Overview (score 10)
Static (score 10)

Behavioral tasks in this batch (sample, platform, score):
- d4f7e0c033...35.exe  windows7-x64  10
- d4f7e0c033...35.exe  windows10-2004-x64  10
- d57a15943a...b8.exe  windows7-x64  10
- d57a15943a...b8.exe  windows10-2004-x64  10
- d5b7e88e91...31.exe  windows7-x64  5
- d5b7e88e91...31.exe  windows10-2004-x64  5
- d5b9cbc990...bf.exe  windows7-x64  7
- d5b9cbc990...bf.exe  windows10-2004-x64  7
- d5bce0b9b1...56.exe  windows7-x64  10
- d5bce0b9b1...56.exe  windows10-2004-x64  10
- d5fc43e4e1...1f.exe  windows7-x64  1
- d5fc43e4e1...1f.exe  windows10-2004-x64  1
- d61876dded...d3.exe  windows7-x64  10
- d61876dded...d3.exe  windows10-2004-x64  10
- d61b23d4ac...e0.exe  windows7-x64  10
- d61b23d4ac...e0.exe  windows10-2004-x64  10
- d690267038...3a.exe  windows7-x64  8
- d690267038...3a.exe  windows10-2004-x64  8
- d6995ab53a...3c.exe  windows7-x64  10
- d6995ab53a...3c.exe  windows10-2004-x64  10
- d6a9816b0d...9f.exe  windows7-x64  1
- d6a9816b0d...9f.exe  windows10-2004-x64  1
- d6e2e28870...ca.exe  windows7-x64  10
- d6e2e28870...ca.exe  windows10-2004-x64  10
- d70550d5d4...cd.exe  windows7-x64  10
- d70550d5d4...cd.exe  windows10-2004-x64  10
- d72c4b8c14...db.exe  windows7-x64  7
- d72c4b8c14...db.exe  windows10-2004-x64  7
- d735d6b2f3...86.exe  windows7-x64  10
- d735d6b2f3...86.exe  windows10-2004-x64  10
- d7508b0790...b3.exe  windows7-x64  10
- d7508b0790...b3.exe  windows10-2004-x64  10

