Analysis
-
max time kernel
142s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
01-07-2024 01:00
General
-
Target
0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53.exe
-
Size
13.0MB
-
MD5
5038e381411591332b285c540d4b6bef
-
SHA1
4af0f013e8652e3d03c296a59c67c70508e39612
-
SHA256
0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53
-
SHA512
3055db5a385b9e27cd6e7718a45bf1695ac0d9d798f7089276baf0542227768d5b1d6eb72ddb493a27b346af77c0d40a6a4474beddf77c24eed7b9cf3b06769b
-
SSDEEP
393216:064QwP3EQ5H+i4IDzQTj4pUbZFdoPgY2:0647P3J5eRInQT0pkFmP2
Malware Config
Extracted
xworm
147.185.221.17:14348
147.185.221.17:14348:14348
-
Install_directory
%AppData%
-
install_file
sgredgkrtf09weut3r435.exe
-
telegram
https://api.telegram.org/bot7150716400:AAE41jshl4_joK29lZ3HuflfsurF6ZZKlDg/sendMessage?chat_id=5187782651
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Xworm Payload 4 IoCs
-
Modifies WinLogon for persistence 2 TTPs 14 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
DCRat payload 4 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 13 IoCs
-
Loads dropped DLL 8 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 29 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 10 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 43 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53.exe"C:\Users\Admin\AppData\Local\Temp\0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\adb.exe"C:\Users\Admin\AppData\Roaming\adb.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\bat.bat" "2⤵
-
C:\Users\Admin\AppData\Roaming\dllhost.exe"C:\Users\Admin\AppData\Roaming\dllhost.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\1K70CMgSeGxLkKeGse1VkEk.vbe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\WQrCS9t0V.bat" "4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\amamamsus.exe"C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\amamamsus.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\file.vbs"3⤵
-
C:\Users\Admin\AppData\Roaming\fastboot.exe"C:\Users\Admin\AppData\Roaming\fastboot.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msg.vbe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\WQrCS9t0V.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\amamamsus.exe"C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\amamamsus.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Windows NT\Accessories\System.exe"C:\Program Files\Windows NT\Accessories\System.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\scvhost.exe"C:\Users\Admin\AppData\Roaming\scvhost.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\scvhost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'scvhost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\sgredgkrtf09weut3r435.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sgredgkrtf09weut3r435.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "sgredgkrtf09weut3r435" /tr "C:\Users\Admin\AppData\Roaming\sgredgkrtf09weut3r435.exe"3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Users\Admin\AppData\Roaming\setup.exe"C:\Users\Admin\AppData\Roaming\setup.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\setup.exe"C:\Users\Admin\AppData\Roaming\setup.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\sus.bat" "2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vbs.vbs"2⤵
- Enumerates connected drives
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\NetHood\wscript.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\wscript.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\NetHood\wscript.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "setups" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\setup.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "setup" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\setup.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "setups" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\setup.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\LiveKernelReports\conhost.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\conhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\LiveKernelReports\conhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Windows\SysWOW64\fr\taskhost.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\SysWOW64\fr\taskhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\SysWOW64\fr\taskhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\lsass.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\lsass.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\lsass.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\Accessories\System.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\System.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\System.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "amamamsusa" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\amamamsus.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "amamamsus" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\amamamsus.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "amamamsusa" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\amamamsus.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\NetHood\sppsvc.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\sppsvc.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\NetHood\sppsvc.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\conhost.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\smss.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\smss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\smss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\taskeng.exetaskeng.exe {34969921-8D32-49B5-93B0-C39F644FCE4B} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\AppData\Roaming\sgredgkrtf09weut3r435.exeC:\Users\Admin\AppData\Roaming\sgredgkrtf09weut3r435.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\sgredgkrtf09weut3r435.exeC:\Users\Admin\AppData\Roaming\sgredgkrtf09weut3r435.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\sgredgkrtf09weut3r435.exeC:\Users\Admin\AppData\Roaming\sgredgkrtf09weut3r435.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\_MEI25882\python311.dllFilesize
1.6MB
MD5bb46b85029b543b70276ad8e4c238799
SHA1123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c
SHA25672c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0
SHA5125e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5e2e512134c1ca9d7c8d577b8fd3bca55
SHA1394963f8566bcfaee8327137eca51767c6d1923b
SHA256a561bc773ac8b4537cb7feacfb2bd1a307d1a04936807c95f6bccef9104bd351
SHA512e48c99cb13a850c5faf4527f3b83f422c6782d6b68dfb9741aa3444c2be0a6c041841dd07819024c2585e144b689be68244e95d1c6986fc628fce53c5b829332
-
C:\Users\Admin\AppData\Roaming\adb.exeFilesize
1.7MB
MD5884242fb6cbbec1f7711b946ef669e0e
SHA17b2bc3c03909e705da759b7c21907683db668cc5
SHA25665210cb4139672b53acaa2222b1005d036b0b02c437aa47e0e7b616fab0e2f6f
SHA512c73ed5875dd0a3f0c400794a10336b00602950fa3ff6fb99ce9a772681fb8c5237c5c3cba2d0b7d254e497383d634d3a97342039cc40d295f262c583d0839768
-
C:\Users\Admin\AppData\Roaming\bat.batFilesize
60B
MD5d55a01e2758ef91cd8ddccc7703517e2
SHA10d0d35d7d0007bdc0ddb74feae218b9eb6bb5e56
SHA256db0c0c5b991e98b03da0dfdc60d3b63af434ef52cf62a523eb28e17f5827f456
SHA512db9eee55674f8f5639803471159c5373fafddfbab7a36422aa2da05064215f0dd23b6b5772eb936620cf13657944bef9f63d2092cf7cb2c0172ca436fc5fc543
-
C:\Users\Admin\AppData\Roaming\dllhost.exeFilesize
3.4MB
MD5de586ed62cbe8aa67b7d2ea749e37e58
SHA13b8f0e80be45995bccd9aad044cf8ceef7fa1fdf
SHA256041b5ae270b886ab3945f54a4dbdbb0e462ff2e4fa33a3acb0fe8e8d063eff8c
SHA51257c80030b7524cb868a1afe8a337bbf93c19d9a301b9a28c28a3dee8aca256cf06df3f95cd847dd82e27d6251ff32bcf3d176dfb565ab4c64edc9ee1184d3054
-
C:\Users\Admin\AppData\Roaming\fastboot.exeFilesize
833KB
MD50875abb1c7b403b3f95631326eafb6c2
SHA145faf0c7b005b72145f25186b1a735f282332246
SHA256d794004af6dfedb5dbf118c20b4fda20ecdb38744191e859f1233287291cf0c7
SHA512e7749ca3490851c854a036147041c04327203aacd9f9ec6577023ff4adfb9f3ae494baa312dbd12eedce21601ce8a0d2fd20f6f130ed0b2b134ee289db47f09b
-
C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\1K70CMgSeGxLkKeGse1VkEk.vbeFilesize
227B
MD5f2c31772e7c91f2ff0d5a3799216245b
SHA17e4229eee244481cc48bf4744cea662676d0b53a
SHA256fec6e35115ab887bbffc816e64363b321d776f1af26a58e935a54f3568aa437c
