Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 25/01/2025, 07:38
Behavioral task behavioral1
Sample: 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
Resource: win10v2004-20241007-en
General
Target: 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
Size: 2.2MB
MD5: ba5102fee3b188bb6ac65068ec18d95d
SHA1: 59a111a9ab515d690995496967de195eb23b097c
SHA256: 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27
SHA512: 2dfe580f3e278431fef83d2c33c19e8af33ba958a7d6abc4cce571b202a64a06d7c54fda635b9b649d6bb6090ef0370063cf35cd5e6688dc435db6e6fe07cc37
SSDEEP: 49152:ssSHlG56vO0T3/Nh/ptuw/C3TqGaDxr1NcWTMUvifC:sLlK6d3/Nh/bV/Oq3Dxp2RUGC
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Modifies WinLogon for persistence 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Links\\services.exe\"" | 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Links\\services.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\spoolsv.exe\"" | 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Links\\services.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dllhost.exe\"" | 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Links\\services.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\sppsvc.exe\"" | 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2712 | 2720 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3008 | 2720 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2956 | 2720 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2760 | 2720 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2796 | 2720 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2628 | 2720 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2252 | 2720 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2456 | 2720 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1788 | 2720 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1308 | 2720 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 748 | 2720 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1480 | 2720 | schtasks.exe | 30
UAC bypass 3 TTPs 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dllhost.exe
Yara rule matches
resource | yara_rule
behavioral1/memory/2524-1-0x0000000000BA0000-0x0000000000DCE000-memory.dmp | dcrat
behavioral1/files/0x0005000000019515-41.dat | dcrat
behavioral1/files/0x0005000000019aea-51.dat | dcrat
behavioral1/memory/1760-97-0x0000000000D10000-0x0000000000F3E000-memory.dmp | dcrat
behavioral1/files/0x000600000001933e-96.dat | dcrat
behavioral1/memory/1636-110-0x00000000013C0000-0x00000000015EE000-memory.dmp | dcrat
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
Executes dropped EXE 3 IoCs
pid | Process
1760 | dllhost.exe
1636 | dllhost.exe
2764 | dllhost.exe
Adds Run key to start application 2 TTPs 8 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Windows Mail\\sppsvc.exe\"" | 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Admin\\Links\\services.exe\"" | 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Admin\\Links\\services.exe\"" | 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\spoolsv.exe\"" | 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\spoolsv.exe\"" | 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dllhost.exe\"" | 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dllhost.exe\"" | 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Windows Mail\\sppsvc.exe\"" | 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
Checks whether UAC is enabled 1 TTPs 8 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dllhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dllhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dllhost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dllhost.exe
Drops file in Program Files directory 10 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\MSBuild\Microsoft\spoolsv.exe | 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
File created | C:\Program Files (x86)\Windows Mail\sppsvc.exe | 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
File created | C:\Program Files (x86)\Windows Mail\0a1fd5f707cd16 | 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
File opened for modification | C:\Program Files (x86)\MSBuild\Microsoft\RCXA9BB.tmp | 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
File opened for modification | C:\Program Files (x86)\MSBuild\Microsoft\RCXA9BC.tmp | 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
File opened for modification | C:\Program Files (x86)\Windows Mail\RCXADC5.tmp | 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
File opened for modification | C:\Program Files (x86)\Windows Mail\sppsvc.exe | 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\f3b6ecef712a24 | 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
File opened for modification | C:\Program Files (x86)\MSBuild\Microsoft\spoolsv.exe | 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
File opened for modification | C:\Program Files (x86)\Windows Mail\RCXADC6.tmp | 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1308 | schtasks.exe
748 | schtasks.exe
3008 | schtasks.exe
2760 | schtasks.exe
2796 | schtasks.exe
2252 | schtasks.exe
2456 | schtasks.exe
1788 | schtasks.exe
1480 | schtasks.exe
2712 | schtasks.exe
2956 | schtasks.exe
2628 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2524 | 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe (repeated entries)
1760 | dllhost.exe (repeated entries)
The 64 IoCs are repeated entries for these two processes only.
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2524 | 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
Token: SeDebugPrivilege | 1760 | dllhost.exe
Token: SeDebugPrivilege | 1636 | dllhost.exe
Token: SeDebugPrivilege | 2764 | dllhost.exe
Suspicious use of WriteProcessMemory 27 IoCs
description | pid | Process | procid_target
Each row below was recorded 3 times (9 distinct rows, 27 IoCs in total).
PID 2524 wrote to memory of 1760 | 2524 | 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe | 43
PID 1760 wrote to memory of 852 | 1760 | dllhost.exe | 44
PID 1760 wrote to memory of 1600 | 1760 | dllhost.exe | 45
PID 852 wrote to memory of 1636 | 852 | WScript.exe | 47
PID 1636 wrote to memory of 2148 | 1636 | dllhost.exe | 48
PID 1636 wrote to memory of 1232 | 1636 | dllhost.exe | 49
PID 2148 wrote to memory of 2764 | 2148 | WScript.exe | 50
PID 2764 wrote to memory of 396 | 2764 | dllhost.exe | 51
PID 2764 wrote to memory of 1912 | 2764 | dllhost.exe | 52
System policy modification 1 TTPs 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dllhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dllhost.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree (level numbers give the depth in the tree; each entry lists the image path, its command line, the signatures it triggered, and its PID)

Level 1: C:\Users\Admin\AppData\Local\Temp\95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe"
  - Modifies WinLogon for persistence
  - UAC bypass
  - Drops file in Drivers directory
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 2524

  Level 2: C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe
    Command line: "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe"
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID: 1760

    Level 3: C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96d7e339-db79-4242-8a9c-d6ff99ae768f.vbs"
      - Suspicious use of WriteProcessMemory
      PID: 852

      Level 4: C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe
        Command line: "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe"
        - UAC bypass
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID: 1636

        Level 5: C:\Windows\System32\WScript.exe
          Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0cb5a5e-669b-4fb3-bb75-964c0a5d27e1.vbs"
          - Suspicious use of WriteProcessMemory
          PID: 2148

          Level 6: C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe
            Command line: "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe"
            - UAC bypass
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
            PID: 2764

            Level 7: C:\Windows\System32\WScript.exe
              Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6af6a12b-8dc4-4aa0-bc16-1ca2af8cc323.vbs"
              PID: 396

            Level 7: C:\Windows\System32\WScript.exe
              Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c972005-0c64-443a-948b-d0f144bf9669.vbs"
              PID: 1912

        Level 5: C:\Windows\System32\WScript.exe
          Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b98979d5-5fcc-4239-8e7d-b7aef2b141f2.vbs"
          PID: 1232

    Level 3: C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b096876e-c2e5-4959-acc0-315111aa6353.vbs"
      PID: 1600

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Links\services.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2712

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Links\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3008

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Links\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2956

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2760

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2796

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2628

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2252

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2456

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1788

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1308

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 748

Level 1: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1480
Network
MITRE ATT&CK Enterprise v15 (number of matching signatures in parentheses)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads
Filesize: 2.2MB
MD5: ba5102fee3b188bb6ac65068ec18d95d
SHA1: 59a111a9ab515d690995496967de195eb23b097c
SHA256: 95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27
SHA512: 2dfe580f3e278431fef83d2c33c19e8af33ba958a7d6abc4cce571b202a64a06d7c54fda635b9b649d6bb6090ef0370063cf35cd5e6688dc435db6e6fe07cc37

Filesize: 755B
MD5: 4223e0ac08b68078f58587096de24b8d
SHA1: 23fca6f341e893ff1384a7dbd4943bf38c61921b
SHA256: 9d80a08bdec2874dc3dad4fca43e3b418f7f1c3edbd23feb49fcd7d3321fe303
SHA512: 2874c0d5632da6c6b438bb65842c77bc4c0158e29cb571d50792246bb0d488463161c9c9b3903ab922b28fd509cdc7c0c3b3fa68e545e46f84d269ee954285fa

Filesize: 755B
MD5: 29c52809eb6d5810de1f4694cd3f746f
SHA1: 04e8bde7910610c245e4d3381148e38f52b64dde
SHA256: a7c44910c872d8fc719a7ea53978cf9f7e8492989142f984016c457b7609d7fb
SHA512: dc7790b2b0fbf1fe533a9a18c4414d927c4ea24800d81162cc0d4ba96de9d16a3a03ebb344ea102d2a7e5e1e04b9d31aa56526b489672eee9107e1355450f67a

Filesize: 2.2MB
MD5: 889f050ef7bc85238ef3ba17c1ca8530
SHA1: 5168769f30a3efbf81ec2174c84d4290882b4c08
SHA256: 774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d
SHA512: 4a7c67efba35f6e12d2953466e8e7b3a05254ae1fc0cfd43cb16d9cb50bc4e69bdfb44d25d8555b36d7a6096a8a3c8c160de1cd03ee022c5a57681c59c7bf0ef

Filesize: 531B
MD5: bc0cbbb9b724f7f3a01c44d0ad079204
SHA1: 3ab89427193fb2c1d975e0404fb999c856290fe7
SHA256: 39e978a5320c638e5877b02385699f1631b8a51f3774ad0d7a1bc18149c2c5d4
SHA512: 8abc5654caaf7d0677fd84a0881c53776b5bbc8671dc8f760182f3b937686a4a46640b361d22b74a3f0705b6fdaaaaee2349d5bcc768d20e274fb9caffeb17a7

Filesize: 755B
MD5: 03b2b1a59ee621058e52df236e76daeb
SHA1: 950046edd82f1cb6889d5630d393dc9a405596f4
SHA256: c0200d7c03a97955b3c83157ccf989707155774ce88a116bc1a392bd67372de9
SHA512: 1721857e57e55f83b5f4cd9a728940f58f1fc157e2dc4e50905e3553a41a304c3c368587592bceea5ea78181ac791b98ea26fc9eb479451cfd8934aa82820600

Filesize: 2.2MB
MD5: 77f7c6f803bcdc2331b9675e06b988be
SHA1: 427bc645050f531b26b742d1385fe1c77b8d94ef
SHA256: 140be28e3178be7bd1bf7ed36f7aab70c27628cce8a7b47817ad289447b93c08
SHA512: b50c5c27847c9592597b2589df5af37659c6e7f6ec414e73c48b730c4d9b7b3721d0ff7e0117e30f33bcf0fad6d0960b7ebdc7c139dbb254d925529df5bd5e88