Analysis
- max time kernel: 119s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20241023-en
- resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
- submitted: 22/03/2025, 06:17
Behavioral tasks (task, sample, resource):
- behavioral1: d4f7e0c033fa7006a593674e3052cc35.exe (win7-20241010-en)
- behavioral2: d4f7e0c033fa7006a593674e3052cc35.exe (win10v2004-20250314-en)
- behavioral3: d57a15943ae8a9e653d5a6c6870271b8.exe (win7-20241010-en)
- behavioral4: d57a15943ae8a9e653d5a6c6870271b8.exe (win10v2004-20250313-en)
- behavioral5: d5b7e88e919915c58afbaad1d7cb2531.exe (win7-20240903-en)
- behavioral6: d5b7e88e919915c58afbaad1d7cb2531.exe (win10v2004-20250314-en)
- behavioral7: d5b9cbc990cc88135ff80a41945ea3c940b8726e286812fbf402dbf5f2f66bbf.exe (win7-20240903-en)
- behavioral8: d5b9cbc990cc88135ff80a41945ea3c940b8726e286812fbf402dbf5f2f66bbf.exe (win10v2004-20250314-en)
- behavioral9: d5bce0b9b1bfbe56a03cf54d9beb1a2a2e485beccb72393148e209ae63fb8556.exe (win7-20240729-en)
- behavioral10: d5bce0b9b1bfbe56a03cf54d9beb1a2a2e485beccb72393148e209ae63fb8556.exe (win10v2004-20250314-en)
- behavioral11: d5fc43e4e1fb229c3f946ac0417a0a630b0809b33a2f1bacc7b81f45006fbf1f.exe (win7-20240903-en)
- behavioral12: d5fc43e4e1fb229c3f946ac0417a0a630b0809b33a2f1bacc7b81f45006fbf1f.exe (win10v2004-20250314-en)
- behavioral13: d61876ddede62df51f22178f3f3810d3.exe (win7-20240903-en)
- behavioral14: d61876ddede62df51f22178f3f3810d3.exe (win10v2004-20250314-en)
- behavioral15: d61b23d4acf185dc6322a40c7f0f56e0.exe (win7-20240903-en)
- behavioral16: d61b23d4acf185dc6322a40c7f0f56e0.exe (win10v2004-20250314-en)
- behavioral17: d690267038d2a718d56558e839b2613a.exe (win7-20240903-en)
- behavioral18: d690267038d2a718d56558e839b2613a.exe (win10v2004-20250314-en)
- behavioral19: d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe (win7-20240903-en)
- behavioral20: d6995ab53a3e1764dcb69174e80bb9d55cc93c4335efc865e937655c4f92803c.exe (win10v2004-20250314-en)
- behavioral21: d6a9816b0df03fee5229e490ff3bfa2a016c0eeb9658b09fd6538a34e469579f.exe (win7-20240903-en)
- behavioral22: d6a9816b0df03fee5229e490ff3bfa2a016c0eeb9658b09fd6538a34e469579f.exe (win10v2004-20250314-en)
- behavioral23: d6e2e288705c6ca37ed2968b4ff7e7ca.exe (win7-20241010-en)
- behavioral24: d6e2e288705c6ca37ed2968b4ff7e7ca.exe (win10v2004-20250314-en)
- behavioral25: d70550d5d46716704be759d325b3a8f0047905a4f170abe251491f13b3a563cd.exe (win7-20241010-en)
- behavioral26: d70550d5d46716704be759d325b3a8f0047905a4f170abe251491f13b3a563cd.exe (win10v2004-20250314-en)
- behavioral27: d72c4b8c14b424737ffaaef76a9e591144b983e79322541f28ea06b4436e42db.exe (win7-20240903-en)
- behavioral28: d72c4b8c14b424737ffaaef76a9e591144b983e79322541f28ea06b4436e42db.exe (win10v2004-20250314-en)
- behavioral29: d735d6b2f34e9a7cd2604d3036ac8486.exe (win7-20240903-en)
- behavioral30: d735d6b2f34e9a7cd2604d3036ac8486.exe (win10v2004-20250314-en)
- behavioral31: d7508b07903325957294ebdcb89bd5b3.exe (win7-20241023-en)
- behavioral32: d7508b07903325957294ebdcb89bd5b3.exe (win10v2004-20250314-en)
General
- Target: d7508b07903325957294ebdcb89bd5b3.exe
- Size: 1.1MB
- MD5: d7508b07903325957294ebdcb89bd5b3
- SHA1: b6280b6c5e4b601ba3182520eca834aecd1ae1fc
- SHA256: 4fe2546f5efe48febc2db59093ceef7b1c3db73e3b11ba026bfd8c4444b2af8e
- SHA512: e79cd38b556481bd3da6fcde5e924c2c0161a7e26ba635d02f393a424cf675b63e61948c7162abc06c487ae661ff431062236327be9b68be90e6ace7bfd23808
- SSDEEP: 12288:p49I/nL8TnKZPVHR3E/bS2vkRNJLXseJQdErvNKj6SKm+eAIhu181d6rsPH:pngTKZ5RU/xG7zsEyEve6SZ+dIe8usv
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family

| resource | yara_rule |
|---|---|
| behavioral31/memory/2596-1-0x0000000000850000-0x0000000000966000-memory.dmp | dcrat |
| behavioral31/files/0x0005000000019360-16.dat | dcrat |
| behavioral31/files/0x0006000000019502-47.dat | dcrat |
| behavioral31/files/0x0009000000019278-91.dat | dcrat |
| behavioral31/files/0x00070000000193b6-104.dat | dcrat |
| behavioral31/memory/2176-125-0x00000000002F0000-0x0000000000406000-memory.dmp | dcrat |

Process spawned unexpected child process (7 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.

