Analysis
-
max time kernel
147s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
12-11-2024 02:21
Static task
static1
Behavioral task
behavioral1
Sample
430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
Resource
win10v2004-20241007-en
General
-
Target
430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe
-
Size
1.9MB
-
MD5
b379f4ac167609d8a3ef26444098b61d
-
SHA1
85fe0bbbe666d72a955ee98444415194e00739eb
-
SHA256
430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80
-
SHA512
0028141132f1437ff556a00e7cd32298bf561690fd809f361fcfaf9b8837e5a173f4acb192b25668550e2ec526ea4a518ea46e3fd7c2e1b8fad1a49d8d6ed0fe
-
SSDEEP
24576:qhNLIZG9ZdCvfOqBlRF7kVkHreh1kEGD/5MTgsxjY9gIBiatkZ2hIHirkUP7oM8j:qGfj7rk+CLN9EIshijMX6i5w
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\"" 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\"" 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\sppsvc.exe\"" 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\sppsvc.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\csrss.exe\"" 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\sppsvc.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\csrss.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe\"" 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe -
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4480 2796 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4620 2796 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2968 2796 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3436 2796 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2700 2796 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3388 2796 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2264 2796 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4196 2796 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2256 2796 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1768 2796 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1064 2796 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1160 2796 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5108 2796 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3480 2796 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2472 2796 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 960 2796 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5116 2796 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3176 2796 schtasks.exe 86 -
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 5040 powershell.exe 1952 powershell.exe 1352 powershell.exe 3568 powershell.exe 3512 powershell.exe 1240 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\sppsvc.exe\"" 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\csrss.exe\"" 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe\"" 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\csrss.exe\"" 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe\"" 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Recovery\\WindowsRE\\upfc.exe\"" 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Recovery\\WindowsRE\\upfc.exe\"" 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\WindowsRE\\winlogon.exe\"" 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\WindowsRE\\winlogon.exe\"" 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\sppsvc.exe\"" 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created \??\c:\Windows\System32\CSCEACF9E4247C04C80BC28CEE872651D1.TMP csc.exe File created \??\c:\Windows\System32\ljh0xx.exe csc.exe -
Drops file in Program Files directory 5 IoCs
description ioc Process File created C:\Program Files (x86)\Windows Multimedia Platform\0a1fd5f707cd16 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe File created C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe File opened for modification C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe File created C:\Program Files\Windows NT\TableTextService\en-US\886983d96e3d3e 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe File created C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1668 PING.EXE -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1668 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3388 schtasks.exe 4196 schtasks.exe 5108 schtasks.exe 3480 schtasks.exe 5116 schtasks.exe 4480 schtasks.exe 3436 schtasks.exe 960 schtasks.exe 4620 schtasks.exe 2968 schtasks.exe 2700 schtasks.exe 2264 schtasks.exe 1160 schtasks.exe 2472 schtasks.exe 2256 schtasks.exe 1768 schtasks.exe 1064 schtasks.exe 3176 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2080 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe Token: SeDebugPrivilege 5040 powershell.exe Token: SeDebugPrivilege 3568 powershell.exe Token: SeDebugPrivilege 1352 powershell.exe Token: SeDebugPrivilege 1240 powershell.exe Token: SeDebugPrivilege 3512 powershell.exe Token: SeDebugPrivilege 1952 powershell.exe Token: SeDebugPrivilege 2080 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 808 wrote to memory of 2376 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 90 PID 808 wrote to memory of 2376 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 90 PID 2376 wrote to memory of 736 2376 csc.exe 92 PID 2376 wrote to memory of 736 2376 csc.exe 92 PID 808 wrote to memory of 1952 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 110 PID 808 wrote to