Analysis
max time kernel: 44s
max time network: 84s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 12-11-2024 10:41
Static task: static1
Behavioral task: behavioral1
Sample: SolaraBootstrapper.exe
Resource: win10ltsc2021-20241023-en
Behavioral task: behavioral2
Sample: SolaraBootstrapper.exe
Resource: win11-20241007-en
General
Target: SolaraBootstrapper.exe
Size: 2.2MB
MD5: 83539ba7c5103e90cf7230812873abb5
SHA1: aa84fc6f29b943e714f7be00e4cc7af957484381
SHA256: e3b04ffe1c3222f16e71be15978a33b03fa6bdd92e276d7fa933f04e6929aed1
SHA512: e8183cbd06ae2f1930cf7a2d417562d1c90cc1e5bbe580f0049d2b303ab4699f59981d6ab6a3f774c01dc014e9f1c7cc1933e1e6aeaea62404f42e1e07d27487
SSDEEP: 24576:2TbBv5rUyXVijPqBdzumpuWIax7RAxXo6MA17qm8w4tBPP+3wVwLsvMlDF/3cWA3:IBJiSr41q9FtBPW3+elDNMWAgPrc7H
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Modifies WinLogon for persistence 2 TTPs 6 IoCs
description: Set value (str) (all 6 IoCs); Process: Local Security Authority Process.exe (all 6 IoCs)
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, set to the following values in the order recorded:
1. "explorer.exe, \"C:\\Windows\\Speech\\Engines\\Lexicon\\cmd.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\dllhost.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\Local Security Authority Process.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Local Security Authority Process.exe\""
2. "explorer.exe, \"C:\\Windows\\Speech\\Engines\\Lexicon\\cmd.exe\""
3. "explorer.exe, \"C:\\Windows\\Speech\\Engines\\Lexicon\\cmd.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\dllhost.exe\""
4. "explorer.exe, \"C:\\Windows\\Speech\\Engines\\Lexicon\\cmd.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\dllhost.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\RuntimeBroker.exe\""
5. "explorer.exe, \"C:\\Windows\\Speech\\Engines\\Lexicon\\cmd.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\dllhost.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\Local Security Authority Process.exe\""
6. "explorer.exe, \"C:\\Windows\\Speech\\Engines\\Lexicon\\cmd.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\dllhost.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\Local Security Authority Process.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\""
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description (all 18 IoCs): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target: 1832; Process: schtasks.exe; procid_target: 85 (all 18 IoCs)
pid: 1380, 3656, 2664, 3052, 4240, 4336, 2628, 1924, 3176, 2556, 3400, 1048, 940, 2280, 3324, 2108, 1580, 228
Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid (Process: powershell.exe for all 17): 3708, 1948, 5024, 4844, 1272, 772, 4320, 3144, 3832, 3784, 3300, 3016, 5008, 1452, 3332, 4124, 3676
Executes dropped EXE 2 IoCs
pid / Process: 4248 Local Security Authority Process.exe; 5468 RuntimeBroker.exe
Adds Run key to start application 2 TTPs 12 IoCs
description: Set value (str) (all 12 IoCs); Process: Local Security Authority Process.exe (all 12 IoCs)
ioc:
1. \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Google\\Chrome\\Application\\dllhost.exe\""
2. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Java\\jdk-1.8\\RuntimeBroker.exe\""
3. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Local Security Authority Process = "\"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\Local Security Authority Process.exe\""
4. \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\Local Security Authority Process = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Local Security Authority Process.exe\""
5. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Local Security Authority Process = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Local Security Authority Process.exe\""
