Analysis
max time kernel: 150s
max time network: 156s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 27-11-2024 16:54
Behavioral task: behavioral1
Sample: 078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd.exe
Resource: win10v2004-20241007-en
General
Target: 078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd.exe
Size: 3.6MB
MD5: 646a50d060ae1b649f0ca735aabf5744
SHA1: a666932e153ef1d2c2463009e0df4de9bdf73322
SHA256: 078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd
SHA512: 0872641f90557c8ab8dd015b9486061b85a48ab7db06a74f6787ab87685f2bb6358eda822ba16757a7b6fc8fe1744a831ea76f47d6130225596a285bf9dd1f4c
SSDEEP: 98304:EbRxeIaNRcgnk9MO32RzRpAH267w3adH2fte4I/Bu:E+IoREF32B67wuH2I5/M
Malware Config
Signatures
DcRat 46 IoCs
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Dcrat family
Modifies WinLogon for persistence 2 TTPs 15 IoCs
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Executes dropped EXE 8 IoCs
Processes:
pid   Process
2864  chainagent.exe
1444  chainagent.exe
948   chainagent.exe
2064  OSPPSVC.exe
1464  OSPPSVC.exe
2288  OSPPSVC.exe
2256  OSPPSVC.exe
308   OSPPSVC.exe
Loads dropped DLL 2 IoCs
Processes:
pid   Process
2880  cmd.exe
2880  cmd.exe
Adds Run key to start application 2 TTPs 30 IoCs
Drops file in Program Files directory 6 IoCs
Processes:
description   ioc   Process
File created  C:\Program Files\Windows NT\Accessories\ja-JP\b75386f1303e64  chainagent.exe
File created  C:\Program Files (x86)\Windows Portable Devices\winlogon.exe  chainagent.exe
File created  C:\Program Files (x86)\Windows Portable Devices\cc11b995f2a76d  chainagent.exe
File created  C:\Program Files\Java\jre7\bin\dwm.exe  chainagent.exe
File created  C:\Program Files\Java\jre7\bin\6cb0b6c459d5d3  chainagent.exe
File created  C:\Program Files\Windows NT\Accessories\ja-JP\taskhost.exe  chainagent.exe
Drops file in Windows directory 5 IoCs
Processes:
description   ioc   Process
File created  C:\Windows\RemotePackages\RemoteApps\WmiPrvSE.exe  chainagent.exe
File opened for modification  C:\Windows\RemotePackages\RemoteApps\WmiPrvSE.exe  chainagent.exe
File created  C:\Windows\RemotePackages\RemoteApps\24dbde2999530e  chainagent.exe
File created  C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationUI\93309b55a9caa04c2f4fe06c13438631\csrss.exe  chainagent.exe
File created  C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationUI\93309b55a9caa04c2f4fe06c13438631\886983d96e3d3e  chainagent.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
Processes:
description   ioc   Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (45 instances; columns: pid, Process)
- PIDs (all schtasks.exe): 2664, 1476, 2868, 2796, 2692, 2112, 2228, 1092, 1464, 1120, 2792, 592, 2496, 1924, 1756, 1636, 1608, 2236, 1376, 2368, 940, 2188, 396, 2424, 868, 1144, 2288, 1156, 2960, 1088, 928, 2828, 2472, 2092, 2304, 1592, 1076, 2900, 2324, 2928, 2360, 2252, 1104, 2404, 2024
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: chainagent.exe (3 instances), OSPPSVC.exe (columns: pid, Process; repeated entries collapsed with their count, 64 in total)
- 2864 chainagent.exe: 7 entries
- 1444 chainagent.exe: 5 entries
- 948 chainagent.exe: 11 entries
- 2064 OSPPSVC.exe: 41 entries
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes: chainagent.exe (3 instances), OSPPSVC.exe (5 instances) (columns: description, pid, Process)
- Token: SeDebugPrivilege, 2864 chainagent.exe
- Token: SeDebugPrivilege, 1444 chainagent.exe
- Token: SeDebugPrivilege, 948 chainagent.exe
- Token: SeDebugPrivilege, 2064 OSPPSVC.exe
- Token: SeDebugPrivilege, 1464 OSPPSVC.exe
- Token: SeDebugPrivilege, 2288 OSPPSVC.exe
- Token: SeDebugPrivilege, 2256 OSPPSVC.exe
- Token: SeDebugPrivilege, 308 OSPPSVC.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (16): 078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd.exe, WScript.exe (4 instances), cmd.exe (3 instances), chainagent.exe (3 instances), OSPPSVC.exe (5 instances)
Columns: description, pid, Process, procid_target; identical repeated entries are collapsed with their count (64 entries in total):
- PID 3000 wrote to memory of 2964 (078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd.exe, procid_target 29), x4
- PID 2964 wrote to memory of 2880 (WScript.exe, procid_target 30), x4
- PID 2880 wrote to memory of 2864 (cmd.exe, procid_target 32), x4
- PID 2864 wrote to memory of 1444 (chainagent.exe, procid_target 40), x3
- PID 1444 wrote to memory of 1992 (chainagent.exe, procid_target 50), x3
- PID 1992 wrote to memory of 2084 (cmd.exe, procid_target 52), x3
- PID 1992 wrote to memory of 948 (cmd.exe, procid_target 53), x3
- PID 948 wrote to memory of 2736 (chainagent.exe, procid_target 84), x3
- PID 2736 wrote to memory of 3068 (cmd.exe, procid_target 86), x3
- PID 2736 wrote to memory of 2064 (cmd.exe, procid_target 87), x3
- PID 2064 wrote to memory of 1960 (OSPPSVC.exe, procid_target 88), x3
- PID 1960 wrote to memory of 1464 (WScript.exe, procid_target 89), x3
- PID 1464 wrote to memory of 1780 (OSPPSVC.exe, procid_target 90), x3
- PID 1464 wrote to memory of 2948 (OSPPSVC.exe, procid_target 91), x3
- PID 2288 wrote to memory of 1652 (OSPPSVC.exe, procid_target 93), x3
