Analysis
-
max time kernel
149s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
12-11-2024 02:58
Behavioral task
behavioral1
Sample
d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe
Resource
win7-20241010-en
General
-
Target
d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe
-
Size
3.7MB
-
MD5
b0f05d80b12c67dc9d26fe6d4f0debd0
-
SHA1
9bf6fee145f08c3ea7d41e6f6755187e92f11978
-
SHA256
d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0
-
SHA512
19632526b95ea7435c05af10ceb74179e902201389c62476c7cd5281a5dea338283921166a2272cbe12caf58b2207b18b58834b5c2b1c17df87b2f83fc3824d9
-
SSDEEP
98304:UbF26GgA01Iz8pS1m+j/C7N2DXXrbpqto0:U1A6IIAY+j6pG/Yb
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5020 2532 schtasks.exe 97 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1992 2532 schtasks.exe 97 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1648 2532 schtasks.exe 97 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2448 2532 schtasks.exe 97 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4496 2532 schtasks.exe 97 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1544 2532 schtasks.exe 97 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1740 2532 schtasks.exe 97 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3036 2532 schtasks.exe 97 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3096 2532 schtasks.exe 97 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4808 2532 schtasks.exe 97 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3564 2532 schtasks.exe 97 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2324 2532 schtasks.exe 97 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5060 2532 schtasks.exe 97 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1784 2532 schtasks.exe 97 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4168 2532 schtasks.exe 97 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4348 2532 schtasks.exe 97 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4064 2532 schtasks.exe 97 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4900 2532 schtasks.exe 97 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3528 2532 schtasks.exe 97 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 232 2532 schtasks.exe 97 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 724 2532 schtasks.exe 97 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2680 2532 schtasks.exe 97 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3136 2532 schtasks.exe 97 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4764 2532 schtasks.exe 97 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5052 2532 schtasks.exe 97 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3856 2532 schtasks.exe 97 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 556 2532 schtasks.exe 97 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4484 2532 schtasks.exe 97 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3532 2532 schtasks.exe 97 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2792 2532 schtasks.exe 97 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reviewnet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" reviewnet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" reviewnet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe -
resource yara_rule behavioral2/files/0x000a000000023b78-14.dat dcrat behavioral2/memory/3008-17-0x00000000007D0000-0x0000000000B3A000-memory.dmp dcrat -
Checks computer location settings 2 TTPs 16 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation conhost.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation conhost.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation conhost.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation conhost.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation conhost.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation reviewnet.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation conhost.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation conhost.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation conhost.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation conhost.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation conhost.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation conhost.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation conhost.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation conhost.exe -
