Analysis
- max time kernel: 143s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20241023-en
- resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
- submitted: 12-11-2024 02:21
Static task: static1
Behavioral task: behavioral1
  Sample: 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
  Resource: win10v2004-20241007-en
General
- Target: 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
- Size: 1.9MB
- MD5: b379f4ac167609d8a3ef26444098b61d
- SHA1: 85fe0bbbe666d72a955ee98444415194e00739eb
- SHA256: 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80
- SHA512: 0028141132f1437ff556a00e7cd32298bf561690fd809f361fcfaf9b8837e5a173f4acb192b25668550e2ec526ea4a518ea46e3fd7c2e1b8fad1a49d8d6ed0fe
- SSDEEP: 24576:qhNLIZG9ZdCvfOqBlRF7kVkHreh1kEGD/5MTgsxjY9gIBiatkZ2hIHirkUP7oM8j:qGfj7rk+CLN9EIshijMX6i5w
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\fr-FR\\services.exe\", \"C:\\Windows\\Panther\\setup.exe\\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe\", \"C:\\Program Files\\Windows Portable Devices\\lsass.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\System.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe\"" | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\fr-FR\\services.exe\"" | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\fr-FR\\services.exe\", \"C:\\Windows\\Panther\\setup.exe\\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe\"" | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\fr-FR\\services.exe\", \"C:\\Windows\\Panther\\setup.exe\\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe\", \"C:\\Program Files\\Windows Portable Devices\\lsass.exe\"" | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\fr-FR\\services.exe\", \"C:\\Windows\\Panther\\setup.exe\\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe\", \"C:\\Program Files\\Windows Portable Devices\\lsass.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\wininit.exe\"" | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\fr-FR\\services.exe\", \"C:\\Windows\\Panther\\setup.exe\\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe\", \"C:\\Program Files\\Windows Portable Devices\\lsass.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\System.exe\"" | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2848 | 2744 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2132 | 2744 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2648 | 2744 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2636 | 2744 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2716 | 2744 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2472 | 2744 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2508 | 2744 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 836 | 2744 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3052 | 2744 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1372 | 2744 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2876 | 2744 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2948 | 2744 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3032 | 2744 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2988 | 2744 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1180 | 2744 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1320 | 2744 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2500 | 2744 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2468 | 2744 | schtasks.exe | 31
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
2484 | powershell.exe
2320 | powershell.exe
2112 | powershell.exe
2552 | powershell.exe
2544 | powershell.exe
2108 | powershell.exe
Executes dropped EXE 1 IoCs
pid Process 2312 services.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 12 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Windows Portable Devices\\lsass.exe\"" | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\wininit.exe\"" | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Windows Journal\\fr-FR\\System.exe\"" | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80 = "\"C:\\Windows\\Panther\\setup.exe\\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe\"" | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\fr-FR\\services.exe\"" | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80 = "\"C:\\Windows\\Panther\\setup.exe\\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe\"" | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Windows Portable Devices\\lsass.exe\"" | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\wininit.exe\"" | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Windows Journal\\fr-FR\\System.exe\"" | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe\"" | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe\"" | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\fr-FR\\services.exe\"" | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | \??\c:\Windows\System32\CSCEE2C1281E5AA465BB178E71C58F4F651.TMP | csc.exe