| description | pid | pid_target | Process | procid_target |
|---|---|---|---|---|
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2228 | 2620 | schtasks.exe | 30 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2972 | 2620 | schtasks.exe | 30 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2800 | 2620 | schtasks.exe | 30 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2860 | 2620 | schtasks.exe | 30 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2832 | 2620 | schtasks.exe | 30 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2944 | 2620 | schtasks.exe | 30 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 864 | 2620 | schtasks.exe | 30 |

UAC bypass (3 TTPs, 6 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d7508b07903325957294ebdcb89bd5b3.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | d7508b07903325957294ebdcb89bd5b3.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | d7508b07903325957294ebdcb89bd5b3.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | services.exe |

Command and Scripting Interpreter: PowerShell (1 TTPs, 8 IoCs)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

| pid | Process |
|---|---|
| 2432 | powershell.exe |
| 2068 | powershell.exe |
| 2572 | powershell.exe |
| 2520 | powershell.exe |
| 1364 | powershell.exe |
| 2024 | powershell.exe |
| 1692 | powershell.exe |
| 2524 | powershell.exe |

Executes dropped EXE (1 IoCs)

| pid | Process |
|---|---|
| 2176 | services.exe |

Adds Run key to start application (2 TTPs, 7 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\icfupgd\\dwm.exe\"" | d7508b07903325957294ebdcb89bd5b3.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\ProgramData\\Templates\\taskhost.exe\"" | d7508b07903325957294ebdcb89bd5b3.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\ProgramData\\Microsoft\\DeviceSync\\services.exe\"" | d7508b07903325957294ebdcb89bd5b3.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\wininit.exe\"" | d7508b07903325957294ebdcb89bd5b3.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\lsm.exe\"" | d7508b07903325957294ebdcb89bd5b3.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\"" | d7508b07903325957294ebdcb89bd5b3.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Documents and Settings\\lsm.exe\"" | d7508b07903325957294ebdcb89bd5b3.exe |

Checks whether UAC is enabled (1 TTPs, 4 IoCs)

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | d7508b07903325957294ebdcb89bd5b3.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d7508b07903325957294ebdcb89bd5b3.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe |

Drops file in System32 directory (5 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\System32\icfupgd\dwm.exe | d7508b07903325957294ebdcb89bd5b3.exe |
| File opened for modification | C:\Windows\System32\icfupgd\dwm.exe | d7508b07903325957294ebdcb89bd5b3.exe |
| File created | C:\Windows\System32\icfupgd\6cb0b6c459d5d3 | d7508b07903325957294ebdcb89bd5b3.exe |
| File opened for modification | C:\Windows\System32\icfupgd\RCXBA6B.tmp | d7508b07903325957294ebdcb89bd5b3.exe |
| File opened for modification | C:\Windows\System32\icfupgd\RCXBA6C.tmp | d7508b07903325957294ebdcb89bd5b3.exe |

Drops file in Windows directory (1 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\Speech\Common\fr-FR\services.exe | d7508b07903325957294ebdcb89bd5b3.exe |

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTPs, 7 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

| pid | Process |
|---|---|
| 2972 | schtasks.exe |
| 2800 | schtasks.exe |
| 2860 | schtasks.exe |
| 2832 | schtasks.exe |
| 2944 | schtasks.exe |
| 864 | schtasks.exe |
| 2228 | schtasks.exe |

Suspicious behavior: EnumeratesProcesses (9 IoCs)

| pid | Process |
|---|---|
| 2596 | d7508b07903325957294ebdcb89bd5b3.exe |
| 1364 | powershell.exe |
| 2520 | powershell.exe |
| 2024 | powershell.exe |
| 2068 | powershell.exe |
| 2432 | powershell.exe |
| 2572 | powershell.exe |
| 1692 | powershell.exe |
| 2524 | powershell.exe |

