Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
14-11-2024 05:32
Static task
static1
Behavioral task
behavioral1
Sample
6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
Resource
win10v2004-20241007-en
General
-
Target
6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe
-
Size
2.0MB
-
MD5
43a09f586ae8fe86191c47743b5cf744
-
SHA1
a8bc2177c871d0d29e93737a7ebcaa3da8f182de
-
SHA256
6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58
-
SHA512
ff8acde081b435a1bb0f204359bd7227b380a66e61472546016db41c53c7708c91215af8fbc3fdc8a99d1e15f6139c3e278b04dc483ecc3d952a2d1240efa104
-
SSDEEP
49152:+bv4/KHiciethGCUA1TJeUCMkiOT3eY1CKzuJtGvAAzB:+bv4/BUVb5JLChiAu1evAoB
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Start Menu\\SearchApp.exe\", \"C:\\Users\\Public\\Libraries\\backgroundTaskHost.exe\", \"C:\\Windows\\RemotePackages\\RemoteApps\\RuntimeBroker.exe\", \"C:\\Program Files\\dotnet\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ja-JP\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe\"" 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Start Menu\\SearchApp.exe\"" 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Start Menu\\SearchApp.exe\", \"C:\\Users\\Public\\Libraries\\backgroundTaskHost.exe\"" 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Start Menu\\SearchApp.exe\", \"C:\\Users\\Public\\Libraries\\backgroundTaskHost.exe\", \"C:\\Windows\\RemotePackages\\RemoteApps\\RuntimeBroker.exe\"" 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Start Menu\\SearchApp.exe\", \"C:\\Users\\Public\\Libraries\\backgroundTaskHost.exe\", \"C:\\Windows\\RemotePackages\\RemoteApps\\RuntimeBroker.exe\", \"C:\\Program Files\\dotnet\\StartMenuExperienceHost.exe\"" 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Start Menu\\SearchApp.exe\", \"C:\\Users\\Public\\Libraries\\backgroundTaskHost.exe\", \"C:\\Windows\\RemotePackages\\RemoteApps\\RuntimeBroker.exe\", \"C:\\Program Files\\dotnet\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ja-JP\\dllhost.exe\"" 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe -
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1404 5068 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3656 5068 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3952 5068 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3040 5068 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4696 5068 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4456 5068 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1596 5068 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3260 5068 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1736 5068 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1544 5068 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2768 5068 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1696 5068 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3320 5068 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2696 5068 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 912 5068 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 956 5068 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1640 5068 schtasks.exe 86 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2936 5068 schtasks.exe 86 -
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4420 powershell.exe 4676 powershell.exe 4488 powershell.exe 3192 powershell.exe 3500 powershell.exe 2368 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Users\\Default\\Start Menu\\SearchApp.exe\"" 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Users\\Public\\Libraries\\backgroundTaskHost.exe\"" 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\RemotePackages\\RemoteApps\\RuntimeBroker.exe\"" 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\dotnet\\StartMenuExperienceHost.exe\"" 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\ja-JP\\dllhost.exe\"" 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\ja-JP\\dllhost.exe\"" 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Users\\Default\\Start Menu\\SearchApp.exe\"" 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Users\\Public\\Libraries\\backgroundTaskHost.exe\"" 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\RemotePackages\\RemoteApps\\RuntimeBroker.exe\"" 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\dotnet\\StartMenuExperienceHost.exe\"" 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe\"" 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe\"" 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe -
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 43 ipinfo.io 12 ipinfo.io 14 ipinfo.io 42 ipinfo.io -
Drops file in System32 directory 2 IoCs
description ioc Process File created \??\c:\Windows\System32\CSCAACA5A80DE1842DFAF5169F14783542D.TMP csc.exe File created \??\c:\Windows\System32\kpkopw.exe csc.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files\dotnet\StartMenuExperienceHost.exe 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe File created C:\Program Files\dotnet\55b276f4edf653 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\ja-JP\dllhost.exe 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe File created C:\Windows\ja-JP\5940a34987c991 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe File created C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe File created C:\Windows\RemotePackages\RemoteApps\9e8d7a4ca61bd9 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe File created C:\Windows\ja-JP\dllhost.exe 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 3532 PING.EXE -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 3532 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3260 schtasks.exe 1736 schtasks.exe 912 schtasks.exe 956 schtasks.exe 3656 schtasks.exe 3952 schtasks.exe 1640 schtasks.exe 3040 schtasks.exe 3320 schtasks.exe 4456 schtasks.exe 1596 schtasks.exe 1544 schtasks.exe 2768 schtasks.exe 1696 schtasks.exe 2696 schtasks.exe 1404 schtasks.exe 4696 schtasks.exe 2936 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1324 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe Token: SeDebugPrivilege 4488 powershell.exe Token: SeDebugPrivilege 4420 powershell.exe Token: SeDebugPrivilege 2368 powershell.exe Token: SeDebugPrivilege 3500 powershell.exe