File created | \??\c:\Windows\System32\_f1q_j.exe | csc.exe
Drops file in Program Files directory 5 IoCs
description | ioc | Process
File created | C:\Program Files\Windows Journal\fr-FR\System.exe | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
File opened for modification | C:\Program Files\Windows Journal\fr-FR\System.exe | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
File created | C:\Program Files\Windows Journal\fr-FR\27d1bcfc3c54e0 | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
File created | C:\Program Files\Windows Portable Devices\lsass.exe | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
File created | C:\Program Files\Windows Portable Devices\6203df4a6bafc7 | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\Panther\setup.exe\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
File created | C:\Windows\Panther\setup.exe\0a37e2a0df06c2 | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
File created | C:\Windows\fr-FR\services.exe | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
File created | C:\Windows\fr-FR\c5b4cb5e9653cc | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2208 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2208 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1372 | schtasks.exe
1180 | schtasks.exe
2500 | schtasks.exe
2132 | schtasks.exe
2508 | schtasks.exe
836 | schtasks.exe
2876 | schtasks.exe
2468 | schtasks.exe
2848 | schtasks.exe
2648 | schtasks.exe
2948 | schtasks.exe
1320 | schtasks.exe
2988 | schtasks.exe
2636 | schtasks.exe
2716 | schtasks.exe
2472 | schtasks.exe
3052 | schtasks.exe
3032 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
108 | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe (this same row is logged 64 times)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2312 services.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description | pid | Process
Token: SeDebugPrivilege | 108 | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Token: SeDebugPrivilege | 2484 | powershell.exe
Token: SeDebugPrivilege | 2112 | powershell.exe
Token: SeDebugPrivilege | 2544 | powershell.exe
Token: SeDebugPrivilege | 2320 | powershell.exe
Token: SeDebugPrivilege | 2108 | powershell.exe
Token: SeDebugPrivilege | 2552 | powershell.exe
Token: SeDebugPrivilege | 2312 | services.exe
Suspicious use of WriteProcessMemory 36 IoCs
description | pid | Process | procid_target (each row is logged 3 times, 36 entries in total)
PID 108 wrote to memory of 2796 | 108 | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe | 35
PID 2796 wrote to memory of 2908 | 2796 | csc.exe | 37
PID 108 wrote to memory of 2484 | 108 | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe | 53
PID 108 wrote to memory of 2320 | 108 | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe | 54
PID 108 wrote to memory of 2108 | 108 | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe | 55
PID 108 wrote to memory of 2112 | 108 | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe | 58
PID 108 wrote to memory of 2552 | 108 | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe | 59
PID 108 wrote to memory of 2544 | 108 | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe | 60
PID 108 wrote to memory of 1100 | 108 | 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe | 63
PID 1100 wrote to memory of 2176 | 1100 | cmd.exe | 67
PID 1100 wrote to memory of 2208 | 1100 | cmd.exe | 68
PID 1100 wrote to memory of 2312 | 1100 | cmd.exe | 69
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe"
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:108
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j3ge12os\j3ge12os.cmdline"
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      PID:2796
        - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3E2.tmp" "c:\Windows\System32\CSCEE2C1281E5AA465BB178E71C58F4F651.TMP"
          PID:2908
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\services.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of AdjustPrivilegeToken
      PID:2484
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\setup.exe\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of AdjustPrivilegeToken
      PID:2320
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\lsass.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of AdjustPrivilegeToken
      PID:2108
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of AdjustPrivilegeToken
      PID:2112
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\fr-FR\System.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of AdjustPrivilegeToken
      PID:2552
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of AdjustPrivilegeToken
      PID:2544
    - C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lAeXItx3bJ.bat"
      - Suspicious use of WriteProcessMemory
      PID:1100
        - C:\Windows\system32\chcp.com
          Command line: chcp 65001
          PID:2176
        - C:\Windows\system32\PING.EXE
          Command line: ping -n 10 localhost
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
          PID:2208
        - C:\Windows\fr-FR\services.exe
          Command line: "C:\Windows\fr-FR\services.exe"
          - Executes dropped EXE
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
          PID:2312
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\fr-FR\services.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2848
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\fr-FR\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2132
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\fr-FR\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2648
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b804" /sc MINUTE /mo 5 /tr "'C:\Windows\Panther\setup.exe\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2636
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80" /sc ONLOGON /tr "'C:\Windows\Panther\setup.exe\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2716
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b804" /sc MINUTE /mo 9 /tr "'C:\Windows\Panther\setup.exe\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2472
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2508
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:836
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3052
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1372
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2876
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2948
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\fr-FR\System.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3032
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\fr-FR\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2988
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Journal\fr-FR\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1180
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b804" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1320
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2500
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b804" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2468
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (1): Credentials In Files (1)
Downloads
- (unnamed)
  Filesize: 1KB
  MD5: bdd05466b6fa0cee96af7c6ca25ddbf2
  SHA1: da4eedcab2e624415525907f47b5cce2563a7f33
  SHA256: d1c5a0c9def71a55c6c34f0839cb9094753e2dda29ca69d4e9265067e5e0a54a
  SHA512: d981929addb2059ec25c161482e593012fb220507d961faadf2e382bf1b7f648820652f7a96483a7ed266640fe5ec3a30fc2925e518a3ab178a712177d0678ea
- (unnamed)
  Filesize: 157B
  MD5: e96815e73f04233366232bb522d1d110
  SHA1: 7e307a967901d37b34409cc2ad6145c6a5c3c5ea
  SHA256: 15b10b1b1941b699eed53b45046af69c11d41c9d6c9673b45457c0f9cee687c4
  SHA512: 02cdfeb644245523b78bcdafe0317a7864fd5dc202a15e9ee437a97ae7d2c8013dc489b7470af2250df3497c618c1283a197b5f4a03f1ffb2eea76da943b15a9
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A7ZQSOT1EXBBYOB3X181.temp
  Filesize: 7KB
  MD5: 15470336762a7e1ead07a820807ead7f
  SHA1: cb4be7262d395ae97f331bbd716cec27924fd4e4
  SHA256: 8ea8e070699242118fb20bd53de229a02dd4293985ca763db6c68d613c296a48
  SHA512: d96475b6795c290df446b6661e0c666f1785515e7e767d5adef9f1f8bfdc04706f723f74553bd98e9afeab8c03d60eaa5e2d476888f2f3a67c112f5fe9869377
- (unnamed)
  Filesize: 1.9MB
  MD5: b379f4ac167609d8a3ef26444098b61d
  SHA1: 85fe0bbbe666d72a955ee98444415194e00739eb
  SHA256: 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80
  SHA512: 0028141132f1437ff556a00e7cd32298bf561690fd809f361fcfaf9b8837e5a173f4acb192b25668550e2ec526ea4a518ea46e3fd7c2e1b8fad1a49d8d6ed0fe
- (unnamed)
  Filesize: 361B
  MD5: 41821d9875810b2d11667c9cd6787ca0
  SHA1: a9cb902ae7a18e76bb6a5877b3f6d7612585fac5
  SHA256: 64282d4f7dd1b41a6ba7a9439382d5df0f16d78e665d3e25bc018cc93e45d8c6
  SHA512: fb646e208ae532bef7aee0750289b0027b6f22d3fccc45f3cc040d89bda56f82ad591a64184b869ce9b219c737633cf53bd7a750d24405c2730a242a7e4bea4f
- (unnamed)
  Filesize: 235B
  MD5: 1ad5810077e33a911d14ef0460d1ccf3
  SHA1: bf3c8638f53c76e26d4df4ec7c0e5ba03b4c1779
  SHA256: 19ab4a68420194d302154f6d20e65d42e1ff48fef2f4c20be6668ecc4c95e25b
  SHA512: 15ab194567a6063faf3ab85f89a90049e17a7ea5db151587f990ef50c774022f64c0d4105ed000c98dacd827a3e05b3a5f90006d1e0503c1238e8f1a0b014e72
- (unnamed)
  Filesize: 1KB
  MD5: fccbcfaf29fdccaabada579f7aaf3ae7
  SHA1: f9b179b6aab6b96908d89b35aab3f503478a956d
  SHA256: e70bc8ad14a70d490fe92ed86e79c40fc133a64428a2781e14514b16d83a9b02
  SHA512: ac047b4ba060e72e224c1afdebbdafecbfd705a67cb8f0cd5c82bf7980c2baa23bdb5bf5d821836bc0c426069a61d8e112b45239887d2d81b8a6d4fa839c1e10