Analysis
- max time kernel: 150s
- max time network: 139s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 14-12-2024 02:51
Behavioral task behavioral1
- Sample: 0bc68db77e687fa52b2f367994c5bc6f.exe
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: 0bc68db77e687fa52b2f367994c5bc6f.exe
- Resource: win10v2004-20241007-en
General
- Target: 0bc68db77e687fa52b2f367994c5bc6f.exe
- Size: 2.5MB
- MD5: 0bc68db77e687fa52b2f367994c5bc6f
- SHA1: ecf69c28aa53920f6279ad29d5bc9bb02542e841
- SHA256: 3055d261f05a0656b1b92d9fa8ed3a72111a3a5c6d036d13d3d3a304ca99b987
- SHA512: fdb5c57a9a86961e895159543196c9b59c810827d82d7610ab8f9e220125f25c1867eae376c2f2aa1ae19b7899cd746dc18f6a56486cd4449766325a135421a1
- SSDEEP: 49152:ubA3jUx4QdTmxnMJUh+pDY92IXc3Mx+HqXQJc2cv1TDlHz:ubVdPpDYbNiIP2cvxZHz
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
- Dcrat family
Modifies WinLogon for persistence 2 TTPs 3 IoCs

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\wscript.exe\"" | SavesintoHost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Program Files (x86)\\Windows Defender\\lsm.exe\"" | SavesintoHost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Program Files (x86)\\Windows Defender\\lsm.exe\", \"C:\\Users\\Admin\\Local Settings\\WmiPrvSE.exe\"" | SavesintoHost.exe |
Process spawned unexpected child process 9 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
| description | pid | pid_target | Process | procid_target |
|---|---|---|---|---|
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2664 | 1236 | schtasks.exe | 36 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1492 | 1236 | schtasks.exe | 36 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2004 | 1236 | schtasks.exe | 36 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2564 | 1236 | schtasks.exe | 36 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1452 | 1236 | schtasks.exe | 36 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1312 | 1236 | schtasks.exe | 36 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2656 | 1236 | schtasks.exe | 36 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1684 | 1236 | schtasks.exe | 36 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1872 | 1236 | schtasks.exe | 36 |
UAC bypass

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SavesintoHost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | SavesintoHost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | SavesintoHost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | WmiPrvSE.exe |
| resource | yara_rule |
|---|---|
| behavioral1/files/0x0008000000016399-15.dat | dcrat |
| behavioral1/memory/2860-18-0x0000000000EC0000-0x00000000010FE000-memory.dmp | dcrat |
| behavioral1/memory/1156-62-0x00000000001F0000-0x000000000042E000-memory.dmp | dcrat |
| behavioral1/memory/2964-74-0x0000000000B80000-0x0000000000DBE000-memory.dmp | dcrat |
| behavioral1/memory/1456-97-0x0000000000D60000-0x0000000000F9E000-memory.dmp | dcrat |
| behavioral1/memory/2956-122-0x0000000000FA0000-0x00000000011DE000-memory.dmp | dcrat |
| behavioral1/memory/2736-134-0x0000000000390000-0x00000000005CE000-memory.dmp | dcrat |
| behavioral1/memory/2792-146-0x00000000010A0000-0x00000000012DE000-memory.dmp | dcrat |
| behavioral1/memory/2524-169-0x0000000000270000-0x00000000004AE000-memory.dmp | dcrat |
| behavioral1/memory/1896-181-0x0000000000FD0000-0x000000000120E000-memory.dmp | dcrat |
| behavioral1/memory/2632-194-0x0000000001110000-0x000000000134E000-memory.dmp | dcrat |
Executes dropped EXE 13 IoCs
| pid | Process |
|---|---|
| 2860 | SavesintoHost.exe |
| 1156 | WmiPrvSE.exe |
| 2964 | WmiPrvSE.exe |
| 3036 | WmiPrvSE.exe |
| 1456 | WmiPrvSE.exe |
| 1056 | WmiPrvSE.exe |
| 2956 | WmiPrvSE.exe |
| 2736 | WmiPrvSE.exe |
| 2792 | WmiPrvSE.exe |
| 552 | WmiPrvSE.exe |
| 2524 | WmiPrvSE.exe |
| 1896 | WmiPrvSE.exe |
| 2632 | WmiPrvSE.exe |
Loads dropped DLL 2 IoCs
| pid | Process |
|---|---|
| 2740 | cmd.exe |
| 2740 | cmd.exe |
Adds Run key to start application 2 TTPs 6 IoCs
| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\wscript.exe\"" | SavesintoHost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\wscript.exe\"" | SavesintoHost.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Windows Defender\\lsm.exe\"" | SavesintoHost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Windows Defender\\lsm.exe\"" | SavesintoHost.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\Admin\\Local Settings\\WmiPrvSE.exe\"" | SavesintoHost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\Admin\\Local Settings\\WmiPrvSE.exe\"" | SavesintoHost.exe |
Checks whether UAC is enabled

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | WmiPrvSE.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | WmiPrvSE.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | WmiPrvSE.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | WmiPrvSE.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | WmiPrvSE.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SavesintoHost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SavesintoHost.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | WmiPrvSE.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe |
Drops file in Program Files directory 2 IoCs
| description | ioc | Process |
|---|---|---|
| File created | C:\Program Files (x86)\Windows Defender\lsm.exe | SavesintoHost.exe |
| File created | C:\Program Files (x86)\Windows Defender\101b941d020240 | SavesintoHost.exe |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0bc68db77e687fa52b2f367994c5bc6f.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
| pid | Process |
|---|---|
| 2664 | schtasks.exe |
| 2564 | schtasks.exe |
| 1452 | schtasks.exe |
| 1872 | schtasks.exe |
| 1492 | schtasks.exe |
| 2004 | schtasks.exe |
| 1312 | schtasks.exe |
| 2656 | schtasks.exe |
| 1684 | schtasks.exe |
Suspicious behavior: EnumeratesProcesses 64 IoCs
The 64 IoCs are repeated hits from three processes (each pid is listed many times in the raw report):

| pid | Process |
|---|---|
| 2860 | SavesintoHost.exe |
| 1156 | WmiPrvSE.exe |
| 2964 | WmiPrvSE.exe |
Suspicious use of AdjustPrivilegeToken 13 IoCs
| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 2860 | SavesintoHost.exe |
| Token: SeDebugPrivilege | 1156 | WmiPrvSE.exe |
| Token: SeDebugPrivilege | 2964 | WmiPrvSE.exe |
| Token: SeDebugPrivilege | 3036 | WmiPrvSE.exe |
| Token: SeDebugPrivilege | 1456 | WmiPrvSE.exe |
| Token: SeDebugPrivilege | 1056 | WmiPrvSE.exe |
| Token: SeDebugPrivilege | 2956 | WmiPrvSE.exe |
| Token: SeDebugPrivilege | 2736 | WmiPrvSE.exe |
| Token: SeDebugPrivilege | 2792 | WmiPrvSE.exe |
| Token: SeDebugPrivilege | 552 | WmiPrvSE.exe |
| Token: SeDebugPrivilege | 2524 | WmiPrvSE.exe |
| Token: SeDebugPrivilege | 1896 | WmiPrvSE.exe |
| Token: SeDebugPrivilege | 2632 | WmiPrvSE.exe |
Suspicious use of WriteProcessMemory 64 IoCs
Identical rows are collapsed; the "repeats" column gives how many times each write appears in the raw report (64 rows in total).

| description | pid | Process | procid_target | repeats |
|---|---|---|---|---|
| PID 2148 wrote to memory of 1864 | 2148 | 0bc68db77e687fa52b2f367994c5bc6f.exe | 30 | 4 |
| PID 2148 wrote to memory of 2544 | 2148 | 0bc68db77e687fa52b2f367994c5bc6f.exe | 31 | 4 |
| PID 1864 wrote to memory of 2740 | 1864 | WScript.exe | 32 | 4 |
| PID 2740 wrote to memory of 2860 | 2740 | cmd.exe | 34 | 4 |
| PID 2860 wrote to memory of 1156 | 2860 | SavesintoHost.exe | 46 | 3 |
| PID 1156 wrote to memory of 3028 | 1156 | WmiPrvSE.exe | 47 | 3 |
| PID 1156 wrote to memory of 1192 | 1156 | WmiPrvSE.exe | 48 | 3 |
| PID 3028 wrote to memory of 2964 | 3028 | WScript.exe | 49 | 3 |
| PID 2964 wrote to memory of 792 | 2964 | WmiPrvSE.exe | 50 | 3 |
| PID 2964 wrote to memory of 2556 | 2964 | WmiPrvSE.exe | 51 | 3 |
| PID 792 wrote to memory of 3036 | 792 | WScript.exe | 52 | 3 |
| PID 3036 wrote to memory of 2752 | 3036 | WmiPrvSE.exe | 53 | 3 |
| PID 3036 wrote to memory of 2768 | 3036 | WmiPrvSE.exe | 54 | 3 |
| PID 2752 wrote to memory of 1456 | 2752 | WScript.exe | 55 | 3 |
| PID 1456 wrote to memory of 2852 | 1456 | WmiPrvSE.exe | 56 | 3 |
| PID 1456 wrote to memory of 1880 | 1456 | WmiPrvSE.exe | 57 | 3 |
| PID 2852 wrote to memory of 1056 | 2852 | WScript.exe | 58 | 3 |
| PID 1056 wrote to memory of 2912 | 1056 | WmiPrvSE.exe | 59 | 3 |
| PID 1056 wrote to memory of 2928 | 1056 | WmiPrvSE.exe | 60 | 3 |
| PID 2912 wrote to memory of 2956 | 2912 | WScript.exe | 61 | 3 |
System policy modification 1 TTPs 39 IoCs
| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | SavesintoHost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SavesintoHost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | SavesintoHost.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WmiPrvSE.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | WmiPrvSE.exe |
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0bc68db77e687fa52b2f367994c5bc6f.exe"C:\Users\Admin\AppData\Local\Temp\0bc68db77e687fa52b2f367994c5bc6f.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\comSurrogatecontainercomponentRef\4Vp3r4P.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\comSurrogatecontainercomponentRef\QZY1IZ9a6YLs5.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\comSurrogatecontainercomponentRef\SavesintoHost.exe"C:\comSurrogatecontainercomponentRef\SavesintoHost.exe"4⤵
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2860 -
C:\Users\Admin\Local Settings\WmiPrvSE.exe"C:\Users\Admin\Local Settings\WmiPrvSE.exe"5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1156 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cddfe6c1-dd4d-41ba-bc5b-ff9eecde4190.vbs"6⤵
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Users\Admin\Local Settings\WmiPrvSE.exe"C:\Users\Admin\Local Settings\WmiPrvSE.exe"7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2964 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1282e9a-f2e6-4fc2-80a5-c17bba027792.vbs"8⤵
- Suspicious use of WriteProcessMemory
PID:792 -
C:\Users\Admin\Local Settings\WmiPrvSE.exe"C:\Users\Admin\Local Settings\WmiPrvSE.exe"9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3036 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bd924c3-c9f0-4e6f-b129-41bb6612ce76.vbs"10⤵
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Users\Admin\Local Settings\WmiPrvSE.exe"C:\Users\Admin\Local Settings\WmiPrvSE.exe"11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1456 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3f1befc-ab65-4ef7-b78f-630542093d89.vbs"12⤵
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Users\Admin\Local Settings\WmiPrvSE.exe"C:\Users\Admin\Local Settings\WmiPrvSE.exe"13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1056 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83a1e859-e274-48d0-97c6-1ced66daede2.vbs"14⤵
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Users\Admin\Local Settings\WmiPrvSE.exe"C:\Users\Admin\Local Settings\WmiPrvSE.exe"15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2956 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2da1703-d9c8-4f51-b06e-c34746d1563f.vbs"16⤵PID:1664
-
C:\Users\Admin\Local Settings\WmiPrvSE.exe"C:\Users\Admin\Local Settings\WmiPrvSE.exe"17⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2736

C:\Windows\System32\WScript.exe (depth 18)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\364f04fc-a5a3-4645-ac8e-e6f3e528e36d.vbs"
PID:2624

C:\Users\Admin\Local Settings\WmiPrvSE.exe (depth 19)
"C:\Users\Admin\Local Settings\WmiPrvSE.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2792

C:\Windows\System32\WScript.exe (depth 20)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\add23bd7-49ee-4df4-8c74-0de04cf6f5b7.vbs"
PID:1764

C:\Users\Admin\Local Settings\WmiPrvSE.exe (depth 21)
"C:\Users\Admin\Local Settings\WmiPrvSE.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:552

C:\Windows\System32\WScript.exe (depth 22)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a590bafd-f8a3-42d6-9e3a-1cadb2ce1eca.vbs"
PID:1740

C:\Users\Admin\Local Settings\WmiPrvSE.exe (depth 23)
"C:\Users\Admin\Local Settings\WmiPrvSE.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2524

C:\Windows\System32\WScript.exe (depth 24)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1037223a-6582-45b6-95da-e5633daa9560.vbs"
PID:1976

C:\Users\Admin\Local Settings\WmiPrvSE.exe (depth 25)
"C:\Users\Admin\Local Settings\WmiPrvSE.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1896

C:\Windows\System32\WScript.exe (depth 26)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ecafcee-d91e-4d71-856c-9a88117996ac.vbs"
PID:2724

C:\Users\Admin\Local Settings\WmiPrvSE.exe (depth 27)
"C:\Users\Admin\Local Settings\WmiPrvSE.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2632

C:\Windows\System32\WScript.exe (depth 28)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16b67448-1d03-4f79-8bbf-05b4df877798.vbs"
PID:1396

C:\Windows\System32\WScript.exe (depth 28)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da55c33e-b022-4352-80e9-0b9e609b94c9.vbs"
PID:2668

C:\Windows\System32\WScript.exe (depth 26)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a120da6-02cd-4357-89dd-22f950226f91.vbs"
PID:2824

C:\Windows\System32\WScript.exe (depth 24)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64019764-b321-4743-875a-a1ef1cf2f6b5.vbs"
PID:2712

C:\Windows\System32\WScript.exe (depth 22)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\232fee47-b6b2-47f2-a88a-dc507e76f568.vbs"
PID:1188

C:\Windows\System32\WScript.exe (depth 20)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1daab52f-0622-44e3-b318-ef24bddda786.vbs"
PID:2892

C:\Windows\System32\WScript.exe (depth 18)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ea3bddd-8cbb-4d97-8f43-10a151b6ec71.vbs"
PID:868

C:\Windows\System32\WScript.exe (depth 16)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f26d8f30-9272-418e-b930-fd361fd214fd.vbs"
PID:1936

C:\Windows\System32\WScript.exe (depth 14)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a25e4b2-1d1e-402d-ba7b-c71f15f31b74.vbs"
PID:2928

C:\Windows\System32\WScript.exe (depth 12)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98678301-b177-4afa-ad98-f1260a043569.vbs"
PID:1880

C:\Windows\System32\WScript.exe (depth 10)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0450b3a1-4fed-4b66-9737-df3ff703d708.vbs"
PID:2768

C:\Windows\System32\WScript.exe (depth 8)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0542deeb-b857-4167-bf78-66b8a1e273be.vbs"
PID:2556

C:\Windows\System32\WScript.exe (depth 6)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ce3fa2b-b977-4118-9c24-1100e59acc00.vbs"
PID:1192

C:\Windows\SysWOW64\WScript.exe (depth 2)
"C:\Windows\System32\WScript.exe" "C:\comSurrogatecontainercomponentRef\file.vbs"
- System Location Discovery: System Language Discovery
PID:2544

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wscript.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wscript.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wscript.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Local Settings\WmiPrvSE.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe (depth 1)
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Local Settings\WmiPrvSE.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (4)
Downloads
- Filesize: 718B
  MD5: 1b77330fff5aadb3d3100381f14bf6e9
  SHA1: 811a5b09fffb9267bb192909e7071493206af5e6
  SHA256: 67cce0f1d7efc5348a8a6acb5553c1c5c339e5f84e91ef77de7e3cd503368a4b
  SHA512: 16c66dd252681efd87937929e987596acd8244e2bcdc430f08e466cd00c50e1348d7b6b64c5799d3b398b29f5f468e1774ee517f7dae4f2e8513d9512b577a1c
- Filesize: 718B
  MD5: 3b010a81c21423d65111d49ef252512b
  SHA1: 3c24d7c93f9a354222c871a51304ace95edea6c4
  SHA256: 8ee2e8e3bc2c88cb9b31dbe68f89d7d2f02c036a4093b444eb37129a158281a1
  SHA512: 9e36a87dff258360be8b17c56f660064028a835e71a35b3c646833239e0e9518a349f457c8a796cbdf35f37ec16ff8c6f44ad5bc6f62b6ef92cdc325c2a6c63d
- Filesize: 718B
  MD5: 21f65e590f7c26f0d8c7b25681ed50f0
  SHA1: 15b4c9aa437329d3beb59b44423c69dacb05886c
  SHA256: bf58147c8f2adc664435dc10d82350c94cc0c2e9ee24b8e3b794a2e84eb687cf
  SHA512: 7264a780224f8912ac3e0ebe777af698816565ee9005b23f4bb61e0dc63165295641dac9ae09563a09210d9af3c39c908a77dfdcdede25784170369ff53afc68
- Filesize: 494B
  MD5: 303351f67b84ae3c3a80622150377ce2
  SHA1: 28d18e7f7cd7478488ddefe91bdf6429ba3f6b3e
  SHA256: 754182c772b6e0f4a9c7b823517f0a7720d2d27afd2c0cfb819217b5c96fbdb6
  SHA512: 45cd25615f4ab8661e9c08d3e0d83ec418801496305b3b106e6bcdb896bdc2ed72dc2772ce77d4c5b7e38156beaa3ae4725cc65b6300152a7ca31c91f78a2bda
- Filesize: 718B
  MD5: df01f556b02f80b52f3e4ba253b4b00a
  SHA1: 3d223ecebd3a6393c27e2244a441a17b34bcdf46
  SHA256: ae917c0cf79b1ca0dd79d8854c638ff04144ebcf9ad2b725958e520ff13ded17
  SHA512: 21fdb2fa5666a2371cd1cafd92b0a1c4c9323c1254434537d725a2bd497d7ac2e9bdcbb35cc22a9e5e6c1fe84067efe6d450428f70e8fcb03d28539632371537
- Filesize: 718B
  MD5: 8ca0a2d0d4e70c6318766a0413cb7c8f
  SHA1: b38fc37c401c6c314a62a8b5ce9697181f4e8496
  SHA256: bd72a74d3924ef3ce3f0783bd73a3c28eb6547757ad33ce96dc6b81baf62ec84
  SHA512: 3b3cedf8bacd7be36e2b122b29914d43277312ee556ee9392a481c02b2e6a093765ca075794f5916ff7dc6c60b39ab6194c65ac5d7f31362d303b1bc316e0e1c
- Filesize: 718B
  MD5: 597ace0fef5974aeabf1c38764f13b03
  SHA1: c1c4d55f8f030f11392a9938c8509b715e2371e7
  SHA256: 43d61deb02b9fc8d424714f95dff1316c858bfd1f8e3009e9546e2d7a3f46df3
  SHA512: 7090b2871339995f63f9392503548e327c45331246f763b01af4407c13d59ac2d062d3af09a0f0dd7205b021494b6a8fc560af8eb8a2c840026804656b70e2be
- Filesize: 718B
  MD5: a7b368ed3687e0e0190756da80054969
  SHA1: ea001818db024a5798968d5c327990ec23d7f1ae
  SHA256: 66ae1ad560bc144fe68e859a5040c4ed950e4602d64959c052de92bddb95887d
  SHA512: 54af717e7b29a859453ca6ca488551d71938c3549413f3d1ba1dc42e8a829f33df015497cd2bfb4bd2d0f965d5864856c66570d74a3e09ff43bbdaf91133c492
- Filesize: 717B
  MD5: 91478cf532d95b3c2cf1ee1c767cc792
  SHA1: 320a7aa23c87601b34d8444af564d478c713f20c
  SHA256: 9c67c73e12c53bfbaa1d8cc77630ff1a0faa248c0df64edbf4303e34d35223da
  SHA512: 72c9c9db860051f70d0ae65d07a6d74140714308af765f49d1464c6cb8a3efc8b5b6529b7507a64bd39241de6dcbc78655840689612a883a0c04748f21696f30
- Filesize: 718B
  MD5: 63f73f1fc0a59fc26deb02c629941819
  SHA1: 45f45db0c628739207fe72a2da91bdfa4b28ba4c
  SHA256: be91b8c08ed2474ea23cb844444a95d250bec832a64a44846d25810a98fb5f18
  SHA512: 199c343871935f76ad505a696cfc35a498386d19c20f984eaab3c2a8b0f366a762a3e194e093a9d4e5c297f19b93a272244812b4a404850b53c1abb80d3d6d49
- Filesize: 718B
  MD5: a15446a1bc0d03dffd9863327a66cf9b
  SHA1: ba94c858d898c7c695c3bdcf79ad11e0c2cbcfc5
  SHA256: 8c26ba04edef854fe97d86c1a616314b8f52054274c2e198efa6909df6ad3ec0
  SHA512: 02c49dc50fa3bd820d6624c8b1ea7bbfea225491985e091a003fd0c6352bce5d0c5e17006702f7a67ccb011ee8151dae143736ecd91e0764f952ab19da809b26
- Filesize: 718B
  MD5: bdeea34799e0f21e16687a60ab9a4004
  SHA1: 05d86040d6586249ebd262adc56272cc8d2c0146
  SHA256: 9079de728ab0fb27968b7bb46cb8f6843d2730923610f689a6003c053574129e
  SHA512: 1c62e682a6449ea474b0a44668abe1244f9c2e5d9cc020244366b6f4a549be30dafac9a159e26656147cf25b7ff0fe8a5935aa1714b0451f14fc08f3331f35b5
- Filesize: 718B
  MD5: 6e946b5d57447c223692089f7fbd5bfc
  SHA1: c19ba26ab9709eb37a0a13cdc21026dc9f253eef
  SHA256: 19dd9c4a7a07f695fea326a8326c2b2ab4ebdd73ed576fc757366a976d53802d
  SHA512: 2102a70ae120aa8a26135b0aaa2be567cb9f9ef69a5940cfc75acdb9af8032619dc87dbc684bf58ae47d154e47224cd11b594654be73598ba0458ca3014b9f1f
- Filesize: 223B
  MD5: 5d646684debbc53c0c7ec5fa65f23216
  SHA1: c161dec715fcc4156442fc30eaf6b3d0caddfb17
  SHA256: cddd4a030f867acb39a0e7697732cbd57bb2e5e9f0d81fc1e7d752d57c1ee195
  SHA512: e6518ff37848e7e92d9b820b3eecea2a0d0d85fd6804a8b4f4adf56154aa1a1d5433c3333d469bc8e2ffb9f4ebb4445f979467f970f9155774a670fe5446c19a
- Filesize: 56B
  MD5: cbba91293fed3dfb5a3a0cd0ec53b505
  SHA1: 6d66eaa19e366c386d006b8b782cda171c359c43
  SHA256: 062cff19b7be8c7d9c9941f75b9225982eb3799a766ee73659251f7d0c0b299d
  SHA512: a97640da0d86256b3512d84c9a5120e41cb7ed47f3a61f8f4f6212804034a8e19a99fc35a3b91804734c93279b74b23737e31e224152d3e6a17e113fd4bca0f4
- Filesize: 2.2MB
  MD5: 3aa1bbd17d68b0b67b7423f1fe09b05b
  SHA1: 61c43b8f31a51d772fd39d5caa87699d74971a43
  SHA256: 7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474
  SHA512: 7ae82411565104b15cc0de4cc8315d93301befbb28b1e36e3c50d46c8ba9fb1ff8eb361e12cd9d32771e2a5ecbee9b026aca0105473a9fe5a877fc2744b32014
- Filesize: 34B
  MD5: 677cc4360477c72cb0ce00406a949c61
  SHA1: b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
  SHA256: f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
  SHA512: 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a