Analysis
max time kernel: 148s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-11-2024 10:52
Behavioral task: behavioral1
Sample: f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Resource: win7-20240903-en
General
Target: f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Size: 1.8MB
MD5: 7582ed7a9f3ac0c15a2b7c81155d8b59
SHA1: 0c0429b3d9f1acaeeffb7fd92946cab77d1be2f6
SHA256: f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077
SHA512: 6be6568d2109397e266ce71014f503ec10bd38626146bb38f7955b6f360fccd4c05bad19ac5f94f3695427c595e9eda61079c01e6d156634978039c3749245a0
SSDEEP: 49152:OhjAJVllHZrhbBruPk+xjSMX4ODTDF8OcFSkMh:OgVTVXYNX9mOWSkM
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4268 | 1632 | schtasks.exe | 85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2464 | 1632 | schtasks.exe | 85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4688 | 1632 | schtasks.exe | 85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5104 | 1632 | schtasks.exe | 85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2592 | 1632 | schtasks.exe | 85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1436 | 1632 | schtasks.exe | 85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3960 | 1632 | schtasks.exe | 85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1692 | 1632 | schtasks.exe | 85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3416 | 1632 | schtasks.exe | 85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2944 | 1632 | schtasks.exe | 85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3484 | 1632 | schtasks.exe | 85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2060 | 1632 | schtasks.exe | 85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4896 | 1632 | schtasks.exe | 85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4532 | 1632 | schtasks.exe | 85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2996 | 1632 | schtasks.exe | 85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4668 | 1632 | schtasks.exe | 85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3368 | 1632 | schtasks.exe | 85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3328 | 1632 | schtasks.exe | 85
UAC bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fontdrvhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | fontdrvhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | fontdrvhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fontdrvhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | fontdrvhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | fontdrvhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fontdrvhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | fontdrvhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | fontdrvhost.exe
resource | yara_rule
behavioral2/memory/2204-1-0x0000000000A80000-0x0000000000C4E000-memory.dmp | dcrat
behavioral2/files/0x0007000000023cce-26.dat | dcrat
behavioral2/files/0x0003000000022ae8-161.dat | dcrat
behavioral2/memory/928-163-0x0000000000C10000-0x0000000000DDE000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
360 | powershell.exe
1464 | powershell.exe
3580 | powershell.exe
2904 | powershell.exe
1664 | powershell.exe
1068 | powershell.exe
3660 | powershell.exe
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Executes dropped EXE 3 IoCs
pid | Process
928 | fontdrvhost.exe
1428 | fontdrvhost.exe
3964 | fontdrvhost.exe
Checks whether UAC is enabled 8 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fontdrvhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fontdrvhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fontdrvhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fontdrvhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fontdrvhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fontdrvhost.exe
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files\Uninstall Information\smss.exe | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File opened for modification | C:\Program Files\Uninstall Information\smss.exe | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File created | C:\Program Files\Uninstall Information\69ddcba757bf72 | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File opened for modification | C:\Program Files\Uninstall Information\RCXE446.tmp | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 4 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | fontdrvhost.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | fontdrvhost.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4896 | schtasks.exe
2996 | schtasks.exe
3368 | schtasks.exe
2592 | schtasks.exe
3416 | schtasks.exe
2060 | schtasks.exe
1692 | schtasks.exe
3484 | schtasks.exe
4668 | schtasks.exe
3328 | schtasks.exe
4268 | schtasks.exe
5104 | schtasks.exe
3960 | schtasks.exe
2944 | schtasks.exe
4532 | schtasks.exe
2464 | schtasks.exe
4688 | schtasks.exe
1436 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid | Process
2204 | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
2204 | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
2204 | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
2204 | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
2204 | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
2204 | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
2204 | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
2204 | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
2204 | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
2204 | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
2204 | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
2204 | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
2204 | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
3660 | powershell.exe
3660 | powershell.exe
360 | powershell.exe
360 | powershell.exe
3580 | powershell.exe
3580 | powershell.exe
1664 | powershell.exe
1664 | powershell.exe
2904 | powershell.exe
2904 | powershell.exe
1464 | powershell.exe
1464 | powershell.exe
1068 | powershell.exe
1068 | powershell.exe
3660 | powershell.exe
360 | powershell.exe
3580 | powershell.exe
2904 | powershell.exe
1664 | powershell.exe
1464 | powershell.exe
1068 | powershell.exe
928 | fontdrvhost.exe
1428 | fontdrvhost.exe
3964 | fontdrvhost.exe
Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2204 | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Token: SeDebugPrivilege | 3660 | powershell.exe
Token: SeDebugPrivilege | 360 | powershell.exe
Token: SeDebugPrivilege | 3580 | powershell.exe
Token: SeDebugPrivilege | 1664 | powershell.exe
Token: SeDebugPrivilege | 2904 | powershell.exe
Token: SeDebugPrivilege | 1464 | powershell.exe
Token: SeDebugPrivilege | 1068 | powershell.exe
Token: SeDebugPrivilege | 928 | fontdrvhost.exe
Token: SeDebugPrivilege | 1428 | fontdrvhost.exe
Token: SeDebugPrivilege | 3964 | fontdrvhost.exe
Suspicious use of WriteProcessMemory 36 IoCs
description | pid | Process | procid_target
PID 2204 wrote to memory of 1068 | 2204 | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe | 109
PID 2204 wrote to memory of 1068 | 2204 | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe | 109
PID 2204 wrote to memory of 3660 | 2204 | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe | 110
PID 2204 wrote to memory of 3660 | 2204 | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe | 110
PID 2204 wrote to memory of 360 | 2204 | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe | 111
PID 2204 wrote to memory of 360 | 2204 | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe | 111
