Analysis
-
max time kernel
119s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
13-11-2024 17:39
Behavioral task
behavioral1
Sample
0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe
Resource
win7-20241010-en
General
-
Target
0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe
-
Size
1.8MB
-
MD5
a1b557c65fa59d8f91138e5cd4f0053e
-
SHA1
94139bac4ae269f6d38f5c7946475855a71c659d
-
SHA256
0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126
-
SHA512
bf72078a5cb40f512f3061a13ecaa3f924d70a5a65c2146f3efeca0655c3924f535785698b3db740f4ae1a51ba6685dc4f2afd911d99d3a58eff86f4aa5c18ee
-
SSDEEP
49152:mhjAJVllHZrhbBruPk+xjSMX4ODTDF8OcFSkMhX:mgVTVXYNX9mOWSkMp
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
All 51 rows share the description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", pid_target 2824, Process schtasks.exe and procid_target 31. The pid column, in report order:
2656, 2772, 1980, 2664, 2708, 2948, 1732, 1544, 2432, 1664, 2728, 2176, 600, 2896, 2892, 3004, 988, 2020, 1920, 2252, 2284, 320, 1152, 900, 1600, 2172, 2388, 2120, 2096, 2512, 1056, 2312, 1916, 1376, 2588, 916, 952, 2404, 1772, 664, 1712, 1040, 1756, 2368, 1988, 2240, 2608, 1380, 1632, 1992, 1784
-
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
-
resource | yara_rule
behavioral1/memory/2124-1-0x0000000000A00000-0x0000000000BCE000-memory.dmp | dcrat
behavioral1/files/0x0005000000019f9a-24.dat | dcrat
behavioral1/memory/2544-269-0x0000000000BD0000-0x0000000000D9E000-memory.dmp | dcrat
behavioral1/memory/1804-280-0x00000000012A0000-0x000000000146E000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
600 | powershell.exe
740 | powershell.exe
1696 | powershell.exe
2320 | powershell.exe
2856 | powershell.exe
1500 | powershell.exe
3012 | powershell.exe
316 | powershell.exe
1636 | powershell.exe
2076 | powershell.exe
1852 | powershell.exe
2864 | powershell.exe
548 | powershell.exe
956 | powershell.exe
1268 | powershell.exe
696 | powershell.exe
576 | powershell.exe
1760 | powershell.exe
-
Executes dropped EXE 5 IoCs
pid | Process
2544 | csrss.exe
1804 | csrss.exe
2140 | csrss.exe
1088 | csrss.exe
836 | csrss.exe
-
Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
-
Drops file in Program Files directory 32 IoCs
description | ioc
(Process is 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe for every row)
File created | C:\Program Files\Windows Photo Viewer\ja-JP\cc11b995f2a76d
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Esl\smss.exe
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe
File opened for modification | C:\Program Files\Windows Mail\it-IT\RCX1391.tmp
File created | C:\Program Files (x86)\Common Files\csrss.exe
File created | C:\Program Files (x86)\Uninstall Information\explorer.exe
File opened for modification | C:\Program Files\Windows Sidebar\spoolsv.exe
File opened for modification | C:\Program Files (x86)\Common Files\csrss.exe
File opened for modification | C:\Program Files (x86)\Common Files\RCXF9AE.tmp
File opened for modification | C:\Program Files (x86)\Uninstall Information\RCXFBB2.tmp
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Esl\RCX118D.tmp
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Esl\smss.exe
File created | C:\Program Files\Windows Sidebar\spoolsv.exe
File created | C:\Program Files (x86)\Google\Temp\services.exe
File opened for modification | C:\Program Files\Windows Photo Viewer\ja-JP\RCXF5A7.tmp
File opened for modification | C:\Program Files (x86)\Google\Temp\RCXCAB.tmp
File created | C:\Program Files\Windows Sidebar\f3b6ecef712a24
File created | C:\Program Files (x86)\Uninstall Information\7a0fd90576e088
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe
File created | C:\Program Files (x86)\Common Files\886983d96e3d3e
File created | C:\Program Files\Windows Photo Viewer\ja-JP\winlogon.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Esl\69ddcba757bf72
File opened for modification | C:\Program Files\Windows Photo Viewer\ja-JP\winlogon.exe
File opened for modification | C:\Program Files\Windows Sidebar\RCXF7AB.tmp
File opened for modification | C:\Program Files (x86)\Uninstall Information\explorer.exe
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXFDB6.tmp
File opened for modification | C:\Program Files\Windows Mail\it-IT\lsass.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6cb0b6c459d5d3
File created | C:\Program Files (x86)\Google\Temp\c5b4cb5e9653cc
File created | C:\Program Files\Windows Mail\it-IT\lsass.exe
File created | C:\Program Files\Windows Mail\it-IT\6203df4a6bafc7
File opened for modification | C:\Program Files (x86)\Google\Temp\services.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
All 51 rows have Process schtasks.exe. The pid column, in report order:
1600, 2096, 2512, 2588, 1040, 2708, 600, 988, 2252, 1056, 1916, 1376, 2368, 2772, 1980, 1784, 1920, 664, 1380, 1664, 2728, 2284, 320, 2388, 2404, 1712, 2240, 1544, 2432, 900, 2172, 2120, 2312, 1756, 1992, 1732, 2176, 2892, 3004, 1772, 1988, 2656, 2664, 952, 2608, 2896, 2020, 916, 1632, 2948, 1152
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
pid | Process
2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe
2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe
2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe
2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe
2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe
1696 | powershell.exe
2320 | powershell.exe
316 | powershell.exe
1636 | powershell.exe
956 | powershell.exe
1760 | powershell.exe
740 | powershell.exe
696 | powershell.exe
2076 | powershell.exe
576 | powershell.exe
1500 | powershell.exe
3012 | powershell.exe
548 | powershell.exe
2856 | powershell.exe
1852 | powershell.exe
2864 | powershell.exe
1268 | powershell.exe
600 | powershell.exe
2544 | csrss.exe
1804 | csrss.exe
2140 | csrss.exe
1088 | csrss.exe
836 | csrss.exe
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe
Token: SeDebugPrivilege | 1696 | powershell.exe
Token: SeDebugPrivilege | 2320 | powershell.exe
Token: SeDebugPrivilege | 316 | powershell.exe
Token: SeDebugPrivilege | 1636 | powershell.exe
Token: SeDebugPrivilege | 956 | powershell.exe
Token: SeDebugPrivilege | 1760 | powershell.exe
Token: SeDebugPrivilege | 740 | powershell.exe
Token: SeDebugPrivilege | 696 | powershell.exe
Token: SeDebugPrivilege | 2076 | powershell.exe
Token: SeDebugPrivilege | 576 | powershell.exe
Token: SeDebugPrivilege | 1500 | powershell.exe
Token: SeDebugPrivilege | 3012 | powershell.exe
Token: SeDebugPrivilege | 548 | powershell.exe
Token: SeDebugPrivilege | 2856 | powershell.exe
Token: SeDebugPrivilege | 1852 | powershell.exe
Token: SeDebugPrivilege | 2864 | powershell.exe
Token: SeDebugPrivilege | 1268 | powershell.exe
Token: SeDebugPrivilege | 600 | powershell.exe
Token: SeDebugPrivilege | 2544 | csrss.exe
Token: SeDebugPrivilege | 1804 | csrss.exe
Token: SeDebugPrivilege | 2140 | csrss.exe
Token: SeDebugPrivilege | 1088 | csrss.exe
Token: SeDebugPrivilege | 836 | csrss.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2124 wrote to memory of 316 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 84
PID 2124 wrote to memory of 316 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 84
PID 2124 wrote to memory of 316 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 84
