Analysis
- max time kernel: 137s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 11-11-2024 23:41
Static task: static1
Behavioral task: behavioral1
- Sample: B379F4AC167609D8A3EF26444098B61D.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: B379F4AC167609D8A3EF26444098B61D.exe
- Resource: win10v2004-20241007-en
General
- Target: B379F4AC167609D8A3EF26444098B61D.exe
- Size: 1.9MB
- MD5: b379f4ac167609d8a3ef26444098b61d
- SHA1: 85fe0bbbe666d72a955ee98444415194e00739eb
- SHA256: 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80
- SHA512: 0028141132f1437ff556a00e7cd32298bf561690fd809f361fcfaf9b8837e5a173f4acb192b25668550e2ec526ea4a518ea46e3fd7c2e1b8fad1a49d8d6ed0fe
- SSDEEP: 24576:qhNLIZG9ZdCvfOqBlRF7kVkHreh1kEGD/5MTgsxjY9gIBiatkZ2hIHirkUP7oM8j:qGfj7rk+CLN9EIshijMX6i5w
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\lsass.exe\", \"C:\\Program Files\\DVD Maker\\es-ES\\lsm.exe\", \"C:\\Users\\Public\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\audiodg.exe\"" | B379F4AC167609D8A3EF26444098B61D.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\lsass.exe\", \"C:\\Program Files\\DVD Maker\\es-ES\\lsm.exe\", \"C:\\Users\\Public\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\explorer.exe\"" | B379F4AC167609D8A3EF26444098B61D.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\lsass.exe\", \"C:\\Program Files\\DVD Maker\\es-ES\\lsm.exe\", \"C:\\Users\\Public\\lsm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\B379F4AC167609D8A3EF26444098B61D.exe\"" | B379F4AC167609D8A3EF26444098B61D.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\lsass.exe\"" | B379F4AC167609D8A3EF26444098B61D.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\lsass.exe\", \"C:\\Program Files\\DVD Maker\\es-ES\\lsm.exe\"" | B379F4AC167609D8A3EF26444098B61D.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\lsass.exe\", \"C:\\Program Files\\DVD Maker\\es-ES\\lsm.exe\", \"C:\\Users\\Public\\lsm.exe\"" | B379F4AC167609D8A3EF26444098B61D.exe |
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
| description | pid | pid_target | Process | procid_target |
| --- | --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3048 | 2648 | schtasks.exe | 30 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2544 | 2648 | schtasks.exe | 30 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1896 | 2648 | schtasks.exe | 30 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1236 | 2648 | schtasks.exe | 30 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2180 | 2648 | schtasks.exe | 30 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1704 | 2648 | schtasks.exe | 30 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2420 | 2648 | schtasks.exe | 30 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1836 | 2648 | schtasks.exe | 30 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1564 | 2648 | schtasks.exe | 30 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1104 | 2648 | schtasks.exe | 30 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1872 | 2648 | schtasks.exe | 30 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2032 | 2648 | schtasks.exe | 30 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2728 | 2648 | schtasks.exe | 30 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 620 | 2648 | schtasks.exe | 30 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2428 | 2648 | schtasks.exe | 30 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1908 | 2648 | schtasks.exe | 30 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2928 | 2648 | schtasks.exe | 30 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2408 | 2648 | schtasks.exe | 30 |
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