memory of 1952 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 110 PID 808 wrote to memory of 5040 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 111 PID 808 wrote to memory of 5040 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 111 PID 808 wrote to memory of 1240 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 112 PID 808 wrote to memory of 1240 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 112 PID 808 wrote to memory of 1352 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 113 PID 808 wrote to memory of 1352 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 113 PID 808 wrote to memory of 3512 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 114 PID 808 wrote to memory of 3512 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 114 PID 808 wrote to memory of 3568 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 115 PID 808 wrote to memory of 3568 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 115 PID 808 wrote to memory of 4212 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 122 PID 808 wrote to memory of 4212 808 430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe 122 PID 4212 wrote to memory of 1124 4212 cmd.exe 124 PID 4212 wrote to memory of 1124 4212 cmd.exe 124 PID 4212 wrote to memory of 1668 4212 cmd.exe 125 PID 4212 wrote to memory of 1668 4212 cmd.exe 125 PID 4212 wrote to memory of 2080 4212 cmd.exe 130 PID 4212 wrote to memory of 2080 4212 cmd.exe 130 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe"C:\Users\Admin\AppData\Local\Temp\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r2cyctnp\r2cyctnp.cmdline"2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA35.tmp" "c:\Windows\System32\CSCEACF9E4247C04C80BC28CEE872651D1.TMP"3⤵PID:736
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1952
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\winlogon.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5040
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1240
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1352
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3512
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3568
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Hv3OPtewG.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:4212 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:1124
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1668
-
-
C:\Users\Admin\AppData\Local\Temp\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe"C:\Users\Admin\AppData\Local\Temp\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2080
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4196
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b804" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b804" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD5b379f4ac167609d8a3ef26444098b61d
SHA185fe0bbbe666d72a955ee98444415194e00739eb
SHA256430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80
SHA5120028141132f1437ff556a00e7cd32298bf561690fd809f361fcfaf9b8837e5a173f4acb192b25668550e2ec526ea4a518ea46e3fd7c2e1b8fad1a49d8d6ed0fe
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\430cba76bb21f0ff671a5345c15a51bd047b0f5aecf764ef4668ae9085d22b80.exe.log
Filesize1KB
MD5af6acd95d59de87c04642509c30e81c1
SHA1f9549ae93fdb0a5861a79a08f60aa81c4b32377b
SHA2567521ee2d065a78efcab55a194fbd78492f84b70595f139263875f4ea92b194d6
SHA51293ab99bcf588fde553de3240e0d2b0cbd4e4bc5ef5e99d53f45a267d7ff30103a80b5a7aa1c52d6eff1e070af0ec82d2c0b8aafb7099742aa16810edc1815c3a
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD562623d22bd9e037191765d5083ce16a3
SHA14a07da6872672f715a4780513d95ed8ddeefd259
SHA25695d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA5129a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
230B
MD50d30b4d3d02a2575efdfaad3d8d407d1
SHA134762d9ac8a2bf9f3c91a884b902644efbe5ff98
SHA25637e143f7edfb9b2990c344712f4fa8d2dc3892ba2c6cd0bb313227c521bffc2b
SHA512ade841190686c8bfc29451c747c1eae7518da60c07377704419e73e647a89903fe2e9de0bc6997b8122773ec0b8649c48c2f262ad55bc9f8c2b6bb17ff3a8fce
-
Filesize
1KB
MD581e7ddfb3ec88584e896e47ebd9a94c5
SHA14824568e3f643a709271bf0b0f88f1dc7e6a86f2
SHA256c5d49e2c23f367a20803392eebec58f8c8f252ec0526a66c5ac52fa3a6ab5a33
SHA512b017b8b1feee1b1f7d0e966da46f90ef56123926aa15bf1a0f2cc708cf3ce3a2cffef039eb9bea8b9b65457cc28a73a7b742726714c9cb969e2d8b38b65d0a53
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
362B
MD5fbee4ad69b7faefc5960c14646493d5f
SHA1fcff11974f454439474dd767e72de861fcddb48c
SHA256a07be9aa946f4d907890457663343e30320c2408c630f04fa5cc18f4bbce11d8
SHA5120e8ce7e68212d523c21852be1be7cdb5b723e214a54b45a7d8accc6b1cf5ae51ca3b1ea191c010eb0ffdcc5b3b1a69c4d70812072138e9d1b60354728d390fe4
-
Filesize
235B
MD5f3ae5be31d5ead6f8010e61b95ac5308
SHA1be00efcbaf9e947f80d4cdde75f97edede8d0517
SHA256bcb720d5c7113a0c8a1b6bd67cfe1ecc2598e02369ca632748c62edf37578097
SHA5122cb3f657195289907a55262c3fe0ee0965bb810481bd11f2a661f353a2786cec0324f779aeadb88e25f651d757ed1f5e96f243bf35797eb4eba9b94cc8fe8c40
-
Filesize
1KB
MD52fd2b90e7053b01e6af25701a467eb1f
SHA168801a13cebba82c24f67a9d7c886fcefcf01a51
SHA25612b900db56a20f01f0f1d65f46933971415d5b5675e59e8b02b3dae12aaa1527
SHA512081d3a621e3664709867f3fdd82808364978f896fb007c0c8e6c8dfe25f2f2b8d37c9e0b2e4fb51c90bc6f691507b569e5d841ef3ca3bd38bd6adda2d30f32af