6. \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Windows\\Speech\\Engines\\Lexicon\\cmd.exe\""
7. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Windows\\Speech\\Engines\\Lexicon\\cmd.exe\""
8. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Google\\Chrome\\Application\\dllhost.exe\""
9. \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Java\\jdk-1.8\\RuntimeBroker.exe\""
10. \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\Local Security Authority Process = "\"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\Local Security Authority Process.exe\""
11. \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\WindowsRE\\sppsvc.exe\""
12. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\WindowsRE\\sppsvc.exe\""
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow / ioc: 1 ipinfo.io; 2 ipinfo.io
Drops file in System32 directory 2 IoCs
description / ioc / Process:
- File created \??\c:\Windows\System32\CSC70C0BFD96E5F458394AEAACD647985A0.TMP (csc.exe)
- File created \??\c:\Windows\System32\warvpk.exe (csc.exe)
Drops file in Program Files directory 6 IoCs
description / ioc / Process (all created by Local Security Authority Process.exe):
- File created C:\Program Files\Java\jdk-1.8\RuntimeBroker.exe
- File created C:\Program Files\Java\jdk-1.8\9e8d7a4ca61bd9
- File created C:\Program Files\Google\Chrome\Application\dllhost.exe
- File created C:\Program Files\Google\Chrome\Application\5940a34987c991
- File created C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\Local Security Authority Process.exe
- File created C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\a6223492ab5179
Drops file in Windows directory 2 IoCs
description / ioc / Process (both created by Local Security Authority Process.exe):
- File created C:\Windows\Speech\Engines\Lexicon\cmd.exe
- File created C:\Windows\Speech\Engines\Lexicon\ebf1f9fa8afd6d
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (SolaraBootstrapper.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (WScript.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid / Process: 5228 PING.EXE
Modifies registry class 2 IoCs
description / ioc / Process:
- Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings (SolaraBootstrapper.exe)
- Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings (Local Security Authority Process.exe)
Runs ping.exe 1 TTPs 1 IoCs
pid / Process: 5228 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid (Process: schtasks.exe for all 18): 3052, 4336, 2556, 3400, 940, 1380, 3656, 4240, 2664, 1924, 3176, 1048, 3324, 2628, 2280, 2108, 1580, 228
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid / Process: 4248 Local Security Authority Process.exe (the same pid and process for all 64 IoCs)
Suspicious use of AdjustPrivilegeToken 19 IoCs
description (all 19 IoCs): Token: SeDebugPrivilege
pid / Process:
- 4248 Local Security Authority Process.exe
- 3300, 4844, 3332, 3144, 3016, 1452, 1272, 3784, 3832, 4320, 4124, 5008, 5024, 3676, 3708, 1948, 772 powershell.exe (17 IoCs)
- 5468 RuntimeBroker.exe
Suspicious use of WriteProcessMemory 54 IoCs
description (pid, Process, procid_target), with the number of identical entries recorded for each:
- PID 2244 wrote to memory of 5032 (2244, SolaraBootstrapper.exe, 79) x3
- PID 5032 wrote to memory of 4532 (5032, WScript.exe, 82) x3
- PID 4532 wrote to memory of 4248 (4532, cmd.exe, 84) x2
- PID 4248 wrote to memory of 1928 (4248, Local Security Authority Process.exe, 89) x2
- PID 1928 wrote to memory of 4900 (1928, csc.exe, 91) x2
- PID 4248 wrote to memory of 3016 (4248, Local Security Authority Process.exe, 107) x2
- PID 4248 wrote to memory of 4844 (4248, Local Security Authority Process.exe, 108) x2
- PID 4248 wrote to memory of 3300 (4248, Local Security Authority Process.exe, 109) x2
- PID 4248 wrote to memory of 3332 (4248, Local Security Authority Process.exe, 110) x2