| pid | Process |
| --- | --- |
| 2224 | powershell.exe |
| 2924 | powershell.exe |
| 2164 | powershell.exe |
| 1360 | powershell.exe |
| 2156 | powershell.exe |
| 2064 | powershell.exe |
Executes dropped EXE 1 IoCs
| pid | Process |
| --- | --- |
| 2196 | lsm.exe |
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 12 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\explorer.exe\"" | B379F4AC167609D8A3EF26444098B61D.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\B379F4AC167609D8A3EF26444098B61D = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\B379F4AC167609D8A3EF26444098B61D.exe\"" | B379F4AC167609D8A3EF26444098B61D.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Default User\\lsass.exe\"" | B379F4AC167609D8A3EF26444098B61D.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Default User\\lsass.exe\"" | B379F4AC167609D8A3EF26444098B61D.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\DVD Maker\\es-ES\\lsm.exe\"" | B379F4AC167609D8A3EF26444098B61D.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Public\\lsm.exe\"" | B379F4AC167609D8A3EF26444098B61D.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\audiodg.exe\"" | B379F4AC167609D8A3EF26444098B61D.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\DVD Maker\\es-ES\\lsm.exe\"" | B379F4AC167609D8A3EF26444098B61D.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Public\\lsm.exe\"" | B379F4AC167609D8A3EF26444098B61D.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\audiodg.exe\"" | B379F4AC167609D8A3EF26444098B61D.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\explorer.exe\"" | B379F4AC167609D8A3EF26444098B61D.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\B379F4AC167609D8A3EF26444098B61D = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\B379F4AC167609D8A3EF26444098B61D.exe\"" | B379F4AC167609D8A3EF26444098B61D.exe |
Drops file in System32 directory 2 IoCs
| description | ioc | Process |
| --- | --- | --- |
| File created | \??\c:\Windows\System32\CSC8B632B8D858A474CB5D57D1F2D80B3.TMP | csc.exe |
| File created | \??\c:\Windows\System32\dzuhbf.exe | csc.exe |
Drops file in Program Files directory 2 IoCs
| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Program Files\DVD Maker\es-ES\lsm.exe | B379F4AC167609D8A3EF26444098B61D.exe |
| File created | C:\Program Files\DVD Maker\es-ES\101b941d020240 | B379F4AC167609D8A3EF26444098B61D.exe |
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
| pid | Process |
| --- | --- |
| 2328 | PING.EXE |
Runs ping.exe 1 TTPs 1 IoCs
| pid | Process |
| --- | --- |
| 2328 | PING.EXE |
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
| pid | Process |
| --- | --- |
| 3048 | schtasks.exe |
| 2544 | schtasks.exe |
| 2428 | schtasks.exe |
| 1908 | schtasks.exe |
| 1896 | schtasks.exe |
| 1872 | schtasks.exe |
| 2032 | schtasks.exe |
| 1236 | schtasks.exe |
| 620 | schtasks.exe |
| 1564 | schtasks.exe |
| 1104 | schtasks.exe |
| 2728 | schtasks.exe |
| 2928 | schtasks.exe |
| 2180 | schtasks.exe |
| 1704 | schtasks.exe |
| 2420 | schtasks.exe |
| 1836 | schtasks.exe |
| 2408 | schtasks.exe |
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
| pid | Process |
| --- | --- |
| 2196 | lsm.exe |
Suspicious use of AdjustPrivilegeToken 8 IoCs
| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 2820 | B379F4AC167609D8A3EF26444098B61D.exe |
| Token: SeDebugPrivilege | 2164 | powershell.exe |
| Token: SeDebugPrivilege | 2156 | powershell.exe |