PID 2124 wrote to memory of 1696 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 85
PID 2124 wrote to memory of 1696 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 85
PID 2124 wrote to memory of 1696 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 85
PID 2124 wrote to memory of 2320 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 86
PID 2124 wrote to memory of 2320 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 86
PID 2124 wrote to memory of 2320 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 86
PID 2124 wrote to memory of 2856 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 87
PID 2124 wrote to memory of 2856 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 87
PID 2124 wrote to memory of 2856 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 87
PID 2124 wrote to memory of 600 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 88
PID 2124 wrote to memory of 600 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 88
PID 2124 wrote to memory of 600 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 88
PID 2124 wrote to memory of 1636 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 89
PID 2124 wrote to memory of 1636 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 89
PID 2124 wrote to memory of 1636 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 89
PID 2124 wrote to memory of 740 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 90
PID 2124 wrote to memory of 740 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 90
PID 2124 wrote to memory of 740 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 90
PID 2124 wrote to memory of 956 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 91
PID 2124 wrote to memory of 956 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 91
PID 2124 wrote to memory of 956 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 91
PID 2124 wrote to memory of 2076 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 92
PID 2124 wrote to memory of 2076 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 92
PID 2124 wrote to memory of 2076 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 92
PID 2124 wrote to memory of 1852 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 93
PID 2124 wrote to memory of 1852 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 93
PID 2124 wrote to memory of 1852 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 93
PID 2124 wrote to memory of 1268 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 94
PID 2124 wrote to memory of 1268 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 94
PID 2124 wrote to memory of 1268 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 94
PID 2124 wrote to memory of 696 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 95
PID 2124 wrote to memory of 696 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 95
PID 2124 wrote to memory of 696 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 95
PID 2124 wrote to memory of 1500 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 96
PID 2124 wrote to memory of 1500 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 96
PID 2124 wrote to memory of 1500 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 96
PID 2124 wrote to memory of 576 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 97
PID 2124 wrote to memory of 576 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 97
PID 2124 wrote to memory of 576 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 97
PID 2124 wrote to memory of 2864 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 98
PID 2124 wrote to memory of 2864 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 98
PID 2124 wrote to memory of 2864 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 98
PID 2124 wrote to memory of 548 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 99
PID 2124 wrote to memory of 548 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 99
PID 2124 wrote to memory of 548 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 99
PID 2124 wrote to memory of 1760 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 100
PID 2124 wrote to memory of 1760 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 100
PID 2124 wrote to memory of 1760 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 100
PID 2124 wrote to memory of 3012 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 101
PID 2124 wrote to memory of 3012 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 101
PID 2124 wrote to memory of 3012 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 101
PID 2124 wrote to memory of 1568 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 120
PID 2124 wrote to memory of 1568 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 120
PID 2124 wrote to memory of 1568 | 2124 | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe | 120
PID 1568 wrote to memory of 2044 | 1568 | cmd.exe | 122
PID 1568 wrote to memory of 2044 | 1568 | cmd.exe | 122
PID 1568 wrote to memory of 2044 | 1568 | cmd.exe | 122
PID 1568 wrote to memory of 2544 | 1568 | cmd.exe | 123
PID 1568 wrote to memory of 2544 | 1568 | cmd.exe | 123
PID 1568 wrote to memory of 2544 | 1568 | cmd.exe | 123
PID 2544 wrote to memory of 2784 | 2544 | csrss.exe | 124
-
System policy modification 1 TTPs 18 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe
"C:\Users\Admin\AppData\Local\Temp\0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe"
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2124 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:316
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\spoolsv.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1696
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\ja-JP\winlogon.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2320
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\spoolsv.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2856
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:600
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\explorer.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:740
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:956
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\attachments\csrss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2076
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1852
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\NetHood\csrss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1268
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:696
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1500
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\services.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2864
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\smss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:548
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\it-IT\lsass.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1760
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3012
-
-
C:\Windows\System32\cmd.exe (tree depth 2)
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4YhpUhHpv9.bat"
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\system32\w32tm.exe (tree depth 3)
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID:2044

