Analysis
- max time kernel: 91s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/12/2024, 02:45
Behavioral task behavioral1
- Sample: cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
- Resource: win10v2004-20241007-en
General
- Target: cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
- Size: 2.8MB
- MD5: 2397e7230770a20dd685f8903b0e7759
- SHA1: bc280c16c4f89338df7c3745d0821432443d565c
- SHA256: cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67
- SHA512: 97923122007bae611db6deb97e25a83f3636bec7c4d4d60aea2638edbeeaf85cef4c7c8755a442fd6525940154ec0d92258a65acdc065d75e1729b602510d7aa
- SSDEEP: 49152:Or8U+ST8nT/r5mZxSuCspYhU7F6511YoWN/qiUt9ETxJ5WGAf2VR:vSi/rwZYuCspQUA5vNWNqGfAGAA
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1436 | 3008 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1020 | 3008 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2132 | 3008 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 856 | 3008 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1268 | 3008 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 224 | 3008 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4900 | 3008 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 380 | 3008 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 60 | 3008 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2392 | 3008 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3028 | 3008 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3932 | 3008 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3728 | 3008 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4432 | 3008 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3968 | 3008 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3596 | 3008 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3468 | 3008 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3236 | 3008 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1488 | 3008 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 324 | 3008 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2852 | 3008 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4688 | 3008 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 212 | 3008 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1820 | 3008 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4460 | 3008 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3960 | 3008 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3768 | 3008 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 640 | 3008 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3204 | 3008 | schtasks.exe | 84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4936 | 3008 | schtasks.exe | 84
UAC bypass 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | fontdrvhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | fontdrvhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fontdrvhost.exe
resource | yara_rule
behavioral2/memory/3660-1-0x00000000007F0000-0x0000000000ABA000-memory.dmp | dcrat
behavioral2/files/0x000b000000023ba4-33.dat | dcrat
behavioral2/files/0x000c000000023b9d-105.dat | dcrat
behavioral2/files/0x000d000000023ba4-116.dat | dcrat
behavioral2/files/0x000a000000023bbd-127.dat | dcrat
behavioral2/files/0x0009000000023c1d-138.dat | dcrat
behavioral2/files/0x000a000000023bce-149.dat | dcrat
behavioral2/memory/3672-177-0x00000000001B0000-0x000000000047A000-memory.dmp | dcrat
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
Executes dropped EXE 1 IoCs
pid | Process
3672 | fontdrvhost.exe
Checks whether UAC is enabled 4 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fontdrvhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fontdrvhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
Drops file in Program Files directory 25 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Windows Mail\RCXE03E.tmp | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
File opened for modification | C:\Program Files (x86)\Common Files\RCXE564.tmp | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
File opened for modification | C:\Program Files (x86)\Common Files\sysmon.exe | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
File created | C:\Program Files\Windows Sidebar\Shared Gadgets\7a0fd90576e088 | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
File created | C:\Program Files (x86)\Common Files\121e5b5079f7c0 | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
File opened for modification | C:\Program Files\Mozilla Firefox\defaults\pref\RCXCF87.tmp | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
File opened for modification | C:\Program Files\Windows Sidebar\Shared Gadgets\RCXD19C.tmp | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
File opened for modification | C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXDE3A.tmp | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
File opened for modification | C:\Program Files (x86)\Windows Mail\RCXE0BC.tmp | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
File opened for modification | C:\Program Files (x86)\Common Files\RCXE563.tmp | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
File created | C:\Program Files\Mozilla Firefox\defaults\pref\29c1c3cc0f7685 | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
File created | C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
File created | C:\Program Files (x86)\Common Files\sysmon.exe | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
File opened for modification | C:\Program Files\Windows Sidebar\Shared Gadgets\RCXD19D.tmp | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
File opened for modification | C:\Program Files\Mozilla Firefox\defaults\pref\unsecapp.exe | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\e1ef82546f0b02 | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
File opened for modification | C:\Program Files (x86)\Windows Mail\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
File created | C:\Program Files\Mozilla Firefox\defaults\pref\unsecapp.exe | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
File created | C:\Program Files (x86)\Windows Mail\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
File created | C:\Program Files (x86)\Windows Mail\f4995097cd8868 | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
File opened for modification | C:\Program Files\Mozilla Firefox\defaults\pref\RCXCF88.tmp | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXDDBC.tmp | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
Drops file in Windows directory 10 IoCs
description | ioc | Process
File opened for modification | C:\Windows\PrintDialog\RCXD3E0.tmp | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
File opened for modification | C:\Windows\PrintDialog\RCXD3E1.tmp | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
File opened for modification | C:\Windows\PrintDialog\services.exe | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
File opened for modification | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RCXD683.tmp | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
File opened for modification | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\fontdrvhost.exe | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
File created | C:\Windows\PrintDialog\c5b4cb5e9653cc | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
File created | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\5b884080fd4f94 | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
File opened for modification | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RCXD682.tmp | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
File created | C:\Windows\PrintDialog\services.exe | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
File created | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\fontdrvhost.exe | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
All 30 entries have Process = schtasks.exe; pids: 856, 4900, 4432, 3968, 1488, 324, 380, 60, 3596, 1820, 4936, 3932, 212, 4460, 1020, 3236, 2852, 4688, 3960, 1436, 224, 3028, 3728, 640, 2132, 1268, 2392, 3468, 3768, 3204
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3660 | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe (35 entries)
3672 | fontdrvhost.exe (29 entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3660 | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
Token: SeDebugPrivilege | 3672 | fontdrvhost.exe
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 3660 wrote to memory of 1904 | 3660 | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | 118
PID 3660 wrote to memory of 1904 | 3660 | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | 118
PID 1904 wrote to memory of 216 | 1904 | cmd.exe | 121
PID 1904 wrote to memory of 216 | 1904 | cmd.exe | 121
PID 1904 wrote to memory of 3672 | 1904 | cmd.exe | 124
PID 1904 wrote to memory of 3672 | 1904 | cmd.exe | 124
System policy modification 1 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | fontdrvhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fontdrvhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | fontdrvhost.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe"
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3660

