Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 14-11-2024 20:53
Static task: static1
Behavioral task: behavioral1
Sample: 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe
Resource: win7-20240729-en

General
Target: 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe
Size: 4.9MB
MD5: 87d29654a3f89b1adc596d2ef22f94dd
SHA1: 28b9d0678b858302d9a6b8737fd094ff0ee59308
SHA256: 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be
SHA512: 3d8db28ba156c13e865ec24e34e38326fe90e64499e8be9fde05a46d7278c8ea431e2f702a69ede893d220331becea9871f278c8809820b9772fc1f033fa05f9
SSDEEP: 49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process 21 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2404 | 2084 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2060 | 2084 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2780 | 2084 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2888 | 2084 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2736 | 2084 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2640 | 2084 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2792 | 2084 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2976 | 2084 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2332 | 2084 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2744 | 2084 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2628 | 2084 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2696 | 2084 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2328 | 2084 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2220 | 2084 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2036 | 2084 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1092 | 2084 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2920 | 2084 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2932 | 2084 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2604 | 2084 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2968 | 2084 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2032 | 2084 | schtasks.exe | 30
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
resource | yara_rule
behavioral1/memory/2592-3-0x000000001BBC0000-0x000000001BCEE000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
1532 | powershell.exe
796 | powershell.exe
1072 | powershell.exe
1044 | powershell.exe
820 | powershell.exe
2672 | powershell.exe
1748 | powershell.exe
448 | powershell.exe
3068 | powershell.exe
2312 | powershell.exe
2088 | powershell.exe
348 | powershell.exe
Executes dropped EXE 11 IoCs
pid | Process
1512 | taskhost.exe
2572 | taskhost.exe
1980 | taskhost.exe
2088 | taskhost.exe
2908 | taskhost.exe
2532 | taskhost.exe
1420 | taskhost.exe
1408 | taskhost.exe
2004 | taskhost.exe
2144 | taskhost.exe
2560 | taskhost.exe
Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\wininit.exe | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\56085415360792 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\RCXD704.tmp | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\wininit.exe | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\PolicyDefinitions\ja-JP\wininit.exe | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe
File created | C:\Windows\PolicyDefinitions\ja-JP\56085415360792 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe
File opened for modification | C:\Windows\PolicyDefinitions\ja-JP\RCXCDDB.tmp | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe
File created | C:\Windows\PolicyDefinitions\ja-JP\wininit.exe | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2976 | schtasks.exe
2220 | schtasks.exe
2032 | schtasks.exe
2328 | schtasks.exe
1092 | schtasks.exe
2932 | schtasks.exe
2060 | schtasks.exe
2736 | schtasks.exe
2744 | schtasks.exe
2792 | schtasks.exe
2604 | schtasks.exe
2968 | schtasks.exe
2404 | schtasks.exe
2888 | schtasks.exe
2640 | schtasks.exe
2696 | schtasks.exe
2036 | schtasks.exe
2920 | schtasks.exe
2780 | schtasks.exe
2332 | schtasks.exe
2628 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid | Process
2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe
2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe
2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe
1044 | powershell.exe
2672 | powershell.exe
2088 | powershell.exe
1072 | powershell.exe
820 | powershell.exe
1748 | powershell.exe
348 | powershell.exe
2312 | powershell.exe
3068 | powershell.exe
448 | powershell.exe
1532 | powershell.exe
796 | powershell.exe
1512 | taskhost.exe
2572 | taskhost.exe
1980 | taskhost.exe
2088 | taskhost.exe
2908 | taskhost.exe
2532 | taskhost.exe
1420 | taskhost.exe
1408 | taskhost.exe
2004 | taskhost.exe
2144 | taskhost.exe
2560 | taskhost.exe
Suspicious use of AdjustPrivilegeToken 24 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe
Token: SeDebugPrivilege | 1044 | powershell.exe
Token: SeDebugPrivilege | 2672 | powershell.exe
Token: SeDebugPrivilege | 2088 | powershell.exe
Token: SeDebugPrivilege | 1072 | powershell.exe
Token: SeDebugPrivilege | 820 | powershell.exe
Token: SeDebugPrivilege | 1748 | powershell.exe
Token: SeDebugPrivilege | 348 | powershell.exe
Token: SeDebugPrivilege | 2312 | powershell.exe
Token: SeDebugPrivilege | 3068 | powershell.exe
Token: SeDebugPrivilege | 1512 | taskhost.exe
Token: SeDebugPrivilege | 448 | powershell.exe
Token: SeDebugPrivilege | 1532 | powershell.exe
Token: SeDebugPrivilege | 796 | powershell.exe
Token: SeDebugPrivilege | 2572 | taskhost.exe
Token: SeDebugPrivilege | 1980 | taskhost.exe
Token: SeDebugPrivilege | 2088 | taskhost.exe
Token: SeDebugPrivilege | 2908 | taskhost.exe
Token: SeDebugPrivilege | 2532 | taskhost.exe
Token: SeDebugPrivilege | 1420 | taskhost.exe
Token: SeDebugPrivilege | 1408 | taskhost.exe
Token: SeDebugPrivilege | 2004 | taskhost.exe
Token: SeDebugPrivilege | 2144 | taskhost.exe
Token: SeDebugPrivilege | 2560 | taskhost.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2592 wrote to memory of 2088 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 53
PID 2592 wrote to memory of 2088 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 53
PID 2592 wrote to memory of 2088 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 53
PID 2592 wrote to memory of 1072 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 54
PID 2592 wrote to memory of 1072 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 54
PID 2592 wrote to memory of 1072 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 54
PID 2592 wrote to memory of 2312 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 55
PID 2592 wrote to memory of 2312 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 55
PID 2592 wrote to memory of 2312 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 55
PID 2592 wrote to memory of 348 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 58
PID 2592 wrote to memory of 348 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 58
PID 2592 wrote to memory of 348 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 58
PID 2592 wrote to memory of 796 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 59
PID 2592 wrote to memory of 796 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 59
PID 2592 wrote to memory of 796 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 59
PID 2592 wrote to memory of 2672 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 60
PID 2592 wrote to memory of 2672 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 60
PID 2592 wrote to memory of 2672 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 60
PID 2592 wrote to memory of 3068 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 61
PID 2592 wrote to memory of 3068 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 61
PID 2592 wrote to memory of 3068 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 61
PID 2592 wrote to memory of 1748 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 62
PID 2592 wrote to memory of 1748 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 62
PID 2592 wrote to memory of 1748 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 62
PID 2592 wrote to memory of 448 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 63
PID 2592 wrote to memory of 448 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 63
PID 2592 wrote to memory of 448 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 63
PID 2592 wrote to memory of 1044 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 64
PID 2592 wrote to memory of 1044 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 64
PID 2592 wrote to memory of 1044 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 64
PID 2592 wrote to memory of 1532 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 65
PID 2592 wrote to memory of 1532 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 65
PID 2592 wrote to memory of 1532 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 65
PID 2592 wrote to memory of 820 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 66
PID 2592 wrote to memory of 820 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 66
PID 2592 wrote to memory of 820 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 66
PID 2592 wrote to memory of 1512 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 77
PID 2592 wrote to memory of 1512 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 77
PID 2592 wrote to memory of 1512 | 2592 | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe | 77
PID 1512 wrote to memory of 1404 | 1512 | taskhost.exe | 78
PID 1512 wrote to memory of 1404 | 1512 | taskhost.exe | 78
PID 1512 wrote to memory of 1404 | 1512 | taskhost.exe | 78
PID 1512 wrote to memory of 1180 | 1512 | taskhost.exe | 79
PID 1512 wrote to memory of 1180 | 1512 | taskhost.exe | 79
PID 1512 wrote to memory of 1180 | 1512 | taskhost.exe | 79
PID 1404 wrote to memory of 2572 | 1404 | WScript.exe | 80
PID 1404 wrote to memory of 2572 | 1404 | WScript.exe | 80
PID 1404 wrote to memory of 2572 | 1404 | WScript.exe | 80
PID 2572 wrote to memory of 876 | 2572 | taskhost.exe | 81
PID 2572 wrote to memory of 876 | 2572 | taskhost.exe | 81
PID 2572 wrote to memory of 876 | 2572 | taskhost.exe | 81
PID 2572 wrote to memory of 1684 | 2572 | taskhost.exe | 82
PID 2572 wrote to memory of 1684 | 2572 | taskhost.exe | 82
PID 2572 wrote to memory of 1684 | 2572 | taskhost.exe | 82
PID 876 wrote to memory of 1980 | 876 | WScript.exe | 83
PID 876 wrote to memory of 1980 | 876 | WScript.exe | 83
PID 876 wrote to memory of 1980 | 876 | WScript.exe | 83
PID 1980 wrote to memory of 2180 | 1980 | taskhost.exe | 84
PID 1980 wrote to memory of 2180 | 1980 | taskhost.exe | 84
PID 1980 wrote to memory of 2180 | 1980 | taskhost.exe | 84
PID 1980 wrote to memory of 1676 | 1980 | taskhost.exe | 85
PID 1980 wrote to memory of 1676 | 1980 | taskhost.exe | 85
PID 1980 wrote to memory of 1676 | 1980 | taskhost.exe | 85
PID 2180 wrote to memory of 2088 | 2180 | WScript.exe | 86
System policy modification 1 TTPs 36 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe"C:\Users\Admin\AppData\Local\Temp\31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2592 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2088
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1072
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2312
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:348
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:796
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2672
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3068
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1748
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:448
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1044
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1532
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:820
-
-
C:\Users\Default\taskhost.exe (depth 2)
"C:\Users\Default\taskhost.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1512
-
C:\Windows\System32\WScript.exe (depth 3)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14b6c44f-be4f-4e34-aab7-d336df8c235b.vbs"
- Suspicious use of WriteProcessMemory
PID:1404
-
C:\Users\Default\taskhost.exe (depth 4)
C:\Users\Default\taskhost.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2572
-
C:\Windows\System32\WScript.exe (depth 5)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cac3362b-d689-430c-8845-b0d3669b3f31.vbs"
- Suspicious use of WriteProcessMemory
PID:876
-
C:\Users\Default\taskhost.exe (depth 6)
C:\Users\Default\taskhost.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1980
-
C:\Windows\System32\WScript.exe (depth 7)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98781f31-0577-4c28-ab11-eb27a6785e7e.vbs"
- Suspicious use of WriteProcessMemory
PID:2180
-
C:\Users\Default\taskhost.exe (depth 8)
C:\Users\Default\taskhost.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2088
-
C:\Windows\System32\WScript.exe (depth 9)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\476700be-4d9b-4d9c-a84f-57509683b131.vbs"
PID:1088
-
C:\Users\Default\taskhost.exe (depth 10)
C:\Users\Default\taskhost.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2908
-
C:\Windows\System32\WScript.exe (depth 11)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d985a315-3f35-4e4e-8e89-a013d70a5351.vbs"
PID:2996
-
C:\Users\Default\taskhost.exe (depth 12)
C:\Users\Default\taskhost.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2532
-
C:\Windows\System32\WScript.exe (depth 13)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a08375a-f874-4bf3-be1b-ca048bcbf95b.vbs"
PID:1556
-
C:\Users\Default\taskhost.exe (depth 14)
C:\Users\Default\taskhost.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1420
-
C:\Windows\System32\WScript.exe (depth 15)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c08e045-9d47-485c-bf35-4bb0ffc2886d.vbs"
PID:292
-
C:\Users\Default\taskhost.exe (depth 16)
C:\Users\Default\taskhost.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1408
-
C:\Windows\System32\WScript.exe (depth 17)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88083feb-409d-4431-a54d-ba211b9c7b46.vbs"
PID:2768
-
C:\Users\Default\taskhost.exe (depth 18)
C:\Users\Default\taskhost.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2004
-
C:\Windows\System32\WScript.exe (depth 19)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a32eb2fa-e07a-47b6-9de9-daa4752dab31.vbs"
PID:2340
-
C:\Users\Default\taskhost.exe (depth 20)
C:\Users\Default\taskhost.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2144
-
C:\Windows\System32\WScript.exe (depth 21)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c3da2f2-8bfe-4de2-ab32-7fad0ec920b0.vbs"
PID:2256
-
C:\Users\Default\taskhost.exe (depth 22)
C:\Users\Default\taskhost.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2560
-
C:\Windows\System32\WScript.exe (depth 23)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0dceaea1-715f-4d1b-9296-872c7a516617.vbs"
PID:1740
-
C:\Windows\System32\WScript.exe (depth 23)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\647facef-685d-441b-991c-28839c4f44d4.vbs"
PID:880
-
C:\Windows\System32\WScript.exe (depth 21)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5ce0181-ffbf-4088-b2e9-803b97dee6fb.vbs"
PID:1600
-
C:\Windows\System32\WScript.exe (depth 19)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3122bc06-1e41-4293-a313-37384f4cb787.vbs"
PID:1092
-
C:\Windows\System32\WScript.exe (depth 17)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e46423cc-961c-4610-bfa0-20106dbceada.vbs"
PID:1744
-
C:\Windows\System32\WScript.exe (depth 15)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee69c502-fbc5-4ee2-903c-598a148bb2e1.vbs"
PID:1476
-
C:\Windows\System32\WScript.exe (depth 13)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\137dc8f2-601b-43ce-bc27-a563c01c6428.vbs"
PID:2000
-
C:\Windows\System32\WScript.exe (depth 11)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26f45a80-e3af-49d3-bb5a-22ce8129363d.vbs"
PID:2632
-
C:\Windows\System32\WScript.exe (depth 9)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61690286-a5ba-46b9-a4e0-c42fd6c7650c.vbs"
PID:2400
-
C:\Windows\System32\WScript.exe (depth 7)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d92acad9-b2e5-42de-9553-448f29867728.vbs"
PID:1676
-
C:\Windows\System32\WScript.exe (depth 5)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25aa5525-4ac5-4ff4-98dd-72e8e7737b75.vbs"
PID:1684
-
C:\Windows\System32\WScript.exe (depth 3)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e2bbeda-741b-49de-bc13-5b47c6e19fce.vbs"
PID:1180
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\PolicyDefinitions\ja-JP\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\ja-JP\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\ja-JP\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be3" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Desktop\31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be" /sc ONLOGON /tr "'C:\Users\Default\Desktop\31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be3" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Desktop\31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be3" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Favorites\31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be3" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Favorites\31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\bin\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\bin\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\bin\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Default\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968
-
C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Default\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032
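The two PowerShell processes and the 21 schtasks.exe processes above are the parts of this run worth turning into a host check: Add-MpPreference -ExclusionPath 'C:/Users/' and 'C:/Windows/' switch Defender scanning off for the drop locations C:\Users\Default\taskhost.exe and C:\Windows\PolicyDefinitions\ja-JP\wininit.exe, and every scheduled task pairs a name taken from a Windows binary (wininit, sppsvc, OSPPSVC, taskhost) with a copy of that binary name in a directory where it does not belong, registered twice (a MINUTE-interval task with one extra character in the name, plus an ONLOGON task with /rl HIGHEST). The script below is an added hunting example written for this page; it is not part of the Triage report and not code from the sample. It assumes Windows 8.1 / Server 2012 R2 or later with the ScheduledTasks and Defender modules and an elevated prompt; the task names, drop paths and exclusion roots are taken from the report, while the "expected directory" table for each binary name and the use of Defender event 5007 for exclusion changes are the editor's assumptions.

```powershell
# Added hunting script; not part of the Triage report or of the DcRat sample.
# Assumes Windows 8.1 / Server 2012 R2+ (Get-ScheduledTask, Get-MpPreference), run elevated.

$sampleSha256 = '31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be'

# Task names registered by the sample (from the report): a legitimate-looking name for the
# ONLOGON task and the same name with one extra character for the MINUTE-interval copies.
$reportTaskNames = @(
    'wininit', 'wininitw', 'sppsvc', 'sppsvcs', 'OSPPSVC', 'OSPPSVCO',
    'taskhost', 'taskhostt', $sampleSha256, "${sampleSha256}3"
)

# Binary names the sample masquerades as and where they are expected to live (assumption).
# A copy anywhere else, e.g. C:\Windows\PolicyDefinitions\ja-JP\wininit.exe or
# C:\Users\Default\taskhost.exe, is a finding regardless of the task name used.
$expectedDirs = @{
    'wininit.exe'  = @("$env:SystemRoot\System32")
    'sppsvc.exe'   = @("$env:SystemRoot\System32")
    'taskhost.exe' = @("$env:SystemRoot\System32")
    'osppsvc.exe'  = @("$env:ProgramFiles\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform",
                       "${env:ProgramFiles(x86)}\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform")
}

function Get-TaskExecutable {
    # schtasks /tr "'C:\path\x.exe'" keeps the inner single quotes; strip both kinds and expand %vars%.
    param([string]$Execute)
    $e = [Environment]::ExpandEnvironmentVariables($Execute.Trim())
    return $e.Trim('"').Trim("'")
}

function Find-SuspiciousTasks {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute property
            $exe  = Get-TaskExecutable $action.Execute
            $name = [System.IO.Path]::GetFileName($exe).ToLowerInvariant()
            $dir  = [System.IO.Path]::GetDirectoryName($exe)
            $why  = @()
            if ($reportTaskNames -contains $task.TaskName) { $why += 'task name from the DcRat report' }
            if ($expectedDirs.ContainsKey($name)) {
                if (-not $dir) { $why += "system binary name '$name' given without a directory" }
                elseif ($expectedDirs[$name] -notcontains $dir) { $why += "system binary name '$name' outside its expected directory" }
            }
            if ($why.Count -eq 0) { continue }
            if ("$($task.Principal.RunLevel)" -eq 'Highest') { $why += 'runs with highest privileges' }
            $sig = if (Test-Path -LiteralPath $exe) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'file missing' }
            [pscustomobject]@{
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                Execute   = $exe
                Signature = $sig
                Reasons   = $why -join '; '
            }
        }
    }
}

function Find-BroadDefenderExclusions {
    # The sample excluded C:/Users/ and C:/Windows/ with forward slashes; normalise before comparing.
    # Any of these roots disables on-access scanning for most of the drop locations in the report.
    $broadRoots = @('C:\', 'C:\Users\', 'C:\Windows\', 'C:\ProgramData\')
    foreach ($p in @((Get-MpPreference).ExclusionPath)) {
        if (-not $p) { continue }
        $norm = (($p -replace '/', '\').TrimEnd('\')) + '\'
        if ($broadRoots -contains $norm) { [pscustomobject]@{ Exclusion = $p; Normalized = $norm } }
    }
}

function Get-DefenderExclusionChanges {
    # Defender logs every configuration change as event 5007 in its Operational log; the message
    # names the changed registry value, which for path exclusions sits under ...\Exclusions\Paths\.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions\\Paths' } |
        Select-Object TimeCreated, Message
}

Find-BroadDefenderExclusions | Format-Table -AutoSize
Get-DefenderExclusionChanges | Format-List
Find-SuspiciousTasks | Sort-Object TaskName | Format-Table -AutoSize
```

The sandbox itself ran Windows 7, where neither Get-ScheduledTask nor Get-MpPreference exists; there the same task data is available from `schtasks /query /fo CSV /v` (note that its output repeats the header row per task folder, so drop rows whose TaskName is literally "TaskName" before parsing). The directory check is deliberately independent of the task names, because the names are the part an operator changes most easily between builds.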
Network
MITRE ATT&CK Enterprise v15 (number of matching signatures in parentheses)
Execution
- Command and Scripting Interpreter, T1059 (1) > PowerShell, T1059.001 (1)
- Scheduled Task/Job, T1053 (1) > Scheduled Task, T1053.005 (1)
Privilege Escalation
- Abuse Elevation Control Mechanism, T1548 (1) > Bypass User Account Control, T1548.002 (1)
- Scheduled Task/Job, T1053 (1) > Scheduled Task, T1053.005 (1)
Downloads
-
Filesize 4.9MB (the submitted sample)
MD5 87d29654a3f89b1adc596d2ef22f94dd
SHA1 28b9d0678b858302d9a6b8737fd094ff0ee59308
SHA256 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be
SHA512 3d8db28ba156c13e865ec24e34e38326fe90e64499e8be9fde05a46d7278c8ea431e2f702a69ede893d220331becea9871f278c8809820b9772fc1f033fa05f9
-
Filesize 705B
MD5 f865b9bc235bfcca564f53a84ef4c98d
SHA1 eb762702e816482308c1f789f1ae7c784570936e
SHA256 58a1cfac23bb11e8928c0ef4b95c5a9287818586e3d70d08a8f5b207e80f2752
SHA512 0850d91ee573d06b80e42104c53af103c36a2edd5807d7a2fadf48b524dc19f174e9a0d65fa04b38ff2b5e492acd3a70d232534b40b14404c69c5b386820a928
-
Filesize 705B
MD5 4d0a39fd209272a3653a365872a13dfc
SHA1 a9f73ee197c20149b6d488618ba697c315510f72
SHA256 9bc77aa97de67eb8b74d1f3d5de2dcafb3b9ebc54406e2c594336d710072d002
SHA512 e649f585e36556f038cb9f8685a57f915605ceec5e48d574be95ac3b94e49a2cd81d23197054d1b8447f0f1d40b0561988ad9018adb3829f658009fa0e0501af
-
Filesize 705B
MD5 70ab8b9398b261fb82ac538395883ba6
SHA1 fbcfd526aff3fb7ef197633207874812f2ef9451
SHA256 5addd2f69c4bbb184131d52855f934dae847ca8a14e8f8eed5a27b7dda5eaffa
SHA512 0a8f2525b903c06f8fdcf9bdd2212252598a914c2680aec9002162233bdb705d2508ffb06956358ce62de5f6b3020b27de46c5189e8c1e35293e2d7e352ec4da
-
Filesize 705B
MD5 62d0be100cf06b63a998221744fdb529
SHA1 6df97681123a94f73a19a4e68c23fb8960b82902
SHA256 6994c3fee57a34ca263d24d89e6222e88af7e70d5d00e80df8125bd4127e4f51
SHA512 211b3e021fae06b471f191ceb33da71ad152937891ccd464f8a04d7ae2e11602a365c2b93f74a7f21be43b3fc26270594d177681853ea31dc8fdfd05d63903bf
-
Filesize 705B
MD5 9836c43349d3036ad928657333bc232b
SHA1 a3312838cc58de5e321f6462649de7532c66d207
SHA256 df0548a2787b738081a1ac252d743f8265657ddf668d2aee4606a8142131b1c9
SHA512 8ac4ed8fb7c84bcf14652c6c290fdef023e3646d5580e2899ad806e2c1e7d6505d0b4af3a8887e2b1f3f54738d4c2d87496b7fc5191359948f63e00e15d3aaf4
-
Filesize 705B
MD5 9813b368970b6070a3e46e215027b5e9
SHA1 d9f9ecc82a3d7d5f1b76bc8e06906776f7e0b484
SHA256 f652f50593251fd38f8ea2bdc4b6b97082f60b65a296e2b3f354ace92d4ba84c
SHA512 6c0bc235b02bf74f68fac9c41eec744d835746d0ee9fa5b95f034b8b768834ec6c37c9b562ce435945dc8c192831f7e47edd4f3c4dbb97a0616354e308fbf21c
-
Filesize 481B
MD5 82a84d9d3299172b391099a737f42c05
SHA1 4e95d770b96f40d6bcf411418b45cc04a14c73a2
SHA256 f1ef7a46ca275722d09c8d88378d751b94015c1f398aec1e1b1d30ea68e59e00
SHA512 b299fb541c741dbf07ffb173eda45e7ef86113f9a409f00d134368d56f706f67b68e165bafa03b0bdaf48b98044536a919480446c9cd2eb6353499e03a95bb0e
-
Filesize 705B
MD5 5f988f887cc40281fed4ac93bdd9cb17
SHA1 8c16adff32ed1ae2a98b00fb0774f1e33a2cb8de
SHA256 5014b14f06847e1a2f7b0bc70ce0dd8641b6ff01f9a4d2144fa41187a1cef140
SHA512 0a400616cda92d197fbbeb0cc4e86e45a0bb5a8979243961cbd0675d619aba7e61fdc753447d62d6cb007a82e8493c9b2f9c143592c84d7f39497a08eafad398
-
Filesize 705B
MD5 a8888d2b1021eb1738c03eef6e0064cc
SHA1 ab1a46c8a274f256f0a44e2a5ddf3e04db4e4a4f
SHA256 e7a2b49c0aff53c88c2e22188d5907d613de8872116534eb5b6b8fb6815bb9a1
SHA512 a8747f0dc26515b699e21ec4739e1af88da8b13531dcde49cbfd0796ce45216c72b6336abb1c58e5ef5804a867a0ca89e22cda6656129dd2d77ec7f1144faa2e
-
Filesize 705B
MD5 3ce4b5c93cc9c634adf44e8b47232404
SHA1 a9085b91553c3cab87e9475481d6c6f83387ea5e
SHA256 534ebbb69d4fd36caba21e85072ed9efd1069157f104bb9b085b0abf938742fa
SHA512 c36d5697a1f80b3692c76f04766e268fa8c762e6421771f718f07d0b2497cc07f598dec81f53912dc1fc69848b8b5c749fa2185ebcf57cb8b102870f2a7f7995
-
Filesize 705B
MD5 5482e37162487890755b076ec917502b
SHA1 b12e9ee8d007387877c9a291ef8f53a9e1d6e40b
SHA256 dfbcc0ec188fc75d221bf12268b3ec0e11380c02f227ec5b0a457680d9d4d78e
SHA512 8acdd25325edc55b772f4e31d4350858933bdcc7390867420e72611fdd8c798c3c86fd084d54ce338df1c4a0e6d0d4f29350aa2cf7069c14ed84639f26c30740
-
Filesize 705B
MD5 3cfced3886d4c6b210e9ab335ceebe71
SHA1 ddae2f2a942744922df6c39b04c15eab38038b99
SHA256 474d0fa084a06d051c69f66b05404300495252a707d1a9bdc18a0aa759bbf172
SHA512 d1d57b8b5d126d79652b0468deef6eaca044a4a7049f4449cc644c7177b05808e622531572c0c6fc3e2b0c25d7e3ed19f9d3de7f0e0a7d106f148051ede604b4
-
Filesize 75KB
MD5 e0a68b98992c1699876f818a22b5b907
SHA1 d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA256 2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512 856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 db95d15a4b55fdbef90dce812d060b23
SHA1 0a0564f38b18f24b40f9f1bcccdc4e132e883423
SHA256 231625419c1f7ecbea4e1ff79501fe38ffc8f033ff2b5f3e2f928bee6b4599d5
SHA512 76a194d22902fc63b7f6bfc0a005465b96b7a9311d0ed744691a4d6f983b9e5e2c497e053efeb7597285b4ca1c5514ad9b7e5f45e45b08f9aa9b70aefe03de41