Suspicious use of AdjustPrivilegeToken (10 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 2596 | d7508b07903325957294ebdcb89bd5b3.exe |
| Token: SeDebugPrivilege | 1364 | powershell.exe |
| Token: SeDebugPrivilege | 2520 | powershell.exe |
| Token: SeDebugPrivilege | 2024 | powershell.exe |
| Token: SeDebugPrivilege | 2068 | powershell.exe |
| Token: SeDebugPrivilege | 2176 | services.exe |
| Token: SeDebugPrivilege | 2432 | powershell.exe |
| Token: SeDebugPrivilege | 2572 | powershell.exe |
| Token: SeDebugPrivilege | 1692 | powershell.exe |
| Token: SeDebugPrivilege | 2524 | powershell.exe |

Suspicious use of WriteProcessMemory (27 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2596 wrote to memory of 1364 | 2596 | d7508b07903325957294ebdcb89bd5b3.exe | 39 |
| PID 2596 wrote to memory of 1364 | 2596 | d7508b07903325957294ebdcb89bd5b3.exe | 39 |
| PID 2596 wrote to memory of 1364 | 2596 | d7508b07903325957294ebdcb89bd5b3.exe | 39 |
| PID 2596 wrote to memory of 2024 | 2596 | d7508b07903325957294ebdcb89bd5b3.exe | 40 |
| PID 2596 wrote to memory of 2024 | 2596 | d7508b07903325957294ebdcb89bd5b3.exe | 40 |
| PID 2596 wrote to memory of 2024 | 2596 | d7508b07903325957294ebdcb89bd5b3.exe | 40 |
| PID 2596 wrote to memory of 1692 | 2596 | d7508b07903325957294ebdcb89bd5b3.exe | 41 |
| PID 2596 wrote to memory of 1692 | 2596 | d7508b07903325957294ebdcb89bd5b3.exe | 41 |
| PID 2596 wrote to memory of 1692 | 2596 | d7508b07903325957294ebdcb89bd5b3.exe | 41 |
| PID 2596 wrote to memory of 2524 | 2596 | d7508b07903325957294ebdcb89bd5b3.exe | 42 |
| PID 2596 wrote to memory of 2524 | 2596 | d7508b07903325957294ebdcb89bd5b3.exe | 42 |
| PID 2596 wrote to memory of 2524 | 2596 | d7508b07903325957294ebdcb89bd5b3.exe | 42 |
| PID 2596 wrote to memory of 2432 | 2596 | d7508b07903325957294ebdcb89bd5b3.exe | 43 |
| PID 2596 wrote to memory of 2432 | 2596 | d7508b07903325957294ebdcb89bd5b3.exe | 43 |
| PID 2596 wrote to memory of 2432 | 2596 | d7508b07903325957294ebdcb89bd5b3.exe | 43 |
| PID 2596 wrote to memory of 2068 | 2596 | d7508b07903325957294ebdcb89bd5b3.exe | 44 |
| PID 2596 wrote to memory of 2068 | 2596 | d7508b07903325957294ebdcb89bd5b3.exe | 44 |
| PID 2596 wrote to memory of 2068 | 2596 | d7508b07903325957294ebdcb89bd5b3.exe | 44 |
| PID 2596 wrote to memory of 2572 | 2596 | d7508b07903325957294ebdcb89bd5b3.exe | 45 |
| PID 2596 wrote to memory of 2572 | 2596 | d7508b07903325957294ebdcb89bd5b3.exe | 45 |
| PID 2596 wrote to memory of 2572 | 2596 | d7508b07903325957294ebdcb89bd5b3.exe | 45 |
| PID 2596 wrote to memory of 2520 | 2596 | d7508b07903325957294ebdcb89bd5b3.exe | 47 |
| PID 2596 wrote to memory of 2520 | 2596 | d7508b07903325957294ebdcb89bd5b3.exe | 47 |
| PID 2596 wrote to memory of 2520 | 2596 | d7508b07903325957294ebdcb89bd5b3.exe | 47 |
| PID 2596 wrote to memory of 2176 | 2596 | d7508b07903325957294ebdcb89bd5b3.exe | 55 |
| PID 2596 wrote to memory of 2176 | 2596 | d7508b07903325957294ebdcb89bd5b3.exe | 55 |
| PID 2596 wrote to memory of 2176 | 2596 | d7508b07903325957294ebdcb89bd5b3.exe | 55 |

System policy modification (1 TTPs, 6 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d7508b07903325957294ebdcb89bd5b3.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | d7508b07903325957294ebdcb89bd5b3.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | d7508b07903325957294ebdcb89bd5b3.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | services.exe |

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; children are indented under their parent)

- C:\Users\Admin\AppData\Local\Temp\d7508b07903325957294ebdcb89bd5b3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d7508b07903325957294ebdcb89bd5b3.exe"
  - UAC bypass
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2596
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d7508b07903325957294ebdcb89bd5b3.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1364
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\icfupgd\dwm.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2024
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Templates\taskhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1692
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\DeviceSync\services.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2524
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\wininit.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2432
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2068
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2572
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\lsm.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2520
  - C:\ProgramData\Microsoft\DeviceSync\services.exe
    Command line: "C:\ProgramData\Microsoft\DeviceSync\services.exe"
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2176

- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\icfupgd\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2228

- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\ProgramData\Templates\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2800

- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\ProgramData\Microsoft\DeviceSync\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2972

- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2944

- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2860

- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2832

- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Documents and Settings\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:864
Network
MITRE ATT&CK Enterprise v15 (technique counts in parentheses)

Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads

- Filesize: 1.1MB
  MD5: d7508b07903325957294ebdcb89bd5b3
  SHA1: b6280b6c5e4b601ba3182520eca834aecd1ae1fc
  SHA256: 4fe2546f5efe48febc2db59093ceef7b1c3db73e3b11ba026bfd8c4444b2af8e
  SHA512: e79cd38b556481bd3da6fcde5e924c2c0161a7e26ba635d02f393a424cf675b63e61948c7162abc06c487ae661ff431062236327be9b68be90e6ace7bfd23808

- Filesize: 1.1MB
  MD5: 58cf048ea2f8f11099c04b6ae0ead575
  SHA1: 2df7582dfdcd7577079de0ec3748ecae9cb2a385
  SHA256: b6462235943cce694ed9d3f8387b6a979a42ed9edaebd20e8398f09cc0df0592
  SHA512: 037d05363e231ed78a950e07b2ea262894ea17260b6d45b3d8d207451cabb885d93bfd9739f5e1017427d997de15ba6c00e541801608e218a7a87db757c9dfee

- Filesize: 1.1MB
  MD5: d2c96ccd8454e9a85889d5b1633d5781
  SHA1: c7ec45aab3400bff3db0265f4ea364587cee2be5
  SHA256: b179d4a8c09a4598644d6807b1aa46311a95170c7ae1d2fdaeaf9e723c603e1e
  SHA512: 7a904715aa5556d329468781f1b3b1d0f6ffc51ac35924811727fb76f38b9a708c1d8bbe8b47f0ceb5362b7fa9be4fefb70369e5045e360c0aed311a870cdd86

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 02f59a122c26a53ab4625ffb55243e06
  SHA1: 44dd73d92f9e362539884dad3c74c84afd3fecb9
  SHA256: a9c03705ee04e37b6c251dfccb016dc6b3852ee6a5b390d3c0301fdd2c84dcdb
  SHA512: 82965aeb451fdf24ba82d50b73bdba3c2734a7ef1def0f1bc4778a5317bf3242525c10c7cfcd39e413c7f1bafce36b47a7654ec4086402cf8bb8c98306365cc4

- Filesize: 1.1MB
  MD5: 7d6965b47fdd39857fcf84eb11e5a613
  SHA1: 51abf89a4d7b926c4817bed84447c07c56b319ef
  SHA256: 454a8564528805d1d261f20f1a5b12d52bb72073c8f47dfeaa89eb8308ca74fa
  SHA512: ff985766b66a7203fc2202516427fbc6d75782f9219a09b0fb6640009fcee0b6cd5a86cfaf79b05255d352764dbdef321d0dd1bc839c9b925052bc9b48549b78