Analysis
max time kernel: 111s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-11-2024 05:26

Static task: static1

Behavioral task: behavioral1
  Sample: 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
  Resource: win10v2004-20241007-en
General
Target: 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Size: 2.0MB
MD5: 43a09f586ae8fe86191c47743b5cf744
SHA1: a8bc2177c871d0d29e93737a7ebcaa3da8f182de
SHA256: 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58
SHA512: ff8acde081b435a1bb0f204359bd7227b380a66e61472546016db41c53c7708c91215af8fbc3fdc8a99d1e15f6139c3e278b04dc483ecc3d952a2d1240efa104
SSDEEP: 49152:+bv4/KHiciethGCUA1TJeUCMkiOT3eY1CKzuJtGvAAzB:+bv4/BUVb5JLChiAu1evAoB
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

Dcrat family
Modifies WinLogon for persistence (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dwm.exe\"" | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\TextInputHost.exe\"" | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\TextInputHost.exe\", \"C:\\Users\\Public\\Music\\RuntimeBroker.exe\"" | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\TextInputHost.exe\", \"C:\\Users\\Public\\Music\\RuntimeBroker.exe\", \"C:\\Windows\\tracing\\smss.exe\"" | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\TextInputHost.exe\", \"C:\\Users\\Public\\Music\\RuntimeBroker.exe\", \"C:\\Windows\\tracing\\smss.exe\", \"C:\\Program Files (x86)\\Windows Mail\\wininit.exe\"" | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\TextInputHost.exe\", \"C:\\Users\\Public\\Music\\RuntimeBroker.exe\", \"C:\\Windows\\tracing\\smss.exe\", \"C:\\Program Files (x86)\\Windows Mail\\wininit.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe\"" | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Process spawned unexpected child process (18 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 264 | 3296 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1680 | 3296 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4244 | 3296 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3856 | 3296 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 664 | 3296 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3336 | 3296 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1972 | 3296 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3560 | 3296 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 404 | 3296 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4316 | 3296 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5048 | 3296 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3368 | 3296 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5116 | 3296 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1196 | 3296 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3448 | 3296 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2500 | 3296 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4180 | 3296 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2732 | 3296 | schtasks.exe | 86
Command and Scripting Interpreter: PowerShell (1 TTPs, 6 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
1964 | powershell.exe
2060 | powershell.exe
1688 | powershell.exe
3292 | powershell.exe
1764 | powershell.exe
4144 | powershell.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely as a geofence check.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Executes dropped EXE (1 IoCs)
pid | Process
4188 | wininit.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials among other data.
Adds Run key to start application (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\TextInputHost.exe\"" | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Public\\Music\\RuntimeBroker.exe\"" | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Public\\Music\\RuntimeBroker.exe\"" | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\tracing\\smss.exe\"" | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Windows Mail\\wininit.exe\"" | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe\"" | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\WindowsRE\\dwm.exe\"" | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\TextInputHost.exe\"" | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Windows Mail\\wininit.exe\"" | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe\"" | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\WindowsRE\\dwm.exe\"" | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\tracing\\smss.exe\"" | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
10 | ipinfo.io
40 | ipinfo.io
9 | ipinfo.io
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | \??\c:\Windows\System32\CSC932A48A72780499AA72067926DA1C16C.TMP | csc.exe
File created | \??\c:\Windows\System32\s_kgxh.exe | csc.exe
Drops file in Program Files directory (6 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Windows Mail\wininit.exe | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
File opened for modification | C:\Program Files (x86)\Windows Mail\wininit.exe | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
File created | C:\Program Files (x86)\Windows Mail\56085415360792 | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
File created | C:\Program Files\ModifiableWindowsApps\taskhostw.exe | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
File created | C:\Program Files (x86)\Internet Explorer\it-IT\TextInputHost.exe | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
File created | C:\Program Files (x86)\Internet Explorer\it-IT\22eafd247d37c3 | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\tracing\smss.exe | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
File created | C:\Windows\tracing\69ddcba757bf72 | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 18 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
5116 | schtasks.exe
2500 | schtasks.exe
4180 | schtasks.exe
264 | schtasks.exe
664 | schtasks.exe
1972 | schtasks.exe
5048 | schtasks.exe
3368 | schtasks.exe
3856 | schtasks.exe
3336 | schtasks.exe
4316 | schtasks.exe
1196 | schtasks.exe
3448 | schtasks.exe
1680 | schtasks.exe
4244 | schtasks.exe
3560 | schtasks.exe
404 | schtasks.exe
2732 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2864 | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe (the same pid/process pair is logged for all 64 IoCs)
Suspicious use of AdjustPrivilegeToken (8 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2864 | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Token: SeDebugPrivilege | 3292 | powershell.exe
Token: SeDebugPrivilege | 1688 | powershell.exe
Token: SeDebugPrivilege | 1764 | powershell.exe
Token: SeDebugPrivilege | 1964 | powershell.exe
Token: SeDebugPrivilege | 2060 | powershell.exe
Token: SeDebugPrivilege | 4144 | powershell.exe
Token: SeDebugPrivilege | 4188 | wininit.exe
Suspicious use of WriteProcessMemory (24 IoCs)
description | pid | Process | procid_target
PID 2864 wrote to memory of 4060 | 2864 | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | 90
PID 2864 wrote to memory of 4060 | 2864 | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | 90
PID 4060 wrote to memory of 5036 | 4060 | csc.exe | 92
PID 4060 wrote to memory of 5036 | 4060 | csc.exe | 92
PID 2864 wrote to memory of 4144 | 2864 | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | 108
PID 2864 wrote to memory of 4144 | 2864 | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | 108
PID 2864 wrote to memory of 1764 | 2864 | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | 109
PID 2864 wrote to memory of 1764 | 2864 | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | 109
PID 2864 wrote to memory of 3292 | 2864 | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | 110
PID 2864 wrote to memory of 3292 | 2864 | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | 110
PID 2864 wrote to memory of 1688 | 2864 | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | 111
PID 2864 wrote to memory of 1688 | 2864 | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | 111
PID 2864 wrote to memory of 2060 | 2864 | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | 112
PID 2864 wrote to memory of 2060 | 2864 | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | 112
PID 2864 wrote to memory of 1964 | 2864 | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | 113
PID 2864 wrote to memory of 1964 | 2864 | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | 113
PID 2864 wrote to memory of 2696 | 2864 | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | 119
PID 2864 wrote to memory of 2696 | 2864 | 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe | 119
PID 2696 wrote to memory of 1904 | 2696 | cmd.exe | 122
PID 2696 wrote to memory of 1904 | 2696 | cmd.exe | 122
PID 2696 wrote to memory of 4496 | 2696 | cmd.exe | 123
PID 2696 wrote to memory of 4496 | 2696 | cmd.exe | 123
PID 2696 wrote to memory of 4188 | 2696 | cmd.exe | 128
PID 2696 wrote to memory of 4188 | 2696 | cmd.exe | 128
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe"
    PID: 2864
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jcftksot\jcftksot.cmdline"
        PID: 4060
        - Drops file in System32 directory
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA88.tmp" "c:\Windows\System32\CSC932A48A72780499AA72067926DA1C16C.TMP"
            PID: 5036
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
        PID: 4144
        - Command and Scripting Interpreter: PowerShell
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\it-IT\TextInputHost.exe'
        PID: 1764
        - Command and Scripting Interpreter: PowerShell
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\RuntimeBroker.exe'
        PID: 3292
        - Command and Scripting Interpreter: PowerShell
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\smss.exe'
        PID: 1688
        - Command and Scripting Interpreter: PowerShell
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\wininit.exe'
        PID: 2060
        - Command and Scripting Interpreter: PowerShell
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe'
        PID: 1964
        - Command and Scripting Interpreter: PowerShell
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QkuNgFXync.bat"
        PID: 2696
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\chcp.com
            Command line: chcp 65001
            PID: 1904