Executes dropped EXE 14 IoCs
pid Process 3008 reviewnet.exe 2064 conhost.exe 1384 conhost.exe 1160 conhost.exe 4620 conhost.exe 1636 conhost.exe 1264 conhost.exe 2240 conhost.exe 1468 conhost.exe 4288 conhost.exe 3224 conhost.exe 788 conhost.exe 3912 conhost.exe 3440 conhost.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA conhost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA conhost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA conhost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA reviewnet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reviewnet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA conhost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA conhost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe -
Drops file in Program Files directory 6 IoCs
description ioc Process File created C:\Program Files\7-Zip\Lang\lsass.exe reviewnet.exe File created C:\Program Files\7-Zip\Lang\6203df4a6bafc7 reviewnet.exe File created C:\Program Files\Mozilla Firefox\uninstall\Registry.exe reviewnet.exe File created C:\Program Files\Mozilla Firefox\uninstall\ee2ad38f3d4382 reviewnet.exe File created C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\wininit.exe reviewnet.exe File created C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\56085415360792 reviewnet.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File created C:\Windows\Web\4K\conhost.exe reviewnet.exe File created C:\Windows\Web\4K\088424020bedd6 reviewnet.exe File created C:\Windows\IdentityCRL\INT\sppsvc.exe reviewnet.exe File created C:\Windows\IdentityCRL\INT\0a1fd5f707cd16 reviewnet.exe File created C:\Windows\IME\RuntimeBroker.exe reviewnet.exe File created C:\Windows\IME\9e8d7a4ca61bd9 reviewnet.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies registry class 14 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings conhost.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings conhost.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings conhost.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings conhost.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings conhost.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings conhost.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings conhost.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings conhost.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings conhost.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings conhost.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings conhost.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings conhost.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings conhost.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4064 schtasks.exe 3528 schtasks.exe 4168 schtasks.exe 4496 schtasks.exe 2324 schtasks.exe 5052 schtasks.exe 3532 schtasks.exe 1992 schtasks.exe 4900 schtasks.exe 4764 schtasks.exe 556 schtasks.exe 3096 schtasks.exe 4484 schtasks.exe 2792 schtasks.exe 724 schtasks.exe 1544 schtasks.exe 3564 schtasks.exe 4348 schtasks.exe 3856 schtasks.exe 5020 schtasks.exe 2448 schtasks.exe 4808 schtasks.exe 5060 schtasks.exe 232 schtasks.exe 1648 schtasks.exe 3036 schtasks.exe 1784 schtasks.exe 2680 schtasks.exe 3136 schtasks.exe 1740 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3008 reviewnet.exe 3008 reviewnet.exe 3008 reviewnet.exe 3008 reviewnet.exe 3008 reviewnet.exe 3008 reviewnet.exe 3008 reviewnet.exe 3008 reviewnet.exe 3008 reviewnet.exe 3008 reviewnet.exe 3008 reviewnet.exe 3008 reviewnet.exe 3008 reviewnet.exe 3008 reviewnet.exe 3008 reviewnet.exe 3008 reviewnet.exe 3008 reviewnet.exe 3008 reviewnet.exe 3008 reviewnet.exe 3008 reviewnet.exe 3008 reviewnet.exe 3008 reviewnet.exe 3008 reviewnet.exe 3008 reviewnet.exe 3008 reviewnet.exe 3008 reviewnet.exe 3008 reviewnet.exe 3008 reviewnet.exe 3008 reviewnet.exe 2064 conhost.exe 2064 conhost.exe 2064 conhost.exe 2064 conhost.exe 2064 conhost.exe 2064 conhost.exe 2064 conhost.exe 2064 conhost.exe 2064 conhost.exe 2064 conhost.exe 2064 conhost.exe 2064 conhost.exe 2064 conhost.exe 2064 conhost.exe 2064 conhost.exe 2064 conhost.exe 2064 conhost.exe 2064 conhost.exe 2064 conhost.exe 2064 conhost.exe 2064 conhost.exe 2064 conhost.exe 2064 conhost.exe 2064 conhost.exe 2064 conhost.exe 2064 conhost.exe 2064 conhost.exe 2064 conhost.exe 2064 conhost.exe 2064 conhost.exe 2064 conhost.exe 2064 conhost.exe 2064 conhost.exe 2064 conhost.exe 2064 conhost.exe -
Suspicious use of AdjustPrivilegeToken 14 IoCs
description pid Process Token: SeDebugPrivilege 3008 reviewnet.exe Token: SeDebugPrivilege 2064 conhost.exe Token: SeDebugPrivilege 1384 conhost.exe Token: SeDebugPrivilege 1160 conhost.exe Token: SeDebugPrivilege 4620 conhost.exe Token: SeDebugPrivilege 1636 conhost.exe Token: SeDebugPrivilege 1264 conhost.exe Token: SeDebugPrivilege 2240 conhost.exe Token: SeDebugPrivilege 1468 conhost.exe Token: SeDebugPrivilege 4288 conhost.exe Token: SeDebugPrivilege 3224 conhost.exe Token: SeDebugPrivilege 788 conhost.exe Token: SeDebugPrivilege 3912 conhost.exe Token: SeDebugPrivilege 3440 conhost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2380 wrote to memory of 1832 2380 d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe 85 PID 2380 wrote to memory of 1832 2380 d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe 85 PID 2380 wrote to memory of 1832 2380 d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe 85 PID 2380 wrote to memory of 644 2380 d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe 86 PID 2380 wrote to memory of 644 2380 d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe 86 PID 2380 wrote to memory of 644 2380 d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe 86 PID 1832 wrote to memory of 1772 1832 WScript.exe 90 PID 1832 wrote to memory of 1772 1832 WScript.exe 90 PID 1832 wrote to memory of 1772 1832 WScript.exe 90 PID 1772 wrote to memory of 3008 1772 cmd.exe 92 PID 1772 wrote to memory of 3008 1772 cmd.exe 92 PID 3008 wrote to memory of 2064 3008 reviewnet.exe 128 PID 3008 wrote to memory of 2064 3008 reviewnet.exe 128 PID 2064 wrote to memory of 2620 2064 conhost.exe 132 PID 2064 wrote to memory of 2620 2064 conhost.exe 132 PID 2064 wrote to memory of 752 2064 conhost.exe 133 PID 2064 wrote to memory of 752 2064 conhost.exe 133 PID 2620 wrote to memory of 1384 2620 WScript.exe 139 PID 2620 wrote to memory of 1384 2620 WScript.exe 139 PID 1384 wrote to memory of 4172 1384 conhost.exe 141 PID 1384 wrote to memory of 4172 1384 conhost.exe 141 PID 1384 wrote to memory of 3024 1384 conhost.exe 142 PID 1384 wrote to memory of 3024 1384 conhost.exe 142 PID 4172 wrote to memory of 1160 4172 WScript.exe 146 PID 4172 wrote to memory of 1160 4172 WScript.exe 146 PID 1160 wrote to memory of 4148 1160 conhost.exe 149 PID 1160 wrote to memory of 4148 1160 conhost.exe 149 PID 1160 wrote to memory of 1832 1160 conhost.exe 150 PID 1160 wrote to memory of 1832 1160 conhost.exe 150 PID 4148 wrote to memory of 4620 4148 WScript.exe 153 PID 4148 wrote to memory of 4620 4148 WScript.exe 153 PID 4620 wrote to memory of 1808 4620 conhost.exe 155 PID 4620 wrote to memory of 1808 4620 conhost.exe 155 PID 4620 wrote to memory of 3932 4620 conhost.exe 156 PID 4620 wrote to memory of 3932 4620 conhost.exe 156 PID 1808 wrote to memory of 1636 1808 WScript.exe 158 PID 1808 wrote to memory of 1636 1808 WScript.exe 158 PID 1636 wrote to memory of 4168 1636 conhost.exe 160 PID 1636 wrote to memory of 4168 1636 conhost.exe 160 PID 1636 wrote to memory of 3984 1636 conhost.exe 161 PID 1636 wrote to memory of 3984 1636 conhost.exe 161 PID 4168 wrote to memory of 1264 4168 WScript.exe 164 PID 4168 wrote to memory of 1264 4168 WScript.exe 164 PID 1264 wrote to memory of 3172 1264 conhost.exe 166 PID 1264 wrote to memory of 3172 1264 conhost.exe 166 PID 1264 wrote to memory of 1664 1264 conhost.exe 167 PID 1264 wrote to memory of 1664 1264 conhost.exe 167 PID 3172 wrote to memory of 2240 3172 WScript.exe 169 PID 3172 wrote to memory of 2240 3172 WScript.exe 169 PID 2240 wrote to memory of 1740 2240 conhost.exe 171 PID 2240 wrote to memory of 1740 2240 conhost.exe 171 PID 2240 wrote to memory of 2380 2240 conhost.exe 172 PID 2240 wrote to memory of 2380 2240 conhost.exe 172 PID 1740 wrote to memory of 1468 1740 WScript.exe 174 PID 1740 wrote to memory of 1468 1740 WScript.exe 174 PID 1468 wrote to memory of 3064 1468 conhost.exe 176 PID 1468 wrote to memory of 3064 1468 conhost.exe 176 PID 1468 wrote to memory of 4808 1468 conhost.exe 177 PID 1468 wrote to memory of 4808 1468 conhost.exe 177 PID 3064 wrote to memory of 4288 3064 WScript.exe 180 PID 3064 wrote to memory of 4288 3064 WScript.exe 180 PID 4288 wrote to memory of 2608 4288 conhost.exe 182 PID 4288 wrote to memory of 2608 4288 conhost.exe 182 PID 4288 wrote to memory of 856 4288 conhost.exe 183 -