| Token: SeDebugPrivilege | 2224 | powershell.exe |
| Token: SeDebugPrivilege | 1360 | powershell.exe |
| Token: SeDebugPrivilege | 2924 | powershell.exe |
| Token: SeDebugPrivilege | 2064 | powershell.exe |
| Token: SeDebugPrivilege | 2196 | lsm.exe |
Suspicious use of WriteProcessMemory 36 IoCs
| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2820 wrote to memory of 1416 | 2820 | B379F4AC167609D8A3EF26444098B61D.exe | 34 |
| PID 2820 wrote to memory of 1416 | 2820 | B379F4AC167609D8A3EF26444098B61D.exe | 34 |
| PID 2820 wrote to memory of 1416 | 2820 | B379F4AC167609D8A3EF26444098B61D.exe | 34 |
| PID 1416 wrote to memory of 2864 | 1416 | csc.exe | 36 |
| PID 1416 wrote to memory of 2864 | 1416 | csc.exe | 36 |
| PID 1416 wrote to memory of 2864 | 1416 | csc.exe | 36 |
| PID 2820 wrote to memory of 2924 | 2820 | B379F4AC167609D8A3EF26444098B61D.exe | 52 |
| PID 2820 wrote to memory of 2924 | 2820 | B379F4AC167609D8A3EF26444098B61D.exe | 52 |
| PID 2820 wrote to memory of 2924 | 2820 | B379F4AC167609D8A3EF26444098B61D.exe | 52 |
| PID 2820 wrote to memory of 2164 | 2820 | B379F4AC167609D8A3EF26444098B61D.exe | 53 |
| PID 2820 wrote to memory of 2164 | 2820 | B379F4AC167609D8A3EF26444098B61D.exe | 53 |
| PID 2820 wrote to memory of 2164 | 2820 | B379F4AC167609D8A3EF26444098B61D.exe | 53 |
| PID 2820 wrote to memory of 1360 | 2820 | B379F4AC167609D8A3EF26444098B61D.exe | 54 |
| PID 2820 wrote to memory of 1360 | 2820 | B379F4AC167609D8A3EF26444098B61D.exe | 54 |
| PID 2820 wrote to memory of 1360 | 2820 | B379F4AC167609D8A3EF26444098B61D.exe | 54 |
| PID 2820 wrote to memory of 2156 | 2820 | B379F4AC167609D8A3EF26444098B61D.exe | 55 |
| PID 2820 wrote to memory of 2156 | 2820 | B379F4AC167609D8A3EF26444098B61D.exe | 55 |
| PID 2820 wrote to memory of 2156 | 2820 | B379F4AC167609D8A3EF26444098B61D.exe | 55 |
| PID 2820 wrote to memory of 2064 | 2820 | B379F4AC167609D8A3EF26444098B61D.exe | 56 |
| PID 2820 wrote to memory of 2064 | 2820 | B379F4AC167609D8A3EF26444098B61D.exe | 56 |
| PID 2820 wrote to memory of 2064 | 2820 | B379F4AC167609D8A3EF26444098B61D.exe | 56 |
| PID 2820 wrote to memory of 2224 | 2820 | B379F4AC167609D8A3EF26444098B61D.exe | 57 |
| PID 2820 wrote to memory of 2224 | 2820 | B379F4AC167609D8A3EF26444098B61D.exe | 57 |
| PID 2820 wrote to memory of 2224 | 2820 | B379F4AC167609D8A3EF26444098B61D.exe | 57 |
| PID 2820 wrote to memory of 2232 | 2820 | B379F4AC167609D8A3EF26444098B61D.exe | 61 |
| PID 2820 wrote to memory of 2232 | 2820 | B379F4AC167609D8A3EF26444098B61D.exe | 61 |
| PID 2820 wrote to memory of 2232 | 2820 | B379F4AC167609D8A3EF26444098B61D.exe | 61 |
| PID 2232 wrote to memory of 2284 | 2232 | cmd.exe | 66 |
| PID 2232 wrote to memory of 2284 | 2232 | cmd.exe | 66 |
| PID 2232 wrote to memory of 2284 | 2232 | cmd.exe | 66 |
| PID 2232 wrote to memory of 2328 | 2232 | cmd.exe | 67 |
| PID 2232 wrote to memory of 2328 | 2232 | cmd.exe | 67 |
| PID 2232 wrote to memory of 2328 | 2232 | cmd.exe | 67 |
| PID 2232 wrote to memory of 2196 | 2232 | cmd.exe | 68 |
| PID 2232 wrote to memory of 2196 | 2232 | cmd.exe | 68 |
| PID 2232 wrote to memory of 2196 | 2232 | cmd.exe | 68 |
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\B379F4AC167609D8A3EF26444098B61D.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\B379F4AC167609D8A3EF26444098B61D.exe"
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2820

