Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 14-11-2024 07:00
Static task: static1
Behavioral task: behavioral1
Sample: f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Resource: win7-20240903-en
General
Target: f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
Size: 4.9MB
MD5: 06f186fc55f38b20a7273da22fe0007a
SHA1: 3eae6dd2aec4dcd82864b9fbe446e85ea603784b
SHA256: f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7
SHA512: 05ea938925775b835e347265e255372c0c2deee1d68b356836c85b93f5751fced8ca8d758ebdc745c0274c53c9c350e63cc2a8624b99aa345438b2963b2a1f37
SSDEEP: 49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Signatures
DcRat
DarkCrystal RAT (DCRat) is a .NET remote-access trojan, active since June 2019, that can load additional plugins at runtime.
Dcrat family
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run, however, all 18 schtasks.exe instances share the same parent, PID 536 (C:\Windows\system32\wbem\wmiprvse.exe). That is the pattern left when a process launches commands through WMI (Win32_Process.Create): the WMI provider host, not the caller, becomes the recorded parent. The real initiator therefore has to be recovered from WMI activity logging or from the scheduled tasks those calls created, not from this parent/child relationship alone.
Processes:
Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 536) is not expected to spawn schtasks.exe. Child schtasks.exe PIDs: 2880, 2876, 2732, 2856, 2612, 2600, 2744, 2576, 2592, 1864, 1056, 2212, 1560, 1924, 1236, 2792, 2112, 1712
UAC bypass 39 IoCs
Processes:
f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe and the wininit.exe instances write the following values under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (39 writes in total, 13 per value: one by the original sample and 12 by wininit.exe):
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
Note that EnableLUA = 0 only takes full effect after a reboot, whereas ConsentPromptBehaviorAdmin = 0 (elevate without prompting) and PromptOnSecureDesktop = 0 are read at elevation time, so later elevation attempts by the RAT on this host go unchallenged.
YARA match:
resource: behavioral1/memory/2104-3-0x000000001B6B0000-0x000000001B7DE000-memory.dmp (PID 2104), rule: dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Runs PowerShell to modify Windows Defender settings. Here it is twelve separate Add-MpPreference -ExclusionPath calls, one for C:\ itself and the rest for top-level directories under it (see the process tree below), which would exclude effectively the whole volume from scanning. Exclusions can also target file extensions and processes, but only path exclusions appear in this run. The Defender cmdlets are not part of Windows 7, so on the image used here the calls fail; the behaviour is nonetheless a strong indicator, and on Windows 10/11 it succeeds when the calling process is elevated.
Processes:
powershell.exe PIDs: 1492, 2496, 236, 2260, 2544, 1032, 2396, 1812, 1732, 2960, 916, 2444
Executes dropped EXE 12 IoCs
Processes:
wininit.exe PIDs: 2892, 1916, 264, 2128, 2212, 1536, 2548, 1344, 2224, 2184, 1876, 796
Checks whether UAC is enabled 26 IoCs
Processes:
f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe and the 12 wininit.exe instances each read the value and then overwrite it:
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (13 reads)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (13 writes)
Drops file in Program Files directory 8 IoCs
Processes:
f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
File created C:\Program Files\Common Files\System\ja-JP\wininit.exe
File created C:\Program Files\Common Files\System\ja-JP\56085415360792
File opened for modification C:\Program Files\Common Files\System\ja-JP\RCXC14F.tmp
File opened for modification C:\Program Files\Common Files\System\ja-JP\wininit.exe
File created C:\Program Files\VideoLAN\VLC\spoolsv.exe
File created C:\Program Files\VideoLAN\VLC\f3b6ecef712a24
File opened for modification C:\Program Files\VideoLAN\VLC\RCXC7C9.tmp
File opened for modification C:\Program Files\VideoLAN\VLC\spoolsv.exe
Drops file in Windows directory 4 IoCs
Processes:
f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
File created C:\Windows\ServiceProfiles\sppsvc.exe
File created C:\Windows\ServiceProfiles\0a1fd5f707cd16
File opened for modification C:\Windows\ServiceProfiles\RCXBCDA.tmp
File opened for modification C:\Windows\ServiceProfiles\sppsvc.exe
The dropped names (wininit.exe, spoolsv.exe, sppsvc.exe) are legitimate Windows binaries that live in C:\Windows\System32; copies under Program Files or C:\Windows\ServiceProfiles are masquerading, and each copy is written alongside a short random-named companion file and a temporary RCX*.tmp file.
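As an added example (not from the sandbox report or any vendor tool), a check that flags Windows system-binary names written outside the system directories and groups them with the other files dropped next to them. SAMPLE_EVENTS is constructed from the file paths listed above plus one made-up benign entry; SYSTEM_BINARY_NAMES and LEGIT_DIRS are assumptions to tune against your own baseline.

```python
"""Flag system-binary names written outside the Windows system directories
(masquerading, as with the wininit.exe / spoolsv.exe / sppsvc.exe drops above).

Added example; not from the sandbox report or any vendor tool. SAMPLE_EVENTS is
constructed from the file paths in this report plus one made-up benign entry;
SYSTEM_BINARY_NAMES and LEGIT_DIRS are assumptions to tune per environment.
"""
import ntpath
from typing import Dict, List

# Binaries that belong in the system directories; a copy anywhere else is a
# masquerade candidate regardless of what the file's own metadata claims.
SYSTEM_BINARY_NAMES = {"wininit.exe", "spoolsv.exe", "sppsvc.exe", "svchost.exe",
                       "lsass.exe", "csrss.exe", "services.exe", "smss.exe"}

# Directory prefixes where those names are legitimate (compared case-insensitively).
LEGIT_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")


def _norm(path: str) -> str:
    """Normalise separators, collapse '..' and lower-case (NTFS is case-insensitive)."""
    return ntpath.normpath(path).lower()


def is_masqueraded_system_binary(path: str) -> bool:
    """True when the basename is a known system binary but the directory is not
    one of the legitimate system locations."""
    p = _norm(path)
    if ntpath.basename(p) not in SYSTEM_BINARY_NAMES:
        return False
    return not any(p.startswith(d + "\\") for d in LEGIT_DIRS)


def find_masquerades(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each masqueraded binary (normalised path) to the other files written
    to its directory in the same run; in this report that is where the
    random-named companion files and RCX*.tmp files landed."""
    by_dir: Dict[str, set] = {}
    for ev in events:
        p = _norm(ev["path"])
        by_dir.setdefault(ntpath.dirname(p), set()).add(p)
    hits: Dict[str, List[str]] = {}
    for files in by_dir.values():
        for p in files:
            if is_masqueraded_system_binary(p):
                hits[p] = sorted(f for f in files if f != p)
    return hits


# Constructed from the report's file IoCs; the last entry is a made-up benign control.
SAMPLE_EVENTS = [
    {"op": "created", "path": r"C:\Program Files\Common Files\System\ja-JP\wininit.exe"},
    {"op": "created", "path": r"C:\Program Files\Common Files\System\ja-JP\56085415360792"},
    {"op": "modified", "path": r"C:\Program Files\Common Files\System\ja-JP\RCXC14F.tmp"},
    {"op": "created", "path": r"C:\Program Files\VideoLAN\VLC\spoolsv.exe"},
    {"op": "created", "path": r"C:\Program Files\VideoLAN\VLC\f3b6ecef712a24"},
    {"op": "modified", "path": r"C:\Program Files\VideoLAN\VLC\RCXC7C9.tmp"},
    {"op": "created", "path": r"C:\Windows\ServiceProfiles\sppsvc.exe"},
    {"op": "created", "path": r"C:\Windows\ServiceProfiles\0a1fd5f707cd16"},
    {"op": "modified", "path": r"C:\Windows\ServiceProfiles\RCXBCDA.tmp"},
    {"op": "modified", "path": r"C:\Windows\System32\spool\PRINTERS\00001.SPL"},
]

if __name__ == "__main__":
    for binary, siblings in find_masquerades(SAMPLE_EVENTS).items():
        print(binary, "->", siblings)
```

The prefix check deliberately keys on the directory rather than the file's version resource or signature: the RAT's copies carry whatever name it chose, and a name-plus-location rule is cheap enough to run over every file-create event from an EDR feed.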
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe PIDs: 2592, 1864, 2856, 2576, 2112, 1712, 2744, 2792, 2600, 2212, 1560, 1924, 1236, 2876, 2612, 1056, 2880, 2732
Suspicious behavior: EnumeratesProcesses 25 IoCs
Processes:
2104 f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
powershell.exe PIDs: 1812, 2260, 2960, 916, 1492, 2444, 236, 2496, 1732, 2544, 1032, 2396
wininit.exe PIDs: 2892, 1916, 264, 2128, 2212, 1536, 2548, 1344, 2224, 2184, 1876, 796
Suspicious use of AdjustPrivilegeToken 25 IoCs
Processes:
Token: SeDebugPrivilege, enabled by each of the following:
2104 f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe
powershell.exe PIDs: 1812, 2260, 2960, 916, 1492, 2444, 236, 2496, 1732, 2544, 1032, 2396
wininit.exe PIDs: 2892, 1916, 264, 2128, 2212, 1536, 2548, 1344, 2224, 2184, 1876, 796
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Process creation chain recorded through WriteProcessMemory. In the raw log every spawn appears three times; each is listed once here:
PID 2104 f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe wrote to memory of powershell.exe PIDs 2444, 1032, 2544, 1492, 2496, 236, 2260, 2396, 1812, 1732, 2960, 916
PID 2104 f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe wrote to memory of 696 cmd.exe
PID 696 cmd.exe wrote to memory of 1936 w32tm.exe
PID 696 cmd.exe wrote to memory of 2892 wininit.exe
PID 2892 wininit.exe wrote to memory of 1148 WScript.exe
PID 2892 wininit.exe wrote to memory of 2756 WScript.exe
PID 1148 WScript.exe wrote to memory of 1916 wininit.exe
PID 1916 wininit.exe wrote to memory of 2352 WScript.exe
PID 1916 wininit.exe wrote to memory of 1668 WScript.exe
PID 2352 WScript.exe wrote to memory of 264 wininit.exe
PID 264 wininit.exe wrote to memory of 2600 WScript.exe (the raw list stops here at the 64-entry cap)
The chain is sample -> cmd.exe -> w32tm.exe, then the dropped wininit.exe, after which each wininit.exe starts two WScript.exe instances and one of them starts the next wininit.exe copy. The cmd.exe -> w32tm.exe step before the payload is consistent with a batch-file delay loop, but the w32tm command line is not captured in this report.
System policy modification 1 TTPs 39 IoCs
Processes:
f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe (once per value) and the wininit.exe instances (12 writes per value) set, under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (13 writes)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (13 writes)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (13 writes)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
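As an added example (not part of the sandbox report and not a vendor rule), detection logic for three of the behaviours recorded above, run over a constructed event stream: schtasks.exe spawned by WmiPrvSE.exe, the UAC policy values zeroed in the registry, and Add-MpPreference path exclusions that cover a drive root or a whole top-level directory. The event dicts use an assumed, simplified Sysmon-like shape (type, pid, image, parent_image, parent_pid, command_line, key, value, data); the PIDs and paths in SAMPLE_EVENTS are copied from this report, the two benign control events are made up.

```python
"""Detection rules for behaviours in this report: schtasks.exe spawned by
WmiPrvSE.exe, UAC policy values zeroed, and broad Defender path exclusions.

Added example, not from the sandbox report and not a vendor rule. Event field
names are an assumed simplified Sysmon-like schema; SAMPLE_EVENTS copies PIDs
and paths from the report, plus two made-up benign control events.
"""
import re
from typing import Dict, List, Optional

UAC_POLICY_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}

# Interpreters and LOLBins the WMI provider host is not expected to launch on a
# typical endpoint. Processes created through WMI (Win32_Process.Create) get
# WmiPrvSE.exe as their parent, so tune this set for hosts managed via WMI.
WMI_UNEXPECTED_CHILDREN = {"schtasks.exe", "cmd.exe", "powershell.exe",
                           "wscript.exe", "cscript.exe", "rundll32.exe", "mshta.exe"}

# Add-MpPreference -ExclusionPath pointing at a drive root or one top-level
# directory (C:/, C:/Users/, ...). Deeper paths do not match.
BROAD_EXCLUSION = re.compile(
    r"Add-MpPreference\b.*?-ExclusionPath\s+['\"]?"
    r"([A-Za-z]:[\\/](?:[^\\/'\"]+[\\/]?)?)(?=['\"\s]|$)",
    re.IGNORECASE,
)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: Dict) -> Optional[str]:
    """Rules over a process-creation event; returns a finding string or None."""
    parent = _basename(ev.get("parent_image", ""))
    child = _basename(ev.get("image", ""))
    if parent == "wmiprvse.exe" and child in WMI_UNEXPECTED_CHILDREN:
        return (f"wmi_spawned_child: {child} pid {ev['pid']} "
                f"parent WmiPrvSE.exe pid {ev['parent_pid']}")
    m = BROAD_EXCLUSION.search(ev.get("command_line", ""))
    if m:
        return f"defender_broad_exclusion: pid {ev['pid']} excludes {m.group(1)}"
    return None


def check_registry(ev: Dict) -> Optional[str]:
    """Rule over a registry-set event: any of the three UAC policy values set to 0."""
    key = ev.get("key", "").replace("\\REGISTRY\\MACHINE\\", "HKLM\\")
    if (key.lower() == UAC_POLICY_KEY.lower()
            and ev.get("value") in UAC_VALUES and str(ev.get("data")) == "0"):
        return (f"uac_weakened: {ev['value']}=0 set by "
                f"{_basename(ev['image'])} pid {ev['pid']}")
    return None


def run_rules(events: List[Dict]) -> List[str]:
    findings = []
    for ev in events:
        hit = None
        if ev.get("type") == "process_create":
            hit = check_process(ev)
        elif ev.get("type") == "registry_set":
            hit = check_registry(ev)
        if hit:
            findings.append(hit)
    return findings


SAMPLE = "f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe"
SAMPLE_EVENTS = [
    # From the report: schtasks.exe child of wmiprvse.exe PID 536.
    {"type": "process_create", "pid": 2880, "image": "C:\\Windows\\System32\\schtasks.exe",
     "parent_image": "C:\\Windows\\system32\\wbem\\wmiprvse.exe", "parent_pid": 536,
     "command_line": "schtasks.exe"},
    # From the report: one of the twelve Defender exclusion calls.
    {"type": "process_create", "pid": 236,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE, "parent_pid": 2104,
     "command_line": "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'"},
    # From the report: the sample zeroing EnableLUA.
    {"type": "registry_set", "pid": 2104, "image": SAMPLE,
     "key": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
     "value": "EnableLUA", "data": 0},
    # Made-up benign controls: ordinary parent/child, and a narrow exclusion.
    {"type": "process_create", "pid": 4100, "image": "C:\\Windows\\explorer.exe",
     "parent_image": "C:\\Windows\\System32\\userinit.exe", "parent_pid": 4000,
     "command_line": "explorer.exe"},
    {"type": "process_create", "pid": 4200,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "parent_pid": 4100,
     "command_line": "powershell -Command Add-MpPreference -ExclusionPath 'C:/Users/dev/build/out'"},
]

if __name__ == "__main__":
    for finding in run_rules(SAMPLE_EVENTS):
        print(finding)
```

The registry rule matches on data "0" rather than on any write, because configuration management also touches these values; the exclusion rule matches only root-level paths, because a narrow exclusion for a build directory is routine while one for C:\ or C:\Users\ is not.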
Processes
Each entry carries its nesting level from the process tree; a process's parent is the nearest preceding entry one level up.
- [level 1] C:\Users\Admin\AppData\Local\Temp\f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe (PID 2104)
  command line: "C:\Users\Admin\AppData\Local\Temp\f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7.exe"
  signatures: UAC bypass; Checks whether UAC is enabled; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
- [level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2444)
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- [level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1032)
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- [level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2544)
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- [level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1492)
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- [level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2496)
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- [level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 236)
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- [level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2260)
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- [level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2396)
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- [level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1812)
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- [level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1732)
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- [level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2960)
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- [level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 916)
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- [level 2] C:\Windows\System32\cmd.exe (PID 696)
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dmdigGiX9k.bat"
  signatures: Suspicious use of WriteProcessMemory
- [level 3] C:\Windows\system32\w32tm.exe (PID 1936)
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- [level 3] C:\Program Files\Common Files\System\ja-JP\wininit.exe (PID 2892)
  command line: "C:\Program Files\Common Files\System\ja-JP\wininit.exe"
  signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
- [level 4] C:\Windows\System32\WScript.exe (PID 1148)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4e2ddff-2026-4bc3-87d9-d62b2355ad51.vbs"
  signatures: Suspicious use of WriteProcessMemory
- [level 5] C:\Program Files\Common Files\System\ja-JP\wininit.exe (PID 1916)
  command line: "C:\Program Files\Common Files\System\ja-JP\wininit.exe"
  signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
- [level 6] C:\Windows\System32\WScript.exe (PID 2352)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71760b5f-833f-4d9c-9f19-c4bfbf51450d.vbs"
  signatures: Suspicious use of WriteProcessMemory
- [level 7] C:\Program Files\Common Files\System\ja-JP\wininit.exe (PID 264)
  command line: "C:\Program Files\Common Files\System\ja-JP\wininit.exe"
  signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
- [level 8] C:\Windows\System32\WScript.exe (PID 2600)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7334f90-6213-435d-afc5-c5e9100aec65.vbs"
- [level 9] C:\Program Files\Common Files\System\ja-JP\wininit.exe (PID 2128)
  command line: "C:\Program Files\Common Files\System\ja-JP\wininit.exe"
  signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; System policy modification
- [level 10] C:\Windows\System32\WScript.exe (PID 2964)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a7c9bde-76f9-4b18-8d02-4865f8bf5924.vbs"
- [level 11] C:\Program Files\Common Files\System\ja-JP\wininit.exe (PID 2212)
  command line: "C:\Program Files\Common Files\System\ja-JP\wininit.exe"
  signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; System policy modification
- [level 12] C:\Windows\System32\WScript.exe (PID 400)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f273f590-c5e2-4b4e-82da-177995a9d6b7.vbs"
- [level 13] C:\Program Files\Common Files\System\ja-JP\wininit.exe (PID 1536)
  command line: "C:\Program Files\Common Files\System\ja-JP\wininit.exe"
  signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; System policy modification
- [level 14] C:\Windows\System32\WScript.exe (PID 1000)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92c98b9d-c6ff-4203-b757-2fdd91c60b35.vbs"
- [level 15] C:\Program Files\Common Files\System\ja-JP\wininit.exe (PID 2548)
  command line: "C:\Program Files\Common Files\System\ja-JP\wininit.exe"
  signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; System policy modification
- [level 16] C:\Windows\System32\WScript.exe (PID 2616)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca7a5099-1770-4a4e-bc1d-146d856b9765.vbs"
- [level 17] C:\Program Files\Common Files\System\ja-JP\wininit.exe (PID 1344)
  command line: "C:\Program Files\Common Files\System\ja-JP\wininit.exe"
  signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; System policy modification
- [level 18] C:\Windows\System32\WScript.exe (PID 316)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9086d69c-2bec-4c6a-a5e4-cb1a4215c496.vbs"
- [level 19] C:\Program Files\Common Files\System\ja-JP\wininit.exe (PID 2224)
  command line: "C:\Program Files\Common Files\System\ja-JP\wininit.exe"
  signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; System policy modification
- [level 20] C:\Windows\System32\WScript.exe (PID 2748)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1f56a93-2a58-41e1-b70e-e2e2ca2522c1.vbs"
- [level 21] C:\Program Files\Common Files\System\ja-JP\wininit.exe (PID 2184)
  command line: "C:\Program Files\Common Files\System\ja-JP\wininit.exe"
  signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; System policy modification
- [level 22] C:\Windows\System32\WScript.exe (PID 2580)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48a505bf-63c0-4624-bb7c-0038fbe3d893.vbs"
- [level 23] C:\Program Files\Common Files\System\ja-JP\wininit.exe (PID 1876)
  command line: "C:\Program Files\Common Files\System\ja-JP\wininit.exe"
  signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; System policy modification
- [level 24] C:\Windows\System32\WScript.exe (PID 684)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\764da11e-b267-4164-aeba-f12418cef707.vbs"
- [level 25] C:\Program Files\Common Files\System\ja-JP\wininit.exe (PID 796)
  command line: "C:\Program Files\Common Files\System\ja-JP\wininit.exe"
  signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; System policy modification
- [level 26] C:\Windows\System32\WScript.exe (PID 2648)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\505c898b-b9bd-41df-8001-6309331a6371.vbs"
- [level 26] C:\Windows\System32\WScript.exe (PID 2732)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\662e914d-ab54-4f07-9b3e-e9a7d3e476d4.vbs"
- [level 24] C:\Windows\System32\WScript.exe (PID 856)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54bf8446-e949-4d88-8499-0835ed68f80a.vbs"
- [level 22] C:\Windows\System32\WScript.exe (PID 2168)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a3cf69c-5f63-4bbc-b729-f5fcb2b77adf.vbs"
- [level 20] C:\Windows\System32\WScript.exe (PID 924)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fc9ce3e-e807-4752-bcd1-90726e69ef4d.vbs"
- [level 18] C:\Windows\System32\WScript.exe (PID 1484)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07a02ef5-891b-4cc0-ac1f-3b9991ffd36e.vbs"
- [level 16] C:\Windows\System32\WScript.exe (PID 1776)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0bf9f21a-1586-4255-a7d9-350b7f122214.vbs"
- [level 14] C:\Windows\System32\WScript.exe (PID 2576)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7379d16-bbb1-41f9-b925-a85963f1f184.vbs"
- [level 12] C:\Windows\System32\WScript.exe (PID 952)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d716864-a552-43e7-b6ec-64193eb993a9.vbs"
- [level 10] C:\Windows\System32\WScript.exe (PID 2392)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5ff49f1-0855-42e5-853f-3d6d89204941.vbs"
- [level 8] C:\Windows\System32\WScript.exe (PID 1292)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74003f38-72d3-40b9-872a-37ed554dedc6.vbs"
- [level 6] C:\Windows\System32\WScript.exe (PID 1668)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83e92748-c124-4018-9628-edbe8d87a92e.vbs"
- [level 4] C:\Windows\System32\WScript.exe (PID 2756)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f58f6810-0a54-4cc8-b3d6-885adb49a023.vbs"
- [level 1] C:\Windows\system32\schtasks.exe (PID 2880)
  command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\ServiceProfiles\sppsvc.exe'" /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- [level 1] C:\Windows\system32\schtasks.exe (PID 2876)
  command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\sppsvc.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- [level 1] C:\Windows\system32\schtasks.exe (PID 2732)
  command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\ServiceProfiles\sppsvc.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- [level 1] C:\Windows\system32\schtasks.exe (PID 2856)
  command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Default\smss.exe'" /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- [level 1] C:\Windows\system32\schtasks.exe (PID 2612)
  command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- [level 1] C:\Windows\system32\schtasks.exe (PID 2600)
  command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- [level 1] C:\Windows\system32\schtasks.exe (PID 2744)
  command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\System\ja-JP\wininit.exe'" /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- [level 1] C:\Windows\system32\schtasks.exe (PID 2576)
  command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\ja-JP\wininit.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- [level 1] C:\Windows\system32\schtasks.exe (PID 2592)
  command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\System\ja-JP\wininit.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- [level 1] C:\Windows\system32\schtasks.exe (PID 1864)
  command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\spoolsv.exe'" /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- [level 1] C:\Windows\system32\schtasks.exe (PID 1056)
  command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- [level 1] C:\Windows\system32\schtasks.exe (PID 2212)
  command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- [level 1] C:\Windows\system32\schtasks.exe (PID 1560)
  command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- [level 1] C:\Windows\system32\schtasks.exe (PID 1924)
  command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- [level 1] C:\Windows\system32\schtasks.exe (PID 2792)
  command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- [level 1] C:\Windows\system32\schtasks.exe (PID 1236)
  command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\spoolsv.exe'" /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- [level 1] C:\Windows\system32\schtasks.exe (PID 2112)
  command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\spoolsv.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- [level 1] C:\Windows\system32\schtasks.exe (PID 1712)
  command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\spoolsv.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
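The three behaviours this report records can be turned directly into triage rules: the System policy modification writes that set EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop to 0; the twelve PowerShell children that add every top-level directory of C:\ (and the drive root itself) as a Windows Defender exclusion; and the eighteen schtasks.exe tasks that re-launch copies named sppsvc.exe, smss.exe, wininit.exe, spoolsv.exe and dllhost.exe from outside System32 every few minutes and at logon with /rl HIGHEST. The Python below is an added example, not code from the sandbox or from the sample. It runs event lines constructed from this report through those three checks. The rule names, the SYSTEM_BINARY_NAMES set, the 15-minute threshold and the two benign control lines are the example's own assumptions.

```python
"""Triage rules over the event lines this report prints.

Added example, not code from the sandbox or from the sample. Three checks:
UAC policy values written to 0, Windows Defender exclusions added with
Add-MpPreference, and schtasks persistence whose action borrows a Windows
system binary name but lives outside System32.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# HKLM\...\Policies\System values that switch UAC prompting off when set to 0.
POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_POLICY_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}

# Assumed list: binaries that legitimately exist only under %SystemRoot%\System32.
SYSTEM_BINARY_NAMES = {"wininit.exe", "smss.exe", "spoolsv.exe", "dllhost.exe",
                       "sppsvc.exe", "csrss.exe", "lsass.exe", "svchost.exe"}
SYSTEM32 = "c:\\windows\\system32\\"
FREQUENT_MINUTES = 15  # assumed threshold for "re-runs suspiciously often"


@dataclass
class Finding:
    rule: str
    detail: str


def check_registry_set(event: str) -> Optional[Finding]:
    """Parse 'Set value (int) <key>\\<value> = "<data>" <process>' as the report logs it."""
    m = re.match(r'Set value \(\w+\) (.+)\\(\w+) = "(\d+)" (\S+)$', event)
    if not m:
        return None
    key, value, data, proc = m.groups()
    if key.lower() == POLICY_KEY.lower() and value in UAC_POLICY_VALUES and data == "0":
        return Finding("uac_policy_disabled", f"{proc} set {value}=0")
    return None


def check_defender_exclusion(cmdline: str) -> Optional[Finding]:
    """A path exclusion at a drive root or top-level folder blinds Defender to nearly everything."""
    m = re.search(r"Add-MpPreference\s+-Exclusion(Path|Extension|Process)\s+'([^']*)'", cmdline, re.I)
    if not m:
        return None
    kind, target = m.groups()
    depth = target.replace("/", "\\").rstrip("\\").count("\\")  # 'C:/' -> 0, 'C:/Users/' -> 1
    severity = "high" if kind == "Path" and depth <= 1 else "medium"
    return Finding(f"defender_exclusion_{severity}", f"{kind}: {target}")


def check_schtasks(cmdline: str) -> Optional[Finding]:
    """Flag schtasks /create whose action impersonates a system binary, runs elevated or re-runs often."""
    if not re.search(r"schtasks(\.exe)?\s+/create", cmdline, re.I):
        return None
    tn = re.search(r'/tn\s+"([^"]+)"', cmdline, re.I)
    tr = re.search(r'''/tr\s+"'?([^"']+)'?"''', cmdline, re.I)  # the report wraps the path as "'path'"
    if not tr:
        return None
    target = tr.group(1)
    name = target.rsplit("\\", 1)[-1].lower()
    reasons = []
    if name in SYSTEM_BINARY_NAMES and not target.lower().startswith(SYSTEM32):
        reasons.append(f"{name} outside System32")
    if re.search(r"/rl\s+HIGHEST", cmdline, re.I):
        reasons.append("runs with highest privileges")
    mo = re.search(r"/sc\s+MINUTE\s+/mo\s+(\d+)", cmdline, re.I)
    if mo and int(mo.group(1)) <= FREQUENT_MINUTES:
        reasons.append(f"re-runs every {mo.group(1)} min")
    if re.search(r"/sc\s+ONLOGON", cmdline, re.I):
        reasons.append("runs at logon")
    if not reasons:
        return None
    task = tn.group(1) if tn else "?"
    return Finding("schtasks_persistence", f"{task} -> {target}: " + "; ".join(reasons))


RULES: List[Callable[[str], Optional[Finding]]] = [check_registry_set, check_defender_exclusion, check_schtasks]


def triage(events: List[str]) -> List[Finding]:
    """Apply the rules in order; the first rule that fires on an event wins."""
    findings = []
    for event in events:
        for rule in RULES:
            hit = rule(event)
            if hit is not None:
                findings.append(hit)
                break
    return findings


# Constructed from this report's registry writes and command lines; the two
# entries marked "control" are hypothetical benign events that must not fire.
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wininit.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" wininit.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" regedit.exe',  # control
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'",
    r'''schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\ServiceProfiles\sppsvc.exe'" /f''',
    r'''schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\ja-JP\wininit.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "ExampleUpdater" /sc DAILY /tr "C:\Program Files\ExampleVendor\updater.exe" /f''',  # control
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.detail}")
```

Run as a script it prints one line per finding; the two control events produce none. The registry rule parses the event text in the form this report prints it, so an EDR's own event schema would need a different front end, but the decisions (policy value written to 0, exclusion depth, system binary name outside System32 plus /rl HIGHEST or a short /mo interval) carry over unchanged.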
Network
MITRE ATT&CK Enterprise v15
- Execution
  - Command and Scripting Interpreter (1): PowerShell (1)
  - Scheduled Task/Job (1): Scheduled Task (1)
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  - Scheduled Task/Job (1): Scheduled Task (1)
Downloads
- Filesize: 4.9MB
  MD5: 06f186fc55f38b20a7273da22fe0007a
  SHA1: 3eae6dd2aec4dcd82864b9fbe446e85ea603784b
  SHA256: f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7
  SHA512: 05ea938925775b835e347265e255372c0c2deee1d68b356836c85b93f5751fced8ca8d758ebdc745c0274c53c9c350e63cc2a8624b99aa345438b2963b2a1f37
- Filesize: 730B
  MD5: cee9dc73efed7df2b14f57ef2031e551
  SHA1: a6d609f89c1e03677cf6f3fcc54eda1b918418a1
  SHA256: f2ebd79b467f1ac045d05f11747c8e3ff9d403e54c075515c21de8d29b0d7092
  SHA512: 8f94737cdd381d4646ceaea11ada390986c1d4705849c083dd559f8cff7e4587d9f8b9c3608fdbd613e076416d94309f217c5eb76150c0c002608d198650f042
- Filesize: 730B
  MD5: 4d143ed8bb144ae2b7ee8f603b0459a9
  SHA1: be511c9c43995f59e1dcd4d2fb020b41b31429cb
  SHA256: fa8f61a7cf970392f21bd57c6686b6900f0167e50f6d37e80479225c4261db23
  SHA512: 0da4ca8e26c20b13de86d7eb689a4278c63d1268bd4d843e7600593b4be194f20b2a60f7440ae704693508f15d3f02d2d3e475244782583bd5d2fcb325138653
- Filesize: 729B
  MD5: 01c8c52d50fd2582e1f3d6b2861fd692
  SHA1: 60bc6d27024165c67f92f0faca76fb527ff76d6a
  SHA256: 64c6c08dd54a999659fd8e2d9f4ed03bf93ffc1f12d4f6816bb7370998c3d731
  SHA512: 2d7bec374f11277650fa025378c55a5cf89a5e40d3cb537c090080fe77252cb86d108e3a496b1589ac6b301fef6b9fc0e370b20ef9dcf8e1cfb7eb36b41b3a0b
- Filesize: 730B
  MD5: 5664e511d060159908b76e25982d1fe7
  SHA1: 90fc604c87082f440e4ac014c671fcf5722f4a77
  SHA256: 3accf91528fbd61fc1c958ef5df570457ea1b4f6165ef481792915a30b1061d0
  SHA512: 507fcfc855b2c962929a95ee62676dcaf953f8f9b5c26750b4fd6eb20ce7b277372a03145b5c1ba0fdab9aa2251240c459c1d1ffa8113b5e621f863d32024dd2
- Filesize: 730B
  MD5: 5ae7d0d4902d03a0e1159e34c660900f
  SHA1: c6b8d825bcd2f5643987840b9cffdb7a4e2eb3c6
  SHA256: a8d59ff6aae52710df01590c87dcd78f346ca16c46f7ed74930b7c9b41cbb9a0
  SHA512: 2fa0d8511bf08a75eb5deb62fb083622a22593bc31545db6f9e447c4a962157c670a4e4ba2927f25443f24a7ff3556443e38c058be25a2a80825f131fb6dd9d8
- Filesize: 730B
  MD5: d56f62f58ba448b2e96df4453be0a67c
  SHA1: 5e6935871b0313cdbfe55f0fc63441136fc6e0bb
  SHA256: 19a526807f3a344ccaaf72c3055ff9bb837148b9ba3161a5ba209c2a896c25ab
  SHA512: ae54dffc6d712b0e25e07ed5954297748f750ff04bf66c1ff475995cc4c733769628898ac13f5e3deb29a64c1972e924e1bc022b391aeadf9b09ff6ca243229d
- Filesize: 730B
  MD5: 1707e423423d0882ce26b876877b9772
  SHA1: 09ea901a3eb98d75a5f9684895f6734e15375fb7
  SHA256: 28cdfc8e435b5a4078e7e515bb83f6bcd4a6d98083e6824a99e15e24afb050ac
  SHA512: 5b7075121d4c3e6e491d8a64bcfb71b8968e7f0968f86f7517bd73951383c516649cc4634bead2c2c14e501871c1027fbf5c4640c667f73d628041dbb0a26f71
- Filesize: 729B
  MD5: c48c74a81a4666c1683a2bde4dc122f5
  SHA1: 0128fa162c81e69bbecae0737380998d382eb34e
  SHA256: 525fc74688a84e224f87a0a0570022410df4a69dd59fff6a91a99ecae20c21d7
  SHA512: 4c2886702512555ab5f2e1c265a8786ecb596cee90ab6ab5538f66d549416a10fe0abecf090ab5380272c9008529814e77b11501cf4808e602f9ffd420618f35
- Filesize: 730B
  MD5: 1604b7b105b924b0813e24a0357e8d28
  SHA1: 8d5668c107174e78c32c1fe891d5d37b4ad9553b
  SHA256: bdeb5f2fdf4f853a82f214f11f4549ba42b9fc5baf319f7af7e8f3cdc785f11a
  SHA512: 4247c8bd0200afac51a94ba4838413eb5cb8f4ccdcdf74767579ff4d12547b323054ac67351554da92cdc578398a543de2d32df8e8b8221ef72e63c337dc7004
- Filesize: 730B
  MD5: c82141afd15678e3ec2efd451b1fa23f
  SHA1: 539f42ee9c782824b7bb364a198fea8d66a4e963
  SHA256: 13e66fa5778a925a1ec09b4db68c2633a572bb2310c0870c3781a5d19eb278a8
  SHA512: 304ca0fe1b6a5cae9ad7bd75547a1d5a6271b3a5d6e80040ee2b60cd0afc18372c28bd37a6c242a2a37ecc7a3cb2a37983385e770a7fc92eac0664b73be961ca
- Filesize: 219B
  MD5: 4ec9aba2838e0bcc48535596397f1422
  SHA1: ac2d44810b189d21f16f33736c08d6bd420e0b5c
  SHA256: f1c0047409d18a98bf45250d6727eb7d65224b02220cc96e86c57d72651b2277
  SHA512: 47d13987e32d06ef1e9152e3c9ab2ce0d073e604a2fb2570bc011a9f17ab51d42478c776531ffe5b920ea7ace2c2ed553a95bd0cb8344947ad59b4c4178fe4f8
- Filesize: 730B
  MD5: 6581d9b74b99b84efebc944ce6225688
  SHA1: e5ae0f366f62c63b7631ec30965ae43f4b5d3946
  SHA256: 6b8ff96314689b31517e33f00bbf1433e033f61ca11d5c2de41a75805e7ecff8
  SHA512: 722b84ae1340904db70adbdbb38643f7d16eeb86dcba5ab7e70f48649fe46cf284247a575b1365b98986c1210f59dbb198fe9379ced284a09738246b1eaf6324
- Filesize: 730B
  MD5: ee657fed157376ccaa91229f776464fd
  SHA1: 8a1876b890576a99107ee772032eb95279a7365a
  SHA256: d480bd8d69490c3fde1bac4f4dd2f37d94581fdb4bb58b9d4c2a6daa6c6fc98b
  SHA512: 0f90fe56b313f7c75864de81782c90d13a43b8537191d32a336c1bdb448f8d5039f62d4b37c4fb2cfca1baf06e609fe982c009f63ea8b356162b4b9e539c5db0
- Filesize: 506B
  MD5: 96f457984857f106833b72f89a1853a9
  SHA1: f125b7a4672be5601a14667ae202788024ea946c
  SHA256: b76a982332ad3f7283d1448ffec37a4f898beeb2137065dbce3372ac3545376e
  SHA512: f55e4ef6416964efb788ae898fe83a04d0ca952a04fbf8b82f452ad88e84ffc85f0f108d5d32ddbf63308cd9ea944be0cd5b93c711f9c033eb8f9d830728f88b
- Filesize: 75KB
  MD5: e0a68b98992c1699876f818a22b5b907
  SHA1: d41e8ad8ba51217eb0340f8f69629ccb474484d0
  SHA256: 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
  SHA512: 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 2f4850be2c19a5e2d8c25f6f03d30551
  SHA1: 91e9b260eab312f696632e00a87a0b58c5ba0dcf
  SHA256: c1527a524629bcc9707881383ad455d549a0ac4f870936f1909cb15f1486f1b7
  SHA512: c372a7fce475bcd70cef3feb2c9bd36156fec9008073b6439b006d04173c3a894661ac27af07fb1729c799573cbc6dced528aaf16b6450d36e2ec4ee8672566e