System policy modification 1 TTPs 42 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" reviewnet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" reviewnet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reviewnet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" conhost.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe"C:\Users\Admin\AppData\Local\Temp\d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\MssurrogateBrowserDrivermonitor\wcYORPbCatQJR5AFuaKjs.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\MssurrogateBrowserDrivermonitor\Qi30CUagccjw.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\MssurrogateBrowserDrivermonitor\reviewnet.exe"C:\MssurrogateBrowserDrivermonitor\reviewnet.exe"4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3008 -
C:\Windows\Web\4K\conhost.exe"C:\Windows\Web\4K\conhost.exe"5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2064 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1771903-65db-44d1-855d-af299cf4986c.vbs"6⤵
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\Web\4K\conhost.exeC:\Windows\Web\4K\conhost.exe7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1384 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a31216dc-51b3-4244-b346-a75b19ae4d9d.vbs"8⤵
- Suspicious use of WriteProcessMemory
PID:4172 -
C:\Windows\Web\4K\conhost.exeC:\Windows\Web\4K\conhost.exe9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1160 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e47ff35-c0c7-4432-b706-b76640cc059b.vbs"10⤵
- Suspicious use of WriteProcessMemory
PID:4148 -
C:\Windows\Web\4K\conhost.exeC:\Windows\Web\4K\conhost.exe11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4620 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ca61eb5-bba8-485c-af83-fffa5d1ffd68.vbs"12⤵
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\Web\4K\conhost.exeC:\Windows\Web\4K\conhost.exe13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1636 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3a93697-f5f2-4e87-bd91-dcad4ff5d0df.vbs"14⤵
- Suspicious use of WriteProcessMemory
PID:4168 -
C:\Windows\Web\4K\conhost.exeC:\Windows\Web\4K\conhost.exe15⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1264 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d840b29c-a5a8-420e-b289-351773612f3c.vbs"16⤵
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Windows\Web\4K\conhost.exeC:\Windows\Web\4K\conhost.exe17⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2240 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5ac4ee1-4288-4474-8135-d7a49a9268e7.vbs"18⤵
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\Web\4K\conhost.exeC:\Windows\Web\4K\conhost.exe19⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1468 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01d57887-8d33-4d5d-9b95-a89f4add18ad.vbs"20⤵
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\Web\4K\conhost.exeC:\Windows\Web\4K\conhost.exe21⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4288 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e4d80f4-566f-459b-a04c-f1ec9a6d0d80.vbs"22⤵PID:2608
-
C:\Windows\Web\4K\conhost.exeC:\Windows\Web\4K\conhost.exe23⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3224 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\161e54e5-fee7-43e2-bafa-82e7bc708fc6.vbs"24⤵PID:1040
-
C:\Windows\Web\4K\conhost.exeC:\Windows\Web\4K\conhost.exe25⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:788 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cdba9aba-566a-4b55-88aa-30781d54f627.vbs"26⤵PID:5044
-
C:\Windows\Web\4K\conhost.exeC:\Windows\Web\4K\conhost.exe27⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3912 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b918aa2-c528-4e60-a78a-5e7c14c59ea1.vbs"28⤵PID:4992
-
C:\Windows\Web\4K\conhost.exeC:\Windows\Web\4K\conhost.exe29⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3440 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53bbe95a-3176-4c21-802d-24ae3b04a114.vbs"30⤵PID:4700
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07fe3305-303f-41c6-9838-1efb423575ad.vbs"30⤵PID:3860
