2
SHA256050bf8358cc2a5668c17f2bf206693304710b642ff0ed376e4396f1cceab966a
SHA5129743c07c1bf5bb6922a218ee7103673eb84c7251684963f0183539f4ffa8d25986292d081b202532b43ec725dee871f7a5f768cc3052611cf964cf16f25d62ef
-
Filesize
731B
MD5a44c48a954271a3963c913cda5607c28
SHA1e7642bf080d329d356d54241ee1076ebeaeb7739
SHA2563d923bfba01883b2d5663f3476e215ec6b875acdbacf6e2b7bdb30f28f18f6b1
SHA5121a23df2447610281665ae68261e21e98b65a73cd57b9792ac31f07c8eec325defce22b14006b5107b983a3c85833c9f9821b8bfd38cf1c69ee081e155549a7f5
-
Filesize
731B
MD57c34519ead67637d2619da35adbf98d0
SHA138915fc14ff672564be67f6c748c644c0b23fe0a
SHA256f9190a22b2f0ee6efc13214ff3a6a849ead4c4dfbfb20ffc3e52c8e7ed6df9bf
SHA5128365f55fb3a3eb7fdac0adf02490fae14ce51293c326a4fc275740d554f294691e65f32ac682e21cfcdc954ab6237bd5bae50023715d3d1878413221630c8f6e
-
Filesize
731B
MD5449ef36c755438fc246f0e22049d01bb
SHA182a008ef8848c0bc21f6436c01dcfb57951f1aec
SHA2563b31acc7882ad7f1fd740f0c198eaefa0f817443e833443a688f6e7322cb296a
SHA5121c292977d80c8c3fbb6874812c05031acd0cf4e3e1879fa8c9ada910f7b2b1a7054d39c6ce2e3da70fb46d686a63d357ab371ae923a4ca69465cde5f92f049bd
-
Filesize
731B
MD55471433057771fc3f37bd07ce633c2f6
SHA14a322959ea6554f58840fcd09987185149fe295f
SHA2563ae5acc67d0044663ef58b9875f672ffab8938e9f3817556b8eccf45c438de5f
SHA512db08676259ff465c5e2051bab4bb4af1dd76ca336945d1ac4daf2d123e655e0c3f3dfa4ba428185f30f3e9aa310a4a3bb0abaaa623944f10d738bc2e5e0241b5
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
731B
MD5ed12cbd899eab85b51d7508870172b0f
SHA1cc62833ea34b03f243d4e4ddb1a78589ac5b261e
SHA256d8a4770d7f226b8e4da664b0d0a5c70494b0f7abfaaed899ad777f9860976352
SHA512b130eaed5d6008920b76bda6ab88c1f3775ab43337fe0ab4577ae87637a11f150ef590a63825866b5f40e341689ad48a993033fbdfb2bf06c6e03fe68345ed28
-
Filesize
507B
MD5133800af645f19ed37ad882ce2df38a1
SHA15f4f67e5e8dcf20aee0c83d603a59b04e762cf16
SHA2563a514de7addf3c6a97d9c05f31c9cf52ee7e2a64c3b13d79dc61893756d5d6ea
SHA512fcf06ebe7853d7408e1cb368cb848630a4b67223209e0f1651a942e59e9e022970401671eee167128a33ecb98c9b976259dbf8b6223bc551cbb36a74dc416eb3
-
Filesize
731B
MD595497f5a95dcab972aaf7721859ec545
SHA11642e7ba702f4243ead7a5179d2c21ecc48bbb56
SHA256c07aa18eaf06e0a09b5cd68fbdd5655e001d6175210e807f49647bc751a307cc
SHA512c5acb5e485cdc9034d2f5cdc0966190c41a905317c358108bc82fbfc8283a01754e23648e1802bac4ed3a187639cd1059b3656b0af4f200fa3f32a4bcd1f011a
-
Filesize
75KB
MD5e0a68b98992c1699876f818a22b5b907
SHA1d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA2562b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
Filesize
220B
MD5154ca8b69c99a4c558915332de2e4de9
SHA13b59234d142c98081efea898c6c26ec7a5d54f0d
SHA256d0176d000d6e5122cb5d6ab1f5e70de5c5807501e40e395eec05d9c9938a3676
SHA5128ba0e6b6ad107ddfa60faac50eaccf04a370d0b6a9675999dcabf78262a9786410faa6514ca082321dd70ca280b5dc969fab9674792177b6e08466d010ddbdcc
-
Filesize
28KB
-
Filesize
72KB
-
Filesize
136KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
5.2MB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
320KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
5.0MB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
112KB
-
Filesize
10.8MB
-
Filesize
1.2MB
-
Filesize
72KB
-
Filesize
72KB