Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-11-2024 00:30
Static task: static1
Behavioral task: behavioral1
  Sample: 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
  Resource: win10v2004-20241007-en
General
Target: 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
Size: 1.9MB
MD5: d555abf32ac6999a3ddd82eff6523be5
SHA1: fc57db7c9856edd9018b4128b96a9a53146bf910
SHA256: 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f
SHA512: 5c3b30b37394a4b89c1939362fed98f0435d44010b50570cb7841508626de7cdef994890f9736530a94dd065d4ee7bf14cc7dbbe50326c9964a198a21c7d5fa9
SSDEEP: 49152:eLviZcjVZitNo7l+/yPyC3A0qu3/JbbdY/m/w0p2ZJ:eLvUcBKopOyPZVVYmN4
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Idle.exe\"" | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\RuntimeBroker.exe\"" | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\RuntimeBroker.exe\", \"C:\\Windows\\Offline Web Pages\\wininit.exe\"" | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\RuntimeBroker.exe\", \"C:\\Windows\\Offline Web Pages\\wininit.exe\", \"C:\\Program Files\\Crashpad\\attachments\\smss.exe\"" | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\RuntimeBroker.exe\", \"C:\\Windows\\Offline Web Pages\\wininit.exe\", \"C:\\Program Files\\Crashpad\\attachments\\smss.exe\", \"C:\\Program Files\\Common Files\\taskhostw.exe\"" | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Idle.exe\", \"C:\\Program Files\\Uninstall Information\\RuntimeBroker.exe\", \"C:\\Windows\\Offline Web Pages\\wininit.exe\", \"C:\\Program Files\\Crashpad\\attachments\\smss.exe\", \"C:\\Program Files\\Common Files\\taskhostw.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe\"" | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
Process spawned unexpected child process (18 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4988 | 3900 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5076 | 3900 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2960 | 3900 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1372 | 3900 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2892 | 3900 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4604 | 3900 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3960 | 3900 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4080 | 3900 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4220 | 3900 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1472 | 3900 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4836 | 3900 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1896 | 3900 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1828 | 3900 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3200 | 3900 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2948 | 3900 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2876 | 3900 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2196 | 3900 | schtasks.exe | 86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3580 | 3900 | schtasks.exe | 86
Command and Scripting Interpreter: PowerShell (1 TTP, 6 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
964 | powershell.exe
1976 | powershell.exe
2260 | powershell.exe
1104 | powershell.exe
2444 | powershell.exe
3596 | powershell.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
-
Adds Run key to start application (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Public\\Idle.exe\"" | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\Offline Web Pages\\wininit.exe\"" | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\Offline Web Pages\\wininit.exe\"" | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Crashpad\\attachments\\smss.exe\"" | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files\\Common Files\\taskhostw.exe\"" | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files\\Common Files\\taskhostw.exe\"" | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Public\\Idle.exe\"" | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Uninstall Information\\RuntimeBroker.exe\"" | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Uninstall Information\\RuntimeBroker.exe\"" | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Crashpad\\attachments\\smss.exe\"" | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe\"" | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe\"" | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
15 | ipinfo.io
16 | ipinfo.io
42 | ipinfo.io
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | \??\c:\Windows\System32\CSC8FD3B669C7444D32B489FDCB3EB538E7.TMP | csc.exe
File created | \??\c:\Windows\System32\ovufcs.exe | csc.exe
Drops file in Program Files directory (8 IoCs)
description | ioc | Process
File created | C:\Program Files\Uninstall Information\RuntimeBroker.exe | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
File created | C:\Program Files\Uninstall Information\9e8d7a4ca61bd9 | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
File created | C:\Program Files\Common Files\taskhostw.exe | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
File opened for modification | C:\Program Files\Common Files\taskhostw.exe | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
File created | C:\Program Files\Common Files\ea9f0e6c9e2dcd | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
File created | C:\Program Files\Crashpad\attachments\smss.exe | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
File created | C:\Program Files\Crashpad\attachments\69ddcba757bf72 | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
File created | C:\Program Files\ModifiableWindowsApps\smss.exe | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\Offline Web Pages\wininit.exe | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
File created | C:\Windows\Offline Web Pages\56085415360792 | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
4992 | PING.EXE
Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
Runs ping.exe (1 TTP, 1 IoC)
pid | Process
4992 | PING.EXE
Scheduled Task/Job: Scheduled Task (1 TTP, 18 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2960 | schtasks.exe
3200 | schtasks.exe
2876 | schtasks.exe
2196 | schtasks.exe
5076 | schtasks.exe
2892 | schtasks.exe
4080 | schtasks.exe
4988 | schtasks.exe
1372 | schtasks.exe
3960 | schtasks.exe
3580 | schtasks.exe
4604 | schtasks.exe
4220 | schtasks.exe
1472 | schtasks.exe
4836 | schtasks.exe
1896 | schtasks.exe
1828 | schtasks.exe
2948 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4872 | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
(the same row is recorded for all 64 IoCs)
Suspicious use of AdjustPrivilegeToken (8 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4872 | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
Token: SeDebugPrivilege | 3596 | powershell.exe
Token: SeDebugPrivilege | 1976 | powershell.exe
Token: SeDebugPrivilege | 964 | powershell.exe
Token: SeDebugPrivilege | 1104 | powershell.exe
Token: SeDebugPrivilege | 2444 | powershell.exe
Token: SeDebugPrivilege | 2260 | powershell.exe
Token: SeDebugPrivilege | 1164 | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe
Suspicious use of WriteProcessMemory (24 IoCs)
description | pid | Process | procid_target
PID 4872 wrote to memory of 5084 | 4872 | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe | 90
PID 5084 wrote to memory of 4268 | 5084 | csc.exe | 92
PID 4872 wrote to memory of 964 | 4872 | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe | 111
PID 4872 wrote to memory of 1976 | 4872 | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe | 112
PID 4872 wrote to memory of 3596 | 4872 | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe | 113
PID 4872 wrote to memory of 2444 | 4872 | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe | 114
PID 4872 wrote to memory of 1104 | 4872 | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe | 115
PID 4872 wrote to memory of 2260 | 4872 | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe | 116
PID 4872 wrote to memory of 2188 | 4872 | 93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe | 123
PID 2188 wrote to memory of 4996 | 2188 | cmd.exe | 125
PID 2188 wrote to memory of 4992 | 2188 | cmd.exe | 126
PID 2188 wrote to memory of 1164 | 2188 | cmd.exe | 132
(each of the 12 rows above is recorded twice in the report, giving 24 IoCs)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe (PID 4872)
  command line: "C:\Users\Admin\AppData\Local\Temp\93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 5084)
    command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r2glokst\r2glokst.cmdline"
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 4268)
      command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7EA.tmp" "c:\Windows\System32\CSC8FD3B669C7444D32B489FDCB3EB538E7.TMP"

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 964)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Idle.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1976)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\RuntimeBroker.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3596)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\wininit.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2444)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\attachments\smss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1104)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\taskhostw.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2260)
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\cmd.exe (PID 2188)
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NwZlC0Cl87.bat"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\chcp.com (PID 4996)
      command line: chcp 65001

    C:\Windows\system32\PING.EXE (PID 4992)
      command line: ping -n 10 localhost
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe

    C:\Users\Admin\AppData\Local\Temp\93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe (PID 1164)
      command line: "C:\Users\Admin\AppData\Local\Temp\93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe"
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\schtasks.exe (PID 4988)
  command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Idle.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 5076)
  command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 2960)
  command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 1372)
  command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 2892)
  command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 4604)
  command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 4220)
  command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\Offline Web Pages\wininit.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 3960)
  command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 4080)
  command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\Offline Web Pages\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 1472)
  command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Crashpad\attachments\smss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 4836)
  command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 1896)
  command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Crashpad\attachments\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 1828)
  command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\taskhostw.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 3200)
  command line: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Common Files\taskhostw.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 2948)
  command line: schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\taskhostw.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 2876)
  command line: schtasks.exe /create /tn "93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f9" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 2196)
  command line: schtasks.exe /create /tn "93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (PID 3580)
  command line: schtasks.exe /create /tn "93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f9" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1): PowerShell (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Credential Access
  Credentials from Password Stores (1): Credentials from Web Browsers (1)
  Unsecured Credentials (1): Credentials In Files (1)
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\93306fa8475e4c32aecfcfb3ace4ef29fee67ce1402f1a8e2cecb2ed4956c92f.exe.log
Filesize: 1KB
MD5: cb4338b342d00bfe6111ffee5cbfc2ed
SHA1: fc16673b6833ad3cb00743a32868b859e90aa536
SHA256: 343ed6661687e81c9615dcaea42fb1a98b70572bb9fe07e16f020108725dbbe9
SHA512: 4bcea1366b8be00d08eb15cfd78c87e1c8f3aea140a4ea30efb3c0511cd3de21b7ce8c933c7478fb06a356573ecb928e50df23d340fbd9a6e6c156a004d2a77a