PID 2204 wrote to memory of 1464 | 2204 | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe | 112
PID 2204 wrote to memory of 1464 | 2204 | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe | 112
PID 2204 wrote to memory of 3580 | 2204 | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe | 113
PID 2204 wrote to memory of 3580 | 2204 | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe | 113
PID 2204 wrote to memory of 2904 | 2204 | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe | 114
PID 2204 wrote to memory of 2904 | 2204 | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe | 114
PID 2204 wrote to memory of 1664 | 2204 | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe | 115
PID 2204 wrote to memory of 1664 | 2204 | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe | 115
PID 2204 wrote to memory of 2600 | 2204 | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe | 122
PID 2204 wrote to memory of 2600 | 2204 | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe | 122
PID 2600 wrote to memory of 4676 | 2600 | cmd.exe | 125
PID 2600 wrote to memory of 4676 | 2600 | cmd.exe | 125
PID 2600 wrote to memory of 928 | 2600 | cmd.exe | 129
PID 2600 wrote to memory of 928 | 2600 | cmd.exe | 129
PID 928 wrote to memory of 3416 | 928 | fontdrvhost.exe | 130
PID 928 wrote to memory of 3416 | 928 | fontdrvhost.exe | 130
PID 928 wrote to memory of 2928 | 928 | fontdrvhost.exe | 131
PID 928 wrote to memory of 2928 | 928 | fontdrvhost.exe | 131
PID 3416 wrote to memory of 1428 | 3416 | WScript.exe | 134
PID 3416 wrote to memory of 1428 | 3416 | WScript.exe | 134
PID 1428 wrote to memory of 3244 | 1428 | fontdrvhost.exe | 135
PID 1428 wrote to memory of 3244 | 1428 | fontdrvhost.exe | 135
PID 1428 wrote to memory of 1952 | 1428 | fontdrvhost.exe | 136
PID 1428 wrote to memory of 1952 | 1428 | fontdrvhost.exe | 136
PID 3244 wrote to memory of 3964 | 3244 | WScript.exe | 137
PID 3244 wrote to memory of 3964 | 3244 | WScript.exe | 137
PID 3964 wrote to memory of 392 | 3964 | fontdrvhost.exe | 138
PID 3964 wrote to memory of 392 | 3964 | fontdrvhost.exe | 138
PID 3964 wrote to memory of 4520 | 3964 | fontdrvhost.exe | 139
PID 3964 wrote to memory of 4520 | 3964 | fontdrvhost.exe | 139
System policy modification 1 TTPs 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fontdrvhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | fontdrvhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | fontdrvhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | fontdrvhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fontdrvhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | fontdrvhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fontdrvhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | fontdrvhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | fontdrvhost.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe (level 1, PID 2204)
  command: "C:\Users\Admin\AppData\Local\Temp\f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe"
  - UAC bypass
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 1068)
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 3660)
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\smss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 360)
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 1464)
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\RuntimeBroker.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 3580)
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 2904)
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 1664)
    command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\cmd.exe (level 2, PID 2600)
    command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GzNm8d7cL0.bat"
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\w32tm.exe (level 3, PID 4676)
      command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    C:\Recovery\WindowsRE\fontdrvhost.exe (level 3, PID 928)
      command: "C:\Recovery\WindowsRE\fontdrvhost.exe"
      - UAC bypass
      - Checks computer location settings
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      C:\Windows\System32\WScript.exe (level 4, PID 3416)
        command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77b03e35-0451-4371-8fd8-0ff63a69da4a.vbs"
        - Suspicious use of WriteProcessMemory
        C:\Recovery\WindowsRE\fontdrvhost.exe (level 5, PID 1428)
          command: C:\Recovery\WindowsRE\fontdrvhost.exe
          - UAC bypass
          - Checks computer location settings
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
          C:\Windows\System32\WScript.exe (level 6, PID 3244)
            command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e59a0f2-e300-446c-af38-d7af3d5d19c3.vbs"
            - Suspicious use of WriteProcessMemory
            C:\Recovery\WindowsRE\fontdrvhost.exe (level 7, PID 3964)
              command: C:\Recovery\WindowsRE\fontdrvhost.exe
              - UAC bypass
              - Checks computer location settings
              - Executes dropped EXE
              - Checks whether UAC is enabled
              - Modifies registry class
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              - System policy modification
              C:\Windows\System32\WScript.exe (level 8, PID 392)
                command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87222994-ea78-41c5-bf90-3f3ea8c1e731.vbs"
              C:\Windows\System32\WScript.exe (level 8, PID 4520)
                command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80bece52-b31a-4ee6-865b-420477439eb4.vbs"
          C:\Windows\System32\WScript.exe (level 6, PID 1952)
            command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c902d54c-6ba7-4aac-8354-85b9a965269b.vbs"
      C:\Windows\System32\WScript.exe (level 4, PID 2928)
        command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0260fd4f-e7df-44f1-8475-65644f21a53d.vbs"
C:\Windows\system32\schtasks.exe (level 1, PID 4268)
  command: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe (level 1, PID 2464)
  command: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe (level 1, PID 4688)
  command: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe (level 1, PID 5104)
  command: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe (level 1, PID 2592)
  command: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe (level 1, PID 1436)
  command: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe (level 1, PID 3416)
  command: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe (level 1, PID 3960)
  command: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe (level 1, PID 1692)
  command: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe (level 1, PID 2944)
  command: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe (level 1, PID 3484)
  command: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe (level 1, PID 2060)
  command: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe (level 1, PID 2996)
  command: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe (level 1, PID 4896)
  command: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe (level 1, PID 4532)
  command: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe (level 1, PID 4668)
  command: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe (level 1, PID 3368)
  command: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\schtasks.exe (level 1, PID 3328)
  command: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads