Analysis
- max time kernel: 141s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 18-11-2024 08:33
Static task: static1
Behavioral task: behavioral1
- Sample: 2d756772bc00e5778d794c107358ddf7.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 2d756772bc00e5778d794c107358ddf7.exe
- Resource: win10v2004-20241007-en
General
- Target: 2d756772bc00e5778d794c107358ddf7.exe
- Size: 1.9MB
- MD5: 2d756772bc00e5778d794c107358ddf7
- SHA1: 77229fc9ceeb137c6644a4fa3085aecabaf94ec3
- SHA256: a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469
- SHA512: 31fae1a50618ed221cef3bfc72a017e8e925c3aa2bac727040ee655d9dff567813e91d76fecda0478653d50b8061481447ded77939b94e1ec823c3419b68c783
- SSDEEP: 24576:S1cKuEoW9iN0TvOJcaCXMgg2Suqp6Nheem6Vuuean7WiOLYGhYJG9oQpyhctpnWq:wb24KbkglgVMm9OAG9oMgctpnW5yI4
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
Dcrat family
Modifies WinLogon for persistence 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Windows\\Offline Web Pages\\lsm.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\"" | 2d756772bc00e5778d794c107358ddf7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Windows\\Offline Web Pages\\lsm.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\", \"C:\\Program Files\\Windows Mail\\en-US\\spoolsv.exe\"" | 2d756772bc00e5778d794c107358ddf7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Windows\\Offline Web Pages\\lsm.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\", \"C:\\Program Files\\Windows Mail\\en-US\\spoolsv.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\WmiPrvSE.exe\"" | 2d756772bc00e5778d794c107358ddf7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Windows\\Offline Web Pages\\lsm.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\", \"C:\\Program Files\\Windows Mail\\en-US\\spoolsv.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\2d756772bc00e5778d794c107358ddf7.exe\"" | 2d756772bc00e5778d794c107358ddf7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\"" | 2d756772bc00e5778d794c107358ddf7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\", \"C:\\Windows\\Offline Web Pages\\lsm.exe\"" | 2d756772bc00e5778d794c107358ddf7.exe
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2288 | 2864 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2840 | 2864 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2916 | 2864 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2680 | 2864 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2876 | 2864 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 600 | 2864 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2928 | 2864 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3052 | 2864 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 608 | 2864 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1672 | 2864 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2764 | 2864 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2912 | 2864 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 468 | 2864 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 840 | 2864 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1992 | 2864 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2600 | 2864 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3060 | 2864 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2200 | 2864 | schtasks.exe | 31
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
2656 | powershell.exe
1496 | powershell.exe
1448 | powershell.exe
1312 | powershell.exe
1460 | powershell.exe
1932 | powershell.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 12 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\WmiPrvSE.exe\"" | 2d756772bc00e5778d794c107358ddf7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\WmiPrvSE.exe\"" | 2d756772bc00e5778d794c107358ddf7.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\2d756772bc00e5778d794c107358ddf7 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2d756772bc00e5778d794c107358ddf7.exe\"" | 2d756772bc00e5778d794c107358ddf7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2d756772bc00e5778d794c107358ddf7 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2d756772bc00e5778d794c107358ddf7.exe\"" | 2d756772bc00e5778d794c107358ddf7.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\"" | 2d756772bc00e5778d794c107358ddf7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Offline Web Pages\\lsm.exe\"" | 2d756772bc00e5778d794c107358ddf7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Mail\\en-US\\spoolsv.exe\"" | 2d756772bc00e5778d794c107358ddf7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\"" | 2d756772bc00e5778d794c107358ddf7.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Mail\\en-US\\spoolsv.exe\"" | 2d756772bc00e5778d794c107358ddf7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\explorer.exe\"" | 2d756772bc00e5778d794c107358ddf7.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\Offline Web Pages\\lsm.exe\"" | 2d756772bc00e5778d794c107358ddf7.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\"" | 2d756772bc00e5778d794c107358ddf7.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