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qqvz1f42\qqvz1f42.cmdline"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 1416

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6FC3.tmp" "c:\Windows\System32\CSC8B632B8D858A474CB5D57D1F2D80B3.TMP"
    PID: 2864

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsass.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID: 2924

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\es-ES\lsm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID: 2164

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\lsm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID: 1360

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID: 2156

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID: 2064

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\B379F4AC167609D8A3EF26444098B61D.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID: 2224

  C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u5ZafbEJi7.bat"
  - Suspicious use of WriteProcessMemory
  PID: 2232

    C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 2284

    C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID: 2328

    C:\Users\Public\lsm.exe
    Command line: "C:\Users\Public\lsm.exe"
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID: 2196

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3048

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2544

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1896

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\DVD Maker\es-ES\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1236

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\es-ES\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2180

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\es-ES\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1704

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\Public\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2420

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1836

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\Public\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1564

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1104

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1872

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2032

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2728

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 620

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2428

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "B379F4AC167609D8A3EF26444098B61DB" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\B379F4AC167609D8A3EF26444098B61D.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1908

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "B379F4AC167609D8A3EF26444098B61D" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\B379F4AC167609D8A3EF26444098B61D.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2928

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "B379F4AC167609D8A3EF26444098B61DB" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\B379F4AC167609D8A3EF26444098B61D.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2408
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
- Filesize: 1KB
  MD5: ef439c83692329b8b8ecf7ef616924c1
  SHA1: 3e0165466da230d6207541cbadfba6cfd4f4e1c6
  SHA256: d807c60ce8b095eed1d4bc7241deb8877758405550a1d531793de8e7c8c15f9a
  SHA512: 057213702064591d2dae5cbf8f23f95b230046b124ff62f4d786176b2e9a20022570ff29deab92e1145e9a6bf43c4d114eb6437e173180c2f78b23d05f1f1361
- Filesize: 151B
  MD5: 5cf376d11775a4448c08b95e8cda42bd
  SHA1: fff3d82950ac164c5f23ed2773c0f31f8cd40bbc
  SHA256: a70ecd5654084443159e984ca3e5fb43bda4b805588da49dcf1394afb6a35222
  SHA512: 5d7f7bf215115d201401d63269c5c09ef64fe406ba49ef4cd2566833e42e0c2e380e86c5921ede9075e6e8506112fc7bd79714f991dd782ad982b663c1f3866a
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: cd2e903522ce37a38bc429cbb64efec2
  SHA1: d0be919779febe7ef6a8b0d404675c81584a64b7
  SHA256: f8d6d58176ff14388464e411c497c8657632bdcce6d73956b7bb8bdc41956699
  SHA512: 54752bc76ca694995c6168195deb8158340fb0ca77ea5550974c14821ffb30dd1aba0c9628bff71dd83fbe6b91204555ba7522c160c2c53e412fbe501277d620
- Filesize: 1.9MB
  MD5: b379f4ac167609d8a3ef26444098b61d
  SHA1: 85fe0bbbe666d72a955ee98444415194e00739eb
  SHA256: 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80
  SHA512: 0028141132f1437ff556a00e7cd32298bf561690fd809f361fcfaf9b8837e5a173f4acb192b25668550e2ec526ea4a518ea46e3fd7c2e1b8fad1a49d8d6ed0fe
- Filesize: 363B
  MD5: ef11341720ec634988889b1fa89238de
  SHA1: 87d510e75be3eec5e6a619407d2bdfdfb90136f1
  SHA256: 8d71dc62ffce2978b03b0c0efcd9f69c6eaca524fed8074046a1350bc9cbbe89
  SHA512: c7b0b2b3e4f10acb7c4f927c8ed3ba8f56d6e01119e7448c24d6d0b932e22831db3e5c4d9ff721a4bfa1a5fd658a3944657177165f6982d8fe172769de7e3d46
- Filesize: 235B
  MD5: d66106facd4bdb2e49f403b22e2b4fe1
  SHA1: 95797df65918e514c6195b301600fd03cb94cecc
  SHA256: 022e636d86d9f3c99c1ef096e42aecb92f5a34b7eb44e3fee02e767d1c4c4643
  SHA512: 6d2246c170b502dad6fe92feb450a0225a3f2b802eb3465f20d771b25c41f2423e2ae6a4b667e5af2200aeb0844c4bc89f513d9a0a36a4f64358021dd00ed4eb
- Filesize: 1KB
  MD5: 9446a6998523ec187daa3d79bec9c8fa
  SHA1: 16c7f73aef03c8a15b4d9e8b1cfa5183caf7ca96
  SHA256: f55f1bd2c1246cfb3b60cd8649fcc78b3837896bdf5132d6fc8ea0ecabf892d7
  SHA512: fac3ad1b0c8663aaa94cd66b6ea0aa1848e570ff4a22b709cf2696abb76e28f42fb0d2a74316a7ad86bb6216177013c6b71ce2f4df139edc3054a03ee3467c9d