        [3] C:\Windows\system32\w32tm.exe
            Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            PID: 4496

        [3] C:\Program Files (x86)\Windows Mail\wininit.exe
            Command line: "C:\Program Files (x86)\Windows Mail\wininit.exe"
            PID: 4188
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
    PID: 264
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
    PID: 1680
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
    PID: 4244
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\TextInputHost.exe'" /f
    PID: 3856
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\TextInputHost.exe'" /rl HIGHEST /f
    PID: 664
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\TextInputHost.exe'" /rl HIGHEST /f
    PID: 3336
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Music\RuntimeBroker.exe'" /f
    PID: 1972
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Music\RuntimeBroker.exe'" /rl HIGHEST /f
    PID: 3560
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\RuntimeBroker.exe'" /rl HIGHEST /f
    PID: 404
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\smss.exe'" /f
    PID: 5048
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\tracing\smss.exe'" /rl HIGHEST /f
    PID: 4316
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\smss.exe'" /rl HIGHEST /f
    PID: 3368
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /f
    PID: 5116
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /rl HIGHEST /f
    PID: 1196
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /rl HIGHEST /f
    PID: 3448
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e586" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe'" /f
    PID: 2500
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe'" /rl HIGHEST /f
    PID: 4180
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e586" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe'" /rl HIGHEST /f
    PID: 2732
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads