Analysis
max time kernel: 120s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-12-2024 22:14

Static task: static1
Behavioral task: behavioral1
Sample: 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
Resource: win7-20240903-en
General
Target: 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
Size: 4.9MB
MD5: ad6f5a9d1be209b53e4ea1e256a259b0
SHA1: 03da3df7b5d92d7c298e7c7fc9965f140f13000e
SHA256: 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3
SHA512: 24bf284ce56fef4e52278ee6a4c85f27e6d754ff99c1858089c4c70fbca947bdc4e630b096ec29d74dc93eec4734bfc409a8d8837762c2754d8b665ab4258e88
SSDEEP: 49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:
Malware Config
Extracted
colibri
1.2.0
Build1
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Signatures

Colibri family

DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

Dcrat family

Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1612 | 5104 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5064 | 5104 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2632 | 5104 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1404 | 5104 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4700 | 5104 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3432 | 5104 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 628 | 5104 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 228 | 5104 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3904 | 5104 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 348 | 5104 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4156 | 5104 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3224 | 5104 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1296 | 5104 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4428 | 5104 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4020 | 5104 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1272 | 5104 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5112 | 5104 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 396 | 5104 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 516 | 5104 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2424 | 5104 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4680 | 5104 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4648 | 5104 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4292 | 5104 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2688 | 5104 | schtasks.exe | 84
(39 rows; identical rows grouped, count in last column)
description | ioc | Process | rows
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe | 12
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | RuntimeBroker.exe | 12
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe | 12
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 1
resource | yara_rule
behavioral2/memory/1340-3-0x000000001BEE0000-0x000000001C00E000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
1620 | powershell.exe
1592 | powershell.exe
2548 | powershell.exe
744 | powershell.exe
3556 | powershell.exe
3836 | powershell.exe
1464 | powershell.exe
1604 | powershell.exe
4208 | powershell.exe
1108 | powershell.exe
3652 | powershell.exe
Checks computer location settings 2 TTPs 13 IoCs
Looks up country code configured in the registry, likely geofence.
(13 rows; identical rows grouped, count in last column)
description | ioc | Process | rows
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | RuntimeBroker.exe | 12
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 1
Executes dropped EXE 36 IoCs
pid | Process
3636 | tmpB143.tmp.exe
3612 | tmpB143.tmp.exe
2316 | RuntimeBroker.exe
2980 | tmpCE2D.tmp.exe
4800 | tmpCE2D.tmp.exe
2892 | RuntimeBroker.exe
2084 | RuntimeBroker.exe
3124 | tmp347.tmp.exe
4048 | tmp347.tmp.exe
4684 | tmp347.tmp.exe
212 | RuntimeBroker.exe
1640 | tmp1D28.tmp.exe
2976 | tmp1D28.tmp.exe
2568 | RuntimeBroker.exe
624 | tmp4AEF.tmp.exe
3500 | tmp4AEF.tmp.exe
1464 | RuntimeBroker.exe
2900 | tmp79BF.tmp.exe
4944 | tmp79BF.tmp.exe
3636 | RuntimeBroker.exe
3984 | tmpA8ED.tmp.exe
2660 | tmpA8ED.tmp.exe
1768 | RuntimeBroker.exe
1868 | tmpC4A3.tmp.exe
4264 | tmpC4A3.tmp.exe
2084 | RuntimeBroker.exe
5032 | tmpF279.tmp.exe
3100 | tmpF279.tmp.exe
1976 | RuntimeBroker.exe
1556 | tmpC5A.tmp.exe
4196 | tmpC5A.tmp.exe
5028 | tmpC5A.tmp.exe
1684 | RuntimeBroker.exe
4360 | RuntimeBroker.exe
4644 | tmp408A.tmp.exe
972 | tmp408A.tmp.exe
(26 rows; identical rows grouped, count in last column)
description | ioc | Process | rows
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RuntimeBroker.exe | 12
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe | 12
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 1
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 1
Drops file in System32 directory 1 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\en-US\Licenses\System.exe | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
Suspicious use of SetThreadContext 11 IoCs
description | pid | Process | procid_target
PID 3636 set thread context of 3612 | 3636 | tmpB143.tmp.exe | 111
PID 2980 set thread context of 4800 | 2980 | tmpCE2D.tmp.exe | 139
PID 4048 set thread context of 4684 | 4048 | tmp347.tmp.exe | 155
PID 1640 set thread context of 2976 | 1640 | tmp1D28.tmp.exe | 162
PID 624 set thread context of 3500 | 624 | tmp4AEF.tmp.exe | 169
PID 2900 set thread context of 4944 | 2900 | tmp79BF.tmp.exe | 175
PID 3984 set thread context of 2660 | 3984 | tmpA8ED.tmp.exe | 181
PID 1868 set thread context of 4264 | 1868 | tmpC4A3.tmp.exe | 187
PID 5032 set thread context of 3100 | 5032 | tmpF279.tmp.exe | 193
PID 4196 set thread context of 5028 | 4196 | tmpC5A.tmp.exe | 200
PID 4644 set thread context of 972 | 4644 | tmp408A.tmp.exe | 209
Drops file in Program Files directory 20 IoCs
(all 20 rows by Process 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe)
description | ioc
File created | C:\Program Files\Windows NT\Accessories\sysmon.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\spoolsv.exe
File created | C:\Program Files\Windows Defender\uk-UA\9e8d7a4ca61bd9
File opened for modification | C:\Program Files\Microsoft Office 15\ClientX64\spoolsv.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Configuration\Schema\RuntimeBroker.exe
File created | C:\Program Files\WindowsPowerShell\Configuration\Schema\RuntimeBroker.exe
File opened for modification | C:\Program Files\Windows NT\Accessories\RCXADA7.tmp
File opened for modification | C:\Program Files\Windows Defender\uk-UA\RCXB666.tmp
File opened for modification | C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe
File created | C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe
File created | C:\Program Files\WindowsPowerShell\Configuration\Schema\9e8d7a4ca61bd9
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe
File created | C:\Program Files\Windows NT\Accessories\121e5b5079f7c0
File created | C:\Program Files\Microsoft Office 15\ClientX64\f3b6ecef712a24
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\ea1d8f6d871115
File opened for modification | C:\Program Files\Windows NT\Accessories\sysmon.exe
File opened for modification | C:\Program Files\Microsoft Office 15\ClientX64\RCXB23E.tmp
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXB452.tmp
File opened for modification | C:\Program Files\WindowsPowerShell\Configuration\Schema\RCXB8A9.tmp
Drops file in Windows directory 6 IoCs
(all 6 rows by Process 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe)
description | ioc
File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Assets\System.exe
File created | C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Assets\System.exe
File created | C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Assets\27d1bcfc3c54e0
File created | C:\Windows\WinSxS\RuntimeBroker.exe
File created | C:\Windows\diagnostics\scheduled\Maintenance\uk-UA\smss.exe
File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Assets\RCXAFBB.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp79BF.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpF279.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpC5A.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpB143.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpCE2D.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp347.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp347.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp4AEF.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp1D28.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpA8ED.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpC4A3.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpC5A.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp408A.tmp.exe
Modifies registry class 13 IoCs
(13 rows; identical rows grouped, count in last column)
description | ioc | Process | rows
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | RuntimeBroker.exe | 12
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 1
Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3432 | schtasks.exe
4428 | schtasks.exe
396 | schtasks.exe
516 | schtasks.exe
2424 | schtasks.exe
1272 | schtasks.exe
5112 | schtasks.exe
4680 | schtasks.exe
4292 | schtasks.exe
2688 | schtasks.exe
1404 | schtasks.exe
4700 | schtasks.exe
3224 | schtasks.exe
1612 | schtasks.exe
5064 | schtasks.exe
2632 | schtasks.exe
628 | schtasks.exe
228 | schtasks.exe
3904 | schtasks.exe
348 | schtasks.exe
4156 | schtasks.exe
1296 | schtasks.exe
4020 | schtasks.exe
4648 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 59 IoCs
(59 rows in original order; consecutive identical rows collapsed, count in last column)
pid | Process | rows
1340 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 13
3556 | powershell.exe | 2
2548 | powershell.exe | 2
3652 | powershell.exe | 2
1108 | powershell.exe | 2
1620 | powershell.exe | 2
1604 | powershell.exe | 2
744 | powershell.exe | 2
3836 | powershell.exe | 2
4208 | powershell.exe | 2
1464 | powershell.exe | 2
3556 | powershell.exe | 1
4208 | powershell.exe | 1
1592 | powershell.exe | 2
1604 | powershell.exe | 1
1108 | powershell.exe | 1
2548 | powershell.exe | 1
3652 | powershell.exe | 1
744 | powershell.exe | 1
3836 | powershell.exe | 1
1620 | powershell.exe | 1
1464 | powershell.exe | 1
1592 | powershell.exe | 1
2316 | RuntimeBroker.exe | 2
2892 | RuntimeBroker.exe | 1
2084 | RuntimeBroker.exe | 1
212 | RuntimeBroker.exe | 1
2568 | RuntimeBroker.exe | 1
1464 | RuntimeBroker.exe | 1
3636 | RuntimeBroker.exe | 1
1768 | RuntimeBroker.exe | 1
2084 | RuntimeBroker.exe | 1
1976 | RuntimeBroker.exe | 1
1684 | RuntimeBroker.exe | 1
4360 | RuntimeBroker.exe | 1
Suspicious use of AdjustPrivilegeToken 24 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1340 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
Token: SeDebugPrivilege | 3556 | powershell.exe
Token: SeDebugPrivilege | 2548 | powershell.exe
Token: SeDebugPrivilege | 3652 | powershell.exe
Token: SeDebugPrivilege | 1108 | powershell.exe
Token: SeDebugPrivilege | 1620 | powershell.exe
Token: SeDebugPrivilege | 1604 | powershell.exe
Token: SeDebugPrivilege | 744 | powershell.exe
Token: SeDebugPrivilege | 3836 | powershell.exe
Token: SeDebugPrivilege | 4208 | powershell.exe
Token: SeDebugPrivilege | 1464 | powershell.exe
Token: SeDebugPrivilege | 1592 | powershell.exe
Token: SeDebugPrivilege | 2316 | RuntimeBroker.exe
Token: SeDebugPrivilege | 2892 | RuntimeBroker.exe
Token: SeDebugPrivilege | 2084 | RuntimeBroker.exe
Token: SeDebugPrivilege | 212 | RuntimeBroker.exe
Token: SeDebugPrivilege | 2568 | RuntimeBroker.exe
Token: SeDebugPrivilege | 1464 | RuntimeBroker.exe
Token: SeDebugPrivilege | 3636 | RuntimeBroker.exe
Token: SeDebugPrivilege | 1768 | RuntimeBroker.exe
Token: SeDebugPrivilege | 2084 | RuntimeBroker.exe
Token: SeDebugPrivilege | 1976 | RuntimeBroker.exe
Token: SeDebugPrivilege | 1684 | RuntimeBroker.exe
Token: SeDebugPrivilege | 4360 | RuntimeBroker.exe
Suspicious use of WriteProcessMemory 64 IoCs
(64 rows in original order; consecutive identical rows collapsed, count in last column)
description | pid | Process | procid_target | rows
PID 1340 wrote to memory of 3636 | 1340 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 109 | 3
PID 3636 wrote to memory of 3612 | 3636 | tmpB143.tmp.exe | 111 | 7
PID 1340 wrote to memory of 1592 | 1340 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 112 | 2
PID 1340 wrote to memory of 1620 | 1340 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 113 | 2
PID 1340 wrote to memory of 1464 | 1340 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 114 | 2
PID 1340 wrote to memory of 3652 | 1340 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 115 | 2
PID 1340 wrote to memory of 3836 | 1340 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 116 | 2
PID 1340 wrote to memory of 3556 | 1340 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 117 | 2
PID 1340 wrote to memory of 1108 | 1340 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 118 | 2
PID 1340 wrote to memory of 1604 | 1340 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 119 | 2
PID 1340 wrote to memory of 744 | 1340 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 120 | 2
PID 1340 wrote to memory of 2548 | 1340 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 122 | 2
PID 1340 wrote to memory of 4208 | 1340 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 123 | 2
PID 1340 wrote to memory of 2316 | 1340 | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe | 134 | 2
PID 2316 wrote to memory of 4988 | 2316 | RuntimeBroker.exe | 135 | 2
PID 2316 wrote to memory of 4632 | 2316 | RuntimeBroker.exe | 136 | 2
PID 2316 wrote to memory of 2980 | 2316 | RuntimeBroker.exe | 137 | 3
PID 2980 wrote to memory of 4800 | 2980 | tmpCE2D.tmp.exe | 139 | 7
PID 4988 wrote to memory of 2892 | 4988 | WScript.exe | 143 | 2
PID 2892 wrote to memory of 208 | 2892 | RuntimeBroker.exe | 145 | 2
PID 2892 wrote to memory of 4492 | 2892 | RuntimeBroker.exe | 146 | 2
PID 208 wrote to memory of 2084 | 208 | WScript.exe | 149 | 2
PID 2084 wrote to memory of 4304 | 2084 | RuntimeBroker.exe | 150 | 2
PID 2084 wrote to memory of 1304 | 2084 | RuntimeBroker.exe | 151 | 2
PID 2084 wrote to memory of 3124 | 2084 | RuntimeBroker.exe | 152 | 3
PID 3124 wrote to memory of 4048 | 3124 | tmp347.tmp.exe | 154 | 1
System policy modification 1 TTPs 39 IoCs
Setting EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop to 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System disables UAC prompting; EnableLUA = 0 turns UAC off entirely after the next reboot.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RuntimeBroker.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | RuntimeBroker.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; [n] is the nesting level, indented two spaces per level)

[1] C:\Users\Admin\AppData\Local\Temp\04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\04b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3N.exe"
  - UAC bypass
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 1340
  [2] C:\Users\Admin\AppData\Local\Temp\tmpB143.tmp.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\tmpB143.tmp.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3636
    [3] C:\Users\Admin\AppData\Local\Temp\tmpB143.tmp.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\tmpB143.tmp.exe"
      - Executes dropped EXE
      PID: 3612
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1592
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1620
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1464
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3652
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3836
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3556
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1108
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1604
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 744
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2548
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4208
  [2] C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe
    cmd: "C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe"
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID: 2316
    [3] C:\Windows\System32\WScript.exe
      cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87ac4628-0581-4480-9e2f-35fb52213e17.vbs"
      - Suspicious use of WriteProcessMemory
      PID: 4988
      [4] C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe
        cmd: "C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe"
        - UAC bypass
        - Checks computer location settings
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID: 2892
        [5] C:\Windows\System32\WScript.exe
          cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e25c7e6b-a771-4e73-9f82-9785ab818771.vbs"
          - Suspicious use of WriteProcessMemory
          PID: 208
          [6] C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe
            cmd: "C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe"
            - UAC bypass
            - Checks computer location settings
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
            PID: 2084
            [7] C:\Windows\System32\WScript.exe
              cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb8e171d-69f6-415d-a1c0-cec1932755a2.vbs"
              PID: 4304
              [8] C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe
                cmd: "C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe"
                - UAC bypass
                - Checks computer location settings
                - Executes dropped EXE
                - Checks whether UAC is enabled
                - Modifies registry class
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - System policy modification
                PID: 212
                [9] C:\Windows\System32\WScript.exe
                  cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9775670-3077-402f-9d82-21df628eae5b.vbs"
                  PID: 4872
                  [10] C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe
                    cmd: "C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe"
                    - UAC bypass
                    - Checks computer location settings
                    - Executes dropped EXE
                    - Checks whether UAC is enabled
                    - Modifies registry class
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                    - System policy modification
                    PID: 2568
                    [11] C:\Windows\System32\WScript.exe
                      cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69f8d423-d09a-415c-ab6a-24738cced8f5.vbs"
                      PID: 3312
                      [12] C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe
                        cmd: "C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe"
                        - UAC bypass
                        - Checks computer location settings
                        - Executes dropped EXE
                        - Checks whether UAC is enabled
                        - Modifies registry class
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of AdjustPrivilegeToken
                        - System policy modification
                        PID: 1464
                        [13] C:\Windows\System32\WScript.exe
                          cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ca64d8a-bb12-4fc9-814b-9e48e2950a42.vbs"
                          PID: 4776
                          [14] C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe
                            cmd: "C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe"
                            - UAC bypass
                            - Checks computer location settings
                            - Executes dropped EXE
                            - Checks whether UAC is enabled
                            - Modifies registry class
                            - Suspicious behavior: EnumeratesProcesses
                            - Suspicious use of AdjustPrivilegeToken
                            - System policy modification
                            PID: 3636
                            [15] C:\Windows\System32\WScript.exe
                              cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d4a75a7-2d90-44af-aed9-711e3f55fd57.vbs"
                              PID: 4188
                              [16] C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe
                                cmd: "C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe"
                                - UAC bypass
                                - Checks computer location settings
                                - Executes dropped EXE
                                - Checks whether UAC is enabled
                                - Modifies registry class
                                - Suspicious behavior: EnumeratesProcesses
                                - Suspicious use of AdjustPrivilegeToken
                                - System policy modification
                                PID: 1768
                                [17] C:\Windows\System32\WScript.exe
                                  cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4e1e22a-c60a-453e-ab26-45be6c6d159d.vbs"
                                  PID: 2112
                                  [18] C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe
                                    cmd: "C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe"
                                    - UAC bypass
                                    - Checks computer location settings
                                    - Executes dropped EXE
                                    - Checks whether UAC is enabled
                                    - Modifies registry class
                                    - Suspicious behavior: EnumeratesProcesses
                                    - Suspicious use of AdjustPrivilegeToken
                                    - System policy modification
                                    PID: 2084
                                    [19] C:\Windows\System32\WScript.exe
                                      cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42faec28-7d22-4284-91a0-57936938e584.vbs"
                                      PID: 2008
                                      [20] C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe
                                        cmd: "C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe"
                                        - UAC bypass
                                        - Checks computer location settings
                                        - Executes dropped EXE
                                        - Checks whether UAC is enabled
                                        - Modifies registry class
                                        - Suspicious behavior: EnumeratesProcesses
                                        - Suspicious use of AdjustPrivilegeToken
                                        - System policy modification
                                        PID: 1976
                                        [21] C:\Windows\System32\WScript.exe
                                          cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\787c97c0-c21a-46aa-a6a8-bf5f84704870.vbs"
                                          PID: 2504
                                          [22] C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe
                                            cmd: "C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe"
                                            - UAC bypass
                                            - Checks computer location settings
                                            - Executes dropped EXE
                                            - Checks whether UAC is enabled
                                            - Modifies registry class
                                            - Suspicious behavior: EnumeratesProcesses
                                            - Suspicious use of AdjustPrivilegeToken
                                            - System policy modification
                                            PID: 1684
                                            [23] C:\Windows\System32\WScript.exe
                                              cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0877f45e-607d-4082-af9f-45bfa7347c55.vbs"
                                              PID: 1756
                                              [24] C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe
                                                cmd: "C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe"
                                                - UAC bypass
                                                - Checks computer location settings
                                                - Executes dropped EXE
                                                - Checks whether UAC is enabled
                                                - Modifies registry class
                                                - Suspicious behavior: EnumeratesProcesses
                                                - Suspicious use of AdjustPrivilegeToken
                                                - System policy modification
                                                PID: 4360
                                                [25] C:\Windows\System32\WScript.exe
                                                  cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1af3b025-5798-4822-a1c8-ef1ace42835d.vbs"
                                                  PID: 3276
                                                  [26] C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe
                                                    cmd: "C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe"
                                                    PID: 2816
                                                [25] C:\Windows\System32\WScript.exe
                                                  cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e90e6a2a-7d17-4b15-af99-c2e2d00fb015.vbs"
                                                  PID: 1044
                                                [25] C:\Users\Admin\AppData\Local\Temp\tmp408A.tmp.exe
                                                  cmd: "C:\Users\Admin\AppData\Local\Temp\tmp408A.tmp.exe"
                                                  - Executes dropped EXE
                                                  - Suspicious use of SetThreadContext
                                                  - System Location Discovery: System Language Discovery
                                                  PID: 4644
                                                  [26] C:\Users\Admin\AppData\Local\Temp\tmp408A.tmp.exe
                                                    cmd: "C:\Users\Admin\AppData\Local\Temp\tmp408A.tmp.exe"
                                                    - Executes dropped EXE
                                                    PID: 972
                                            [23] C:\Windows\System32\WScript.exe
                                              cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e74547f-b04b-4d04-be9d-d291b4e5bf55.vbs"
                                              PID: 3340
                                        [21] C:\Windows\System32\WScript.exe
                                          cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52c5dece-abca-4309-979c-4b765207d4e9.vbs"
                                          PID: 1640
                                        [21] C:\Users\Admin\AppData\Local\Temp\tmpC5A.tmp.exe
                                          cmd: "C:\Users\Admin\AppData\Local\Temp\tmpC5A.tmp.exe"
                                          - Executes dropped EXE
                                          - System Location Discovery: System Language Discovery
                                          PID: 1556
                                          [22] C:\Users\Admin\AppData\Local\Temp\tmpC5A.tmp.exe
                                            cmd: "C:\Users\Admin\AppData\Local\Temp\tmpC5A.tmp.exe"
                                            - Executes dropped EXE
                                            - Suspicious use of SetThreadContext
                                            - System Location Discovery: System Language Discovery
                                            PID: 4196
                                            [23] C:\Users\Admin\AppData\Local\Temp\tmpC5A.tmp.exe
                                              cmd: "C:\Users\Admin\AppData\Local\Temp\tmpC5A.tmp.exe"
                                              - Executes dropped EXE
                                              PID: 5028
                                    [19] C:\Windows\System32\WScript.exe
                                      cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f43a431e-5e56-406e-9631-8f62a28c6851.vbs"
                                      PID: 2300
                                    [19] C:\Users\Admin\AppData\Local\Temp\tmpF279.tmp.exe
                                      cmd: "C:\Users\Admin\AppData\Local\Temp\tmpF279.tmp.exe"
                                      - Executes dropped EXE
                                      - Suspicious use of SetThreadContext
                                      - System Location Discovery: System Language Discovery
                                      PID: 5032
                                      [20] C:\Users\Admin\AppData\Local\Temp\tmpF279.tmp.exe
                                        cmd: "C:\Users\Admin\AppData\Local\Temp\tmpF279.tmp.exe"
                                        - Executes dropped EXE
                                        PID: 3100
                                [17] C:\Windows\System32\WScript.exe
                                  cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5b93b72-57e6-4336-9235-03da5c77cc6a.vbs"
                                  PID: 4396
                                [17] C:\Users\Admin\AppData\Local\Temp\tmpC4A3.tmp.exe
                                  cmd: "C:\Users\Admin\AppData\Local\Temp\tmpC4A3.tmp.exe"
                                  - Executes dropped EXE
                                  - Suspicious use of SetThreadContext
                                  - System Location Discovery: System Language Discovery
                                  PID: 1868
                                  [18] C:\Users\Admin\AppData\Local\Temp\tmpC4A3.tmp.exe
                                    cmd: "C:\Users\Admin\AppData\Local\Temp\tmpC4A3.tmp.exe"
                                    - Executes dropped EXE
                                    PID: 4264
                            [15] C:\Windows\System32\WScript.exe
                              cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7efb947-2ebb-4c68-b95f-72cc3c4a05f9.vbs"
                              PID: 4828
                            [15] C:\Users\Admin\AppData\Local\Temp\tmpA8ED.tmp.exe
                              cmd: "C:\Users\Admin\AppData\Local\Temp\tmpA8ED.tmp.exe"
                              - Executes dropped EXE
                              - Suspicious use of SetThreadContext
                              - System Location Discovery: System Language Discovery
                              PID: 3984
                              [16] C:\Users\Admin\AppData\Local\Temp\tmpA8ED.tmp.exe
                                cmd: "C:\Users\Admin\AppData\Local\Temp\tmpA8ED.tmp.exe"
                                - Executes dropped EXE
                                PID: 2660
                        [13] C:\Windows\System32\WScript.exe
                          cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\474721b8-6721-4434-9886-5e083f8e5079.vbs"
                          PID: 3068
                        [13] C:\Users\Admin\AppData\Local\Temp\tmp79BF.tmp.exe
                          cmd: "C:\Users\Admin\AppData\Local\Temp\tmp79BF.tmp.exe"
                          - Executes dropped EXE
                          - Suspicious use of SetThreadContext
                          - System Location Discovery: System Language Discovery
                          PID: 2900
                          [14] C:\Users\Admin\AppData\Local\Temp\tmp79BF.tmp.exe
                            cmd: "C:\Users\Admin\AppData\Local\Temp\tmp79BF.tmp.exe"
                            - Executes dropped EXE
                            PID: 4944
                    [11] C:\Windows\System32\WScript.exe
                      cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4c6508a-5f12-4076-956d-7500058ca7bf.vbs"
                      PID: 3576
                    [11] C:\Users\Admin\AppData\Local\Temp\tmp4AEF.tmp.exe
                      cmd: "C:\Users\Admin\AppData\Local\Temp\tmp4AEF.tmp.exe"
                      - Executes dropped EXE
                      - Suspicious use of SetThreadContext
                      - System Location Discovery: System Language Discovery
                      PID: 624
                      [12] C:\Users\Admin\AppData\Local\Temp\tmp4AEF.tmp.exe
                        cmd: "C:\Users\Admin\AppData\Local\Temp\tmp4AEF.tmp.exe"
                        - Executes dropped EXE
                        PID: 3500
                [9] C:\Windows\System32\WScript.exe
                  cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b1f68b5-1040-4959-81a1-abbb7e36d407.vbs"
                  PID: 5000
                [9] C:\Users\Admin\AppData\Local\Temp\tmp1D28.tmp.exe
                  cmd: "C:\Users\Admin\AppData\Local\Temp\tmp1D28.tmp.exe"
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - System Location Discovery: System Language Discovery
                  PID: 1640
                  [10] C:\Users\Admin\AppData\Local\Temp\tmp1D28.tmp.exe
                    cmd: "C:\Users\Admin\AppData\Local\Temp\tmp1D28.tmp.exe"
                    - Executes dropped EXE
                    PID: 2976
            [7] C:\Windows\System32\WScript.exe
              cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb7785ec-a9f9-423c-84dc-878ba7a77306.vbs"
              PID: 1304
            [7] C:\Users\Admin\AppData\Local\Temp\tmp347.tmp.exe
              cmd: "C:\Users\Admin\AppData\Local\Temp\tmp347.tmp.exe"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              PID: 3124
              [8] C:\Users\Admin\AppData\Local\Temp\tmp347.tmp.exe
                cmd: "C:\Users\Admin\AppData\Local\Temp\tmp347.tmp.exe"
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - System Location Discovery: System Language Discovery
                PID: 4048
                [9] C:\Users\Admin\AppData\Local\Temp\tmp347.tmp.exe
                  cmd: "C:\Users\Admin\AppData\Local\Temp\tmp347.tmp.exe"
                  - Executes dropped EXE
                  PID: 4684
        [5] C:\Windows\System32\WScript.exe
          cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05dbd6fd-cabd-46b6-9b32-14dd4fb1c072.vbs"
          PID: 4492
    [3] C:\Windows\System32\WScript.exe
      cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c973439f-a12a-4e5a-bf94-ca3db718326c.vbs"
      PID: 4632
    [3] C:\Users\Admin\AppData\Local\Temp\tmpCE2D.tmp.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\tmpCE2D.tmp.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2980
      [4] C:\Users\Admin\AppData\Local\Temp\tmpCE2D.tmp.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\tmpCE2D.tmp.exe"
        - Executes dropped EXE
        PID: 4800

[1] C:\Windows\system32\schtasks.exe
  cmd: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\System.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2632

[1] C:\Windows\system32\schtasks.exe
  cmd: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Pictures\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1612

[1] C:\Windows\system32\schtasks.exe
  cmd: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 5064

[1] C:\Windows\system32\schtasks.exe
  cmd: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\Accessories\sysmon.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1404

[1] C:\Windows\system32\schtasks.exe
  cmd: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\sysmon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3904

[1] C:\Windows\system32\schtasks.exe
  cmd: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\Accessories\sysmon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 228

[1] C:\Windows\system32\schtasks.exe
  cmd: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Assets\System.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 628

[1] C:\Windows\system32\schtasks.exe
  cmd: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Assets\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3432

[1] C:\Windows\system32\schtasks.exe
  cmd: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Assets\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4700

[1] C:\Windows\system32\schtasks.exe
  cmd: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2688

[1] C:\Windows\system32\schtasks.exe
  cmd: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 348

[1] C:\Windows\system32\schtasks.exe
  cmd: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4292

[1] C:\Windows\system32\schtasks.exe
  cmd: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4648

[1] C:\Windows\system32\schtasks.exe
  cmd: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4680

[1] C:\Windows\system32\schtasks.exe
  cmd: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4156

[1] C:\Windows\system32\schtasks.exe
  cmd: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3224

[1] C:\Windows\system32\schtasks.exe
  cmd: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2424

[1] C:\Windows\system32\schtasks.exe
  cmd: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\uk-UA\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 516

[1] C:\Windows\system32\schtasks.exe
  cmd: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 396

[1] C:\Windows\system32\schtasks.exe
  cmd: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 5112

[1] C:\Windows\system32\schtasks.exe
  cmd: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1272

[1] C:\Windows\system32\schtasks.exe
  cmd: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Downloads\winlogon.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1296

[1] C:\Windows\system32\schtasks.exe
  cmd: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Downloads\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4020

[1] C:\Windows\system32\schtasks.exe
  cmd: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Downloads\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4428
MITRE ATT&CK Enterprise v15 (technique, number of matching signatures)
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (2)
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
732B
MD5fe90b64b5d39171f6c15bc3b17848655
SHA1911ed2f1e3f54f08a97957fad672a6903e7ad0c9
SHA2565c099b09fc8b66f282853bf0e56062c1dfe77c83be0a3731e23d2dfe90ff7e05
SHA512f82c91307eef9ac0ab5a04e8706294be0c1df50d4d4ee81b2170706a027736ce9faa6411930d0f1d6eeaa8ef852473accab798857030395ed5b073a82eee5535
-
Filesize
733B
MD50c72e193e72672ddb979e38d7e85b5ef
SHA1039e65893db994c66efc663466466e4f2104eb37
SHA256c986b243f7cbe3cf27d9fbab4409dd98a8ac063563311adc98b30714ca956926
SHA512c79437d8f20f9e01cea883ffc10fcfbe09009ef15afd969d6e62043b30b0183cd2fe1fc8ef343a98ea4d8a75cb8908d87c9fdb7d8dcdbf720dd679214de7679b
-
Filesize
509B
MD5eb0478597395694364037d738245ec50
SHA13097695087076b1c4ccbcd0b78c1b7cfdc59e15b
SHA256f90d4607c3caef5ef3b4746b6621c8646aab4234fc6a1a3d6e7c5a5b5ef78e0f
SHA512e78b538b1b913a818b91b2793cd7b76a7727c6d11595934a501eaf48f101a16b15a179ad0b8f645c3f3be335b8874d1f4bc1af9590ff981f6731655d762fd921
-
Filesize
733B
MD596b463b2cc9ed3e928d24161991f78a1
SHA13e84013eba22cc7c3d99ffee6ae2b382b41fdfc2
SHA2564ca7c79dcba338b8684a98b8e3a87b46def9f7703fc32cbf308cc0f2f5708f7d
SHA5120cb1995b144e5689e48c8627ba3ce82269875438a64fae6b1a6d8f37da67b92ea951c728bd9790481e2f9ee1f7919f73a061454462b7c540513e0778aa126d23
-
Filesize
733B
MD5ccbff67f47ef91abc00aed18baabc9c1
SHA1155adbf48ad6930134279537b950ed833987c8b4
SHA256467e152cf7dfe1a498ae77302daafafbacf99be13b496f47597592ddcffd65a5
SHA512e2f2e54a7e8379c6bb8ca57cd3b7747ecdce5fbb655552ccd5dc72917b2e24471e41b9f17d8e8e1ed1a1200ae5f4e6357d7804ef85ee71f5eab01539a9fbeba7
-
Filesize
75KB
MD5e0a68b98992c1699876f818a22b5b907
SHA1d41e8ad8ba51217eb0340f8f69629ccb474484d0
SHA2562b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f
SHA512856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2
-
Filesize
4.9MB
MD5ba72b3f4bf2bd09a6818bc93f3215845
SHA17ada6e72f2d64d37fb7ada739dfa21d37bde8c9d
SHA256c46c6c36c0d83a90afa4626bb07d165389a193a5dcefcd716769d686c962d863
SHA51272a90561948ba152cc850d928b5484881edde99ce13cb480eb07c5e377b7d6a4417ec97342b70954b2ec1de4bd706a36b1a69ade5b3b433a0f405e0b0473b6c2
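The Downloads list above is a digest manifest for the artifacts the sandbox collected. The Python below is an added example, not part of the report or of any sandbox tooling: it parses a block in this layout (including the fused "MD5<hex>" form the extracted page shows), rejects digests of the wrong length, and checks a file against all four listed hashes rather than only one. The two byte strings and the manifest built from them are constructed sample data; the one report excerpt embedded is the first entry of the list above, copied verbatim.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Digest algorithms the report lists for every artifact, with the
# expected hex length of each (used to reject mis-transcribed hashes).
ALGOS = ("MD5", "SHA1", "SHA256", "SHA512")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Accepts both the fused layout of the extracted page ("MD5ad6f...")
# and a spaced one ("MD5 ad6f...").
DIGEST_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9a-fA-F]+)$")


@dataclass
class Artifact:
    filesize: str = ""
    digests: dict = field(default_factory=dict)


def parse_downloads(text: str) -> list:
    """Parse a report 'Downloads' block: entries are separated by a lone
    '-' line; each has a 'Filesize' label followed by its value on the
    next line, then one line per digest."""
    entries, cur, want_size = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-":                      # start of a new entry
            if cur is not None:
                entries.append(cur)
            cur, want_size = Artifact(), False
            continue
        if cur is None or not line:          # header text before the first '-'
            continue
        if want_size:                        # value line that follows 'Filesize'
            cur.filesize, want_size = line, False
            continue
        if line == "Filesize":
            want_size = True
            continue
        m = DIGEST_RE.match(line)
        if m:
            algo, hexval = m.group(1), m.group(2).lower()
            if len(hexval) != HEX_LEN[algo]:
                raise ValueError(f"{algo} digest is {len(hexval)} hex chars, expected {HEX_LEN[algo]}")
            cur.digests[algo] = hexval
    if cur is not None:
        entries.append(cur)
    return entries


def compute_digests(data: bytes) -> dict:
    return {algo: hashlib.new(algo.lower(), data).hexdigest() for algo in ALGOS}


def verify_blob(data: bytes, entries: list) -> dict:
    """Find the entry for `data` by SHA256, then check that every other
    digest listed for it agrees. An unknown or tampered file shows up as
    'found': False; a hash that was mis-transcribed in the report shows
    up in 'mismatched' instead of being silently accepted."""
    actual = compute_digests(data)
    for entry in entries:
        if entry.digests.get("SHA256") == actual["SHA256"]:
            bad = [a for a in ALGOS if a in entry.digests and entry.digests[a] != actual[a]]
            return {"found": True, "filesize": entry.filesize, "mismatched": bad}
    return {"found": False, "filesize": None, "mismatched": []}


# Constructed sample data (not artifacts from the report): two byte strings
# standing in for dropped files, and a manifest in the page's fused layout
# built from their real digests, with one digest in the second entry
# deliberately corrupted so the cross-check has something to catch.
BLOB_A = b"MZ\x90\x00" + b"A" * 60                 # 64 bytes, not a real PE
BLOB_B = b"<task>constructed schtasks xml</task>"  # 37 bytes


def constructed_manifest() -> str:
    da, db = compute_digests(BLOB_A), compute_digests(BLOB_B)
    db["MD5"] = "0" * 32                             # corrupted on purpose
    lines = ["Downloads"]
    for size, d in (("64B", da), ("37B", db)):
        lines += ["-", "Filesize", size] + [algo + d[algo] for algo in ALGOS]
    return "\n".join(lines) + "\n"


# First entry of the report's Downloads list, verbatim, to show the parser
# on the page's own layout.
REPORT_EXCERPT = """-
Filesize
4.9MB
MD5ad6f5a9d1be209b53e4ea1e256a259b0
SHA103da3df7b5d92d7c298e7c7fc9965f140f13000e
SHA25604b187f74ef48451f093aaa9518b4979e2987dc8a26ea476f26c0be10a283ab3
SHA51224bf284ce56fef4e52278ee6a4c85f27e6d754ff99c1858089c4c70fbca947bdc4e630b096ec29d74dc93eec4734bfc409a8d8837762c2754d8b665ab4258e88
"""

if __name__ == "__main__":
    entries = parse_downloads(constructed_manifest())
    for blob in (BLOB_A, BLOB_B, b"not in the manifest"):
        print(verify_blob(blob, entries))
    print(parse_downloads(REPORT_EXCERPT)[0])
```

Look up by SHA256 and confirm the remaining digests as well: a report that lists four hashes for one file gives a free consistency check, and a mismatch on a single algorithm points at a transcription or extraction error rather than at a different file.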