Analysis
-
max time kernel
149s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted
14-11-2024 00:07
Static task
static1
Behavioral task
behavioral1
Sample
8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe
Resource
win7-20241010-en
General
-
Target
8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe
-
Size
4.9MB
-
MD5
5cc4d6abb8d7be81eb9e88cd2817782d
-
SHA1
68d23b88f276fd956d0863067595c1f8d485df63
-
SHA256
8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f
-
SHA512
f4b7625e040a4fe325d3c417bb571767a28c737804f959b1326534b4a1fae014afb2e563680b48cecd1172c5d878c0dcd364d640653d7e24a380b31df50d611c
-
SSDEEP
49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Here the parent is WmiPrvSE.exe, the WMI provider host: a process whose parent is wmiprvse.exe was created through WMI (Win32_Process.Create), so these 24 schtasks.exe launches are the sample registering scheduled tasks via WMI rather than an exploited WMI host.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2676 | 2844 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2692 | 2844 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2748 | 2844 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2520 | 2844 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2780 | 2844 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 768 | 2844 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1476 | 2844 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3044 | 2844 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 380 | 2844 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2608 | 2844 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2384 | 2844 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 568 | 2844 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2096 | 2844 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1736 | 2844 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3048 | 2844 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2984 | 2844 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2208 | 2844 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2544 | 2844 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2076 | 2844 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2340 | 2844 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2404 | 2844 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1156 | 2844 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1032 | 2844 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1192 | 2844 | schtasks.exe | 30
-
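Worked example, added here and not part of the sandbox report or of the sample: a parent/child check over process-creation events that reproduces this signature and also walks the relaunch chain visible in the WriteProcessMemory table further down. The event records are constructed from the PIDs and images in this report; the field layout, the expected-parent allowlist for schtasks.exe, the schtasks.exe path and the PIDs 4000/4001 are assumptions.

```python
"""Parent/child anomaly check over process-creation events.

Added example, not part of the sandbox report. Events are constructed from
the PIDs and images in the report's tables; the field layout, the
expected-parent allowlist and the schtasks.exe path are assumptions.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the new process
    parent_image: str   # full path of its parent ("" if unknown)


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


# Parents that normally launch these binaries (assumed allowlist; tune per estate).
EXPECTED_PARENTS = {
    "schtasks.exe": {"cmd.exe", "explorer.exe", "msiexec.exe"},
}
# A child of WmiPrvSE.exe was created through WMI (Win32_Process.Create),
# which is why the 24 schtasks.exe launches in the report carry that parent.
WMI_HOST = "wmiprvse.exe"


def find_unexpected_children(events):
    """(pid, child, parent, reason) for every child whose parent is not allowlisted."""
    hits = []
    for ev in events:
        child, parent = basename(ev.image), basename(ev.parent_image)
        allowed = EXPECTED_PARENTS.get(child)
        if allowed is not None and parent not in allowed:
            reason = "created via WMI" if parent == WMI_HOST else "unusual parent"
            hits.append((ev.pid, child, parent, reason))
    return hits


def lineage(events, pid):
    """PIDs from the outermost known ancestor down to `pid`."""
    by_pid = {ev.pid: ev for ev in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain[::-1]


def script_hops(events, pid):
    """Number of wscript.exe ancestors of `pid`: the .vbs relaunch loop in the
    report shows up as a lineage alternating dropped exe / wscript.exe."""
    by_pid = {ev.pid: ev for ev in events}
    return sum(1 for p in lineage(events, pid) if basename(by_pid[p].image) == "wscript.exe")


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe"
DROPPED = r"C:\Users\Public\Videos\Sample Videos\explorer.exe"
WSCRIPT = r"C:\Windows\System32\WScript.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMIPRVSE = r"C:\Windows\system32\wbem\wmiprvse.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"   # path assumed; the report shows only the name
CMD = r"C:\Windows\System32\cmd.exe"

# Constructed from the report's PIDs (parent of 2876 unknown; 4000/4001 are a made-up benign launch).
EVENTS = [
    ProcEvent(2876, 0, SAMPLE, ""),
    ProcEvent(1984, 2876, POWERSHELL, SAMPLE),
    ProcEvent(284, 2876, DROPPED, SAMPLE),
    ProcEvent(2420, 284, WSCRIPT, DROPPED),
    ProcEvent(2348, 2420, DROPPED, WSCRIPT),
    ProcEvent(1336, 2348, WSCRIPT, DROPPED),
    ProcEvent(996, 1336, DROPPED, WSCRIPT),
    ProcEvent(1736, 996, WSCRIPT, DROPPED),
    ProcEvent(932, 1736, DROPPED, WSCRIPT),
    ProcEvent(2676, 2844, SCHTASKS, WMIPRVSE),
    ProcEvent(2692, 2844, SCHTASKS, WMIPRVSE),
    ProcEvent(2748, 2844, SCHTASKS, WMIPRVSE),
    ProcEvent(4000, 4001, SCHTASKS, CMD),
]

if __name__ == "__main__":
    for hit in find_unexpected_children(EVENTS):
        print("unexpected child:", hit)
    print("lineage of 932:", lineage(EVENTS, 932), "wscript hops:", script_hops(EVENTS, 932))
```

The allowlist is deliberately short; the point is that the reason string distinguishes WMI-created children from merely unusual parents, because the former is what this signature is really recording.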
UAC bypass 39 IoCs
description | ioc | Process
(every ioc below is a value under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System)
Set value (int) | ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | EnableLUA = "0" | explorer.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | EnableLUA = "0" | explorer.exe
Set value (int) | EnableLUA = "0" | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | EnableLUA = "0" | explorer.exe
Set value (int) | PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | EnableLUA = "0" | explorer.exe
Set value (int) | PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | EnableLUA = "0" | explorer.exe
Set value (int) | EnableLUA = "0" | explorer.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe
Set value (int) | PromptOnSecureDesktop = "0" | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe
Set value (int) | EnableLUA = "0" | explorer.exe
Set value (int) | PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | EnableLUA = "0" | explorer.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | EnableLUA = "0" | explorer.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | EnableLUA = "0" | explorer.exe
Set value (int) | EnableLUA = "0" | explorer.exe
Set value (int) | EnableLUA = "0" | explorer.exe
Set value (int) | PromptOnSecureDesktop = "0" | explorer.exe
-
resource | yara_rule
behavioral1/memory/2876-2-0x000000001B4A0000-0x000000001B5CE000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
776 | powershell.exe
1604 | powershell.exe
1344 | powershell.exe
760 | powershell.exe
2620 | powershell.exe
1088 | powershell.exe
2896 | powershell.exe
1984 | powershell.exe
976 | powershell.exe
964 | powershell.exe
868 | powershell.exe
1964 | powershell.exe
-
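Worked example, added here and not part of the sandbox report or of the sample: triage of the twelve `Add-MpPreference -ExclusionPath` command lines shown in the process tree below. Taken together they exclude `C:\` and every top-level directory of the system volume from Defender scanning, which is a whole-volume exclusion spread over twelve innocuous-looking calls. The twelve command lines are copied from the report; the last three entries and the severity rule (volume root or a top-level directory counts as high) are assumptions. Two caveats a responder wants: the cmdlet only works from an elevated token, which this sample has (it writes to HKLM), and the Defender module that provides `Add-MpPreference` ships with Windows 8 and later, so on a stock Windows 7 image like this one the calls fail and the report records the attempt rather than a confirmed exclusion.

```python
"""Triage of Add-MpPreference exclusion command lines.

Added example, not from the report. The twelve report command lines are
rebuilt from its process tree; the last three are constructed (a narrow
exclusion, an extension exclusion, an unrelated command). Severity rule:
volume root or top-level directory => high (assumption).
"""
import ntpath
import re

EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-(?P<kind>ExclusionPath|ExclusionExtension|ExclusionProcess)"
    r"\s+(?P<q>['\"]?)(?P<value>[^'\"]+?)(?P=q)(?:\s|$)",
    re.IGNORECASE,
)


def parse_exclusion(cmdline):
    """(kind, raw value) or None when the command line adds no exclusion."""
    m = EXCLUSION_RE.search(cmdline)
    return None if m is None else (m["kind"].lower(), m["value"].strip())


def normalize_path(p):
    # PowerShell accepts forward slashes; Defender stores the exclusion as a Windows path.
    return p.strip().replace("/", "\\").rstrip("\\").lower()


def path_depth(p):
    """0 for a volume root (C:), 1 for C:\\Windows, 2 for C:\\Program Files\\App ..."""
    _drive, rest = ntpath.splitdrive(normalize_path(p))
    return len([part for part in rest.split("\\") if part])


def classify(cmdline):
    parsed = parse_exclusion(cmdline)
    if parsed is None:
        return None
    kind, value = parsed
    if kind == "exclusionpath":
        depth = path_depth(value)
        return {"kind": kind, "value": normalize_path(value), "depth": depth,
                "severity": "high" if depth <= 1 else "low"}
    # Extension and process exclusions are always worth a look but are not volume-wide.
    return {"kind": kind, "value": value.lower(), "depth": None, "severity": "medium"}


def excluded_top_level(cmdlines):
    """Volume roots and top-level directories taken out of scanning."""
    return {r["value"] for r in map(classify, cmdlines)
            if r and r["kind"] == "exclusionpath" and r["depth"] <= 1}


PS = '"powershell" -Command '
REPORT_ROOTS = ["C:/", "C:/$Recycle.Bin/", "C:/Documents and Settings/", "C:/MSOCache/",
                "C:/PerfLogs/", "C:/Program Files/", "C:/Program Files (x86)/", "C:/ProgramData/",
                "C:/Recovery/", "C:/System Volume Information/", "C:/Users/", "C:/Windows/"]
COMMANDS = [f"{PS}Add-MpPreference -ExclusionPath '{p}'" for p in REPORT_ROOTS] + [
    PS + r"Add-MpPreference -ExclusionPath 'C:\Program Files\Contoso\cache'",  # constructed, narrow
    PS + "Add-MpPreference -ExclusionExtension exe",                           # constructed
    PS + "Get-Date",                                                           # constructed, no exclusion
]

if __name__ == "__main__":
    for c in COMMANDS:
        print(classify(c))
    print("top-level exclusions:", sorted(excluded_top_level(COMMANDS)))
```

On a live host the same data comes from `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath`, and each successful change is logged as event 5007 in the Microsoft-Windows-Windows Defender/Operational log.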
Executes dropped EXE 12 IoCs
pid | Process
284 | explorer.exe
2348 | explorer.exe
996 | explorer.exe
932 | explorer.exe
1968 | explorer.exe
2188 | explorer.exe
2996 | explorer.exe
2208 | explorer.exe
2984 | explorer.exe
1036 | explorer.exe
1032 | explorer.exe
2056 | explorer.exe
-
Checks whether UAC is enabled 26 IoCs
description | ioc | Process
(every ioc below is the EnableLUA value under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System)
Set value (int) | EnableLUA = "0" | explorer.exe
Set value (int) | EnableLUA = "0" | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe
Set value (int) | EnableLUA = "0" | explorer.exe
Key value queried | EnableLUA | explorer.exe
Key value queried | EnableLUA | explorer.exe
Set value (int) | EnableLUA = "0" | explorer.exe
Set value (int) | EnableLUA = "0" | explorer.exe
Key value queried | EnableLUA | explorer.exe
Key value queried | EnableLUA | explorer.exe
Set value (int) | EnableLUA = "0" | explorer.exe
Set value (int) | EnableLUA = "0" | explorer.exe
Set value (int) | EnableLUA = "0" | explorer.exe
Key value queried | EnableLUA | explorer.exe
Key value queried | EnableLUA | explorer.exe
Set value (int) | EnableLUA = "0" | explorer.exe
Set value (int) | EnableLUA = "0" | explorer.exe
Key value queried | EnableLUA | explorer.exe
Key value queried | EnableLUA | explorer.exe
Key value queried | EnableLUA | explorer.exe
Set value (int) | EnableLUA = "0" | explorer.exe
Key value queried | EnableLUA | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe
Set value (int) | EnableLUA = "0" | explorer.exe
Key value queried | EnableLUA | explorer.exe
Set value (int) | EnableLUA = "0" | explorer.exe
Key value queried | EnableLUA | explorer.exe
Key value queried | EnableLUA | explorer.exe
-
Drops file in Program Files directory 8 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Mozilla Firefox\defaults\pref\spoolsv.exe | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe
File opened for modification | C:\Program Files\Java\jre7\bin\dtplugin\RCX7DE0.tmp | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe
File opened for modification | C:\Program Files\Java\jre7\bin\dtplugin\taskhost.exe | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe
File created | C:\Program Files\Mozilla Firefox\defaults\pref\spoolsv.exe | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe
File created | C:\Program Files\Mozilla Firefox\defaults\pref\f3b6ecef712a24 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe
File created | C:\Program Files\Java\jre7\bin\dtplugin\taskhost.exe | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe
File created | C:\Program Files\Java\jre7\bin\dtplugin\b75386f1303e64 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe
File opened for modification | C:\Program Files\Mozilla Firefox\defaults\pref\RCX795C.tmp | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe
-
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\IME\winlogon.exe | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe
File created | C:\Windows\IME\cc11b995f2a76d | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe
File opened for modification | C:\Windows\IME\RCX72D3.tmp | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe
File opened for modification | C:\Windows\IME\winlogon.exe | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe
-
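Worked example, added here and not part of the sandbox report or of the sample: the two file tables above show the sample writing copies named spoolsv.exe, taskhost.exe and winlogon.exe into directories where those binaries never live (a Firefox prefs folder, a Java plugin folder, C:\Windows\IME), each next to an extension-less file with a 14-character hex name. The check below flags a system-binary name outside its expected directory and then collects the hex-named companions dropped beside it. The twelve event lines are the report's rows; the thirteenth (the explorer.exe copy the process tree runs from the Public Videos folder) and the fourteenth (a benign servicing write) are constructed, and the expected-location table and the marker-name pattern are assumptions.

```python
"""Masquerading dropped files: system-binary names in non-system directories.

Added example, not from the report. Twelve event lines are the report's
file rows; the explorer.exe drop under Public Videos and the benign
TrustedInstaller write are constructed. EXPECTED_DIRS is an assumed
baseline for 64-bit Windows 7; HEX_MARKER is assumed from the report.
"""
import ntpath
import re

EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "spoolsv.exe":  {r"c:\windows\system32"},
    "taskhost.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
}
HEX_MARKER = re.compile(r"^[0-9a-f]{12,16}$")   # extension-less lowercase-hex file name
OPS = ("File created", "File opened for modification")


def parse_file_event(line):
    """(op, path, process) from a report-style row; the process is the last token."""
    for op in OPS:
        if line.startswith(op + " "):
            parts = line[len(op):].strip().rsplit(" ", 1)
            if len(parts) == 2:
                return op, parts[0], parts[1]
    return None


def masquerades(lines):
    """[(path, expected dirs)] for unique paths whose file name is a system
    binary but whose directory is not one of its known locations."""
    seen = {}
    for line in lines:
        ev = parse_file_event(line)
        if ev is None:
            continue
        _, path, _ = ev
        directory, name = ntpath.dirname(path).lower(), ntpath.basename(path).lower()
        expected = EXPECTED_DIRS.get(name)
        if expected and directory not in expected and path not in seen:
            seen[path] = sorted(expected)
    return list(seen.items())


def companion_markers(lines):
    """Hex-named files dropped into the same directory as a masquerading binary."""
    suspect_dirs = {ntpath.dirname(p).lower() for p, _ in masquerades(lines)}
    found = []
    for line in lines:
        ev = parse_file_event(line)
        if ev is None:
            continue
        _, path, _ = ev
        in_suspect_dir = ntpath.dirname(path).lower() in suspect_dirs
        if in_suspect_dir and HEX_MARKER.match(ntpath.basename(path).lower()) and path not in found:
            found.append(path)
    return found


SAMPLE = "8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe"
LINES = [
    rf"File opened for modification C:\Program Files\Mozilla Firefox\defaults\pref\spoolsv.exe {SAMPLE}",
    rf"File opened for modification C:\Program Files\Java\jre7\bin\dtplugin\RCX7DE0.tmp {SAMPLE}",
    rf"File opened for modification C:\Program Files\Java\jre7\bin\dtplugin\taskhost.exe {SAMPLE}",
    rf"File created C:\Program Files\Mozilla Firefox\defaults\pref\spoolsv.exe {SAMPLE}",
    rf"File created C:\Program Files\Mozilla Firefox\defaults\pref\f3b6ecef712a24 {SAMPLE}",
    rf"File created C:\Program Files\Java\jre7\bin\dtplugin\taskhost.exe {SAMPLE}",
    rf"File created C:\Program Files\Java\jre7\bin\dtplugin\b75386f1303e64 {SAMPLE}",
    rf"File opened for modification C:\Program Files\Mozilla Firefox\defaults\pref\RCX795C.tmp {SAMPLE}",
    rf"File created C:\Windows\IME\winlogon.exe {SAMPLE}",
    rf"File created C:\Windows\IME\cc11b995f2a76d {SAMPLE}",
    rf"File opened for modification C:\Windows\IME\RCX72D3.tmp {SAMPLE}",
    rf"File opened for modification C:\Windows\IME\winlogon.exe {SAMPLE}",
    rf"File created C:\Users\Public\Videos\Sample Videos\explorer.exe {SAMPLE}",           # constructed
    r"File opened for modification C:\Windows\System32\spoolsv.exe TrustedInstaller.exe",  # constructed, benign
]

if __name__ == "__main__":
    for path, expected in masquerades(LINES):
        print("masquerade:", path, "expected in", expected)
    print("companion markers:", companion_markers(LINES))
```

Keyed on the full path, the check survives the report's habit of listing the same file once as created and once as opened for modification; the benign System32 write is not flagged because its directory is in the baseline.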
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1192 | schtasks.exe
2676 | schtasks.exe
2520 | schtasks.exe
1476 | schtasks.exe
568 | schtasks.exe
2404 | schtasks.exe
2748 | schtasks.exe
2384 | schtasks.exe
2984 | schtasks.exe
2076 | schtasks.exe
2208 | schtasks.exe
2692 | schtasks.exe
2780 | schtasks.exe
2608 | schtasks.exe
2096 | schtasks.exe
1736 | schtasks.exe
2340 | schtasks.exe
1156 | schtasks.exe
1032 | schtasks.exe
768 | schtasks.exe
3044 | schtasks.exe
380 | schtasks.exe
3048 | schtasks.exe
2544 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 27 IoCs
pid | Process
2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe
2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe
2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe
1984 | powershell.exe
760 | powershell.exe
1088 | powershell.exe
976 | powershell.exe
1604 | powershell.exe
868 | powershell.exe
1964 | powershell.exe
2896 | powershell.exe
2620 | powershell.exe
1344 | powershell.exe
964 | powershell.exe
776 | powershell.exe
284 | explorer.exe
2348 | explorer.exe
996 | explorer.exe
932 | explorer.exe
1968 | explorer.exe
2188 | explorer.exe
2996 | explorer.exe
2208 | explorer.exe
2984 | explorer.exe
1036 | explorer.exe
1032 | explorer.exe
2056 | explorer.exe
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe
Token: SeDebugPrivilege | 1984 | powershell.exe
Token: SeDebugPrivilege | 760 | powershell.exe
Token: SeDebugPrivilege | 1088 | powershell.exe
Token: SeDebugPrivilege | 976 | powershell.exe
Token: SeDebugPrivilege | 1604 | powershell.exe
Token: SeDebugPrivilege | 868 | powershell.exe
Token: SeDebugPrivilege | 1964 | powershell.exe
Token: SeDebugPrivilege | 2896 | powershell.exe
Token: SeDebugPrivilege | 2620 | powershell.exe
Token: SeDebugPrivilege | 1344 | powershell.exe
Token: SeDebugPrivilege | 964 | powershell.exe
Token: SeDebugPrivilege | 776 | powershell.exe
Token: SeDebugPrivilege | 284 | explorer.exe
Token: SeDebugPrivilege | 2348 | explorer.exe
Token: SeDebugPrivilege | 996 | explorer.exe
Token: SeDebugPrivilege | 932 | explorer.exe
Token: SeDebugPrivilege | 1968 | explorer.exe
Token: SeDebugPrivilege | 2188 | explorer.exe
Token: SeDebugPrivilege | 2996 | explorer.exe
Token: SeDebugPrivilege | 2208 | explorer.exe
Token: SeDebugPrivilege | 2984 | explorer.exe
Token: SeDebugPrivilege | 1036 | explorer.exe
Token: SeDebugPrivilege | 1032 | explorer.exe
Token: SeDebugPrivilege | 2056 | explorer.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2876 wrote to memory of 1984 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 55
PID 2876 wrote to memory of 1984 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 55
PID 2876 wrote to memory of 1984 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 55
PID 2876 wrote to memory of 2896 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 56
PID 2876 wrote to memory of 2896 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 56
PID 2876 wrote to memory of 2896 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 56
PID 2876 wrote to memory of 1964 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 57
PID 2876 wrote to memory of 1964 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 57
PID 2876 wrote to memory of 1964 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 57
PID 2876 wrote to memory of 1088 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 59
PID 2876 wrote to memory of 1088 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 59
PID 2876 wrote to memory of 1088 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 59
PID 2876 wrote to memory of 2620 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 60
PID 2876 wrote to memory of 2620 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 60
PID 2876 wrote to memory of 2620 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 60
PID 2876 wrote to memory of 868 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 62
PID 2876 wrote to memory of 868 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 62
PID 2876 wrote to memory of 868 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 62
PID 2876 wrote to memory of 760 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 63
PID 2876 wrote to memory of 760 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 63
PID 2876 wrote to memory of 760 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 63
PID 2876 wrote to memory of 964 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 64
PID 2876 wrote to memory of 964 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 64
PID 2876 wrote to memory of 964 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 64
PID 2876 wrote to memory of 976 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 65
PID 2876 wrote to memory of 976 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 65
PID 2876 wrote to memory of 976 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 65
PID 2876 wrote to memory of 1344 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 66
PID 2876 wrote to memory of 1344 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 66
PID 2876 wrote to memory of 1344 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 66
PID 2876 wrote to memory of 1604 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 67
PID 2876 wrote to memory of 1604 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 67
PID 2876 wrote to memory of 1604 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 67
PID 2876 wrote to memory of 776 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 68
PID 2876 wrote to memory of 776 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 68
PID 2876 wrote to memory of 776 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 68
PID 2876 wrote to memory of 284 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 79
PID 2876 wrote to memory of 284 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 79
PID 2876 wrote to memory of 284 | 2876 | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe | 79
PID 284 wrote to memory of 2420 | 284 | explorer.exe | 80
PID 284 wrote to memory of 2420 | 284 | explorer.exe | 80
PID 284 wrote to memory of 2420 | 284 | explorer.exe | 80
PID 284 wrote to memory of 2248 | 284 | explorer.exe | 81
PID 284 wrote to memory of 2248 | 284 | explorer.exe | 81
PID 284 wrote to memory of 2248 | 284 | explorer.exe | 81
PID 2420 wrote to memory of 2348 | 2420 | WScript.exe | 82
PID 2420 wrote to memory of 2348 | 2420 | WScript.exe | 82
PID 2420 wrote to memory of 2348 | 2420 | WScript.exe | 82
PID 2348 wrote to memory of 1336 | 2348 | explorer.exe | 83
PID 2348 wrote to memory of 1336 | 2348 | explorer.exe | 83
PID 2348 wrote to memory of 1336 | 2348 | explorer.exe | 83
PID 2348 wrote to memory of 2212 | 2348 | explorer.exe | 84
PID 2348 wrote to memory of 2212 | 2348 | explorer.exe | 84
PID 2348 wrote to memory of 2212 | 2348 | explorer.exe | 84
PID 1336 wrote to memory of 996 | 1336 | WScript.exe | 86
PID 1336 wrote to memory of 996 | 1336 | WScript.exe | 86
PID 1336 wrote to memory of 996 | 1336 | WScript.exe | 86
PID 996 wrote to memory of 1736 | 996 | explorer.exe | 87
PID 996 wrote to memory of 1736 | 996 | explorer.exe | 87
PID 996 wrote to memory of 1736 | 996 | explorer.exe | 87
PID 996 wrote to memory of 1828 | 996 | explorer.exe | 88
PID 996 wrote to memory of 1828 | 996 | explorer.exe | 88
PID 996 wrote to memory of 1828 | 996 | explorer.exe | 88
PID 1736 wrote to memory of 932 | 1736 | WScript.exe | 89
-
System policy modification 1 TTPs 39 IoCs
description | ioc | Process
(every ioc below is a value under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System)
Set value (int) | ConsentPromptBehaviorAdmin = "0" | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | EnableLUA = "0" | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | EnableLUA = "0" | explorer.exe
Set value (int) | PromptOnSecureDesktop = "0" | 8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | EnableLUA = "0" | explorer.exe
Set value (int) | PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | EnableLUA = "0" | explorer.exe
Set value (int) | PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | EnableLUA = "0" | explorer.exe
Set value (int) | PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | EnableLUA = "0" | explorer.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | EnableLUA = "0" | explorer.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | EnableLUA = "0" | explorer.exe
Set value (int) | PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | explorer.exe
Set value (int) | EnableLUA = "0" | explorer.exe
Set value (int) | EnableLUA = "0" | explorer.exe
Set value (int) | PromptOnSecureDesktop = "0" | explorer.exe
Set value (int) | EnableLUA = "0" | explorer.exe
Set value (int) | EnableLUA = "0" | explorer.exe
Set value (int) | EnableLUA = "0" | explorer.exe
-
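Worked example, added here and not part of the sandbox report or of the sample: a detector for the policy writes listed in this table and in the UAC bypass table near the top of the report. The three values together switch UAC off: EnableLUA=0 disables it entirely (effective after the next restart), ConsentPromptBehaviorAdmin=0 makes administrators elevate silently, and PromptOnSecureDesktop=0 drops the secure desktop for any prompt that remains. Writing under HKLM\...\Policies\System already requires an elevated token, so these writes keep elevated access for later runs rather than bypass anything in this one. The event lines are in the report's own row format (the first five and the seventh copied from it, the sixth a benign write made up for contrast); the baseline values are the Windows defaults, and an enterprise baseline may set ConsentPromptBehaviorAdmin to a stricter value.

```python
"""UAC policy tampering over registry-set events.

Added example, not from the report. Event lines follow the report's row
format; the svchost.exe line is a constructed benign write. Baseline is
the Windows default (UAC on, admin consent prompt on the secure desktop).
"""
import re
from collections import Counter

UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_BASELINE = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}

EVENT_RE = re.compile(
    r'^Set value \((?P<type>\w+)\)\s+(?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\\s]+)'
    r'\s*=\s*"(?P<data>[^"]*)"\s+(?P<proc>\S+)$'
)


def parse_set_event(line):
    """Dict for a 'Set value' row; None for 'Key value queried' rows and anything else."""
    m = EVENT_RE.match(line.strip())
    if m is None:
        return None
    data = int(m["data"]) if m["type"] == "int" else m["data"]
    return {"key": m["key"], "name": m["name"], "data": data, "proc": m["proc"]}


def nt_to_hklm(key):
    # Sandbox rows use the NT object path; reg.exe and PowerShell want the HKLM form.
    return re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", key, flags=re.IGNORECASE)


def uac_tampering(lines):
    """(process, value name, written data, baseline) for each write that weakens UAC."""
    hits = []
    for line in lines:
        ev = parse_set_event(line)
        if ev is None or ev["key"].lower() != UAC_KEY.lower():
            continue
        want = UAC_BASELINE.get(ev["name"])
        if want is not None and ev["data"] != want:
            hits.append((ev["proc"], ev["name"], ev["data"], want))
    return hits


def writes_per_process(hits):
    """How many times each process rewrote each value (the report shows dozens)."""
    return Counter((proc, name) for proc, name, _, _ in hits)


def remediation(hits):
    """reg.exe commands restoring the baseline for every tampered value (restart needed for EnableLUA)."""
    return sorted({f'reg add "{nt_to_hklm(UAC_KEY)}" /v {name} /t REG_DWORD /d {want} /f'
                   for _, name, _, want in hits})


SAMPLE = "8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe"
LINES = [
    f'Set value (int) {UAC_KEY}\\ConsentPromptBehaviorAdmin = "0" explorer.exe',
    f'Set value (int) {UAC_KEY}\\PromptOnSecureDesktop = "0" explorer.exe',
    f'Set value (int) {UAC_KEY}\\EnableLUA = "0" {SAMPLE}',
    f'Set value (int) {UAC_KEY}\\EnableLUA = "0" explorer.exe',
    f'Key value queried {UAC_KEY}\\EnableLUA explorer.exe',
    f'Set value (int) {UAC_KEY}\\EnableLUA = "1" svchost.exe',   # constructed benign write
    f'Set value (int) {UAC_KEY}\\ConsentPromptBehaviorAdmin = "0" explorer.exe',
]

if __name__ == "__main__":
    hits = uac_tampering(LINES)
    for item in writes_per_process(hits).items():
        print("tampering:", item)
    print("\n".join(remediation(hits)))
```

The same three values can be read back on a live host with `Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'`; a value that matches the baseline but was rewritten by explorer.exe is still worth noting, since a legitimate explorer.exe does not write policy keys.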
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
1⤵ C:\Users\Admin\AppData\Local\Temp\8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe
"C:\Users\Admin\AppData\Local\Temp\8a03f7f65c527f58e2c90fbee43ba1bead4580658cf99792a62654a879f4bd8f.exe"
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2876 -
2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1984
-
-
2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2896
-
-
2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1964
-
-
2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1088
-
-
2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2620
-
-
2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:868
-
-
2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:760
-
-
2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:964
-
-
2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:976
-
-
2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1344
-
-
2⤵ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1604
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:776
-
-
[depth 2] C:\Users\Public\Videos\Sample Videos\explorer.exe
Command line: "C:\Users\Public\Videos\Sample Videos\explorer.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 284

[depth 3] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13a04e06-5f7d-44a5-939d-6fa4d2b7c6b2.vbs"
- Suspicious use of WriteProcessMemory
PID: 2420

[depth 4] C:\Users\Public\Videos\Sample Videos\explorer.exe
Command line: "C:\Users\Public\Videos\Sample Videos\explorer.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2348

[depth 5] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e87d1b1-60dc-4056-afbf-2fa7dd58fb3d.vbs"
- Suspicious use of WriteProcessMemory
PID: 1336

[depth 6] C:\Users\Public\Videos\Sample Videos\explorer.exe
Command line: "C:\Users\Public\Videos\Sample Videos\explorer.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 996

[depth 7] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5a84b9e-a387-4970-b61e-9c8055bf7fae.vbs"
- Suspicious use of WriteProcessMemory
PID: 1736

[depth 8] C:\Users\Public\Videos\Sample Videos\explorer.exe
Command line: "C:\Users\Public\Videos\Sample Videos\explorer.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 932

[depth 9] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc33de89-ca07-43a4-836b-87b0bce8b619.vbs"
PID: 2496

[depth 10] C:\Users\Public\Videos\Sample Videos\explorer.exe
Command line: "C:\Users\Public\Videos\Sample Videos\explorer.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 1968

[depth 11] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b647083-8e9a-4db6-af11-30198a1995dc.vbs"
PID: 1676

[depth 12] C:\Users\Public\Videos\Sample Videos\explorer.exe
Command line: "C:\Users\Public\Videos\Sample Videos\explorer.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 2188

[depth 13] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46864f68-4591-4343-b1ac-4f432f0b59b3.vbs"
PID: 1796

[depth 14] C:\Users\Public\Videos\Sample Videos\explorer.exe
Command line: "C:\Users\Public\Videos\Sample Videos\explorer.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 2996

[depth 15] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6dd29283-f4a0-40f9-8995-6e0a366adf30.vbs"
PID: 1368

[depth 16] C:\Users\Public\Videos\Sample Videos\explorer.exe
Command line: "C:\Users\Public\Videos\Sample Videos\explorer.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 2208

[depth 17] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9dc950a-ab1a-4262-bfb2-5c6050950b0a.vbs"
PID: 1976

[depth 18] C:\Users\Public\Videos\Sample Videos\explorer.exe
Command line: "C:\Users\Public\Videos\Sample Videos\explorer.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 2984

[depth 19] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5689abb-68bc-48fb-8b0d-a13c24f8aef4.vbs"
PID: 1860

[depth 20] C:\Users\Public\Videos\Sample Videos\explorer.exe
Command line: "C:\Users\Public\Videos\Sample Videos\explorer.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 1036

[depth 21] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04adb34f-895c-4eaa-93a0-d5b7c4eeae6e.vbs"
PID: 1504

[depth 22] C:\Users\Public\Videos\Sample Videos\explorer.exe
Command line: "C:\Users\Public\Videos\Sample Videos\explorer.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 1032

[depth 23] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc723351-23d3-43a3-9ba0-9f74e8f09162.vbs"
PID: 1712

[depth 24] C:\Users\Public\Videos\Sample Videos\explorer.exe
Command line: "C:\Users\Public\Videos\Sample Videos\explorer.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 2056

[depth 25] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e73a70e7-7ff4-4cd6-aa6d-52b38dbb541a.vbs"
PID: 2352

[depth 25] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b83dec92-8e39-4c3c-a3ad-10dcdab58075.vbs"
PID: 2300

[depth 23] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d628c0a-4024-4b5c-abb2-df27f67e2195.vbs"
PID: 2552

[depth 21] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\333a5f6d-adb3-4475-9f8e-adcd7c0bc2a0.vbs"
PID: 1988

[depth 19] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79046033-927a-46d5-ae2f-f807ea8007f2.vbs"
PID: 1800

[depth 17] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37aac782-6c5e-40fa-972d-afa1d8435e18.vbs"
PID: 2196

[depth 15] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8931c8c9-3d19-4546-90ef-debc02d86d29.vbs"
PID: 1624

[depth 13] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0113779-4f79-456b-9a3e-25ba2a79bd59.vbs"
PID: 844

[depth 11] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\743be4c9-1177-419f-88af-4828bbb14507.vbs"
PID: 2060

[depth 9] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38fe360a-097e-4f6b-afb2-7f0c0dca4a41.vbs"
PID: 2896

[depth 7] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ebd9746-6cce-4ab0-b273-dd06cec23a62.vbs"
PID: 1828

[depth 5] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f790def0-082f-4a06-aa11-46ac0bb8443c.vbs"
PID: 2212

[depth 3] C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e1f6f4a-0308-4476-981d-cc6554b7efbc.vbs"
PID: 2248
[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2676

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2692

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2748

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\Sample Videos\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2520

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2780

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\Sample Videos\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 768

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\IME\winlogon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1476

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\IME\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3044

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\IME\winlogon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 380

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2608

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2384

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 568

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Cookies\System.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2096

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Cookies\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1736

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Cookies\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3048

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2984

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2208

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2544

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2076

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2340

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2404

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1156

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\dtplugin\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1032

[depth 1] C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1192
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads