Analysis
- max time kernel: 122s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 07-12-2024 21:34
Static task: static1
Behavioral task: behavioral1
Sample: 7eca6fa06f08fcb6dc76333b8dca047e4b4603de9cd85cd84e93516fecc0fc89.exe
Resource: win7-20240903-en
General
- Target: 7eca6fa06f08fcb6dc76333b8dca047e4b4603de9cd85cd84e93516fecc0fc89.exe
- Size: 1.9MB
- MD5: 0ff4c4cd478f98ae17c254e75688d8c8
- SHA1: 33732dcae2c41811e780e75e8943b5cc794237eb
- SHA256: 7eca6fa06f08fcb6dc76333b8dca047e4b4603de9cd85cd84e93516fecc0fc89
- SHA512: 36e4fe1128e060c6add46c73d0242b1e425d073dc8ac7f373a7dcb275292e4804028270ac25246a8f145cea3e9253b0cbc46be3585a162bcc2411f146577563a
- SSDEEP: 49152:OB8cbBE21MiimB0IJRzISewyxLE2Zu5nUcAdhE:QN+w0aRkhQZ3AdhE
Malware Config
Signatures
DcRat
DarkCrystal RAT (DcRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.

Dcrat family
Process spawned unexpected child process (18 IoCs)
This typically indicates the parent process was compromised via an exploit or macro. In this run all 18 children are schtasks.exe processes with the same parent, wmiprvse.exe (pid 2784), which is consistent with the dropper creating them through WMI (Win32_Process.Create) rather than directly: the task-creation commands are detached from WinRAR.exe in the process tree, so parent/child rules keyed on the dropper alone miss them.

description                                                                          pid   pid_target  Process       procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   2676  2784        schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   1664  2784        schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   2200  2784        schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   680   2784        schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   2852  2784        schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   1824  2784        schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   556   2784        schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   2868  2784        schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   2024  2784        schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   2856  2784        schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   2944  2784        schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   1912  2784        schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   1760  2784        schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   2940  2784        schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   2064  2784        schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   2460  2784        schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   1112  2784        schtasks.exe  34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   1784  2784        schtasks.exe  34
Command and Scripting Interpreter: PowerShell (1 TTPs, 18 IoCs)
PowerShell was run to modify Windows Defender settings; this signature covers exclusions for file extensions, paths, and processes. In this run every one of the 18 invocations is an Add-MpPreference -ExclusionPath call made from the dropped WinRAR.exe (pid 2820): twelve cover C:/ itself and each top-level directory of the system drive, and six cover the dropped payload paths. The C:/ exclusion alone already removes the whole system drive from real-time scanning; the rest are redundant belt-and-braces.

pid   Process
2356  powershell.exe
1624  powershell.exe
932   powershell.exe
2472  powershell.exe
656   powershell.exe
1316  powershell.exe
2292  powershell.exe
1728  powershell.exe
2256  powershell.exe
1448  powershell.exe
2144  powershell.exe
1860  powershell.exe
1080  powershell.exe
1808  powershell.exe
1684  powershell.exe
1328  powershell.exe
1596  powershell.exe
872   powershell.exe
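The two signatures above (a wmiprvse.exe child it should not have, and PowerShell adding Defender exclusions) can be checked offline from ordinary process-creation telemetry. The following Python is an added example, not part of this report and not the sandbox's own code. It runs over a constructed list of process events copied from the PIDs and command lines in this report; the explorer.exe (pid 1000) and svchost.exe (pid 668) roots, the two benign admin commands at the end, and the list of interpreters that count as unexpected WMI children are assumptions. It flags processes spawned by the WMI provider host, extracts every Add-MpPreference exclusion, rates a drive-root path exclusion as high severity, and prints each hit with its ancestry.

```python
"""Offline triage of process-creation events for two of the signatures above:
the WMI provider host spawning schtasks.exe, and PowerShell adding Defender
exclusions. Added example; EVENTS is constructed from the PIDs and command
lines in this report (explorer.exe/svchost.exe roots and the two benign
admin commands at the end are assumptions)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record, the fields Sysmon EID 1 or 4688 provide."""
    pid: int
    ppid: int
    image: str
    cmdline: str


TMP = r"C:\Users\Admin\AppData\Local\Temp\chrome_BITS_6020_731137815\downloads\winrar-x64-701ru"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7eca6fa06f08fcb6dc76333b8dca047e4b4603de9cd85cd84e93516fecc0fc89.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\system32\schtasks.exe"

EVENTS = [
    ProcEvent(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),                       # assumed root
    ProcEvent(668, 4, r"C:\Windows\System32\svchost.exe", "svchost.exe -k DcomLaunch"),   # assumed root
    ProcEvent(3012, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2100, 3012, r"C:\Windows\SysWOW64\WScript.exe",
              f'"C:\\Windows\\System32\\WScript.exe" "{TMP}\\nsyv1xzYu8VmbCzcG862c9WsvpRLyz7as0bRq7W1Tn2IOKgyOUASya2W1wA.vbe"'),
    ProcEvent(2232, 2100, r"C:\Windows\SysWOW64\cmd.exe",
              f'cmd /c ""{TMP}\\uo5q9MISAlMxXE7QNA1x3M7bBFAcJOtmOsD1tooxlC0BMSBA7z5lsvUd.bat" "'),
    ProcEvent(2820, 2232, f"{TMP}\\WinRAR.exe", f'"{TMP}\\WinRAR.exe"'),
    ProcEvent(1596, 2820, PS, "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/'"),
    ProcEvent(872, 2820, PS, "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Users/'"),
    ProcEvent(2784, 668, r"C:\Windows\system32\wbem\wmiprvse.exe", "wmiprvse.exe"),
    ProcEvent(2676, 2784, SCHTASKS,
              "schtasks.exe /create /tn \"smsss\" /sc MINUTE /mo 8 /tr \"'C:\\Program Files\\Windows Journal\\fr-FR\\smss.exe'\" /f"),
    ProcEvent(1664, 2784, SCHTASKS,
              "schtasks.exe /create /tn \"smss\" /sc ONLOGON /tr \"'C:\\Program Files\\Windows Journal\\fr-FR\\smss.exe'\" /rl HIGHEST /f"),
    ProcEvent(4000, 1000, PS, "powershell -Command Get-MpPreference"),                   # assumed benign
    ProcEvent(4100, 1000, SCHTASKS, "schtasks /query /fo LIST"),                          # assumed benign
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lineage(events, pid: int) -> list:
    """Image basenames from the root down to pid, following ppid links."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


WMI_HOST = "wmiprvse.exe"
# Interpreters and LOLBins the WMI provider host has no business starting unless
# someone called Win32_Process.Create (assumed list; tune it to your fleet).
LOLBIN_CHILDREN = {"schtasks.exe", "cmd.exe", "powershell.exe", "wscript.exe",
                   "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def wmi_spawned(events) -> list:
    by_pid = {e.pid: e for e in events}
    return [e for e in events
            if e.ppid in by_pid
            and basename(by_pid[e.ppid].image) == WMI_HOST
            and basename(e.image) in LOLBIN_CHILDREN]


# Exclusion kind plus its value in single quotes, double quotes, or bare.
EXCL_RE = re.compile(r"-Exclusion(Path|Extension|Process)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.I)


def defender_exclusions(events) -> list:
    """(pid, kind, target) for every exclusion added via Add-MpPreference."""
    hits = []
    for e in events:
        if basename(e.image) != "powershell.exe":
            continue
        if not re.search(r"\bAdd-MpPreference\b", e.cmdline, re.I):
            continue
        for kind, sq, dq, bare in EXCL_RE.findall(e.cmdline):
            hits.append((e.pid, kind.title(), sq or dq or bare))
    return hits


def is_drive_root(path: str) -> bool:
    # A path exclusion on C:/ or C:\ silently covers the whole system drive.
    return re.fullmatch(r"[A-Za-z]:[\\/]?", path) is not None


def triage(events) -> list:
    lines = []
    for e in wmi_spawned(events):
        lines.append(f"[wmi-spawn] pid {e.pid} {basename(e.image)} under {WMI_HOST}: {e.cmdline}")
    for pid, kind, target in defender_exclusions(events):
        sev = "HIGH" if kind == "Path" and is_drive_root(target) else "medium"
        lines.append(f"[defender-exclusion/{sev}] pid {pid} {kind}={target} via "
                     + " > ".join(lineage(events, pid)))
    return lines


if __name__ == "__main__":
    print("\n".join(triage(EVENTS)))
```

The ancestry printed for each exclusion hit is the part worth keeping in a real rule: a Defender exclusion added by a PowerShell whose chain runs through WScript.exe and cmd.exe out of a user's Temp directory is a very different event from one issued by an administrator's console, and the lineage is what separates the two.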
Executes dropped EXE (2 IoCs)
pid   Process
2820  WinRAR.exe
1740  csrss.exe

Loads dropped DLL (2 IoCs)
pid   Process
2232  cmd.exe
2232  cmd.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
4     ipinfo.io
5     ipinfo.io
Drops file in Program Files directory (5 IoCs)
description                   ioc                                                                              Process
File created                  C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\winlogon.exe   WinRAR.exe
File opened for modification  C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\winlogon.exe   WinRAR.exe
File created                  C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\cc11b995f2a76d  WinRAR.exe
File created                  C:\Program Files\Windows Journal\fr-FR\smss.exe                                  WinRAR.exe
File created                  C:\Program Files\Windows Journal\fr-FR\69ddcba757bf72                            WinRAR.exe

Drops file in Windows directory (1 IoCs)
description   ioc                                    Process
File created  C:\Windows\Boot\EFI\nl-NL\Idle.exe     WinRAR.exe

The dropped names (winlogon.exe, smss.exe, Idle.exe) mimic Windows system processes but are placed in localisation and application subdirectories where those binaries never live; each executable is accompanied by an extensionless file (cc11b995f2a76d, 69ddcba757bf72). A filename-only allowlist of system process names will not catch these; match on full path.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   7eca6fa06f08fcb6dc76333b8dca047e4b4603de9cd85cd84e93516fecc0fc89.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   WScript.exe

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
Adversaries may check for Internet connectivity on compromised systems. In this run the target is localhost, so the call is a delay of about ten seconds in the batch file before the dropped csrss.exe is started, not a connectivity check.
pid   Process
1492  PING.EXE
Modifies system certificate store (2 IoCs)
description       ioc                                                                                                          Process
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8          WinRAR.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = …  WinRAR.exe

Before treating this as a malicious root install, resolve which certificate the thumbprint identifies: the same key write appears in sandbox runs of many unrelated .NET samples when Windows installs a root it needs while validating a signature chain, so on its own it is weak evidence.
Runs ping.exe (1 TTPs, 1 IoCs)
pid   Process
1492  PING.EXE

Scheduled Task/Job: Scheduled Task (1 TTPs, 18 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the 18 tasks cover six binaries: the dropped WinRAR.exe and five executables named after Windows system processes (smss.exe, taskhost.exe, csrss.exe, winlogon.exe) and the Office licensing service (OSPPSVC.exe), in directories where those binaries do not normally reside. Each binary gets three tasks: an interval task at the default run level, an ONLOGON task with /rl HIGHEST, and a second interval task with /rl HIGHEST, all created with /f so any existing task of the same name is overwritten.
pid   Process
2940  schtasks.exe
2064  schtasks.exe
2460  schtasks.exe
1112  schtasks.exe
1784  schtasks.exe
680   schtasks.exe
556   schtasks.exe
2944  schtasks.exe
2024  schtasks.exe
1760  schtasks.exe
1824  schtasks.exe
2868  schtasks.exe
1912  schtasks.exe
2852  schtasks.exe
2856  schtasks.exe
2676  schtasks.exe
1664  schtasks.exe
2200  schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
2820  WinRAR.exe (all 64 events come from this one process)

Suspicious use of AdjustPrivilegeToken (20 IoCs)
description               pid   Process
Token: SeDebugPrivilege   2820  WinRAR.exe
Token: SeDebugPrivilege   2472  powershell.exe
Token: SeDebugPrivilege   2256  powershell.exe
Token: SeDebugPrivilege   1808  powershell.exe
Token: SeDebugPrivilege   872   powershell.exe
Token: SeDebugPrivilege   2144  powershell.exe
Token: SeDebugPrivilege   656   powershell.exe
Token: SeDebugPrivilege   2292  powershell.exe
Token: SeDebugPrivilege   1080  powershell.exe
Token: SeDebugPrivilege   1728  powershell.exe
Token: SeDebugPrivilege   2356  powershell.exe
Token: SeDebugPrivilege   1684  powershell.exe
Token: SeDebugPrivilege   932   powershell.exe
Token: SeDebugPrivilege   1596  powershell.exe
Token: SeDebugPrivilege   1448  powershell.exe
Token: SeDebugPrivilege   1316  powershell.exe
Token: SeDebugPrivilege   1860  powershell.exe
Token: SeDebugPrivilege   1624  powershell.exe
Token: SeDebugPrivilege   1328  powershell.exe
Token: SeDebugPrivilege   1740  csrss.exe
Suspicious use of WriteProcessMemory (64 IoCs; the list is capped at 64 events, so the final entry is truncated)
description (pid wrote to memory of pid_target)   Process                                                                   procid_target  events
3012 -> 2100                                      7eca6fa06f08fcb6dc76333b8dca047e4b4603de9cd85cd84e93516fecc0fc89.exe     30             4
2100 -> 2232                                      WScript.exe                                                               31             4
2232 -> 2820                                      cmd.exe                                                                   33             4
2820 -> 1596                                      WinRAR.exe                                                                54             3
2820 -> 656                                       WinRAR.exe                                                                55             3
2820 -> 1316                                      WinRAR.exe                                                                57             3
2820 -> 1080                                      WinRAR.exe                                                                58             3
2820 -> 1860                                      WinRAR.exe                                                                59             3
2820 -> 1808                                      WinRAR.exe                                                                61             3
2820 -> 1328                                      WinRAR.exe                                                                64             3
2820 -> 2472                                      WinRAR.exe                                                                65             3
2820 -> 1684                                      WinRAR.exe                                                                66             3
2820 -> 2292                                      WinRAR.exe                                                                67             3
2820 -> 872                                       WinRAR.exe                                                                70             3
2820 -> 932                                       WinRAR.exe                                                                71             3
2820 -> 1728                                      WinRAR.exe                                                                72             3
2820 -> 1624                                      WinRAR.exe                                                                74             3
2820 -> 2144                                      WinRAR.exe                                                                75             3
2820 -> 2356                                      WinRAR.exe                                                                76             3
2820 -> 2256                                      WinRAR.exe                                                                78             3
2820 -> 1448                                      WinRAR.exe                                                                79             1

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(tree depth in brackets; children are indented under their parent)

[1] C:\Users\Admin\AppData\Local\Temp\7eca6fa06f08fcb6dc76333b8dca047e4b4603de9cd85cd84e93516fecc0fc89.exe (PID 3012)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\7eca6fa06f08fcb6dc76333b8dca047e4b4603de9cd85cd84e93516fecc0fc89.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\WScript.exe (PID 2100)
      cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\chrome_BITS_6020_731137815\downloads\winrar-x64-701ru\nsyv1xzYu8VmbCzcG862c9WsvpRLyz7as0bRq7W1Tn2IOKgyOUASya2W1wA.vbe"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe (PID 2232)
        cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\chrome_BITS_6020_731137815\downloads\winrar-x64-701ru\uo5q9MISAlMxXE7QNA1x3M7bBFAcJOtmOsD1tooxlC0BMSBA7z5lsvUd.bat" "
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\chrome_BITS_6020_731137815\downloads\winrar-x64-701ru\WinRAR.exe (PID 2820)
          cmdline: "C:\Users\Admin\AppData\Local\Temp\chrome_BITS_6020_731137815/downloads/winrar-x64-701ru/WinRAR.exe"
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Modifies system certificate store
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1596)
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 656)
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1316)
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1080)
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1860)
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1808)
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1328)
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2472)
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1684)
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2292)
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 872)
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 932)
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1728)
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\fr-FR\smss.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1624)
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\taskhost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2144)
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2356)
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2256)
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\winlogon.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1448)
            cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\chrome_BITS_6020_731137815\downloads\winrar-x64-701ru\WinRAR.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\cmd.exe (PID 1572)
            cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Vyp3aSwPg4.bat"
          [6] C:\Windows\system32\chcp.com (PID 2832)
              cmdline: chcp 65001
          [6] C:\Windows\system32\PING.EXE (PID 1492)
              cmdline: ping -n 10 localhost
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe
          [6] C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe (PID 1740)
              cmdline: "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe"
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
The schtasks.exe processes below sit at the top level of the tree rather than under WinRAR.exe: per the "Process spawned unexpected child process" signature, their parent is wmiprvse.exe (pid 2784).

[1] C:\Windows\system32\schtasks.exe (PID 2676)
    cmdline: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\fr-FR\smss.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe (PID 1664)
    cmdline: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\fr-FR\smss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe (PID 2200)
    cmdline: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\fr-FR\smss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe (PID 680)
    cmdline: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\taskhost.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe (PID 2852)
    cmdline: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe (PID 1824)
    cmdline: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe (PID 556)
    cmdline: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe (PID 2868)
    cmdline: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe (PID 2024)
    cmdline: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe (PID 2856)
    cmdline: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe (PID 2944)
    cmdline: schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe (PID 1912)
    cmdline: schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe (PID 1760)
    cmdline: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\winlogon.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe (PID 2940)
    cmdline: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\winlogon.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe (PID 2064)
    cmdline: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\winlogon.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe (PID 2460)
    cmdline: schtasks.exe /create /tn "WinRARW" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\chrome_BITS_6020_731137815\downloads\winrar-x64-701ru\WinRAR.exe'" /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe (PID 1112)
    cmdline: schtasks.exe /create /tn "WinRAR" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\chrome_BITS_6020_731137815\downloads\winrar-x64-701ru\WinRAR.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe (PID 1784)
    cmdline: schtasks.exe /create /tn "WinRARW" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\chrome_BITS_6020_731137815\downloads\winrar-x64-701ru\WinRAR.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
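As an added example, not part of this report, the parser below turns schtasks.exe /create command lines like the ones above into persistence records and flags any target that borrows the name of a Windows system process while living outside that process's real directory. The command lines are constructed copies of six of the report's lines; the NightlyBackup line and the /query line are assumptions added for contrast, and the map of where each system binary is expected to live is an assumption to be replaced by your own baseline.

```python
"""Parse schtasks /create command lines into persistence records and flag
targets masquerading as Windows system binaries. Added example; the command
lines are constructed copies of the report's, plus two assumed benign ones."""
import re
from dataclasses import dataclass
from typing import Optional

CMDS = [
    r'''schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\fr-FR\smss.exe'" /f''',
    r'''schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\fr-FR\smss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\fr-FR\smss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\winlogon.exe'" /rl HIGHEST /f''',
    # Assumed benign lines for contrast (not from the report).
    r'''schtasks /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.cmd"''',
    r'''schtasks /query /fo LIST''',
]


@dataclass
class Task:
    name: str
    schedule: str            # /sc value, e.g. MINUTE or ONLOGON
    modifier: Optional[int]  # /mo value (interval) when present
    run_level: str           # /rl value; schtasks defaults to LIMITED
    target: str              # /tr value with the wrapping quotes removed


TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
VALUE_FLAGS = {"/tn", "/sc", "/mo", "/tr", "/rl", "/ru", "/rp", "/st", "/sd", "/ed", "/d"}


def tokenize(cmd: str) -> list:
    # Windows-style split: a double-quoted run becomes one token, quotes dropped.
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmd)]


def parse_schtasks(cmd: str) -> Optional[Task]:
    toks = tokenize(cmd)
    if "/create" not in [t.lower() for t in toks]:
        return None
    opts = {}
    i = 1
    while i < len(toks):
        flag = toks[i].lower()
        if flag in VALUE_FLAGS and i + 1 < len(toks):
            opts[flag] = toks[i + 1]
            i += 2
        else:
            opts[flag] = True  # bare switch such as /f
            i += 1
    return Task(
        name=str(opts.get("/tn", "")),
        schedule=str(opts.get("/sc", "")).upper(),
        modifier=int(opts["/mo"]) if "/mo" in opts else None,
        run_level=str(opts.get("/rl", "LIMITED")).upper(),
        target=str(opts.get("/tr", "")).strip("'\""),
    )


# Where these image names legitimately live (assumption; extend from your baseline).
SYSTEM32 = "c:\\windows\\system32\\"
EXPECTED_DIR = {n: SYSTEM32 for n in ("smss.exe", "csrss.exe", "winlogon.exe", "taskhost.exe",
                                      "lsass.exe", "services.exe", "svchost.exe", "wininit.exe")}
EXPECTED_DIR["explorer.exe"] = "c:\\windows\\"


def is_masquerade(task: Task) -> bool:
    path = task.target.lower()
    expected = EXPECTED_DIR.get(path.rsplit("\\", 1)[-1])
    return expected is not None and not path.startswith(expected)


def suspicious_targets(cmds) -> list:
    tasks = [t for t in map(parse_schtasks, cmds) if t is not None]
    return sorted({t.target for t in tasks if is_masquerade(t)})


def persistence_summary(cmds) -> dict:
    """(schedule, interval, run level) per target, in command order. The pattern
    in this report is three tasks per binary: interval/LIMITED, ONLOGON/HIGHEST
    and a second interval/HIGHEST."""
    by_target = {}
    for t in map(parse_schtasks, cmds):
        if t is not None:
            by_target.setdefault(t.target, []).append((t.schedule, t.modifier, t.run_level))
    return by_target


if __name__ == "__main__":
    summary = persistence_summary(CMDS)
    for target in suspicious_targets(CMDS):
        print("masquerading task target:", target, summary[target])
```

Matching on the full target path rather than the file name is the point: every one of the flagged binaries has a name that would pass a name-only allowlist, and the ONLOGON plus minute-interval pairing means removing the running process without removing all three tasks per target brings it straight back.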
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
- Modify Registry (1)
- Subvert Trust Controls (1): Install Root Certificate (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (1): Credentials In Files (1)
Downloads

(path not listed in the report)
- Filesize: 186B
- MD5: 551169a40af643b2b3947122e05a985c
- SHA1: e74b3a8ec85f869eb0064db458547628876a52b7
- SHA256: a304c381ded7e1dbaf618862384367f9eb8627f14ed668e2a7fa86aac90fc7ce
- SHA512: 2a8746a0bb1b14f6a696e41ecead127fd910d7494c22daf64f19f0677875d9cbd79aea6e81516f5b7d1e2c38679dc801909600abac6534a191a3ff199b23b2f2

C:\Users\Admin\AppData\Local\Temp\chrome_BITS_6020_731137815\downloads\winrar-x64-701ru\nsyv1xzYu8VmbCzcG862c9WsvpRLyz7as0bRq7W1Tn2IOKgyOUASya2W1wA.vbe
- Filesize: 291B
- MD5: e38ee1ac82a0f98f97f2d0f65c43f07c
- SHA1: 826e06d85af422da26e3baac2b8370d762b13de5
- SHA256: b492062f1785a2205acc1de649539bd3db3e328eab63a9457d18e54e2cca6c20
- SHA512: 02f52a592eba58be3911b4a220b00d6be70b08bb209e9f9d1f79e841abd1d5dee0ec8c784232100002c6fe26e41cb83b2881cf8c934de5bc2b80a87bf682b542

C:\Users\Admin\AppData\Local\Temp\chrome_BITS_6020_731137815\downloads\winrar-x64-701ru\uo5q9MISAlMxXE7QNA1x3M7bBFAcJOtmOsD1tooxlC0BMSBA7z5lsvUd.bat
- Filesize: 115B
- MD5: a3481864c868c617f8cf22bc2ea205b1
- SHA1: 3bc448934cf9c65607ca095c43fff6185847fe6f
- SHA256: adda8c60ddbc883929dc8b08371940c5601993cea525d4f5f3e22ded9cf42304
- SHA512: a5ed9fadad223a03ba756c3798d74dcc1d2e67572dcf22717137d48de4661eea102327e8346b3518a943bd43a0df1857b95143028478ff8974b7236666ca8ef1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9KCWIYUXCBUJ6L15QBWW.temp
- Filesize: 7KB
- MD5: ff51779bc6b27cc0a5a00cfdf50934dc
- SHA1: 768ba7c60390a2e4bcd449be9a32cd334ebc0cfe
- SHA256: 98d79ddfb10cac871fcd08b2530b1a6de1d0dc0fb70f2b2913d01d90da4b4865
- SHA512: 6a2a29a64a2f54569592dfa7475f84cd6f3b84cfe3b962f222573ff010507825a3345c3181129538633f687edbd827fc3e82bc8eec5d42b6e5fcf55f340e5652