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\303578c8-2f86-4c0c-ac0e-43bdf29a636d.vbs"28⤵PID:2244
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30979c5c-dd64-4f06-a43f-0b154dc4968f.vbs"26⤵PID:2344
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\941b97d4-c2e5-4e7a-9e56-bdd5212baa57.vbs"24⤵PID:4708
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61f2b0a6-a5c7-4cbf-85a5-6dd367d016c8.vbs"22⤵PID:856
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71f9c966-04e7-4566-806f-e46f3314e527.vbs"20⤵PID:4808
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12b0f561-44d3-4b75-99ab-fe09ddf08d94.vbs"18⤵PID:2380
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b28c1a3f-7d38-4f5e-b174-22088aace88b.vbs"16⤵PID:1664
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15cdc8b3-4d2c-4bbd-a165-5012e21c16ba.vbs"14⤵PID:3984
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a31a9ac9-626c-4cb3-9361-978baab814d0.vbs"12⤵PID:3932
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57af8dd9-bdb8-4cda-b19e-20c491f8e275.vbs"10⤵PID:1832
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\593b0744-5941-4036-bc53-f3cdff9aa9a5.vbs"8⤵PID:3024
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7fa6e1c-408a-40cd-89da-b38c73ed88f2.vbs"6⤵PID:752
-
-
-
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\MssurrogateBrowserDrivermonitor\file.vbs"2⤵
- System Location Discovery: System Language Discovery
PID:644
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MssurrogateBrowserDrivermonitor\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MssurrogateBrowserDrivermonitor\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MssurrogateBrowserDrivermonitor\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3096
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\Web\4K\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Web\4K\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3564
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\Web\4K\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\IdentityCRL\INT\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\INT\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\IdentityCRL\INT\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4168
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MssurrogateBrowserDrivermonitor\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4348
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MssurrogateBrowserDrivermonitor\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MssurrogateBrowserDrivermonitor\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:232
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\MssurrogateBrowserDrivermonitor\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\MssurrogateBrowserDrivermonitor\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\MssurrogateBrowserDrivermonitor\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\IME\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\IME\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\IME\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\uninstall\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\uninstall\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
50B
MD5934b57a6b87ad62fbf72805fc7ed30d0
SHA104111b17e6b836077bca5c092dfd4e59657fbfae
SHA25625bfd4297df8354c427f96c5569594300935745c03f15aa1e4097cff1be3f70d
SHA5125737cbaa48b1c5804072681e58e8e9d55aa7d996614dd3ff6501afaea693aca3fe7275a811c7aad1bbb88057fea7a31a393cadf7c2761aeca32e1e1f83940b07
-
Filesize
34B
MD5677cc4360477c72cb0ce00406a949c61
SHA1b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA5127cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a
-
Filesize
3.4MB
MD57d995f38d429ff33eaf4ce89f60585f9
SHA1160f3163b335110d718e98390add6ca7a110a8ca
SHA25649877051396a67dc531bb04d9745c78820a04e21ab3a6071906739ef48098b68
SHA51261cb35e8469cd396b8487ca31542d0f505179283aa7d645344f2de7ffa47cfda0013bdfa2c5b29edd16978bce9a90fe2795a62e3dd4b900d9db5431b2d81f887
-
Filesize
220B
MD5b7946fc546ca743f534d88dddeee3f00
SHA1668ed69a0b7a298e08a68e80161f7eeead3128a5
SHA2568673980ed61a75db17016d3fe892f2c37ddc037f34032e2fd35626ed146d80d2
SHA5127ee3cec4df1a0b2c5984ccf860a004dcaa3c3fa258370edabb50ccd3f92a8d3ab8daf1af1f5087a67a24bf285a34b040f36d7673f1f8e413dc931a201967712a
-
Filesize
1KB
MD549b64127208271d8f797256057d0b006
SHA1b99bd7e2b4e9ed24de47fb3341ea67660b84cca1
