Analysis
max time kernel: 133s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-12-2024 10:05

Behavioral task: behavioral1
  Sample: Neverlose.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: Neverlose.exe
  Resource: win10v2004-20241007-en

General
Target: Neverlose.exe
Size: 2.6MB
MD5: 1924cb0ae8b7ccca9e8030087ecc5a94
SHA1: a1f4565cb089b27fd3deacd0fd93733f8f0f4c32
SHA256: ffc00ef9763576969540d6f2d16a929bad4c3ffc9f4e97cf60206f56a2a7718d
SHA512: 46ac86ae174c77cd3c81a63a6bce589260a4412d29d4704caa8bc4a064d62859f37fdfb2f5dea48e3c415c5db074f964af732c34b0e2e2ea56db6505124d33ad
SSDEEP: 49152:ubA3jHZLMGaxfSIkbO+7+KrktBibbg8LU7x/5uzMk+:ub4Z4Bxqg4rkvibb1Yt5u1+
Malware Config
Signatures
DcRat  59 IoCs
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
  schtasks.exe processes (57, PID): 3416, 3348, 776, 636, 4696, 4956, 3732, 4340, 760, 2372, 3272, 4584, 1712, 976, 4688, 672, 452, 5060, 3684, 732, 4420, 4472, 4080, 2980, 1104, 3376, 3144, 5096, 5112, 3512, 3516, 436, 4400, 2716, 540, 3672, 4376, 3404, 2996, 2844, 3956, 3988, 2384, 4964, 2296, 1988, 2532, 2236, 1876, 1516, 2992, 2800, 864, 4288, 3236, 4680, 3968 (the same 57 PIDs are listed under "Scheduled Task/Job" below)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (Neverlose.exe)
  File created: C:\Program Files\Windows Portable Devices\121e5b5079f7c0  (Winmonitordhcp.exe)
Dcrat family
Modifies WinLogon for persistence  2 TTPs  19 IoCs
All 19 writes are made by Winmonitordhcp.exe to the string value \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell. Each write appends one more quoted path after the legitimate explorer.exe, so the 19 logged values are exactly the 19 prefixes (length 1 to 19) of the final list. On a default install this value is just explorer.exe; every extra entry is launched by Winlogon at each interactive logon. Paths in append order:
   1. C:\Program Files\Windows Portable Devices\sysmon.exe
   2. C:\Users\Default User\SppExtComObj.exe
   3. C:\Program Files\Windows Photo Viewer\uk-UA\smss.exe
   4. C:\Users\Default\My Documents\fontdrvhost.exe
   5. C:\Recovery\WindowsRE\wininit.exe
   6. C:\Program Files (x86)\Windows Media Player\Visualizations\smss.exe
   7. C:\Program Files\Windows Photo Viewer\uk-UA\conhost.exe
   8. C:\Windows\Migration\WTR\Idle.exe
   9. C:\mIIccrosoft\SppExtComObj.exe
  10. C:\Program Files (x86)\Google\Temp\upfc.exe
  11. C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\System.exe
  12. C:\Recovery\WindowsRE\RuntimeBroker.exe
  13. C:\Users\Default User\smss.exe
  14. C:\Program Files\Windows Sidebar\conhost.exe
  15. C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\explorer.exe
  16. C:\Users\Default User\services.exe
  17. C:\Users\All Users\spoolsv.exe
  18. C:\Recovery\WindowsRE\services.exe
  19. C:\Windows\fr-FR\winlogon.exe
Final value (shown unescaped, as stored in the registry):
  Shell = explorer.exe, "C:\Program Files\Windows Portable Devices\sysmon.exe", "C:\Users\Default User\SppExtComObj.exe", "C:\Program Files\Windows Photo Viewer\uk-UA\smss.exe", "C:\Users\Default\My Documents\fontdrvhost.exe", "C:\Recovery\WindowsRE\wininit.exe", "C:\Program Files (x86)\Windows Media Player\Visualizations\smss.exe", "C:\Program Files\Windows Photo Viewer\uk-UA\conhost.exe", "C:\Windows\Migration\WTR\Idle.exe", "C:\mIIccrosoft\SppExtComObj.exe", "C:\Program Files (x86)\Google\Temp\upfc.exe", "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\System.exe", "C:\Recovery\WindowsRE\RuntimeBroker.exe", "C:\Users\Default User\smss.exe", "C:\Program Files\Windows Sidebar\conhost.exe", "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\explorer.exe", "C:\Users\Default User\services.exe", "C:\Users\All Users\spoolsv.exe", "C:\Recovery\WindowsRE\services.exe", "C:\Windows\fr-FR\winlogon.exe"
Process spawned unexpected child process  57 IoCs
Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 1528) is not expected to spawn this process. All 57 children are schtasks.exe (procid_target 90). The sandbox's generic explanation for this signature ("the parent process was compromised via an exploit or macro") fits Office or browser parents, not this one: WmiPrvSE.exe is the parent of any process created through WMI (Win32_Process.Create), so a burst of schtasks.exe under one WmiPrvSE.exe instance indicates that the sample is creating its scheduled tasks through WMI, not that wmiprvse.exe itself was exploited.
  Child schtasks.exe PIDs: 4584, 4680, 3956, 1712, 5060, 3516, 732, 2384, 864, 3236, 2532, 2800, 4288, 1104, 2236, 3272, 3348, 3404, 3684, 3512, 4472, 3376, 976, 4688, 4956, 2716, 1876, 3732, 4964, 776, 3144, 436, 672, 540, 3672, 5096, 4080, 2996, 3988, 2296, 4376, 4420, 760, 2372, 4340, 1516, 2980, 4400, 3416, 2992, 1988, 452, 636, 3968, 5112, 2844, 4696
YARA matches (resource, rule):
  behavioral2/files/0x0007000000023c88-10.dat  dcrat
  behavioral2/memory/464-13-0x0000000000950000-0x0000000000BA0000-memory.dmp  dcrat  (PID 464 is Winmonitordhcp.exe, see "Executes dropped EXE")
Disables Task Manager via registry modification
Checks computer location settings  2 TTPs  3 IoCs
Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation
    by WScript.exe, Winmonitordhcp.exe and Neverlose.exe
Executes dropped EXE  2 IoCs
  PID 464   Winmonitordhcp.exe
  PID 4264  conhost.exe
Reads user/profile data of web browsers  3 TTPs
Infostealers often target stored browser data, which can include saved credentials. No individual IoCs for this signature are shown in the report.
Adds Run key to start application  2 TTPs  38 IoCs
All 38 writes are by Winmonitordhcp.exe. Each of the 19 dropped copies is registered twice, with the same value name and the same quoted path (type string), under both
  HKLM: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  HKCU: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  value name     data
  wininit        "C:\Recovery\WindowsRE\wininit.exe"
  upfc           "C:\Program Files (x86)\Google\Temp\upfc.exe"
  System         "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\System.exe"
  smss           "C:\Users\Default User\smss.exe"
  services       "C:\Users\Default User\services.exe"
  sysmon         "C:\Program Files\Windows Portable Devices\sysmon.exe"
  smss           "C:\Program Files\Windows Photo Viewer\uk-UA\smss.exe"
  fontdrvhost    "C:\Users\Default\My Documents\fontdrvhost.exe"
  RuntimeBroker  "C:\Recovery\WindowsRE\RuntimeBroker.exe"
  spoolsv        "C:\Users\All Users\spoolsv.exe"
  SppExtComObj   "C:\mIIccrosoft\SppExtComObj.exe"
  conhost        "C:\Program Files\Windows Sidebar\conhost.exe"
  explorer       "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\explorer.exe"
  smss           "C:\Program Files (x86)\Windows Media Player\Visualizations\smss.exe"
  SppExtComObj   "C:\Users\Default User\SppExtComObj.exe"
  Idle           "C:\Windows\Migration\WTR\Idle.exe"
  winlogon       "C:\Windows\fr-FR\winlogon.exe"
  conhost        "C:\Program Files\Windows Photo Viewer\uk-UA\conhost.exe"
  services       "C:\Recovery\WindowsRE\services.exe"
These are the same 19 paths that are appended to Winlogon\Shell above. Note that the value names repeat (smss three times, services, conhost and SppExtComObj twice each): a registry key holds one value per name, so within each hive only the last write of a repeated name survives, and the final Run key contains fewer than 19 entries even though 19 writes were logged.
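The two registry mechanisms above are what a responder would check first on a host suspected of running this sample. The following Python audit is an added example, not part of the sandbox report or of the sample: it parses a Winlogon\Shell value the way the registry stores it (comma-separated, quoted paths), extracts the target executable from Run-key data, flags entries that reuse a Windows system-binary name outside the directories that binary lives in, and cross-references the two mechanisms. The Shell string is the final value from this report; the Run entries are a constructed subset of the report's writes plus one invented benign OneDrive entry; the name list and directory list are assumptions chosen for this sample, not a complete inventory of Windows binaries.

```python
import csv
import ntpath

# Final Winlogon\Shell value from the report, unescaped as the registry stores it:
# the legitimate explorer.exe followed by the 19 appended paths.
SHELL_VALUE = (
    r'explorer.exe, "C:\Program Files\Windows Portable Devices\sysmon.exe", '
    r'"C:\Users\Default User\SppExtComObj.exe", '
    r'"C:\Program Files\Windows Photo Viewer\uk-UA\smss.exe", '
    r'"C:\Users\Default\My Documents\fontdrvhost.exe", '
    r'"C:\Recovery\WindowsRE\wininit.exe", '
    r'"C:\Program Files (x86)\Windows Media Player\Visualizations\smss.exe", '
    r'"C:\Program Files\Windows Photo Viewer\uk-UA\conhost.exe", '
    r'"C:\Windows\Migration\WTR\Idle.exe", '
    r'"C:\mIIccrosoft\SppExtComObj.exe", '
    r'"C:\Program Files (x86)\Google\Temp\upfc.exe", '
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\System.exe", '
    r'"C:\Recovery\WindowsRE\RuntimeBroker.exe", '
    r'"C:\Users\Default User\smss.exe", '
    r'"C:\Program Files\Windows Sidebar\conhost.exe", '
    r'"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\explorer.exe", '
    r'"C:\Users\Default User\services.exe", '
    r'"C:\Users\All Users\spoolsv.exe", '
    r'"C:\Recovery\WindowsRE\services.exe", '
    r'"C:\Windows\fr-FR\winlogon.exe"'
)

# Constructed Run-key entries (hive, value name, data): four writes taken from the
# report and one invented benign entry (OneDrive) that is not from the report.
RUN_ENTRIES = [
    ("HKLM", "wininit", r'"C:\Recovery\WindowsRE\wininit.exe"'),
    ("HKCU", "wininit", r'"C:\Recovery\WindowsRE\wininit.exe"'),
    ("HKLM", "upfc", r'"C:\Program Files (x86)\Google\Temp\upfc.exe"'),
    ("HKCU", "upfc", r'"C:\Program Files (x86)\Google\Temp\upfc.exe"'),
    ("HKCU", "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

# Assumed lists for this sample: names of real Windows binaries the dropped copies
# borrow, and the only directories those binaries legitimately live in.
SYSTEM_BINARY_NAMES = {"smss.exe", "wininit.exe", "services.exe", "winlogon.exe",
                       "conhost.exe", "fontdrvhost.exe", "runtimebroker.exe", "spoolsv.exe",
                       "sppextcomobj.exe", "upfc.exe", "explorer.exe", "sihost.exe"}
SYSTEM_BINARY_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}


def parse_shell(value):
    """Split a Winlogon\\Shell value into entries; quoted paths may contain commas."""
    fields = next(csv.reader([value], skipinitialspace=True))
    return [f.strip() for f in fields if f.strip()]


def run_target(data):
    """Return the executable path from Run data of the form "path" args or path args."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.index('"', 1)]
    return data.split(" ", 1)[0]


def is_masquerading(path):
    """True when a system-binary name sits outside the directories it belongs in."""
    directory, name = ntpath.split(path)
    return name.lower() in SYSTEM_BINARY_NAMES and directory.lower() not in SYSTEM_BINARY_DIRS


def audit(shell_value, run_entries):
    shell_extra = [e for e in parse_shell(shell_value) if e.lower() != "explorer.exe"]
    hives_by_entry = {}
    for hive, name, data in run_entries:
        hives_by_entry.setdefault((name.lower(), run_target(data).lower()), set()).add(hive)
    mirrored = sorted(name for (name, _), hives in hives_by_entry.items()
                      if {"HKLM", "HKCU"} <= hives)
    run_paths = {run_target(data) for _, _, data in run_entries}
    masquerading = sorted({p for p in shell_extra + sorted(run_paths) if is_masquerading(p)},
                          key=str.lower)
    in_both = sorted({p.lower() for p in shell_extra} & {p.lower() for p in run_paths})
    return {"shell_extra": shell_extra, "masquerading": masquerading,
            "mirrored_run": mirrored, "in_both": in_both}


if __name__ == "__main__":
    result = audit(SHELL_VALUE, RUN_ENTRIES)
    print(f"{len(result['shell_extra'])} entries in Winlogon\\Shell besides explorer.exe")
    print(f"{len(result['masquerading'])} persistence targets masquerade as Windows binaries")
    print("Run values mirrored in HKLM and HKCU:", ", ".join(result["mirrored_run"]))
    print("Registered through both Shell and Run:", *result["in_both"], sep="\n  ")
```

Anything the Shell parser returns beyond explorer.exe is worth an alert on its own; the masquerade and mirror checks exist to rank the findings. Three of the 19 dropped names (sysmon.exe, Idle.exe, System.exe) are not Windows binaries at all and fall only under the first rule, which is why the Shell check should not depend on the name list.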
Drops file in Program Files directory  18 IoCs
All by Winmonitordhcp.exe, grouped by directory:
  C:\Program Files (x86)\Windows Media Player\Visualizations\
    File created: smss.exe, 69ddcba757bf72
  C:\Program Files\Windows Photo Viewer\uk-UA\
    File created: smss.exe, conhost.exe, 088424020bedd6, 69ddcba757bf72
  C:\Program Files (x86)\Google\Temp\
    File created: upfc.exe, ea1d8f6d871115
  C:\Program Files\Windows Portable Devices\
    File created: sysmon.exe, 121e5b5079f7c0
    File opened for modification: sysmon.exe
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\
    File created: System.exe, 27d1bcfc3c54e0
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\
    File created: explorer.exe, 7a0fd90576e088
  C:\Program Files\ModifiableWindowsApps\
    File created: sihost.exe
  C:\Program Files\Windows Sidebar\
    File created: conhost.exe, 088424020bedd6
Each dropped executable is accompanied by a 14-hex-character companion file, and the companion name follows the executable name rather than the directory (088424020bedd6 appears beside both conhost.exe copies, 69ddcba757bf72 beside both smss.exe copies). sihost.exe is the one dropped binary that appears in neither the Winlogon\Shell nor the Run-key IoCs on this page.
Drops file in Windows directory  4 IoCs
All by Winmonitordhcp.exe:
  C:\Windows\Migration\WTR\
    File created: Idle.exe, 6ccacd8608530f
  C:\Windows\fr-FR\
    File created: winlogon.exe, cc11b995f2a76d
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Neverlose.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
-
Modifies registry class 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | Neverlose.exe
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | Winmonitordhcp.exe
-
Modifies registry key 1 TTPs 1 IoCs
pid | Process
4540 | reg.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Process: schtasks.exe (57 instances)
PIDs: 4956, 1104, 4688, 4696, 4584, 3236, 4288, 5096, 4680, 3732, 4400, 636, 2532, 3512, 540, 4420, 2296, 3516, 2236, 3348, 672, 2384, 3272, 3404, 2992, 452, 3956, 3144, 3416, 1988, 3988, 1516, 864, 2800, 732, 2980, 3968, 3684, 4472, 3376, 2716, 5112, 2844, 5060, 1876, 4964, 2996, 776, 4080, 4340, 1712, 976, 3672, 436, 2372, 4376, 760
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
pid | Process | occurrences
464 | Winmonitordhcp.exe | 1
4264 | conhost.exe | 18
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
4264 | conhost.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 464 | Winmonitordhcp.exe
Token: SeDebugPrivilege | 4264 | conhost.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
4264 | conhost.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target | occurrences
PID 4696 wrote to memory of 1568 | 4696 | Neverlose.exe | 83 | 3
PID 1568 wrote to memory of 3388 | 1568 | WScript.exe | 85 | 3
PID 3388 wrote to memory of 464 | 3388 | cmd.exe | 87 | 2
PID 464 wrote to memory of 5088 | 464 | Winmonitordhcp.exe | 151 | 2
PID 3388 wrote to memory of 4540 | 3388 | cmd.exe | 153 | 3
PID 5088 wrote to memory of 4412 | 5088 | cmd.exe | 154 | 2
PID 5088 wrote to memory of 4264 | 5088 | cmd.exe | 157 | 2
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Each entry gives the depth in the process tree in brackets, the image path, the command line, the matched signatures and the PID; children are indented under their parent.

[1] C:\Users\Admin\AppData\Local\Temp\Neverlose.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Neverlose.exe"
    - DcRat
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 4696

  [2] C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\mIIccrosoft\VeA0JL7xlD4tfYfCo.vbe"
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1568

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\mIIccrosoft\XqamRZ1Xoz1ZjGFCXqY6WSXlph.bat" "
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 3388

      [4] C:\mIIccrosoft\Winmonitordhcp.exe
          Command line: "C:\mIIccrosoft\Winmonitordhcp.exe"
          - DcRat
          - Modifies WinLogon for persistence
          - Checks computer location settings
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 464

        [5] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zu0UbGEiWX.bat"
            - Suspicious use of WriteProcessMemory
            PID: 5088

          [6] C:\Windows\system32\w32tm.exe
              Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              PID: 4412

          [6] C:\Program Files\Windows Photo Viewer\uk-UA\conhost.exe
              Command line: "C:\Program Files\Windows Photo Viewer\uk-UA\conhost.exe"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of SetWindowsHookEx
              PID: 4264

      [4] C:\Windows\SysWOW64\reg.exe
          Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          - System Location Discovery: System Language Discovery
          - Modifies registry key
          PID: 4540
-
The 57 schtasks.exe instances below all sit at depth 1 (no recorded parent) and all matched the same three signatures: DcRat; Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task. Only the command line and PID differ per entry.

[1] C:\Windows\system32\schtasks.exe  PID: 4584
    Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\sysmon.exe'" /f
[1] C:\Windows\system32\schtasks.exe  PID: 4680
    Command line: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\sysmon.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 3956
    Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\sysmon.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 1712
    Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\SppExtComObj.exe'" /f
[1] C:\Windows\system32\schtasks.exe  PID: 5060
    Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 3516
    Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 732
    Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\smss.exe'" /f
[1] C:\Windows\system32\schtasks.exe  PID: 2384
    Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\smss.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 864
    Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\smss.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 3236
    Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Default\My Documents\fontdrvhost.exe'" /f
[1] C:\Windows\system32\schtasks.exe  PID: 2532
    Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\My Documents\fontdrvhost.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 2800
    Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Default\My Documents\fontdrvhost.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 4288
    Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
[1] C:\Windows\system32\schtasks.exe  PID: 1104
    Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 2236
    Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 3272
    Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\smss.exe'" /f
[1] C:\Windows\system32\schtasks.exe  PID: 3348
    Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\smss.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 3404
    Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\smss.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 3684
    Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\conhost.exe'" /f
[1] C:\Windows\system32\schtasks.exe  PID: 3512
    Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\conhost.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 4472
    Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\conhost.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 3376
    Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\Idle.exe'" /f
[1] C:\Windows\system32\schtasks.exe  PID: 976
    Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\Idle.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 4688
    Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\Migration\WTR\Idle.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 4956
    Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\mIIccrosoft\SppExtComObj.exe'" /f
[1] C:\Windows\system32\schtasks.exe  PID: 2716
    Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\mIIccrosoft\SppExtComObj.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 1876
    Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\mIIccrosoft\SppExtComObj.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 3732
    Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Temp\upfc.exe'" /f
[1] C:\Windows\system32\schtasks.exe  PID: 4964
    Command line: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\upfc.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 776
    Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\upfc.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 3144
    Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\System.exe'" /f
[1] C:\Windows\system32\schtasks.exe  PID: 436
    Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\System.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 672
    Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\System.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 540
    Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
[1] C:\Windows\system32\schtasks.exe  PID: 3672
    Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 5096
    Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 4080
    Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\smss.exe'" /f
[1] C:\Windows\system32\schtasks.exe  PID: 2996
    Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 3988
    Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 2296
    Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\conhost.exe'" /f
[1] C:\Windows\system32\schtasks.exe  PID: 4376
    Command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\conhost.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 4420
    Command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\conhost.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 760
    Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\explorer.exe'" /f
[1] C:\Windows\system32\schtasks.exe  PID: 2372
    Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\explorer.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 4340
    Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\explorer.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 1516
    Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\services.exe'" /f
[1] C:\Windows\system32\schtasks.exe  PID: 2980
    Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 4400
    Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 3416
    Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\spoolsv.exe'" /f
[1] C:\Windows\system32\schtasks.exe  PID: 2992
    Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 1988
    Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 452
    Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
[1] C:\Windows\system32\schtasks.exe  PID: 636
    Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 3968
    Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 5112
    Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\fr-FR\winlogon.exe'" /f
[1] C:\Windows\system32\schtasks.exe  PID: 2844
    Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\fr-FR\winlogon.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe  PID: 4696
    Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\fr-FR\winlogon.exe'" /rl HIGHEST /f
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)