Token: SeDebugPrivilege 3192 powershell.exe Token: SeDebugPrivilege 4676 powershell.exe Token: SeDebugPrivilege 1324 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 2160 wrote to memory of 3588 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 90 PID 2160 wrote to memory of 3588 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 90 PID 3588 wrote to memory of 4704 3588 csc.exe 92 PID 3588 wrote to memory of 4704 3588 csc.exe 92 PID 2160 wrote to memory of 4676 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 108 PID 2160 wrote to memory of 4676 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 108 PID 2160 wrote to memory of 4420 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 109 PID 2160 wrote to memory of 4420 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 109 PID 2160 wrote to memory of 2368 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 110 PID 2160 wrote to memory of 2368 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 110 PID 2160 wrote to memory of 3500 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 111 PID 2160 wrote to memory of 3500 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 111 PID 2160 wrote to memory of 3192 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 112 PID 2160 wrote to memory of 3192 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 112 PID 2160 wrote to memory of 4488 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 113 PID 2160 wrote to memory of 4488 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 113 PID 2160 wrote to memory of 4472 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 120 PID 2160 wrote to memory of 4472 2160 6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe 120 PID 4472 wrote to memory of 3528 4472 cmd.exe 122 PID 4472 wrote to memory of 3528 4472 cmd.exe 122 PID 4472 wrote to memory of 3532 4472 cmd.exe 123 PID 4472 wrote to memory of 3532 4472 cmd.exe 123 PID 4472 wrote to memory of 1324 4472 cmd.exe 134 PID 4472 wrote to memory of 1324 4472 cmd.exe 134 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe"C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1up5vusy\1up5vusy.cmdline"2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3588 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA2F7.tmp" "c:\Windows\System32\CSCAACA5A80DE1842DFAF5169F14783542D.TMP"3⤵PID:4704
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Start Menu\SearchApp.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4676
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\backgroundTaskHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4420
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2368
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\StartMenuExperienceHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3500
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\dllhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3192
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4488
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u3YNNGkAjA.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:3528
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3532
-
-
C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe"C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1324
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Start Menu\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Start Menu\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Libraries\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\dotnet\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3260
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\dotnet\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\ja-JP\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ja-JP\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\ja-JP\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e586" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e586" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\6a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58.exe.log
Filesize2KB
MD5fb439153f3774b1c4f02ec154d525829
SHA183f284b217d57ea407a4c9fa90133b8b11c173a7
SHA256640fc9ffd4a6afecff4f61ac9484f4722fa7fb9ed4f1b9aa36d1f28c9e227b33
SHA512f0cc8a5e88ddb034cd9ab37997f8cd1ea32460d04dc636b0a9f16d5dede430ad1a8e929b0e3dc4224dcab838b7f02423790ad004f48a9abf46c8098663ae2bb4
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
1KB
MD587359ce8075b74a9bcc2501292cea4a7
SHA10c25b2667a9cbdbb99faeeab3efc8d16977683e6
SHA256e98c23b975a07994713a02d576bcc5819c2da328a72a4ff066cf3c4549039aa6
SHA5126deeb43b216b7c15911467c82015da248ea84a9f026d545dfeac392fee33807381c796b41441c7cf5506ddd8197f5ce675c832641ece99c0ad004a68426a4e21
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
230B
MD5c9abed4566092e2451550229ebcee6ee
SHA19d0eb3a3e9d14ac00b61977e8bb349d349287e42
SHA256e78a471156d5ba77ae6c6ab7ddec6559498faf13529944ed2a4a0eeaebb922cb
SHA512057ed11bcec6975d379480709accd25ab018d9a89dd2ec3cac760e9cf6b121e36c813b85dcbd73fcfec1b2fbba43a49529a6ddf12676e491dc238c0b9a06c01f
-
Filesize
2.0MB
MD543a09f586ae8fe86191c47743b5cf744
SHA1a8bc2177c871d0d29e93737a7ebcaa3da8f182de
SHA2566a639fdba14515cf938af997b4c0bd2093b1e099bed8eb4d7950ea5d18e13e58
SHA512ff8acde081b435a1bb0f204359bd7227b380a66e61472546016db41c53c7708c91215af8fbc3fdc8a99d1e15f6139c3e278b04dc483ecc3d952a2d1240efa104
-
Filesize
373B
MD5445a41ef5082677d2b7e186c24217d80
SHA1b6ca840e3dc7a9235344373fd6befbc63721c794
SHA256fcde1ac0dfd752633140e9b13ad2d2163db08bc0d8fca64d09b90f1f79d69bf2
SHA512abf1ce07ce8b85c289562c8da640f0d74e8245de3d039cc445c4be5d0f61465405d180d0d86cf4a858361a5b9d433cb69b33a6457b5beefd537d87d33d9d829e
-
Filesize
235B
MD5a295506adce945cfb12e88deed336254
SHA191d86e1a0d5f09bff53628f7a409578384191fa8
SHA25669e49d732802080f3d560e03ccd43e8c7959ab56d810062693d370d98ba64271
SHA512e11ccec6adb4f7be172561e3fe1b044b3abd257c8d640859dd14f530caa8c739bc956d13f1a98892c221d4d361bd9c63bf409567ede1ae1bccc31927c2f9b518
-
Filesize
1KB
MD57bbfaf1199741b237d2493615c95c6d7
SHA186d466217c4dc1e0808f83ceda8f4b4df948b5dc
SHA256e20e4619dbc932a216fd93f86fe0af2e915f4c2ba6177fc3581da59885094476
SHA5122eda9bf71dc4a4583b7b8e9a6aab0f91d98cca68ee4309df1a4d26541917678da09a15d712397ae4b95fe95b65c8aa6eeab94d7620a5546b3df6c00306ef4a5c