SHA2562a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77
SHA512f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e
-
Filesize
705B
MD53388a5b8a33afa8ba677d8aac07c7908
SHA18b31e136cef641ea2696f367cc58ccd61b69aeec
SHA256716d4e06b665360aa95a00e28b07a252e353b0763c3eb379e9b2c9ad5da1370d
SHA5124eb80d03f3240aa06485aac31ebe17e0117ba0a78f4a812c3cb5d0ad1d47ddb90496ca2ccabc8d0b1b18d4ddf8d81a2747f29f1835d5fa4821ac0ccb9250ee64
-
Filesize
705B
MD5cab233266569986fbea6e4f14ae9c678
SHA10eacf604482ac47b16906ded4f4e860f4d5f33c3
SHA2562915c65c9f311352424dfb61fb8fcb7947d63f8aba631be2ff80191b7f9acc10
SHA512af2b9790a44cf48312311a92a1670170de34004e940148d40be0aa7e55cce0ce6ec6e8d33c544a8df63b87fadac18a3f68beae53622ef3dd5fc09dedf4d64135
-
Filesize
705B
MD5a73a765a9c40ab587bb3ccac5718b454
SHA1dd9222f8dcc824ea4736de7e53ddf46ca78fe5e6
SHA256bad3d215dabafc7443c36fcf7944e27dbda4b8e2f7397aef616eb66ac0560f35
SHA512116a2d67a50f11e9becede7b5ec5f8a9ffdf4829b0227dcc0127a420e85d6f0ec0cdff00dc3126f4162899b7d04f8e699f21b49a5a0068918978ab56604c1a14
-
Filesize
705B
MD52e72c91c5e1b0b90e0b3bbc6e8b69d21
SHA1751a18db32073f0e994455c65176b202f7ea4dd9
SHA256d05969fec349ec1feb712f29ac2e1f6c1df5223abd9f99ab0aec18160d46df4b
SHA51254125a512c5ffd00f9a85bacb6f89150c1b5f2d43db00fd14a23f61cd570850302fa1b9a4b8d5bf4fb96f2d0cb86e84c8710554a168624969c21e99d246b909a
-
Filesize
705B
MD577eccecb583441cedc1fcec43533a15b
SHA183d1b2d6a638813547d8d8c83ea54912225edf40
SHA256a1a98d1df130523edd376d3f9dd0ac937e710f553724f8fbaad90df4b5d6511d
SHA512059bb935b5d727fa70d8263cc30eb359ef4d2c186e106a49e4ed4bde1680634075e11498a789188b766770a9afdd4a34fe7bc5dc2f2fc01a18f51089203a7e8b
-
Filesize
705B
MD56460cb1e9460811112d0109a79069074
SHA143413aa39303301809b4058074c11d3130a450e6
SHA256cc18b7e384479722e621ad937a355b5b1c854e8e9938ee19ef86923e5200322f
SHA512a924088612a4df3144e84f8456c05c67c2b136ea4ebb821327b9bd27b1a86c509b4fd564a52bedd1aa2106ede23b8034435546f51260b75a7de6e778d2b5209d
-
Filesize
705B
MD5edf39eb0abb4542943ea6fbe7451206f
SHA13e927f2d7b9e0ffa6815ee9f7af295618a672265
SHA256016d5e227f1e1ab208d4ad8515505886eba470dc69c64ea6ebaf6e8e4108ce6d
SHA5126067744530614fda6fe47859dc084cbdff4243a36c55b7a564f7f7a22f1e475156acdb7d9ac8b3479f6ceb38f1788cccc0d909184235b6dee73478bf45a9215b
-
Filesize
705B
MD550f2a4baf5341179ef6467f1c97f43b0
SHA1389fbc0a87951b72eba0e4d8b1c3eb92d8f7480a
SHA2568711a551995fe9a6af6020f535ba1501efd7bb186ff7a1cd370b0a4322790f0d
SHA512482035a26be45d896db812306bf408009773ca7f6401b62bb72236ce0fe3869c3dc7c4dec6a148c8896dd0c9116515fe4e730f31a486e22a6f6a55dec4d28734
-
Filesize
705B
MD5dffbb094c6205a958e98638b83d8c207
SHA1c8078dc54036ddaee025f6447ba36cefd405c69b
SHA2562943da067e5c4bda6e7e057a3c8bc6cd4b257e66ba77f9b535de9fe68d25fd28
SHA512f896cb661736948e5352ce7874a6ee89cf7e7a23c2a92c9a6769ce23c8e7e9e26c9a443ffdb33cf526b9b5e5558039ebe7a96fee3130e8efba2c1cfb7b44dba8
-
Filesize
481B
MD5bd14c78344e05ea232a9825644a1b989
SHA15db5c7797feb55276267401758d9b9a7485ff15e
SHA2568218e1e83446a383cfa0f2ecb120bd33e31190562238f7186ed1c4950ccb7d67
SHA5125157e29af15bd8d96d4d3046d94c380df87f61877faccaf04abd120a0e2493d65a964424a0c23873a6856799ec8dcc76a3b86bb2b81816706f11c96549c589f8
-
Filesize
704B
MD58a223b331f9e0ebd10cf32bff25d51ef
SHA1a0fe16e80644c7ffe9808f71b69fca858a25b48d
SHA2566cfd924861a2c6758e03adb75c01523f4871bc20feecbe17e1077a9dd18476a4
SHA5123713b42a6c6dcb3b4e22fa4504ee5a569a59544a23295b51bbf1c87cc9d66645f3d509c4a88e59b56d096f9999d59a955d278bc68ee9f84f6a1c433c535db8c0
-
Filesize
705B
MD5a87618932fed6050c3e43e16a8126888
SHA1d977d5d170f08c418eaf9bde8d36588b451c1c34
SHA256b6c62a94c529a9f81d801111b23892d5bf9139ae90bd2d11b434cd18e1012a1f
SHA51231740a2c1d2de6bce8cc7bc89d43165be907d2ab4b50cba9fc7470029512460879464862323265e4f9adf818eb3edfb10a42b673bdc17fd6d4bb3cb4160d66fc
-
Filesize
705B
MD5f78007f058d888beacdb9b49e2e88ab3
SHA1ce4c054c1883a9632fdbbdc63a0a7ffa97c72aca
SHA256b26dd5d64e2095a43cf2a328014e90df96014c6d2bfdc2a69ce8430b24543cff
SHA512b32003a2bfa0ad4dac5671e5bccc28e954402778a7fa944a170449f1f607002132f86cef43aa67567e8bfa354aa162a37f93815d23c1a062824cac1fc0ded9fb
-
Filesize
705B
MD5dd2958bde3e765733d77d49aafd7aac6
SHA1a4556f9af99b20af03034f534a47a5c78aed0853
SHA256e1379177aaecc697ccbdd459d82d4fa21bd72e225712e1c6aeb48dcf2ecede50
SHA5124873b2a89fbe4ee69b18bfc309aa2984f65c3331206bc10fed954b91a542a2773f8e3e530c4d48186516e8e64dac2ac6ea57476ca11a988c7d48d00b4ffc2a8d