- PID 4248 wrote to memory of 1452 (4248, Local Security Authority Process.exe, 112) x2
- PID 4248 wrote to memory of 1272 (4248, Local Security Authority Process.exe, 113) x2
- PID 4248 wrote to memory of 1948 (4248, Local Security Authority Process.exe, 114) x2
- PID 4248 wrote to memory of 3784 (4248, Local Security Authority Process.exe, 115) x2
- PID 4248 wrote to memory of 3832 (4248, Local Security Authority Process.exe, 116) x2
- PID 4248 wrote to memory of 3708 (4248, Local Security Authority Process.exe, 118) x2
- PID 4248 wrote to memory of 3144 (4248, Local Security Authority Process.exe, 119) x2
- PID 4248 wrote to memory of 4124 (4248, Local Security Authority Process.exe, 121) x2
- PID 4248 wrote to memory of 4320 (4248, Local Security Authority Process.exe, 122) x2
- PID 4248 wrote to memory of 5008 (4248, Local Security Authority Process.exe, 123) x2
- PID 4248 wrote to memory of 772 (4248, Local Security Authority Process.exe, 125) x2
- PID 4248 wrote to memory of 3676 (4248, Local Security Authority Process.exe, 126) x2
- PID 4248 wrote to memory of 5024 (4248, Local Security Authority Process.exe, 127) x2
- PID 4248 wrote to memory of 1380 (4248, Local Security Authority Process.exe, 141) x2
- PID 1380 wrote to memory of 2940 (1380, cmd.exe, 143) x2
- PID 1380 wrote to memory of 5228 (1380, cmd.exe, 144) x2
- PID 1380 wrote to memory of 5468 (1380, cmd.exe, 145) x2
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[level 1] C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
  PID: 2244
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  [level 2] C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\qp9vGmuwSr0nkeo7qSVAnhO3kZyMkfu12RZ0OBiQNAI58E5ZggR.vbe"
    PID: 5032
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [level 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Microsoft\ZkitL4SswB6Acn9KQ4n8phMXm8v73bXNMxhzpq69L79HkSe5Tb.bat" "
      PID: 4532
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      [level 4] C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft/Local Security Authority Process.exe"
        PID: 4248
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [level 5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2imsq2ve\2imsq2ve.cmdline"
          PID: 1928
          - Drops file in System32 directory
          - Suspicious use of WriteProcessMemory
          [level 6] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF40.tmp" "c:\Windows\System32\CSC70C0BFD96E5F458394AEAACD647985A0.TMP"
            PID: 4900
        [level 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (17 instances, children of the level-4 process; each carries the following two signatures)
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
          PID 3016: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
          PID 4844: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
          PID 3300: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
          PID 3332: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
          PID 1452: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
          PID 1272: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
          PID 1948: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
          PID 3784: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
          PID 3832: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
          PID 3708: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
          PID 3144: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
          PID 4124: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech\Engines\Lexicon\cmd.exe'
          PID 4320: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\dllhost.exe'
          PID 5008: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk-1.8\RuntimeBroker.exe'
          PID 772: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\Local Security Authority Process.exe'
          PID 3676: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
          PID 5024: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe'
        [level 5] C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dKfdWFG73w.bat"
          PID: 1380
          - Suspicious use of WriteProcessMemory
          [level 6] C:\Windows\system32\chcp.com
            Command line: chcp 65001
            PID: 2940
          [level 6] C:\Windows\system32\PING.EXE
            Command line: ping -n 10 localhost
            PID: 5228
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
          [level 6] C:\Program Files\Java\jdk-1.8\RuntimeBroker.exe
            Command line: "C:\Program Files\Java\jdk-1.8\RuntimeBroker.exe"
            PID: 5468
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
[level 1] C:\Windows\system32\schtasks.exe (18 instances; each carries the following two signatures)
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID 1380: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Windows\Speech\Engines\Lexicon\cmd.exe'" /f
  PID 3656: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Speech\Engines\Lexicon\cmd.exe'" /rl HIGHEST /f
  PID 2664: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Windows\Speech\Engines\Lexicon\cmd.exe'" /rl HIGHEST /f
  PID 3052: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\dllhost.exe'" /f
  PID 4240: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\dllhost.exe'" /rl HIGHEST /f
  PID 4336: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\dllhost.exe'" /rl HIGHEST /f
  PID 2628: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk-1.8\RuntimeBroker.exe'" /f
  PID 1924: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\RuntimeBroker.exe'" /rl HIGHEST /f
  PID 3176: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jdk-1.8\RuntimeBroker.exe'" /rl HIGHEST /f
  PID 2556: schtasks.exe /create /tn "Local Security Authority ProcessL" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\Local Security Authority Process.exe'" /f
  PID 3400: schtasks.exe /create /tn "Local Security Authority Process" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\Local Security Authority Process.exe'" /rl HIGHEST /f
  PID 1048: schtasks.exe /create /tn "Local Security Authority ProcessL" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\Local Security Authority Process.exe'" /rl HIGHEST /f
  PID 940: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
  PID 2280: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
  PID 3324: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
  PID 2108: schtasks.exe /create /tn "Local Security Authority ProcessL" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe'" /f
  PID 1580: schtasks.exe /create /tn "Local Security Authority Process" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe'" /rl HIGHEST /f
  PID 228: schtasks.exe /create /tn "Local Security Authority ProcessL" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
Filesize: 2KB
MD5: 627073ee3ca9676911bee35548eff2b8
SHA1: 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Filesize: 944B
MD5: aa4f31835d07347297d35862c9045f4a
SHA1: 83e728008935d30f98e5480fba4fbccf10cefb05
SHA256: 99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0
SHA512: ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

Filesize: 944B
MD5: e3840d9bcedfe7017e49ee5d05bd1c46
SHA1: 272620fb2605bd196df471d62db4b2d280a363c6
SHA256: 3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f
SHA512: 76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

Filesize: 944B
MD5: 7d760ca2472bcb9fe9310090d91318ce
SHA1: cb316b8560b38ea16a17626e685d5a501cd31c4a
SHA256: 5c362b53c4a4578d8b57c51e1eac15f7f3b2447e43e0dad5102ecd003d5b41d4
SHA512: 141e8661d7348ebbc1f74f828df956a0c6e4cdb70f3b9d52623c9a30993bfd91da9ed7d8d284b84f173d3e6f47c876fb4a8295110895f44d97fd6cc4c5659c35

Filesize: 944B
MD5: 3284cb698efa6fb773dc0eebd30a3214
SHA1: a1093d44f025e5ba9609e99a3fc5fce3723fd7f3
SHA256: 22f6a7c20c96be4775bec28c377d98d91a160fb5dd3158083e4365286161a2aa
SHA512: af3ea3c69350087cd0e6768679ba7bdfff4c184b5bfe7abf9152aa161713c56c6dc86390543507580f9ae0a6103d26486dbe37330dbc78e172a966957ba43606

Filesize: 944B
MD5: 6903d57eed54e89b68ebb957928d1b99
SHA1: fade011fbf2e4bc044d41e380cf70bd6a9f73212
SHA256: 36cbb00b016c9f97645fb628ef72b524dfbdf6e08d626e5c837bbbb9075dcb52
SHA512: c192ea9810fd22de8378269235c1035aa1fe1975a53c876fe4a7acc726c020f94773c21e4e4771133f9fcedb0209f0a5324c594c1db5b28fe1b27644db4fdc9e

Filesize: 944B
MD5: 45f53352160cf0903c729c35c8edfdce
SHA1: b35a4d4fbaf2a3cc61e540fc03516dd70f3c34ab
SHA256: 9cf18d157a858fc143a6de5c2dd3f618516a527b34478ac478d8c94ff027b0d2
SHA512: e3fa27a80a1df58acb49106c306dab22e5ed582f6b0cd7d9c3ef0a85e9f5919333257e88aa44f42a0e095fd577c9e12a02957a7845c0d109f821f32d8d3343f3

Filesize: 944B
MD5: dc4dd6766dd68388d8733f1b729f87e9
SHA1: 7b883d87afec5be3eff2088409cd1f57f877c756
SHA256: 3407d8ad0c68a148aef81c7f124849573ac02097acd15f9bbe80f86e0498e826
SHA512: 3084c1b7bb0fd998cddb8c917bac87f163a0f134a420158db4f354cb81ec1d5d65d3bac1d9b3e11b0a6707deacece47f819b1ed55ddf2b1d287fbdb244bf65a4

Filesize: 1KB
MD5: 8af6baa4304f12e075631b6f4b1012c0
SHA1276a1aee510aaf7a1bef0f697bb186388904b31e
SHA2569a2f1be170c19f96e737f6218c7f83fed50af746383e6e40ed5abe304b2191c3
SHA5124cc6c215e841630929e2650d4575708f50bfedc55e857780ecf404adba6f916cac151affb5fe06264e9e69e402b859206836b399a67cb8aa0c576692b9d34a55
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
175B
MD56c315e1a51f8b64ea358bee73f88d903
SHA149f14da4afd2dcb69d6d6d93aa430e92a193d2ac
SHA256aca10ba341f66b22732d60d005517afc687f1e22a0f0d82b57d07f025a8c9994
SHA512949b64dd59d8b743d5d5489178c20ebd203663bb8c671baf9a8dc493afc3e2357ca42d5292781d574b85a02df499db1ced1c504eef8631dabd773dc3021f2fe9
-
Filesize
1.9MB
MD54ba31fe7c90af2148e83fe198cf99d7b
SHA1bd86eece0e892752950a13282cb323e0775ecae4
SHA256196706cf85ccf38343444deecaeaced58faf7c22963fe45aaa8ea9938fe19a0e
SHA51279991360ad8d5c8968f2aa4836b3b7b39074c99ad28aa25cc69931c4bdf2115921042d818d4cc319984cfa0ed8a9ee015506f3b4b8c026aeda82c5b03a5328f7
-
Filesize
93B
MD5fb55729d3f331e20fb5c1e5377634743
SHA1ad5d1b461d7608598e2683d66eeee3c2a38c625f
SHA2568603cadb532a5ab019b7f07a2c9652905a459f88c8cfe74d387f0d9594f323c9
SHA5122ed609b4ad5d0d9da2d12c12947091e0ce2937a12856d95979a7d2c4248b1d5244e5fc3616d0be8a1fd8febc888eeb0bb6fe08fe38a359ceb2345510645d1870
-
Filesize
245B
MD5dde897c67a0ad3384e01f44658e986d0
SHA151e5a863d22d2305da3d6e82ed2da727a6db5ffa
SHA256f3ea38d1aea5a693f1b87b3d1152f8a1de82391b34e2061ee0fbb29f2ec6dc57
SHA512901990365c1539d432871ef01d36261f537e0928e3afbd93f0833d04355a55464dbe2ca07c59d7d495bb93ad0bf73ed33db748e5856d75941c18f232503c1892
-
Filesize
373B
MD55919cdc3fdc2a941b7bef6b72c0a0d68
SHA16eb0ec31d8d4abf5886757ec37270457a092ffb9
SHA25691b510833d4758e646e3a6c31b3a74ca80fb37a62765718c5601fedf25562823
SHA51221dc4aabfec9556724fdadde4ac9615c5a51fe695bde6794c4c47f6d7c6f85b207850d614fb988d5d13f80f3b47f1a2df738948e5b748d0fe02515e47966bab8
-
Filesize
235B
MD58c620adbb215361ba8c2d828991e62ce
SHA1766d507313c2cbcabeaa63143eb73f18eb10ac00
SHA2567b2e49b56016ec2507cbab2ad3a48dba92ac2de71a796c12ebfd8e86830a862a
SHA5127f5d631534af9244f11d0d1a524ba7219a171fa7975909425561dbb087d563308b83cffdb9a329d1d7926027d679f7d8566eeee605d69c7fa7d164b38d017db3
-
Filesize
1KB
MD5d87433b9d28901689cc7a1ef612d57cc
SHA11c34e0cdd05420fb5e9242d68c378c1dddf6ffb5
SHA25612746c77ce88ff77399e5a6296dbb83ec7d860399ec4e6bdadcff76ec462a48c
SHA512dbad8b5c060fa65a9ecbe9f77dc7297526ad5265628bfc19193db0ef9ee5682087ed564c2e5889ea29b27b54d353cd6bfde8d5f317bafc81f8f8bf399899c588