- PID 2288 wrote to memory of 1152 (OSPPSVC.exe, procid_target 94), x3
- PID 1652 wrote to memory of 2256 (WScript.exe, procid_target 95), x3
- PID 2256 wrote to memory of 2736 (OSPPSVC.exe, procid_target 96), x3
- PID 2256 wrote to memory of 2292 (OSPPSVC.exe, procid_target 97), x3
- PID 2736 wrote to memory of 308 (WScript.exe, procid_target 98), x3
- PID 308 wrote to memory of 2672 (OSPPSVC.exe, procid_target 99), x1
System policy modification 1 TTPs 24 IoCs
Processes: chainagent.exe (3 instances), OSPPSVC.exe (5 instances)
Columns: description, ioc, Process; identical repeated entries are collapsed with their count (24 entries in total):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0": chainagent.exe (3 entries), OSPPSVC.exe (5 entries)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0": chainagent.exe (3 entries), OSPPSVC.exe (5 entries)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0": chainagent.exe (3 entries), OSPPSVC.exe (5 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd.exe"C:\Users\Admin\AppData\Local\Temp\078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd.exe"1⤵
- DcRat
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\fontMonitor\GFcBidplGj1mDhuTvzK8nh.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\fontMonitor\B6f2SnQ47.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\fontMonitor\chainagent.exe"C:\fontMonitor\chainagent.exe"4⤵
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2864 -
C:\fontMonitor\chainagent.exe"C:\fontMonitor\chainagent.exe"5⤵
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1444 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YUrHysCUSm.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:2084
C:\fontMonitor\chainagent.exe"C:\fontMonitor\chainagent.exe"7⤵
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:948 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ud3mmyLrwN.bat"8⤵
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:3068
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe"C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe"9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2064 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6777d3d4-48fe-4742-a080-7e0d152a3223.vbs"10⤵
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exeC:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1464 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8aa07ea-672e-4961-b5ca-4aba837aa92c.vbs"12⤵PID:1780
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exeC:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2288 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a4d56ef-62fc-466c-880b-a836589659d0.vbs"14⤵
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exeC:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2256 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4eeb2f16-ef38-4659-b8dd-730747ef3b91.vbs"16⤵
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exeC:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe17⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:308 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eee00b5c-5a15-4655-acfd-3075ffc51171.vbs"18⤵PID:2672
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbe679f2-6c3f-43c8-9772-fb5c538633b2.vbs"18⤵PID:3004
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c18ed6e5-2855-49db-ba54-82046e6a8aaa.vbs"16⤵PID:2292
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53beed78-3c88-41bd-a3d2-53731f85e888.vbs"14⤵PID:1152
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7ecd642-19a3-470f-98c7-13e660dccc3c.vbs"12⤵PID:2948
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\fontMonitor\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\fontMonitor\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\fontMonitor\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\RemotePackages\RemoteApps\WmiPrvSE.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\RemotePackages\RemoteApps\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\Sample Pictures\taskhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\Sample Pictures\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\taskhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\taskhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\lsm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre7\bin\dwm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jre7\bin\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chainagentc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\chainagent.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chainagent" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\chainagent.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "chainagentc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\chainagent.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationUI\93309b55a9caa04c2f4fe06c13438631\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationUI\93309b55a9caa04c2f4fe06c13438631\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationUI\93309b55a9caa04c2f4fe06c13438631\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (4)
Downloads