C:\Users\Default User\csrss.exe (tree depth 3)
"C:\Users\Default User\csrss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2544

C:\Windows\System32\WScript.exe (tree depth 4)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f74becb9-a95a-4017-8bb7-c39c6caa88f7.vbs"
PID:2784

C:\Users\Default User\csrss.exe (tree depth 5)
"C:\Users\Default User\csrss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1804

C:\Windows\System32\WScript.exe (tree depth 6)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\843e44c3-bf0e-4fc5-a89f-b6078ead0e57.vbs"
PID:2320

C:\Users\Default User\csrss.exe (tree depth 7)
"C:\Users\Default User\csrss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2140

C:\Windows\System32\WScript.exe (tree depth 8)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\126dda93-e2c3-4afc-8abf-466ec481278c.vbs"
PID:2844

C:\Users\Default User\csrss.exe (tree depth 9)
"C:\Users\Default User\csrss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1088

C:\Windows\System32\WScript.exe (tree depth 10)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d23f34c8-3a1b-4235-b093-65628362c6d4.vbs"
PID:2664

C:\Users\Default User\csrss.exe (tree depth 11)
"C:\Users\Default User\csrss.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:836

C:\Windows\System32\WScript.exe (tree depth 12)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f3ddfa8-2397-451f-8022-cc90b236d9fb.vbs"
PID:2612

C:\Windows\System32\WScript.exe (tree depth 12)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b1f97bd-a044-4898-b3c3-7ecc401de511.vbs"
PID:2972

C:\Windows\System32\WScript.exe (tree depth 10)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4e4ef35-9f67-42e4-9a2f-cca845915bf1.vbs"
PID:584

C:\Windows\System32\WScript.exe (tree depth 8)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\894d5b64-5b41-49f8-940c-04c2578510c6.vbs"
PID:2776

C:\Windows\System32\WScript.exe (tree depth 6)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cfdfcb8-24cb-4373-a809-3fac47e2b291.vbs"
PID:1928

C:\Windows\System32\WScript.exe (tree depth 4)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bcbd567-d230-4703-9261-bcab3b292b2d.vbs"
PID:2156

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Desktop\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Temp\Crashpad\attachments\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\attachments\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Temp\Crashpad\attachments\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\NetHood\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\NetHood\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Temp\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\it-IT\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\it-IT\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\it-IT\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe (tree depth 1)
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads

Filesize: 1.8MB
MD5: a1b557c65fa59d8f91138e5cd4f0053e
SHA1: 94139bac4ae269f6d38f5c7946475855a71c659d
SHA256: 0ee6065fc572266ae4de8492040fbb30b1f9b6e5431a8b304467e0fa82279126
SHA512: bf72078a5cb40f512f3061a13ecaa3f924d70a5a65c2146f3efeca0655c3924f535785698b3db740f4ae1a51ba6685dc4f2afd911d99d3a58eff86f4aa5c18ee

Filesize: 707B
MD5: ebe24885bf35b68c68cb243996ca098a
SHA1: 50fd0e68580508af87279f0057f1dcf265b2d12b
SHA256: 717f4cab1fca261748735dbf6356fde81de4d0378bcf72434c4cdd0a5e4fe4de
SHA512: d418ac6fa4d97dbe0360a6157b47b68df4796023c6f998cb96fe93524c2f92371c4fc7491371e8787ed6b7a08b57808303a66b7c67238e9cc604b922b63175d4

Filesize: 706B
MD5: f4e8b5e9deb9f2b8398c60b6198f7e7a
SHA1: dac4609e6ee013d953e3840f742e76e54d208331
SHA256: 1bc0bed8ca7e39522f167f874fd4e330220ad283857cfa54abb38f52a5036f55
SHA512: 53cb474e78f5f4283079807ce4bd9d05eb18965ef8588c9c471e85974186dc90c8b64f3aba5c514609a3f3bbe74f163f56ea0d9a15b8711e818653d9a4e668e9

Filesize: 196B
MD5: f6f6b7efae7e4b8bbfd7b8bc9557b183
SHA1: 6b90e77fad395261ebcdd848059b52235551a038
SHA256: 7e26d4a5a16ebe59a24b90096cea6c355698b8d34bc119bc30178b129df36140
SHA512: 44787ac780ad3679338243565b8cb163f81f380a15c0262a0d8fa5f4fcd6b40f36bb253a3a88a8347c010162b1fda59032b17b39602ba1d43d31edb3ea49d6ea

Filesize: 483B
MD5: 09979966093be0c3dd8ad9eaa8055b7b
SHA1: 62bf1cf05c442569c7fa7f770b049dfd8916892c
SHA256: 5a01e9394156f47285bc9b4ae9dcda3efd0bf9e18aa5471a8973c365660c263b
SHA512: d51716bf3e9949520c3368c366c2a7f6a7f12b4fe29c1dbafd418e5182d60a9de169d30d1ab748436ff02975803d2ee1bc985eb9fd8ceddea57561826a9af74c

Filesize: 707B
MD5: 83a7116b7e5136571cf7243e2171f660
SHA1: ecd53c42c99cef99354fbac71df88b3d1dcb4b99
SHA256: 87de95b09b9ef601cbc11c1fa0531180856d6e6ed11ddb8ace79241943582cca
SHA512: 0721b22902d67d325f1bbb2538f79473cfe0557824ab66603d0d561224f6a7bc2ac72741c72a4eef195c3944256914f0543758106fb01bf7738da9948c4410dc

Filesize: 707B
MD5: d71cf5a7fea2a1faaf28fafaf36639c8
SHA1: 02610925e1d0a59722c3da9f8b10b3b157f1269f
SHA256: 7793c448a8a0e4ed111b2c5d4e746f0c77ccbf7fb456170de0d7fd220e5a4306
SHA512: 4e48d0bdd5b4c1aa97d015c9815e6df3a97c30151a7762f92408df4e6541626c3d199ed93f1c6ef0593f9a4a06080514a602487158dccdf1c1b7cf49492d6782

Filesize: 707B
MD5: 0b47a46365de0297a45abe44682ccd08
SHA1: d4460f1984be5ab378495b72c2fa5b856054d999
SHA256: 6e94f3da92efb97285c1b5c1661e150e7745e69d730be2f0dd2413305cd5b97c
SHA512: 19f4eab23dd52e2d30c28279cc31565834e039281ad2a26844997f4f3563d402f05ea91ac0042564ea2903fc6843dec64a0fa22fd219e0cb55392364c5594da4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 4a5b1c09400837834dd9d76eac9c1865
SHA1: 1bd4439fe4982a70346f82931c6dd5088b3c4d56
SHA256: 63783aaec3e2acd73828e3a08ce7304a41ba9842a33d3e900e3b54529ae0e934
SHA512: b197f686197a59e395331422f97232cab6eb594ed264fa80d50f65a92e5725cc5133aa0804a20db1c3620e76f033e2dc1fcd0085495b620d0a746ea413fbbf6c