  Level 2: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2ryfxXmZBx.bat"
  - Suspicious use of WriteProcessMemory
  PID:1904

    Level 3: C:\Windows\system32\w32tm.exe
    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID:216

    Level 3: C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe
    Command line: "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe"
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:3672

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\unsecapp.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\unsecapp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\unsecapp.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\PrintDialog\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\PrintDialog\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\PrintDialog\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:60

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3932

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3728

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4432

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3968

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3468

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3236

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67c" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:212

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67c" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4460

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3960

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3768

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\sysmon.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3204

Level 1: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\sysmon.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
-
Filesize: 2.8MB
MD5: 0c9d53abcd0b101509cbaac22edddbf4
SHA1: aca4f5ee718a56092414d88ec481688809128827
SHA256: 51ec9e2169306feae98fae7613b7577f51d5e8aa3c7ea8fe2339005b9d580f79
SHA512: f6faf6656a3c6a46249cc41178981ee84896b6f3f3c0f9d5d18275b2593cf0542958e203a4c5162601afe53ab45302e4efd7c876d9ef573037a553367c73bb0c
-
C:\Program Files (x86)\Windows Mail\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
Filesize: 2.8MB
MD5: ca7f5fd10bd8e691232ef4247b74a1dc
SHA1: ac0c89b983f196fd87079122ee3e369014f06b2b
SHA256: 1134ca885e92277be87acc2de25a6e5ec727f6f5b776639135576d3a8b3932f2
SHA512: da86c080a3ee5e0f9b43751f166278700cf4be017df8ea232cd4f8149192ac6c00cb4ac22e5dfb8ed13c074a93f47daae232d89b30b7d8be4bd7f848ca63f22d
-
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe
Filesize: 2.8MB
MD5: 55b44b2aa67aeb5c1978020fe0525ab0
SHA1: fd4586c4a198ad77659790bdbe7f5af6bf4631e1
SHA256: 99d7df56a6722c0b7d43179542b6ab93ba49ceb7876b3ab638dc7810b160f405
SHA512: d616e1e297310fce9d8322b73d1834144ddcb82ed26efd5d964baa95e7aab7f964ccdec72cbec0a9c43362a5bcb138fd3c491da94111c1d0f4ffa708ac7c8fec
-
Filesize: 2.8MB
MD5: 3862b35134c9578137946e8c8f6f2558
SHA1: fa0a99694accf014b4bd241e07c915e0f8051bd6
SHA256: f781efcb9fb79269c8015fb1e0738d135c3f724b331c8a3eaee750171c1393c2
SHA512: 5c1be4e42b4e8107f639d1089d1608738fb1123e07d2176f25db23a6d8f7ff811361c6df118e662bcd6344c52091d71a30b5ba1fa9a1b2484862dd04ae3d630d
-
Filesize: 2.8MB
MD5: 2397e7230770a20dd685f8903b0e7759
SHA1: bc280c16c4f89338df7c3745d0821432443d565c
SHA256: cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67
SHA512: 97923122007bae611db6deb97e25a83f3636bec7c4d4d60aea2638edbeeaf85cef4c7c8755a442fd6525940154ec0d92258a65acdc065d75e1729b602510d7aa
-
Filesize: 2.8MB
MD5: bd706a261eee6ace2d2aa0a35f1a3659
SHA1: 7090bf7dd97c0ef87cf6da75f14764599a08a31e
SHA256: a2d56fe9e690c760fc7328bf380699a74230e55f53fb5bdd65119ff44a7c7fa7
SHA512: ed19653b2bf438bc3b630219281bf8afcb09ed49a359a20d79ddc3c2733093bc46dcf9c83d14cd35bdb93ed292084c042cce89a0341fd6f1166e00877b431a63
-
Filesize: 269B
MD5: 748c7f6dbdc2dcdb68744c341b7c126d
SHA1: 53b8e066babcec9224cc0adb46bfe4fdef9527dc
SHA256: 03223c537c10b5ba3ac4487240494aa481346fc7c9d1fb55e1e8581938e28d9f
SHA512: 750f424de3b29bcfc0cb0ed056fbff737ec1035456fedaa6f27ed8f31865cdae2013de50c20f4aeaedf09f67ee89e6c994da0b01536e3d79be39955c5ae0558f