Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 59s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 23/01/2025, 03:32
Behavioral task behavioral1
- Sample: 433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
- Resource: win7-20241010-en
Behavioral task behavioral2
- Sample: 433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
- Resource: win10v2004-20241007-en
General
- Target: 433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
- Size: 1.8MB
- MD5: d7e7b597ce0c3a87c408c197af695fc4
- SHA1: abf13cbcb77d1fe2270b3b7746087419f366748d
- SHA256: 433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2
- SHA512: 7cfbf0bd871b9e04e8cd178e8f82052efb108284a279c8e16ea0087e322dfbf00aca117db9cfccb6b6278134edcbce2b8f3b6c050fa4021f6f65f2ccdaf02c91
- SSDEEP: 24576:fpu2MG9vXL71sCw7sULd3yRsjBp2gltcEA4pUiD7nApwp6t1:Bu2Mw7Y0RsrB5UiD8pw
Malware Config
Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family

Modifies WinLogon for persistence (2 TTPs, 5 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\dllhost.exe\"" | 433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\dllhost.exe\", \"C:\\Users\\All Users\\services.exe\"" | 433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\dllhost.exe\", \"C:\\Users\\All Users\\services.exe\", \"C:\\Windows\\Tasks\\winlogon.exe\"" | 433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\dllhost.exe\", \"C:\\Users\\All Users\\services.exe\", \"C:\\Windows\\Tasks\\winlogon.exe\", \"C:\\Users\\Default\\Saved Games\\csrss.exe\"" | 433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\csrss.exe\"" | 433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe

Process spawned unexpected child process (15 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2828 | 3048 | schtasks.exe | 29
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2748 | 3048 | schtasks.exe | 29
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2704 | 3048 | schtasks.exe | 29
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2396 | 3048 | schtasks.exe | 29
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1036 | 3048 | schtasks.exe | 29
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1524 | 3048 | schtasks.exe | 29
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1520 | 3048 | schtasks.exe | 29
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 516 | 3048 | schtasks.exe | 29
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1264 | 3048 | schtasks.exe | 29
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1928 | 3048 | schtasks.exe | 29
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2604 | 3048 | schtasks.exe | 29
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1472 | 3048 | schtasks.exe | 29
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3012 | 3048 | schtasks.exe | 29
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3044 | 3048 | schtasks.exe | 29
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2944 | 3048 | schtasks.exe | 29

DCRat payload (3 IoCs)
resource | yara_rule
- behavioral1/memory/432-1-0x0000000000170000-0x0000000000340000-memory.dmp | family_dcrat_v2
- behavioral1/files/0x000500000001950f-52.dat | family_dcrat_v2
- behavioral1/memory/2220-100-0x00000000009C0000-0x0000000000B90000-memory.dmp | family_dcrat_v2

Command and Scripting Interpreter: PowerShell (1 TTPs, 5 IoCs)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
- 3052 | powershell.exe
- 1020 | powershell.exe
- 1628 | powershell.exe
- 1072 | powershell.exe
- 1272 | powershell.exe

Executes dropped EXE (1 IoCs)
pid | Process
- 2220 | services.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 10 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\csrss.exe\"" | 433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Microsoft.NET\\dllhost.exe\"" | 433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Microsoft.NET\\dllhost.exe\"" | 433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\All Users\\services.exe\"" | 433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\csrss.exe\"" | 433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\All Users\\services.exe\"" | 433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Tasks\\winlogon.exe\"" | 433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Tasks\\winlogon.exe\"" | 433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default\\Saved Games\\csrss.exe\"" | 433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default\\Saved Games\\csrss.exe\"" | 433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
- File created | \??\c:\Windows\System32\CSCD1654415D934E7ABF7AD9A834969621.TMP | csc.exe
- File created | \??\c:\Windows\System32\hi5-9c.exe | csc.exe

Drops file in Program Files directory (2 IoCs)
description | ioc | Process
- File created | C:\Program Files (x86)\Microsoft.NET\dllhost.exe | 433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
- File created | C:\Program Files (x86)\Microsoft.NET\5940a34987c991 | 433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
- File created | C:\Windows\Tasks\winlogon.exe | 433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
- File created | C:\Windows\Tasks\cc11b995f2a76d | 433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
- 1728 | PING.EXE

Runs ping.exe (1 TTPs, 1 IoCs)
pid | Process
- 1728 | PING.EXE

Scheduled Task/Job: Scheduled Task (1 TTPs, 15 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
- 2828 | schtasks.exe
- 2748 | schtasks.exe
- 2396 | schtasks.exe
- 1520 | schtasks.exe
- 516 | schtasks.exe
- 1264 | schtasks.exe
- 1472 | schtasks.exe
- 3012 | schtasks.exe
- 3044 | schtasks.exe
- 1036 | schtasks.exe
- 1524 | schtasks.exe
- 2604 | schtasks.exe
- 2944 | schtasks.exe
- 2704 | schtasks.exe
- 1928 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
- 432 | 433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe (this single pid/process pair accounts for all 64 IoCs)

Suspicious use of AdjustPrivilegeToken (7 IoCs)
description | pid | Process
- Token: SeDebugPrivilege | 432 | 433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe
- Token: SeDebugPrivilege | 1072 | powershell.exe
- Token: SeDebugPrivilege | 1272 | powershell.exe
- Token: SeDebugPrivilege | 3052 | powershell.exe
- Token: SeDebugPrivilege | 1020 | powershell.exe
- Token: SeDebugPrivilege | 1628 | powershell.exe
- Token: SeDebugPrivilege | 2220 | services.exe

Suspicious use of WriteProcessMemory (33 IoCs)
Each of the 11 distinct rows below is logged three times in the report (33 IoCs in total).
description | pid | Process | procid_target
- PID 432 wrote to memory of 2768 | 432 | 433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe | 33
- PID 2768 wrote to memory of 2296 | 2768 | csc.exe | 35
- PID 432 wrote to memory of 3052 | 432 | 433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe | 48
- PID 432 wrote to memory of 1020 | 432 | 433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe | 49
- PID 432 wrote to memory of 1272 | 432 | 433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe | 50
- PID 432 wrote to memory of 1628 | 432 | 433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe | 51
- PID 432 wrote to memory of 1072 | 432 | 433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe | 52
- PID 432 wrote to memory of 2448 | 432 | 433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe | 58
- PID 2448 wrote to memory of 2200 | 2448 | cmd.exe | 60
- PID 2448 wrote to memory of 1728 | 2448 | cmd.exe | 61
- PID 2448 wrote to memory of 2220 | 2448 | cmd.exe | 62

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe (PID 432)
  Command line: "C:\Users\Admin\AppData\Local\Temp\433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2.exe"
  Signatures: Modifies WinLogon for persistence; Adds Run key to start application; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 2768)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5vzjurao\5vzjurao.cmdline"
    Signatures: Drops file in System32 directory; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 2296)
      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES45B7.tmp" "c:\Windows\System32\CSCD1654415D934E7ABF7AD9A834969621.TMP"
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3052)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1020)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1272)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\services.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1628)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\winlogon.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1072)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\csrss.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe (PID 2448)
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XkBnUkZlOu.bat"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\chcp.com (PID 2200)
      Command line: chcp 65001
    - C:\Windows\system32\PING.EXE (PID 1728)
      Command line: ping -n 10 localhost
      Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
    - C:\Users\All Users\services.exe (PID 2220)
      Command line: "C:\Users\All Users\services.exe"
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\schtasks.exe (PID 2828)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2748)
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2704)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2396)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 1036)
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 1524)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 1520)
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\services.exe'" /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 516)
  Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 1264)
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 1928)
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\winlogon.exe'" /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2604)
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Tasks\winlogon.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 1472)
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\Tasks\winlogon.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 3012)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Saved Games\csrss.exe'" /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 3044)
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\csrss.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (PID 2944)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Saved Games\csrss.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (1): Credentials In Files (1)
Downloads
- Filesize: 1KB
  MD5: b2f94712045b7f0e95b371d8bf436ab3
  SHA1: c8f7163f4ebb3a22f4ba77b12f8f7145410cd190
  SHA256: 21a1512e91b2a4ca76473891046659e9148bb67015f0122815a1508d342bc4c8
  SHA512: 59ab1232d4ce923faa96839b60da4d053d14f31ee4be22dea0dcdb75b5d0a04a9b6d041fbf6e2ffe92743eb46222323edb6ad84b8daaa49238bf0edce8302b62
- Filesize: 159B
  MD5: 1efa22b2286b02780b9cb20b9e6cba86
  SHA1: 598efcec3e649f97fcd729fc6be3b9c382dd84f1
  SHA256: 39955e83f8f069d767ac6638ea6869dafa0899ffe4aa07f15dfd0b77afbd37b2
  SHA512: 3b2aeb2bb2979ed4436d30fb3e20f62fc9bdfacb86df10b34d3fb5ad37c8279f42430c04f62305f25719dec26e0842507665699d302227170865b75ab08da0af
- Filesize: 92KB
  MD5: 6d9ead954a1d55a4b7b9a23d96bb545e
  SHA1: b55a31428681654b9bc4f428fc4c07fa7244760f
  SHA256: eab705a4e697fa8c54cdbe7df8d46c679df9878c327a003819bb2bf72d90919c
  SHA512: b9422f770aa156c13f63399aae96d750f273a6db7c9177b725660aa236a04ca7c4e3bf64d394de3a1f1ec2ad49b60528023aee37b7c195ed70073c049980a322
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: a7fc46f45085567a026b95ae8f5856c8
  SHA1: 56c113e051df866f4bc575f4d59850bbfb9ac16c
  SHA256: 813836a3de4998a3e15f9bb7503da29f3488f7b965036dfa025daad0de060a32
  SHA512: 709c8a2b0d56da2a1bfb80619e030f60f7faf8e90185bf4e8bfcfc84ff19be4b9a411e843c649bcb851e6d96d1b98b1433b34cb700d47954744931bc67b82cef
- Filesize: 1.8MB
  MD5: d7e7b597ce0c3a87c408c197af695fc4
  SHA1: abf13cbcb77d1fe2270b3b7746087419f366748d
  SHA256: 433c302a290e1ca96522457ffb5f0bcca53641a2c49e00d38db75bbb8db282e2
  SHA512: 7cfbf0bd871b9e04e8cd178e8f82052efb108284a279c8e16ea0087e322dfbf00aca117db9cfccb6b6278134edcbce2b8f3b6c050fa4021f6f65f2ccdaf02c91
- Filesize: 409B
  MD5: 209125e1ef900a0592652d9e0cc6ee46
  SHA1: 9ceeef4c2b14a5bf13c820eae50294ab3f12bb42
  SHA256: 317f6d4e2dbe3f6b73cdd138988fd4cbaaaa0722a88eacf8190013a73a16af98
  SHA512: 3dd60a7c2fb30a8c2d27d5016cb5af71ef9aa37bccc02438767999a2497c168ac78c0c78fa6a15788baf04c2286d1e931e565d34e3bf72dffb9e3d529715f8b0
- Filesize: 235B
  MD5: 0ca00954ef2066eec9c58b863e2e9875
  SHA1: 82f100856245271685bd60e1ad17b4907b0c9ead
  SHA256: 6b5c2b6d331f8f89445db9b55786df48d6fb8facece80d84cc334581dcd12012
  SHA512: b9310f3d26bdd2711abfabd3e5e420e18ae15029e1db1b3c0894a00fb058f108ee4ee04f687a53de548201f26a71bb76e7e8fbad0e44a4cf85b39f2023172abe
- Filesize: 1KB
  MD5: 60a1ebb8f840aad127346a607d80fc19
  SHA1: c8b7e9ad601ac19ab90b3e36f811960e8badf354
  SHA256: 9d6a9d38b7a86cc88e551a0c1172a3fb387b1a5f928ac13993ec3387d39cc243
  SHA512: 44830cefb264bac520174b4b884312dd0393be33a193d4f0fee3cc3c14deb86ca39e43ef281232f9169fd204d19b22e8a7aad72fa448ca52d5cbc3ee1dbb18a4