Analysis
-
max time kernel
120s -
max time network
115s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
08-12-2024 01:15
General
-
Target
903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
-
Size
4.9MB
-
MD5
c8aed5ed45bf6b161c7017b923dd50c0
-
SHA1
6df5c1fe6bee119c27b87532cf0d13c31fa3a2dc
-
SHA256
903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5
-
SHA512
496c2da4e5514f9dfd2b0c02096f38cde4203c3022d41df83a4a497b268e13732c8c2dd9e68cc697eae42505b808e674c862787ee337dca6c92e024b90333c5f
-
SSDEEP
49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Extracted
colibri
1.2.0
Build1
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Signatures
-
Colibri Loader
A loader sold as MaaS first seen in August 2021.
-
Colibri family
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 39 IoCs
-
DCRat payload 1 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 13 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 42 IoCs
-
Checks whether UAC is enabled 1 TTPs 26 IoCs
-
Suspicious use of SetThreadContext 12 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 12 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 13 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 51 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 39 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe"C:\Users\Admin\AppData\Local\Temp\903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\tmpABE3.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpABE3.tmp.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmpABE3.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpABE3.tmp.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Windows Portable Devices\dwm.exe"C:\Program Files (x86)\Windows Portable Devices\dwm.exe"2⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\085e982e-697b-445d-827a-4de6cd5704b2.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Portable Devices\dwm.exe"C:\Program Files (x86)\Windows Portable Devices\dwm.exe"4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1752e1fa-02ed-463d-bbe2-e2e5e34a810b.vbs"5⤵
-
C:\Program Files (x86)\Windows Portable Devices\dwm.exe"C:\Program Files (x86)\Windows Portable Devices\dwm.exe"6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45f13ab9-25d1-49ec-8d45-996dc35447ea.vbs"7⤵
-
C:\Program Files (x86)\Windows Portable Devices\dwm.exe"C:\Program Files (x86)\Windows Portable Devices\dwm.exe"8⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0284f7b-0fe6-49a9-9937-b270767eb084.vbs"9⤵
-
C:\Program Files (x86)\Windows Portable Devices\dwm.exe"C:\Program Files (x86)\Windows Portable Devices\dwm.exe"10⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eec39a14-db19-4097-8c5e-13b96a8f77ed.vbs"11⤵
-
C:\Program Files (x86)\Windows Portable Devices\dwm.exe"C:\Program Files (x86)\Windows Portable Devices\dwm.exe"12⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\685f3391-3ed3-42ba-8c5d-38f87fb52e59.vbs"13⤵
-
C:\Program Files (x86)\Windows Portable Devices\dwm.exe"C:\Program Files (x86)\Windows Portable Devices\dwm.exe"14⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32d8e578-fe94-49be-a5c8-fff104692502.vbs"15⤵
-
C:\Program Files (x86)\Windows Portable Devices\dwm.exe"C:\Program Files (x86)\Windows Portable Devices\dwm.exe"16⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da45debf-516f-4de6-9eee-028a5f6bad00.vbs"17⤵
-
C:\Program Files (x86)\Windows Portable Devices\dwm.exe"C:\Program Files (x86)\Windows Portable Devices\dwm.exe"18⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a31b66b3-f3df-464e-afdd-f96d92891453.vbs"19⤵
-
C:\Program Files (x86)\Windows Portable Devices\dwm.exe"C:\Program Files (x86)\Windows Portable Devices\dwm.exe"20⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9bedc410-beb6-48fc-aecd-8ff24faaa1eb.vbs"21⤵
-
C:\Program Files (x86)\Windows Portable Devices\dwm.exe"C:\Program Files (x86)\Windows Portable Devices\dwm.exe"22⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bea0f3e8-92f6-4298-9b1d-a64428ea334a.vbs"23⤵
-
C:\Program Files (x86)\Windows Portable Devices\dwm.exe"C:\Program Files (x86)\Windows Portable Devices\dwm.exe"24⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c11f53d-e070-43c0-bc3d-1ec2fd0c3d67.vbs"25⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\634cc6bf-f808-4ff9-b660-796bdce81d81.vbs"25⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp70F0.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp70F0.tmp.exe"25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp70F0.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp70F0.tmp.exe"26⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp70F0.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp70F0.tmp.exe"27⤵
- Executes dropped EXE
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ade207c-f199-4690-94e6-9ecf4e5a6cc5.vbs"23⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp3F70.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp3F70.tmp.exe"23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp3F70.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp3F70.tmp.exe"24⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1851b5ed-518b-4aee-b94f-bc735de01a9c.vbs"21⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp234D.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp234D.tmp.exe"21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp234D.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp234D.tmp.exe"22⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92ecbf08-8065-4b0a-ba4b-24b99db1543c.vbs"19⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp7B7.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp7B7.tmp.exe"19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp7B7.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp7B7.tmp.exe"20⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf105a8b-8697-4835-8e98-07ea51c060e8.vbs"17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpD53D.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpD53D.tmp.exe"17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpD53D.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpD53D.tmp.exe"18⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b805542e-f23f-4fc1-bf27-111db424a303.vbs"15⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpB793.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpB793.tmp.exe"15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpB793.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpB793.tmp.exe"16⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpB793.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpB793.tmp.exe"17⤵
- Executes dropped EXE
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec5ae2c7-b5ac-4636-a8cf-e53d22897646.vbs"13⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp99CA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp99CA.tmp.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp99CA.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp99CA.tmp.exe"14⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45faa9e5-482c-4874-968a-1a745b062c27.vbs"11⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c0877be-988f-491d-bc69-cec631462320.vbs"9⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp5F80.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp5F80.tmp.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp5F80.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp5F80.tmp.exe"10⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1fe59a3-3443-4de0-936c-d1a75f67bc16.vbs"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmp2F77.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp2F77.tmp.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp2F77.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp2F77.tmp.exe"8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp2F77.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp2F77.tmp.exe"9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp2F77.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp2F77.tmp.exe"10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp2F77.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp2F77.tmp.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp2F77.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp2F77.tmp.exe"12⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3a3f3d3-9eb6-4998-aa5d-0afaf3385dbd.vbs"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpFCFD.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFCFD.tmp.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmpFCFD.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFCFD.tmp.exe"6⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3a3f3f4-3ce5-439a-9465-d4a4f4f7770a.vbs"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\tmpC7E4.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC7E4.tmp.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmpC7E4.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC7E4.tmp.exe"4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\Help\OEM\ContentStore\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Help\OEM\ContentStore\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\Help\OEM\ContentStore\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\Offline Web Pages\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\Offline Web Pages\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Windows\DiagTrack\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\DiagTrack\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Windows\DiagTrack\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.9MB
