Analysis

max time kernel: 147s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-11-2024 23:41

Static task: static1
Behavioral task: behavioral1
  Sample: B379F4AC167609D8A3EF26444098B61D.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: B379F4AC167609D8A3EF26444098B61D.exe
  Resource: win10v2004-20241007-en
General

Target: B379F4AC167609D8A3EF26444098B61D.exe
Size: 1.9MB
MD5: b379f4ac167609d8a3ef26444098b61d
SHA1: 85fe0bbbe666d72a955ee98444415194e00739eb
SHA256: 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80
SHA512: 0028141132f1437ff556a00e7cd32298bf561690fd809f361fcfaf9b8837e5a173f4acb192b25668550e2ec526ea4a518ea46e3fd7c2e1b8fad1a49d8d6ed0fe
SSDEEP: 24576:qhNLIZG9ZdCvfOqBlRF7kVkHreh1kEGD/5MTgsxjY9gIBiatkZ2hIHirkUP7oM8j:qGfj7rk+CLN9EIshijMX6i5w

Malware Config

Signatures
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.

Dcrat family
Modifies WinLogon for persistence (2 TTPs, 6 IoCs)
The sample rewrites HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell six times, appending one more dropped copy on each write, so every copy is started alongside explorer.exe at logon. The final value lists all six executables.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\sppsvc.exe\"" | B379F4AC167609D8A3EF26444098B61D.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" | B379F4AC167609D8A3EF26444098B61D.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Windows\\it-IT\\Registry.exe\"" | B379F4AC167609D8A3EF26444098B61D.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Windows\\it-IT\\Registry.exe\", \"C:\\Windows\\it-IT\\Idle.exe\"" | B379F4AC167609D8A3EF26444098B61D.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Windows\\it-IT\\Registry.exe\", \"C:\\Windows\\it-IT\\Idle.exe\", \"C:\\Windows\\SysWOW64\\nl-NL\\SearchApp.exe\"" | B379F4AC167609D8A3EF26444098B61D.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Windows\\it-IT\\Registry.exe\", \"C:\\Windows\\it-IT\\Idle.exe\", \"C:\\Windows\\SysWOW64\\nl-NL\\SearchApp.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\B379F4AC167609D8A3EF26444098B61D.exe\"" | B379F4AC167609D8A3EF26444098B61D.exe
Process spawned unexpected child process (18 IoCs)
The sandbox's generic note for this signature is that the parent was compromised via an exploit or macro. That reading does not fit this run: the parent is WmiPrvSE.exe, the WMI provider host, and processes created through WMI (for example Win32_Process.Create) appear as its children. The 18 children are the schtasks.exe invocations listed under Processes, so the sample registers its scheduled tasks through WMI rather than launching schtasks.exe itself.
All 18 entries share the same parent (PID 1668, C:\Windows\system32\wbem\wmiprvse.exe), child image schtasks.exe and procid_target 85. Child PIDs: 2108, 3272, 4480, 4100, 2372, 5072, 1780, 2264, 2452, 1144, 4652, 776, 5108, 3800, 2236, 836, 4944, 2080.

Command and Scripting Interpreter: PowerShell (1 TTP, 6 IoCs)
Runs PowerShell to modify Windows Defender settings. In this run each of the six invocations adds a path exclusion (Add-MpPreference -ExclusionPath) for one of the six persistence copies, so Defender will not scan them.
pid | Process
1712 | powershell.exe
3512 | powershell.exe
1352 | powershell.exe
1240 | powershell.exe
5040 | powershell.exe
1952 | powershell.exe
Checks computer location settings (2 TTPs, 1 IoC)
Reads the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | B379F4AC167609D8A3EF26444098B61D.exe

Executes dropped EXE (1 IoC)
pid | Process
5036 | Registry.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Adds Run key to start application (2 TTPs, 12 IoCs)
Each of the six copies is registered twice, once under the user hive (HKCU) and once under HKLM; the key paths below are in the kernel \REGISTRY\ form the sandbox records.
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\sppsvc.exe\"" | B379F4AC167609D8A3EF26444098B61D.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\sppsvc.exe\"" | B379F4AC167609D8A3EF26444098B61D.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Windows\\it-IT\\Registry.exe\"" | B379F4AC167609D8A3EF26444098B61D.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Windows\\it-IT\\Registry.exe\"" | B379F4AC167609D8A3EF26444098B61D.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\SysWOW64\\nl-NL\\SearchApp.exe\"" | B379F4AC167609D8A3EF26444098B61D.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\B379F4AC167609D8A3EF26444098B61D = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\B379F4AC167609D8A3EF26444098B61D.exe\"" | B379F4AC167609D8A3EF26444098B61D.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" | B379F4AC167609D8A3EF26444098B61D.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" | B379F4AC167609D8A3EF26444098B61D.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\it-IT\\Idle.exe\"" | B379F4AC167609D8A3EF26444098B61D.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\it-IT\\Idle.exe\"" | B379F4AC167609D8A3EF26444098B61D.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\SysWOW64\\nl-NL\\SearchApp.exe\"" | B379F4AC167609D8A3EF26444098B61D.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\B379F4AC167609D8A3EF26444098B61D = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\B379F4AC167609D8A3EF26444098B61D.exe\"" | B379F4AC167609D8A3EF26444098B61D.exe
Drops file in System32 directory (5 IoCs)
description | ioc | Process
File created | \??\c:\Windows\System32\ljh0xx.exe | csc.exe
File created | C:\Windows\SysWOW64\nl-NL\SearchApp.exe | B379F4AC167609D8A3EF26444098B61D.exe
File opened for modification | C:\Windows\SysWOW64\nl-NL\SearchApp.exe | B379F4AC167609D8A3EF26444098B61D.exe
File created | C:\Windows\SysWOW64\nl-NL\38384e6a620884 | B379F4AC167609D8A3EF26444098B61D.exe
File created | \??\c:\Windows\System32\CSCC975ED6524B1427DAE1AE86615363CB.TMP | csc.exe

Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe | B379F4AC167609D8A3EF26444098B61D.exe
File created | C:\Program Files (x86)\Windows Multimedia Platform\0a1fd5f707cd16 | B379F4AC167609D8A3EF26444098B61D.exe

Drops file in Windows directory (5 IoCs)
description | ioc | Process
File created | C:\Windows\it-IT\Idle.exe | B379F4AC167609D8A3EF26444098B61D.exe
File created | C:\Windows\it-IT\6ccacd8608530f | B379F4AC167609D8A3EF26444098B61D.exe
File created | C:\Windows\CSC\fontdrvhost.exe | B379F4AC167609D8A3EF26444098B61D.exe
File created | C:\Windows\it-IT\Registry.exe | B379F4AC167609D8A3EF26444098B61D.exe
File created | C:\Windows\it-IT\ee2ad38f3d4382 | B379F4AC167609D8A3EF26444098B61D.exe
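The Winlogon Shell value, the Run keys and the file drops above all point at the same set of paths: copies of the sample named after genuine Windows binaries (sppsvc.exe, RuntimeBroker.exe, SearchApp.exe, fontdrvhost.exe) or after kernel pseudo-processes (Idle, Registry), dropped into the WinRE folder, language-resource folders and a user temp directory. The Python below is an added example, not part of the sandbox report or of the sample, that parses the recorded Shell and Run-key values and flags exactly those entries. The expected-location table, the pseudo-process name set and the suspicious-directory pattern are the analyst's assumptions; SHELL_VALUE and RUN_KEYS are constructed from the rows above, with a benign OneDrive entry added as a control.

```python
"""Audit the Winlogon Shell and Run-key values recorded in this report.

Added example, not sandbox or malware code. The expected-location table, the
pseudo-process name set and the suspicious-directory pattern are the analyst's
assumptions; SHELL_VALUE and RUN_KEYS are constructed from the report.
"""
import csv
import ntpath
import re

# A clean Winlogon\Shell value holds exactly this.
DEFAULT_SHELL = ["explorer.exe"]

# Assumption: stock location of the genuine binaries whose names the sample reuses.
EXPECTED_DIR = {
    "sppsvc.exe": r"c:\windows\system32",
    "runtimebroker.exe": r"c:\windows\system32",
    "fontdrvhost.exe": r"c:\windows\system32",
    "searchapp.exe": r"c:\windows\systemapps",
}
# Names that mimic kernel pseudo-processes (System Idle Process, Registry, System);
# these have no image file on disk, so any executable carrying the name is suspect.
PSEUDO_PROCESS_NAMES = {"idle.exe", "registry.exe", "system.exe"}
# Assumption: places a legitimate autostart binary is not dropped into: a user temp
# directory, the WinRE folder, or a language-resource folder such as it-IT or nl-NL.
ODD_LOCATION = re.compile(
    r"\\appdata\\local\\temp\\|\\recovery\\|\\[a-z]{2}-[a-z]{2}\\", re.IGNORECASE)

# Constructed from the report: the final Winlogon Shell value, unescaped.
SHELL_VALUE = (
    r'explorer.exe, "C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe", '
    r'"C:\Recovery\WindowsRE\RuntimeBroker.exe", "C:\Windows\it-IT\Registry.exe", '
    r'"C:\Windows\it-IT\Idle.exe", "C:\Windows\SysWOW64\nl-NL\SearchApp.exe", '
    r'"C:\Users\Admin\AppData\Local\Temp\B379F4AC167609D8A3EF26444098B61D.exe"'
)
# Constructed: the HKLM\...\CurrentVersion\Run values from the report plus a benign control.
RUN_KEYS = {
    "sppsvc": r'"C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe"',
    "Registry": r'"C:\Windows\it-IT\Registry.exe"',
    "RuntimeBroker": r'"C:\Recovery\WindowsRE\RuntimeBroker.exe"',
    "Idle": r'"C:\Windows\it-IT\Idle.exe"',
    "SearchApp": r'"C:\Windows\SysWOW64\nl-NL\SearchApp.exe"',
    "OneDrive": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}


def parse_shell_value(value: str) -> list[str]:
    """Split a Winlogon Shell string into entries.

    The value is comma-separated and entries containing spaces are double-quoted,
    so a CSV reader with skipinitialspace=True parses it correctly."""
    return [e for e in next(csv.reader([value], skipinitialspace=True)) if e]


def parse_run_value(value: str) -> str:
    """Return the executable path from a Run-key command (quoted path or first token)."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:value.index('"', 1)]
    return value.split()[0] if value else ""


def path_concerns(path: str) -> list[str]:
    """Reasons an autostart path looks like a masqueraded or misplaced binary."""
    low = path.lower()
    name, directory = ntpath.basename(low), ntpath.dirname(low)
    concerns = []
    if name in PSEUDO_PROCESS_NAMES:
        concerns.append("name mimics a kernel pseudo-process that has no image on disk")
    if name in EXPECTED_DIR and not directory.startswith(EXPECTED_DIR[name]):
        concerns.append(f"masquerades as {name}, which lives under {EXPECTED_DIR[name]}")
    if ODD_LOCATION.search(low):
        concerns.append("dropped in a temp, recovery or language-resource directory")
    return concerns


def audit_shell(value: str) -> list[tuple[str, list[str]]]:
    """Every Shell entry other than explorer.exe, paired with its reasons for concern."""
    findings = []
    for i, entry in enumerate(parse_shell_value(value)):
        if entry.lower() in DEFAULT_SHELL:
            continue
        why = "replaces the default shell" if i == 0 else "extra Winlogon Shell entry"
        findings.append((entry, [why] + path_concerns(entry)))
    return findings


def audit_run_keys(values: dict[str, str]) -> dict[str, list[str]]:
    """Run-key value names whose target path raises at least one concern."""
    report = {}
    for name, data in values.items():
        concerns = path_concerns(parse_run_value(data))
        if concerns:
            report[name] = concerns
    return report


if __name__ == "__main__":
    for entry, reasons in audit_shell(SHELL_VALUE):
        print(f"Shell: {entry}\n    " + "\n    ".join(reasons))
    for name, reasons in audit_run_keys(RUN_KEYS).items():
        print(f"Run\\{name}: " + "; ".join(reasons))
```

On a live host the same two functions can be fed the output of `reg query` for the Winlogon key and the two Run keys; the CSV-based split matters because a Shell value with a quoted path containing a comma would otherwise be cut in the wrong place.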
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems. In this run the target is localhost with -n 10 (see the batch file's children under Processes), which is the usual batch-file delay before relaunching the dropped copy rather than a connectivity check.
pid | Process
2376 | PING.EXE

Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | B379F4AC167609D8A3EF26444098B61D.exe

Runs ping.exe (1 TTP, 1 IoC)
pid | Process
2376 | PING.EXE

Scheduled Task/Job: Scheduled Task (1 TTP, 18 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here each of the six copies gets three tasks (command lines under Processes): a MINUTE task without a run level, an ONLOGON task with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST that reuses the first task's name and, because of /f, overwrites it.
pid | Process
3272 schtasks.exe, 4480 schtasks.exe, 2452 schtasks.exe, 836 schtasks.exe, 2080 schtasks.exe, 2108 schtasks.exe, 4100 schtasks.exe, 5072 schtasks.exe, 4652 schtasks.exe, 2264 schtasks.exe, 776 schtasks.exe, 3800 schtasks.exe, 4944 schtasks.exe, 2372 schtasks.exe, 1780 schtasks.exe, 1144 schtasks.exe, 5108 schtasks.exe, 2236 schtasks.exe
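Three of the signatures above translate directly into process-creation detections: schtasks.exe running under WmiPrvSE.exe, PowerShell adding Defender exclusions, and /create calls that fire every few minutes or at logon with /rl HIGHEST. The Python below is an added example, not sandbox or malware code, showing that logic run over telemetry. EVENTS is constructed from the PIDs and command lines in this report plus benign control events; the parent/child watch-list and the 15-minute threshold are the analyst's assumptions.

```python
"""Detection logic for three behaviours recorded in this report: schtasks.exe
spawned by WmiPrvSE.exe, Defender exclusions added via PowerShell, and
short-interval or elevated scheduled tasks.

Added example, not sandbox or malware code. EVENTS is constructed from the
PIDs and command lines in the report plus benign control events; the
parent/child watch-list and the 15-minute threshold are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    parent_image: str
    image: str
    cmdline: str


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


WMIPRVSE = r"C:\Windows\system32\wbem\wmiprvse.exe"
SCHTASKS = r"C:\Windows\system32\schtasks.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\B379F4AC167609D8A3EF26444098B61D.exe"

# Constructed from the report (parent 1668 is WmiPrvSE.exe, 3208 is the sample).
EVENTS = [
    ProcessEvent(2108, 1668, WMIPRVSE, SCHTASKS,
                 r"""schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe'" /f"""),
    ProcessEvent(3272, 1668, WMIPRVSE, SCHTASKS,
                 r"""schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe'" /rl HIGHEST /f"""),
    ProcessEvent(2452, 1668, WMIPRVSE, SCHTASKS,
                 r"""schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Windows\it-IT\Registry.exe'" /rl HIGHEST /f"""),
    ProcessEvent(1952, 3208, SAMPLE, POWERSHELL,
                 r"""powershell -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe'"""),
    ProcessEvent(2376, 2396, r"C:\Windows\System32\cmd.exe", r"C:\Windows\system32\PING.EXE",
                 "ping -n 10 localhost"),
    # Benign controls (constructed): an admin reading Defender settings, a task query.
    ProcessEvent(4242, 1234, r"C:\Windows\explorer.exe", POWERSHELL,
                 "powershell -Command Get-MpPreference"),
    ProcessEvent(4343, 1234, r"C:\Windows\System32\cmd.exe", SCHTASKS,
                 r"""schtasks.exe /query /tn "\Microsoft\Windows\Defrag\ScheduledDefrag" /v"""),
]

# Assumption: parents that should never be launching these children.
UNEXPECTED_CHILDREN = {"wmiprvse.exe": {"schtasks.exe", "cmd.exe", "powershell.exe"}}
DEFENDER_EXCLUSION = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+['\"]?([^'\"]+)", re.IGNORECASE)
FAST_RELAUNCH_MINUTES = 15  # assumption: anything more frequent is a re-launch loop

_TOKEN = re.compile(r'"[^"]*"|\S+')


def split_cmdline(cmdline: str) -> list[str]:
    """Windows-style split: whitespace-separated, double-quoted runs kept whole, no escapes."""
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] == '"' else t
            for t in _TOKEN.findall(cmdline)]


def parse_schtasks(cmdline: str) -> dict[str, str]:
    """Map each /switch to its value ('' for bare switches such as /create and /f)."""
    tokens = split_cmdline(cmdline)[1:]  # drop the executable name
    opts: dict[str, str] = {}
    i = 0
    while i < len(tokens):
        if not tokens[i].startswith("/"):
            i += 1
            continue
        key = tokens[i][1:].lower()
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            opts[key], i = tokens[i + 1], i + 2
        else:
            opts[key], i = "", i + 1
    return opts


def schtasks_persistence(opts: dict[str, str]) -> Optional[str]:
    """Describe why a /create call looks like persistence, or None."""
    if "create" not in opts:
        return None
    sc, mo = opts.get("sc", "").upper(), opts.get("mo", "")
    elevated = opts.get("rl", "").upper() == "HIGHEST"
    target = opts.get("tr", "").strip("'")
    if sc == "MINUTE" and mo.isdigit() and int(mo) <= FAST_RELAUNCH_MINUTES:
        return (f"task {opts.get('tn')!r} re-launches {target} every {mo} min"
                + (" (elevated)" if elevated else ""))
    if sc in ("ONLOGON", "ONSTART") and elevated:
        return f"task {opts.get('tn')!r} runs {target} elevated at {sc}"
    return None


def detect(events: list[ProcessEvent]) -> list[Alert]:
    alerts = []
    for ev in events:
        parent = ntpath.basename(ev.parent_image).lower()
        child = ntpath.basename(ev.image).lower()
        if child in UNEXPECTED_CHILDREN.get(parent, ()):
            alerts.append(Alert("unexpected_child", ev.pid,
                                f"{parent} (PID {ev.ppid}) spawned {child}"))
        if child in ("powershell.exe", "pwsh.exe"):
            m = DEFENDER_EXCLUSION.search(ev.cmdline)
            if m:
                alerts.append(Alert("defender_exclusion", ev.pid,
                                    f"Exclusion{m.group(1)} added for {m.group(2).strip()}"))
        if child == "schtasks.exe":
            reason = schtasks_persistence(parse_schtasks(ev.cmdline))
            if reason:
                alerts.append(Alert("scheduled_task_persistence", ev.pid, reason))
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"[{a.rule}] PID {a.pid}: {a.detail}")
```

The tokenizer deliberately does not treat backslashes as escapes, which is what a POSIX-style `shlex.split` would do to `C:\Windows\...` and why it is not used here; the schtasks parser keeps bare switches as empty strings so that `/create` and `/f` can be tested for presence.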
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3208 | B379F4AC167609D8A3EF26444098B61D.exe (recorded 64 times)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
5036 | Registry.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3208 | B379F4AC167609D8A3EF26444098B61D.exe
Token: SeDebugPrivilege | 3512 | powershell.exe
Token: SeDebugPrivilege | 5040 | powershell.exe
Token: SeDebugPrivilege | 1712 | powershell.exe
Token: SeDebugPrivilege | 1240 | powershell.exe
Token: SeDebugPrivilege | 1352 | powershell.exe
Token: SeDebugPrivilege | 1952 | powershell.exe
Token: SeDebugPrivilege | 5036 | Registry.exe

Suspicious use of WriteProcessMemory (24 IoCs)
Each parent/child pair below is recorded twice in the report (24 entries for 12 pairs); the pairs reproduce the process tree under Processes.
description | pid | Process | procid_target
PID 3208 wrote to memory of 1416 | 3208 | B379F4AC167609D8A3EF26444098B61D.exe | 89
PID 1416 wrote to memory of 428 | 1416 | csc.exe | 91
PID 3208 wrote to memory of 1952 | 3208 | B379F4AC167609D8A3EF26444098B61D.exe | 110
PID 3208 wrote to memory of 5040 | 3208 | B379F4AC167609D8A3EF26444098B61D.exe | 111
PID 3208 wrote to memory of 1240 | 3208 | B379F4AC167609D8A3EF26444098B61D.exe | 112
PID 3208 wrote to memory of 1352 | 3208 | B379F4AC167609D8A3EF26444098B61D.exe | 113
PID 3208 wrote to memory of 3512 | 3208 | B379F4AC167609D8A3EF26444098B61D.exe | 114
PID 3208 wrote to memory of 1712 | 3208 | B379F4AC167609D8A3EF26444098B61D.exe | 115
PID 3208 wrote to memory of 2396 | 3208 | B379F4AC167609D8A3EF26444098B61D.exe | 121
PID 2396 wrote to memory of 3612 | 2396 | cmd.exe | 124
PID 2396 wrote to memory of 2376 | 2396 | cmd.exe | 125
PID 2396 wrote to memory of 5036 | 2396 | cmd.exe | 130

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Indentation shows the parent/child relationship. The 18 schtasks.exe processes appear at top level because their parent, WmiPrvSE.exe (PID 1668), is not part of the sample's own tree.

C:\Users\Admin\AppData\Local\Temp\B379F4AC167609D8A3EF26444098B61D.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\B379F4AC167609D8A3EF26444098B61D.exe"
  PID: 3208
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wn3tehis\wn3tehis.cmdline"
    PID: 1416
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC6F9.tmp" "c:\Windows\System32\CSCC975ED6524B1427DAE1AE86615363CB.TMP"
      PID: 428

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe'
    PID: 1952
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
    PID: 5040
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\Registry.exe'
    PID: 1240
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\Idle.exe'
    PID: 1352
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\nl-NL\SearchApp.exe'
    PID: 3512
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\B379F4AC167609D8A3EF26444098B61D.exe'
    PID: 1712
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fuB6f4vCIa.bat"
    PID: 2396
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\chcp.com
      command line: chcp 65001
      PID: 3612

    C:\Windows\system32\PING.EXE
      command line: ping -n 10 localhost
      PID: 2376
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe

    C:\Windows\it-IT\Registry.exe
      command line: "C:\Windows\it-IT\Registry.exe"
      PID: 5036
      - Executes dropped EXE
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\schtasks.exe (parent: wmiprvse.exe, PID 1668)
  command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe'" /f
  PID: 2108
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (parent: wmiprvse.exe, PID 1668)
  command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe'" /rl HIGHEST /f
  PID: 3272
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (parent: wmiprvse.exe, PID 1668)
  command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe'" /rl HIGHEST /f
  PID: 4480
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (parent: wmiprvse.exe, PID 1668)
  command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
  PID: 4100
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (parent: wmiprvse.exe, PID 1668)
  command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
  PID: 2372
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (parent: wmiprvse.exe, PID 1668)
  command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
  PID: 5072
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (parent: wmiprvse.exe, PID 1668)
  command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Windows\it-IT\Registry.exe'" /f
  PID: 1780
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (parent: wmiprvse.exe, PID 1668)
  command line: schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\it-IT\Registry.exe'" /rl HIGHEST /f
  PID: 2264
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (parent: wmiprvse.exe, PID 1668)
  command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Windows\it-IT\Registry.exe'" /rl HIGHEST /f
  PID: 2452
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (parent: wmiprvse.exe, PID 1668)
  command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\it-IT\Idle.exe'" /f
  PID: 1144
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (parent: wmiprvse.exe, PID 1668)
  command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\it-IT\Idle.exe'" /rl HIGHEST /f
  PID: 4652
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (parent: wmiprvse.exe, PID 1668)
  command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\it-IT\Idle.exe'" /rl HIGHEST /f
  PID: 776
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (parent: wmiprvse.exe, PID 1668)
  command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Windows\SysWOW64\nl-NL\SearchApp.exe'" /f
  PID: 5108
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (parent: wmiprvse.exe, PID 1668)
  command line: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SysWOW64\nl-NL\SearchApp.exe'" /rl HIGHEST /f
  PID: 3800
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (parent: wmiprvse.exe, PID 1668)
  command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Windows\SysWOW64\nl-NL\SearchApp.exe'" /rl HIGHEST /f
  PID: 2236
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (parent: wmiprvse.exe, PID 1668)
  command line: schtasks.exe /create /tn "B379F4AC167609D8A3EF26444098B61DB" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\B379F4AC167609D8A3EF26444098B61D.exe'" /f
  PID: 836
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (parent: wmiprvse.exe, PID 1668)
  command line: schtasks.exe /create /tn "B379F4AC167609D8A3EF26444098B61D" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\B379F4AC167609D8A3EF26444098B61D.exe'" /rl HIGHEST /f
  PID: 4944
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (parent: wmiprvse.exe, PID 1668)
  command line: schtasks.exe /create /tn "B379F4AC167609D8A3EF26444098B61DB" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\B379F4AC167609D8A3EF26444098B61D.exe'" /rl HIGHEST /f
  PID: 2080
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads

Files written during the run, by hash (the report does not record a file name for each entry; the first entry is the submitted sample itself).

Filesize: 1.9MB
MD5: b379f4ac167609d8a3ef26444098b61d
SHA1: 85fe0bbbe666d72a955ee98444415194e00739eb
SHA256: 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80
SHA512: 0028141132f1437ff556a00e7cd32298bf561690fd809f361fcfaf9b8837e5a173f4acb192b25668550e2ec526ea4a518ea46e3fd7c2e1b8fad1a49d8d6ed0fe

Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize: 944B
MD5: 77d622bb1a5b250869a3238b9bc1402b
SHA1: d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256: f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512: d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Filesize: 944B
MD5: d28a889fd956d5cb3accfbaf1143eb6f
SHA1: 157ba54b365341f8ff06707d996b3635da8446f7
SHA256: 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512: 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Filesize: 944B
MD5: 2e907f77659a6601fcc408274894da2e
SHA1: 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256: 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512: 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Filesize: 1KB
MD5: b5b113c77e4c15240dc47c702dd2eba8
SHA1: eebd5559f7f399ec7221deb05575c423d7866b9f
SHA256: bdf234671754a169139d3f7a40f925b2f024392b3ca82e28ef307627ca75c2a9
SHA512: 3e07253034268992260063da23c32918e245c528e88f7be2325c3372b55dadfc19726968d4f16fc7ba530be0979b78557384352794992dbe70c3ed4b96474417

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 157B
MD5: fd37c48c0aa5a34bc99b07ce207fbcbd
SHA1: 293e03c3e396f2a9188306b8f56d10589d992bae
SHA256: 897390d9593c77fc4549883b7ae38f94c42b7ba5b678bf2ee69746a4eda90cdc
SHA512: a0600f8ae69f6c84d750744544466da4059091d2c94ed5e9dc925377532329614bba32e1a50d5ba7bc36e55c2aeda218e001ece4c22c417edd08db8fdf64772b

Filesize: 393B
MD5: f8eb9c4c43cff81b9be190f768ce81d8
SHA1: f1a8c7468391140608f1df122e76169a84e033f9
SHA256: db21523d6a9254035df61e63d8aca1706db23e12a2c65dab076e9f6071753e30
SHA512: 10acde1a425aaa8a5847a7ed2595d94eef96f319ea3d3a3baf33c1c06706b2faa283ff3967d2054116231cf3d32991e923abac732567224f55d1aee28ba8c37e

Filesize: 235B
MD5: 341cf370c1d3e1aa391ec08b10b3f5b2
SHA1: 5c1d600fc92cc5c3ce0987a91cf17dbb79a96768
SHA256: bf1855a9c87f3d11b48d933fceb693b5ea13016d30572e5c3b36709092db8040
SHA512: 1a67456fe176a0c6201123ca2a3336b774165ca5eb8cbbb7a257a22f8a3f10d5c1dcc711ec6fc0eb81d98a0be88b78dee4fc3ad1f31514a8953e192efb402c1d

Filesize: 1KB
MD5: 2fd2b90e7053b01e6af25701a467eb1f
SHA1: 68801a13cebba82c24f67a9d7c886fcefcf01a51
SHA256: 12b900db56a20f01f0f1d65f46933971415d5b5675e59e8b02b3dae12aaa1527
SHA512: 081d3a621e3664709867f3fdd82808364978f896fb007c0c8e6c8dfe25f2f2b8d37c9e0b2e4fb51c90bc6f691507b569e5d841ef3ca3bd38bd6adda2d30f32af