12 | ipinfo.io
13 | ipinfo.io
4 | ipinfo.io
5 | ipinfo.io
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | \??\c:\Windows\System32\CSC6961F89841684B4D89B24643C968758.TMP | csc.exe
File created | \??\c:\Windows\System32\3kmwe8.exe | csc.exe
Drops file in Program Files directory 5 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\WmiPrvSE.exe | 2d756772bc00e5778d794c107358ddf7.exe
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\WmiPrvSE.exe | 2d756772bc00e5778d794c107358ddf7.exe
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\24dbde2999530e | 2d756772bc00e5778d794c107358ddf7.exe
File created | C:\Program Files\Windows Mail\en-US\spoolsv.exe | 2d756772bc00e5778d794c107358ddf7.exe
File created | C:\Program Files\Windows Mail\en-US\f3b6ecef712a24 | 2d756772bc00e5778d794c107358ddf7.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\servicing\de-DE\audiodg.exe | 2d756772bc00e5778d794c107358ddf7.exe
File created | C:\Windows\Offline Web Pages\lsm.exe | 2d756772bc00e5778d794c107358ddf7.exe
File created | C:\Windows\Offline Web Pages\101b941d020240 | 2d756772bc00e5778d794c107358ddf7.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
2068 | PING.EXE
Modifies system certificate store 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | 2d756772bc00e5778d794c107358ddf7.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] | 2d756772bc00e5778d794c107358ddf7.exe
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
2068 | PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3052 | schtasks.exe
1672 | schtasks.exe
468 | schtasks.exe
2200 | schtasks.exe
2876 | schtasks.exe
2928 | schtasks.exe
1992 | schtasks.exe
2600 | schtasks.exe
2916 | schtasks.exe
608 | schtasks.exe
2764 | schtasks.exe
2840 | schtasks.exe
2680 | schtasks.exe
2912 | schtasks.exe
840 | schtasks.exe
3060 | schtasks.exe
2288 | schtasks.exe
600 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1224 | 2d756772bc00e5778d794c107358ddf7.exe (the same entry is recorded 64 times)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2172 | 2d756772bc00e5778d794c107358ddf7.exe
Suspicious use of AdjustPrivilegeToken 8 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1224 | 2d756772bc00e5778d794c107358ddf7.exe
Token: SeDebugPrivilege | 1932 | powershell.exe
Token: SeDebugPrivilege | 1460 | powershell.exe
Token: SeDebugPrivilege | 1448 | powershell.exe
Token: SeDebugPrivilege | 1496 | powershell.exe
Token: SeDebugPrivilege | 2656 | powershell.exe
Token: SeDebugPrivilege | 1312 | powershell.exe
Token: SeDebugPrivilege | 2172 | 2d756772bc00e5778d794c107358ddf7.exe
Suspicious use of WriteProcessMemory 36 IoCs
Each row below is recorded three times in the report.
description | pid | Process | procid_target
PID 1224 wrote to memory of 1716 | 1224 | 2d756772bc00e5778d794c107358ddf7.exe | 35
PID 1716 wrote to memory of 2564 | 1716 | csc.exe | 37
PID 1224 wrote to memory of 1448 | 1224 | 2d756772bc00e5778d794c107358ddf7.exe | 53
PID 1224 wrote to memory of 1496 | 1224 | 2d756772bc00e5778d794c107358ddf7.exe | 54
PID 1224 wrote to memory of 2656 | 1224 | 2d756772bc00e5778d794c107358ddf7.exe | 55
PID 1224 wrote to memory of 1932 | 1224 | 2d756772bc00e5778d794c107358ddf7.exe | 57
PID 1224 wrote to memory of 1460 | 1224 | 2d756772bc00e5778d794c107358ddf7.exe | 58
PID 1224 wrote to memory of 1312 | 1224 | 2d756772bc00e5778d794c107358ddf7.exe | 60
PID 1224 wrote to memory of 2156 | 1224 | 2d756772bc00e5778d794c107358ddf7.exe | 65
PID 2156 wrote to memory of 768 | 2156 | cmd.exe | 67
PID 2156 wrote to memory of 2068 | 2156 | cmd.exe | 68
PID 2156 wrote to memory of 2172 | 2156 | cmd.exe | 69
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\2d756772bc00e5778d794c107358ddf7.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\2d756772bc00e5778d794c107358ddf7.exe"
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1224
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (depth 2)
  Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tomytjwq\tomytjwq.cmdline"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1716
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (depth 3)
    Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEBD5.tmp" "c:\Windows\System32\CSC6961F89841684B4D89B24643C968758.TMP"
    PID:2564
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1448
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\lsm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1496
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\spoolsv.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\WmiPrvSE.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1460
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2d756772bc00e5778d794c107358ddf7.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1312
  C:\Windows\System32\cmd.exe (depth 2)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ihrXNJRNhj.bat"
  - Suspicious use of WriteProcessMemory
  PID:2156
    C:\Windows\system32\chcp.com (depth 3)
    Command line: chcp 65001
    PID:768
    C:\Windows\system32\PING.EXE (depth 3)
    Command line: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2068
    C:\Users\Admin\AppData\Local\Temp\2d756772bc00e5778d794c107358ddf7.exe (depth 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2d756772bc00e5778d794c107358ddf7.exe"
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2172
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\Offline Web Pages\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\Offline Web Pages\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\en-US\spoolsv.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:608
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\en-US\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "2d756772bc00e5778d794c107358ddf72" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\2d756772bc00e5778d794c107358ddf7.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "2d756772bc00e5778d794c107358ddf7" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\2d756772bc00e5778d794c107358ddf7.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060
C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "2d756772bc00e5778d794c107358ddf72" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\2d756772bc00e5778d794c107358ddf7.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Modify Registry (3)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
- Filesize: 1.9MB
  MD5: 2d756772bc00e5778d794c107358ddf7
  SHA1: 77229fc9ceeb137c6644a4fa3085aecabaf94ec3
  SHA256: a7f4c48301ad6b01c8777427eaceb965a9e0c14d493f44d1dea4f8d498123469
  SHA512: 31fae1a50618ed221cef3bfc72a017e8e925c3aa2bac727040ee655d9dff567813e91d76fecda0478653d50b8061481447ded77939b94e1ec823c3419b68c783
- Filesize: 1KB
  MD5: b8e3cf6edbdb16182ea2d56791f9ae86
  SHA1: b84beae3db6ddc55e68e9d8856e20e1a691461a8
  SHA256: 3c5b849708aae845342331a2cfd1e2053abf4f916dc49cf6d783a2b25f286f67
  SHA512: c47454f39848614d2848fcef5e9301d459eb0ebb363f0bfb3ad514d2bb651f96ab26568397d7f45833971466ca5429d136e0156272efdcc9e55fe22032620994
- Filesize: 198B
  MD5: 2ecf2b4b73c45890d4a432ba54421f85
  SHA1: cba4e53861929528ac522d38350804f28b956f35
  SHA256: b2336fb8cae429cbb6d4b68fb2ebe85b37a67f31a74db8378173987e85aec678
  SHA512: dc8d76f82690bba4219a9e34cd4b9c43a55c68ee293383bd00980142006cc4f105147ad0f0e685cdbe32672b602db6dff4487e0411f57b2c94c6fbeff1f42fad
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6WXPNZMHJZYG3STGHQ8A.temp
  Filesize: 7KB
  MD5: 064d8cbf714365db29f0c6c9d9092198
  SHA1: 445b9a9d2fb794a2d8daf1ab5b7c41d0017ede00
  SHA256: acfd951aa5f2eaba6239ba51b047fa76565757068f5ea9e3fbeb63b9de96c120
  SHA512: 9b8b475453a738ef0b5efa4f0c01f6e69d54c644eb5bb702af46dcc7eee817ae4e6dd674b0cf53e1a7cac8c1bdbd89f81ba18f1f835fbbcd8f3be9ff950c6a73
- Filesize: 393B
  MD5: 859434cc986548e4cc12a985ed4b9d7c
  SHA1: 0e55adb128c730132932e22c2d09b051b78edc6e
  SHA256: ac030dfc7d98613ab929c99061204181cc62e680f92bc50b0a135c7110c19e41
  SHA512: d84d78fbb996165939d4e1f34f489db008f227dc1b8a2af1dc32039db7cac351ae74b3cdbb3b0bf709dc51a4ecceb230e05158a041465d430a346ea5dd708559
- Filesize: 235B
  MD5: 0e04494545208ea9d6abf4b3d94135a0
  SHA1: 5f7a57fde8d272d951973865d75d1c9e1ac3e016
  SHA256: 797402ebf9e8289bdc5927630b32b0d456eb8be0a29e526fa9652c4210caea70
  SHA512: 94bb0632f35e310ec5dc4a5f4f3a92876fa23428f08181a1e398fc6792ea6da851bc18b14f75432b7f3fdc24d54b7c5bcbace430dacd38bbe1b45654195e2663
- Filesize: 1KB
  MD5: 8c85ef91c6071d33745325a8fa351c3e
  SHA1: e3311ceef28823eec99699cc35be27c94eca52d2
  SHA256: 8db3e3a5515da1933036688a9b1918cfc3339fc687008c5325461271904b2d41
  SHA512: 2bb89b07fe46b1c406ed6a560e88cb2b8402b1d61bb71e10887bad661751f64f1e5317fd6c1b301ea4766785b915da31b64e0475cfe36c1f950b32915b5dab7d