Analysis
max time kernel: 120s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 16-11-2024 12:23
Static task: static1
Behavioral task: behavioral1
  Sample: 352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
  Resource: win10v2004-20241007-en
General
Target: 352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Size: 426KB
MD5: 2d94c0a9c700f4a1552a1e2fe2cd33e2
SHA1: 7dfe6f390ea59bc8d53431cd3a4756c109e201ee
SHA256: 352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9
SHA512: 4add372efa87a762a63c528699b84ce3f0ad4f4f4966fb58a721d92a9d5e1f2acc49e8e406c89a25ba1698cb1ceb0714e9b63109ba3a26b24ee696096ce855f4
SSDEEP: 12288:mDLfHXFL+Kfcos8Us9s4R1d4j7nwlmyAgn/fT:mtyUAQnR+7wlmy7/7
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Modifies WinLogon for persistence 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\"" | 352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Windows\\Help\\spoolsv.exe\"" | 352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Windows\\Help\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\sppsvc.exe\"" | 352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Windows\\Help\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\audiodg.exe\"" | 352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Windows\\Help\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\Idle.exe\"" | 352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\explorer.exe\", \"C:\\Windows\\Help\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\Idle.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe\"" | 352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2528 | 2580 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2592 | 2580 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2712 | 2580 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2380 | 2580 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2360 | 2580 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 632 | 2580 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1812 | 2580 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1844 | 2580 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 584 | 2580 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2336 | 2580 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 896 | 2580 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2120 | 2580 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2932 | 2580 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 776 | 2580 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 980 | 2580 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1796 | 2580 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2896 | 2580 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3056 | 2580 | schtasks.exe | 31
DCRat payload 2 IoCs
resource | yara_rule
behavioral1/memory/3052-2-0x0000000000420000-0x00000000004F2000-memory.dmp | family_dcrat_v2
behavioral1/memory/448-52-0x000000001AC50000-0x000000001AD22000-memory.dmp | family_dcrat_v2
Executes dropped EXE 1 IoCs
pid | Process
448 | explorer.exe
Adds Run key to start application 2 TTPs 12 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe\"" | 352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Default User\\explorer.exe\"" | 352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Default User\\explorer.exe\"" | 352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\Help\\spoolsv.exe\"" | 352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\Help\\spoolsv.exe\"" | 352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\audiodg.exe\"" | 352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\Idle.exe\"" | 352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe\"" | 352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\sppsvc.exe\"" | 352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\sppsvc.exe\"" | 352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\audiodg.exe\"" | 352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\1f4ba082-69f6-11ef-a143-62cb582c238c\\Idle.exe\"" | 352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | \??\c:\Windows\System32\CSC2216095064D44B51B3D1FA35E3FF7EBB.TMP | csc.exe
File created | \??\c:\Windows\System32\qmeprf.exe | csc.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\Help\spoolsv.exe | 352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
File created | C:\Windows\Help\f3b6ecef712a24 | 352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
1940 | PING.EXE
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
1940 | PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2932 | schtasks.exe
776 | schtasks.exe
1796 | schtasks.exe
2380 | schtasks.exe
1812 | schtasks.exe
1844 | schtasks.exe
584 | schtasks.exe
2336 | schtasks.exe
896 | schtasks.exe
2712 | schtasks.exe
980 | schtasks.exe
632 | schtasks.exe
2120 | schtasks.exe
2896 | schtasks.exe
3056 | schtasks.exe
2528 | schtasks.exe
2592 | schtasks.exe
2360 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3052 | 352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe (64 entries, every one with the same pid and process)
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3052 | 352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
Token: SeDebugPrivilege | 448 | explorer.exe
Suspicious use of WriteProcessMemory 18 IoCs
description | pid | Process | procid_target
PID 3052 wrote to memory of 2240 | 3052 | 352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe | 35 (logged 3 times)
PID 2240 wrote to memory of 1888 | 2240 | csc.exe | 37 (logged 3 times)
PID 3052 wrote to memory of 2060 | 3052 | 352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe | 53 (logged 3 times)
PID 2060 wrote to memory of 3044 | 2060 | cmd.exe | 55 (logged 3 times)
PID 2060 wrote to memory of 1940 | 2060 | cmd.exe | 56 (logged 3 times)
PID 2060 wrote to memory of 448 | 2060 | cmd.exe | 57 (logged 3 times)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe"
  Signatures: Modifies WinLogon for persistence; Adds Run key to start application; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  PID: 3052
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a4mewvsi\a4mewvsi.cmdline"
    Signatures: Drops file in System32 directory; Suspicious use of WriteProcessMemory
    PID: 2240
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF815.tmp" "c:\Windows\System32\CSC2216095064D44B51B3D1FA35E3FF7EBB.TMP"
      PID: 1888
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Cbdw6s0XQN.bat"
    Signatures: Suspicious use of WriteProcessMemory
    PID: 2060
    - C:\Windows\system32\chcp.com
      Command line: chcp 65001
      PID: 3044
    - C:\Windows\system32\PING.EXE
      Command line: ping -n 10 localhost
      Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
      PID: 1940
    - C:\Users\Default User\explorer.exe
      Command line: "C:\Users\Default User\explorer.exe"
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
      PID: 448
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\explorer.exe'" /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  PID: 2528
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  PID: 2592
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  PID: 2712
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\Help\spoolsv.exe'" /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  PID: 2380
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Help\spoolsv.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  PID: 2360
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\spoolsv.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  PID: 1812
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe'" /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  PID: 632
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  PID: 1844
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  PID: 584
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  PID: 2336
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  PID: 896
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  PID: 2120
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  PID: 2932
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  PID: 776
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  PID: 980
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e93" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe'" /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  PID: 1796
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  PID: 2896
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e93" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
  PID: 3056
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
- Filesize: 162B
  MD5: b3ed19195192c3bb31056d6ec1674f0e
  SHA1: cc7e9e8c57876796237bef44dc7be219beb1dc1f
  SHA256: 72be3d6497e5b0b64ba4a3829e206f942dc0a9bf16a11de934eb5cc347453ab2
  SHA512: 0430a31494bbd5feebaa620c758b472f07e8382944b3641ffefd98707621bc4d1cf4f9c7e0d3816baa0ef717081c74379f538d12ac8943e4880ac2dca20e647f
- Filesize: 1KB
  MD5: 37be827f3f962ef9e462794bf37de9e5
  SHA1: 6fb1ba6a4c39b623a56a4b266395b0f5f1b5375c
  SHA256: 0b54ce322002110a362179246851ac2d5426cdfadfe113728011dff2c78fe31c
  SHA512: 3fa1b60f0a514cd8596b7fbca1bf40dd3d1ce8934b53dcac6d1692734605a24b6e7558c1e1bb8dae0cc32d0aca622747920b76a5be586b813ddaf1ce9563e1a0
- Filesize: 426KB
  MD5: 2d94c0a9c700f4a1552a1e2fe2cd33e2
  SHA1: 7dfe6f390ea59bc8d53431cd3a4756c109e201ee
  SHA256: 352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9
  SHA512: 4add372efa87a762a63c528699b84ce3f0ad4f4f4966fb58a721d92a9d5e1f2acc49e8e406c89a25ba1698cb1ceb0714e9b63109ba3a26b24ee696096ce855f4
- Filesize: 366B
  MD5: 8c5d062f01d445d6846be61782f77957
  SHA1: 1d4fefb5d134feab58c6e4b8536da13c019bac60
  SHA256: 74ac6a017237414339c11f9a86f376569436245db9cb80ac52b645e4dc981a29
  SHA512: 6f5c7ea3ebf56897c7e040ea31b0f3d2424db62cc382cd3e327e83a20145ca343995fa36d09974132ad02433bb6a1910a59915c2a2dd9850e96293400c758e6f
- Filesize: 235B
  MD5: d92cbbdc956f17a4800e6359d7583075
  SHA1: 21404d4207b44b2c270f9bb1b372430faca6f411
  SHA256: 7b6af63453daf7358a7247c7416dccc9a2d5afa799779d4517f7897cd14547db
  SHA512: 083c302495f458f2574ce8d58dd353d57b347db58357c5dde029e8c5a2f5b8a3025afce98f813c1b083a983560b8c3806f2352b13e36d10ebc1ecb3f681e0b34
- Filesize: 1KB
  MD5: 167c870490dc33ec13a83ebb533b1bf6
  SHA1: 182378ebfa7c8372a988dee50a7dd6f8cda6a367
  SHA256: 3f742a374ad5a8da8fba9dfea27c7382dde145d46732cfc0002a53a1311df5e6
  SHA512: 1b48bb5f270f5d99d9dd98cd9da5866aed9377957d92bf1d686878522c438b38a444073c1a0ed4cc85f97315d2ef6abf05b74ab2265fecb20be5795b2ccef64e