Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 30/12/2024, 02:45
Behavioral task
behavioral1
Sample
cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
Resource
win10v2004-20241007-en
General
Target: cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
Size: 2.8MB
MD5: 2397e7230770a20dd685f8903b0e7759
SHA1: bc280c16c4f89338df7c3745d0821432443d565c
SHA256: cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67
SHA512: 97923122007bae611db6deb97e25a83f3636bec7c4d4d60aea2638edbeeaf85cef4c7c8755a442fd6525940154ec0d92258a65acdc065d75e1729b602510d7aa
SSDEEP: 49152:Or8U+ST8nT/r5mZxSuCspYhU7F6511YoWN/qiUt9ETxJ5WGAf2VR:vSi/rwZYuCspQUA5vNWNqGfAGAA
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description (same for all 42 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid | pid_target | Process | procid_target
2908 | 2700 | schtasks.exe | 30
2748 | 2700 | schtasks.exe | 30
3016 | 2700 | schtasks.exe | 30
2420 | 2700 | schtasks.exe | 30
2752 | 2700 | schtasks.exe | 30
1728 | 2700 | schtasks.exe | 30
2640 | 2700 | schtasks.exe | 30
2596 | 2700 | schtasks.exe | 30
2624 | 2700 | schtasks.exe | 30
2308 | 2700 | schtasks.exe | 30
588 | 2700 | schtasks.exe | 30
992 | 2700 | schtasks.exe | 30
568 | 2700 | schtasks.exe | 30
1612 | 2700 | schtasks.exe | 30
1220 | 2700 | schtasks.exe | 30
2148 | 2700 | schtasks.exe | 30
2504 | 2700 | schtasks.exe | 30
1880 | 2700 | schtasks.exe | 30
1692 | 2700 | schtasks.exe | 30
800 | 2700 | schtasks.exe | 30
1636 | 2700 | schtasks.exe | 30
1588 | 2700 | schtasks.exe | 30
1780 | 2700 | schtasks.exe | 30
1672 | 2700 | schtasks.exe | 30
2788 | 2700 | schtasks.exe | 30
2952 | 2700 | schtasks.exe | 30
2996 | 2700 | schtasks.exe | 30
2160 | 2700 | schtasks.exe | 30
2792 | 2700 | schtasks.exe | 30
2416 | 2700 | schtasks.exe | 30
1128 | 2700 | schtasks.exe | 30
408 | 2700 | schtasks.exe | 30
2968 | 2700 | schtasks.exe | 30
2036 | 2700 | schtasks.exe | 30
1532 | 2700 | schtasks.exe | 30
2316 | 2700 | schtasks.exe | 30
1472 | 2700 | schtasks.exe | 30
1272 | 2700 | schtasks.exe | 30
1308 | 2700 | schtasks.exe | 30
912 | 2700 | schtasks.exe | 30
1680 | 2700 | schtasks.exe | 30
2488 | 2700 | schtasks.exe | 30
UAC bypass 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Yara rule matches
resource | yara_rule
behavioral1/memory/2520-1-0x0000000000F60000-0x000000000122A000-memory.dmp | dcrat
behavioral1/files/0x00050000000186fd-30.dat | dcrat
behavioral1/files/0x0009000000016d64-122.dat | dcrat
behavioral1/files/0x0007000000019023-144.dat | dcrat
behavioral1/files/0x000e000000019334-206.dat | dcrat
behavioral1/files/0x000b00000001961b-212.dat | dcrat
behavioral1/memory/872-229-0x0000000000DB0000-0x000000000107A000-memory.dmp | dcrat
Executes dropped EXE 1 IoCs
pid | Process
872 | taskhost.exe
Checks whether UAC is enabled 4 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Drops file in Program Files directory 30 IoCs
description | ioc | Process (all rows: cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe)
File opened for modification | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\RCXCFF8.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\RCXCDF3.tmp
File created | C:\Program Files\Google\b75386f1303e64
File opened for modification | C:\Program Files\Windows NT\Accessories\en-US\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
File created | C:\Program Files\Windows NT\Accessories\en-US\f4995097cd8868
File opened for modification | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\RCXD066.tmp
File created | C:\Program Files\Windows NT\Accessories\en-US\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
File created | C:\Program Files\7-Zip\Lang\24dbde2999530e
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\42af1c969fbb7b
File opened for modification | C:\Program Files\Windows NT\Accessories\en-US\RCXC778.tmp
File opened for modification | C:\Program Files\Windows Defender\ja-JP\RCXC97D.tmp
File opened for modification | C:\Program Files\7-Zip\Lang\WmiPrvSE.exe
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\lsm.exe
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\audiodg.exe
File opened for modification | C:\Program Files\7-Zip\Lang\RCXC574.tmp
File opened for modification | C:\Program Files\Windows Defender\ja-JP\RCXC97E.tmp
File created | C:\Program Files\Windows Defender\ja-JP\c5b4cb5e9653cc
File opened for modification | C:\Program Files\7-Zip\Lang\RCXC573.tmp
File opened for modification | C:\Program Files\Windows Defender\ja-JP\services.exe
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\RCXCDF4.tmp
File opened for modification | C:\Program Files\Google\RCXD26A.tmp
File opened for modification | C:\Program Files\Google\taskhost.exe
File created | C:\Program Files\7-Zip\Lang\WmiPrvSE.exe
File created | C:\Program Files\Google\taskhost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\lsm.exe
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\101b941d020240
File opened for modification | C:\Program Files\Windows NT\Accessories\en-US\RCXC779.tmp
File opened for modification | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\audiodg.exe
File opened for modification | C:\Program Files\Google\RCXD26B.tmp
File created | C:\Program Files\Windows Defender\ja-JP\services.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\winsxs\amd64_wiabr006.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_63f68d8597f9d5c4\lsm.exe | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process (all 42 rows: schtasks.exe)
1880, 1672, 1472, 2504, 1780, 2788, 1680, 2420, 2752, 1728, 2036, 1532, 2308, 568, 1692, 2416, 2908, 992, 1612, 408, 1308, 2596, 588, 1220, 1636, 1588, 2952, 2160, 2792, 1272, 2488, 2748, 3016, 2624, 2148, 912, 2640, 800, 2996, 1128, 2968, 2316
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2520 | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe (51 entries)
872 | taskhost.exe (13 entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2520 | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
Token: SeDebugPrivilege | 872 | taskhost.exe
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 2520 wrote to memory of 872 | 2520 | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | 74
PID 2520 wrote to memory of 872 | 2520 | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | 74
PID 2520 wrote to memory of 872 | 2520 | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | 74
System policy modification 1 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | taskhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe"
  - UAC bypass
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 2520
  C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe (level 2, child of PID 2520)
    Command line: "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID: 872
C:\Windows\system32\schtasks.exe (level 1; 42 processes, each flagged "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task")
  PID | Command line
  2908 | schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'" /f
  2748 | schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'" /rl HIGHEST /f
  3016 | schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'" /rl HIGHEST /f
  2420 | schtasks.exe /create /tn "cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67c" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\en-US\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe'" /f
  2752 | schtasks.exe /create /tn "cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe'" /rl HIGHEST /f
  1728 | schtasks.exe /create /tn "cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67c" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\en-US\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe'" /rl HIGHEST /f
  2640 | schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\ja-JP\services.exe'" /f
  2596 | schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\services.exe'" /rl HIGHEST /f
  2624 | schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\ja-JP\services.exe'" /rl HIGHEST /f
  2308 | schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Templates\System.exe'" /f
  588 | schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Templates\System.exe'" /rl HIGHEST /f
  992 | schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Templates\System.exe'" /rl HIGHEST /f
  568 | schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\lsm.exe'" /f
  1612 | schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\lsm.exe'" /rl HIGHEST /f
  1220 | schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\lsm.exe'" /rl HIGHEST /f
  2148 | schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\audiodg.exe'" /f
  2504 | schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\audiodg.exe'" /rl HIGHEST /f
  1880 | schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\audiodg.exe'" /rl HIGHEST /f
  1692 | schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\taskhost.exe'" /f
  800 | schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Google\taskhost.exe'" /rl HIGHEST /f
  1636 | schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\taskhost.exe'" /rl HIGHEST /f
  1588 | schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\sppsvc.exe'" /f
  1780 | schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
  1672 | schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
  2788 | schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\spoolsv.exe'" /f
  2952 | schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
  2996 | schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
  2160 | schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /f
  2792 | schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
  2416 | schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
  1128 | schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
  408 | schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
  2968 | schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
  2036 | schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
  1532 | schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
  2316 | schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
  1472 | schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\csrss.exe'" /f
  1272 | schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
  1308 | schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
  912 | schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\sppsvc.exe'" /f
  1680 | schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Pictures\sppsvc.exe'" /rl HIGHEST /f
  2488 | schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\sppsvc.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Downloads
Filesize: 2.8MB
MD5: 0d7069a748e26776c124602ea98c2d64
SHA1: 422eedfee5e7918363947aa9a219d78859d36685
SHA256: 71a4cd77b80a4cb67a67ac8a5431b9a1cac939f5be9c41362ed44607df43bd1f
SHA512: 3c8c9d328616e0c3e0576d175d3a44ff1b4e2a44bc0708deda232b3291c24bb1add0ce685a8652bcce2050c7993ecd7aa8d1b018cf9f5c0fbb08fccc863ed0f0

Filesize: 2.8MB
MD5: 2397e7230770a20dd685f8903b0e7759
SHA1: bc280c16c4f89338df7c3745d0821432443d565c
SHA256: cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67
SHA512: 97923122007bae611db6deb97e25a83f3636bec7c4d4d60aea2638edbeeaf85cef4c7c8755a442fd6525940154ec0d92258a65acdc065d75e1729b602510d7aa

Filesize: 2.8MB
MD5: 1a4d5652bfbc907dde444f5755637a72
SHA1: 535a7dc6e5f5c06e9f7f623f11132755ca05a925
SHA256: 99b23402f8bd95601e1bdde5683c5e904115258a6bad84cd96bac54aa62a0668
SHA512: aec6a064d4882b9eb34a0532a124ba50fea16af752bf6e16af40eff3bd3125a488fe23d18396a057d13867a53437ae56bb8ee6e8784540b99ef33ede87e9a2ba

Filesize: 2.8MB
MD5: be45c9bfb41a60772e95105e3f00cfde
SHA1: 2a65e4febe0863070c56e69c0ce75d8806c15a60
SHA256: 98f667db4918fd77c14520609436555b19c14afcd28e61abcd15257a8d310ac4
SHA512: bccf38abac0135152d02d051a95996cf9a74f4370802f315817c724e6f9cd81a89cf3775a86fa3dfe215b024f35897d7697ff77fe0490b01f07facfeb8516b25

Filesize: 2.8MB
MD5: f66e86fa8dc954088f3e2a8836c65b07
SHA1: 415a7e186a5d52238d18b3920be728137f295982
SHA256: f7094d6aa726adfaf925828ce8f4440d86d9bf5356fdc1ded11048d3bb2b7aa4
SHA512: d47b02814d0220f2282ffa986b35659b216299a899fafd1ce52d8b589b3e392e3c0d5508b7ca4ce4bfb897736f4b8559398410dc683c767af9b86fb1ab5caced