MD5bc964e785372d0d6640c5ec4fe4a0f20
SHA162851aacffabca2b01b923e85fab551981ac69d9
SHA256ea46b81ebf181e2e2f6882d87b0dc70fc0794d9ee204b8d953df716d54cd9800
SHA512be85f481d0ba2999d99ce79bcc8b29aa8a1191dc4f844522e07bb88b48c222e57d6552707b76564fd7c4566ce2855e18d3155498991ffb76ea11d469d209bdfd
-
Filesize
1KB
MD54a667f150a4d1d02f53a9f24d89d53d1
SHA1306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA5124edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD53a6bad9528f8e23fb5c77fbd81fa28e8
SHA1f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
944B
MD5e448fe0d240184c6597a31d3be2ced58
SHA1372b8d8c19246d3e38cd3ba123cc0f56070f03cd
SHA256c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391
SHA5120b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4
-
Filesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD53a5e1f1efff867a822c6a57ee928dd66
SHA1b017854d8a1deb05f1447e9dd6002902fb66bf6b
SHA2568222fe869b025493591ca2ffbabe089c2e682449e77b754fc864ba62d64ee957
SHA51225fc0fd6a71595c44efe34d281c4bc4924ac82f76b9f697497d0019fa2c8e0cadf58f92ae4272f00b1ef1e97dfd93bd740a9e7f7d9dc93cb1cadbde5f93d1782
-
Filesize
944B
MD56d42b6da621e8df5674e26b799c8e2aa
SHA1ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA2565ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA51253faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
Filesize
731B
MD50b017962255f26cf2029a623a060bf50
SHA1d66ffe8d022a0ad81add9860235bc507153dfa2b
SHA256a78ab7311010ea72b33e3ec730b1f5c123cfb74ba25d3d1179605f6dc0d6ab14
SHA512ceade3551f50536d2c15f4405a64f48f67f827d6e96f1e67c86813eccf8ef73b0c0f730eb9733455122fcceafbe6adaa336e6828d089fccf041ff4b678818677
-
Filesize
731B
MD5627136967751addc0c639d9178e4501f
SHA182a3b2b3ee274be02123e7b590aa856251a7f912
SHA256a7fb768b20fd1448fcb959ec48d490f60b4cf0398e86bcc657c3675eaf42a44c
SHA51209fc595e8108706fe5f894930cbdc6cb3eddf5565f69a7d854ff8ec3029d9f9bfb0b8eeebc50012b31f34d6c41f5150ac61a302040790539b439bf037487a201
-
Filesize
731B
MD5a27c9a4882c1d68c9bdb356746892d7c
SHA1d6e6c6dfb491db99296f8e3e1f51731ef41b03b5
SHA256c073ba2444ac2defa8820bc105d9694429e2ab721ea7285fdda49d76d8bb5bbd
SHA512efb0273608ac1f29cd24fed195a706cfc714e10df753212ed75393fe122dd308a0009a66a1129176a16e598c8aa9fdecc06c528d509f0332feb73e5fad3be5aa
-
Filesize
730B
MD5b472d887aa362ffe3b2eeaebb0587eec
SHA16ddd001b0e6cd3fedee0031b5f976c174891c7e5
SHA25614bf24f6ce499560ac8598b7249d7cff3fe8d6eb0d7542c1e47a29e55c1cc22d
SHA5127a59ae4856bae74d139cac0b56a2f00b3461e546aeeec08b17b737ad142f27afaab703e3c6170fc24b85b89f0ce0c5ebd585134560d19c7c7e8f0b13095d126b
-
Filesize
730B
MD5e04c1cf91981dc23213f137ce0f7e02c
SHA11e6aff01eb9399046756bc00ae02e54fdfb9917b
SHA256b29ce40a49c433b62843bcb4802f034b467e031df9b68e72322af585d821142e
SHA512485c467ddf82deeadb8101ff774f268fe989ab84c3e523dccd1fd7b0a44803eea139b13cca01732b487efa528f9d8578a97dead99e616f6521bd69079c48d217
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
507B
MD5c70bcd02ad4acbeff4732c4bbda7567a
SHA113fddedf15198f2fe8922ccac73add18d3463c52
SHA2563de3d328c953b5220b44b494158ed249c4fd1a93c801374b52806747f1973d9a
SHA51227a8cbac89311660ac8644e320263f3b1f8aca83c70e2b65e8245b8ff50b4eb4b3190cd597615bab82a338f92ed620a8005d47be69488635a9884baa790b19ef
-
Filesize
731B
MD53582048894a93b12ea7adf9c9d09eb6e
SHA1b06846a1b30513d3fc78b219bcebe11055326029
SHA2568b74cb32ecf506413f7f8c3001184f477a71b73ac654c5c0060ab6b8276623ea
SHA5127698de7cbccf7ab67490401fb985c7a4a56682c40ef13ccfab6311c04263cf9c3bc04fb561259bff7592f8f1e885dcb6c1e8985ade890cb1fa15db5df2d4f1e5
-
Filesize
730B
MD5bb8b07951e8e74c9b8cb42734a8fec18
SHA1b6230064b38f8196e3d916aa29a1fba5092a4a2b
SHA256b0e1dd24d0547f08c2011dea2ea046d237def7b9e535ca3f44fa56a95cd4bf34
SHA512dd533e3d58cffb43ffbb263713bedb470dabba6dee1bed7ae1a35afe3a9130af7cacbcfe09369ed58d8c7576e22886986a0819166964652a840a9012d44b6de5
-
Filesize
75KB
MD5e0a68b98992c1699876f818a22b5b907
SHA1d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA2562b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
Filesize
4.9MB
MD5c8aed5ed45bf6b161c7017b923dd50c0
SHA16df5c1fe6bee119c27b87532cf0d13c31fa3a2dc
SHA256903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5
SHA512496c2da4e5514f9dfd2b0c02096f38cde4203c3022d41df83a4a497b268e13732c8c2dd9e68cc697eae42505b808e674c862787ee337dca6c92e024b90333c5f
-
Filesize
72KB
-
Filesize
28KB
-
Filesize
72KB
-
Filesize
10.8MB
-
Filesize
5.0MB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
112KB
-
Filesize
1.2MB
-
Filesize
10.8MB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
8KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
5.2MB
-
Filesize
136KB
-
Filesize
5.0MB