SHA5129f3db7c0ba6ba33840fe00c12a890bbbb9684023129b997d4ae7a986de024086152e1de14f0288fd24de9f8127d82c161c5ccab3e28b22709d249f063ad91ca4
-
C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\amamamsus.exeFilesize
3.1MB
MD57f37a8b5d7f8477374b5b59e9258b0f4
SHA15dd21643eab2b7dc44cb58acfb01b94ac1fecf3a
SHA256acc383151665d737cdedbcd7c639d59063a64b7ce5e622143b92ce7f765551ab
SHA51270c066075df0450d64acc9eb864e091fe16f081f9f60815fba3967e90f4c86a4c3903c1d88aab54828e60728b71b22abb5eaaf1ffdc29c679991b5574333242c
-
C:\Users\Admin\AppData\Roaming\gsdrgrgsehufgewhtfewutahetgr5s543t\file.vbsFilesize
34B
MD5677cc4360477c72cb0ce00406a949c61
SHA1b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA5127cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a
-
C:\Users\Admin\AppData\Roaming\scvhost.exeFilesize
61KB
MD59db6d927f9fa97d5419f15ee5b633b3d
SHA1832bdd728fc29bd360a3126da5d48dce3a4ebd31
SHA256c608942ef98e1dd95df33e11104962e91ea360e01b455fbd666f881afc116526
SHA5122ec400d834a83dee4d2db4074e72029098a7fe0a5f5913f41d82f32cc53f7cf16c7fd6fb2dbe22f30dd8defaa344390c0b46625594b61c15ee2a727766174275
-
C:\Users\Admin\AppData\Roaming\sus.batFilesize
54B
MD57b448e495d5ab244be8065bf0b5491d8
SHA11177a30a6aad0ed07295e445b57e23b9bfb0c8f8
SHA256d9daef7c9edb752480402b9e5499049c92018006bca6d51c26d54b5895699090
SHA512328f5682b4dd5e872f5d6fe364870375323965fe77915aeb983eb5b833bd413b6b3a4159b4fe88ca772e515cb4c010532ef6d2ad80d7e1fb0ce515564380c3be
-
C:\Users\Admin\AppData\Roaming\vbs.vbsFilesize
236B
MD5fc0095fbf5911c7f6a487621fd3f9f30
SHA13ff379b9eee2140cf03ecdc72779eee9adfe95e0
SHA2560001254296d73292f955d193f8922aada45057ffc5de65e8b983f9c6d1140618
SHA51288752695000e85a029153b5e368b5e45ed085f35170b7c7888b1ca071889d387d8d437ca40013d1137e333f0d3f04d7709efcc5466cd7a554a2da209e20b4f80
-
\Users\Admin\AppData\Roaming\AdbWinApi.dllFilesize
95KB
MD5ed5a809dc0024d83cbab4fb9933d598d
SHA10bc5a82327f8641d9287101e4cc7041af20bad57
SHA256d60103a5e99bc9888f786ee916f5d6e45493c3247972cb053833803de7e95cf9
SHA5121fdb74ee5912fbdd2c0cba501e998349fecfbef5f4f743c7978c38996aa7e1f38e8ac750f2dc8f84b8094de3dd6fa3f983a29f290b3fa2cdbdaed691748baf17
-
\Users\Admin\AppData\Roaming\AdbWinUsbApi.dllFilesize
61KB
MD50e24119daf1909e398fa1850b6112077
SHA1293eedadb3172e756a421790d551e407457e0a8c
SHA25625207c506d29c4e8dceb61b4bd50e8669ba26012988a43fbf26a890b1e60fc97
SHA5129cbb26e555ab40b019a446337db58770b9a0c9c08316ff1e1909c4b6d99c00bd33522d05890870a91b4b581e20c7dce87488ab0d22fc3c4bbdd7e9b38f164b43
-
\Users\Admin\AppData\Roaming\setup.exeFilesize
6.9MB
MD5e6911d67b1557e060469e3bcbb3f1b26
SHA1d8e26462769918eccae2ca6c15348f810eb6568e
SHA2561420115bb23121fd0ab3a7d9a6ba8ddcd4a718724b258c8c214403c070f1cb18
SHA512b19cfb6214209ce31cf10620f199f03c1c3f344109378e69b05b3651322f13f461232954aafddbe6910887d807126b91258f0902c1e54d3e9f0136cbf265a04d
-
memory/676-134-0x0000000001F40000-0x0000000001F48000-memory.dmpFilesize
32KB
-
memory/676-133-0x000000001B760000-0x000000001BA42000-memory.dmpFilesize
2.9MB
-
memory/756-106-0x000007FEF20E0000-0x000007FEF26C8000-memory.dmpFilesize
5.9MB
-
memory/1124-170-0x0000000000A70000-0x0000000000AC6000-memory.dmpFilesize
344KB
-
memory/1124-184-0x000000001AAC0000-0x000000001AACE000-memory.dmpFilesize
56KB
-
memory/1124-159-0x0000000000460000-0x000000000046E000-memory.dmpFilesize
56KB
-
memory/1124-160-0x0000000000470000-0x0000000000478000-memory.dmpFilesize
32KB
-
memory/1124-162-0x00000000004B0000-0x00000000004B8000-memory.dmpFilesize
32KB
-
memory/1124-163-0x00000000006F0000-0x0000000000706000-memory.dmpFilesize
88KB
-
memory/1124-164-0x0000000000710000-0x0000000000718000-memory.dmpFilesize
32KB
-
memory/1124-166-0x0000000000720000-0x0000000000732000-memory.dmpFilesize
72KB
-
memory/1124-167-0x0000000000A60000-0x0000000000A6C000-memory.dmpFilesize
48KB
-
memory/1124-168-0x0000000000730000-0x0000000000738000-memory.dmpFilesize
32KB
-
memory/1124-175-0x0000000000BC0000-0x0000000000BCC000-memory.dmpFilesize
48KB
-
memory/1124-176-0x0000000000BD0000-0x0000000000BD8000-memory.dmpFilesize
32KB
-
memory/1124-178-0x000000001AA20000-0x000000001AA2C000-memory.dmpFilesize
48KB
-
memory/1124-155-0x00000000011F0000-0x0000000001508000-memory.dmpFilesize
3.1MB
-
memory/1124-158-0x0000000000450000-0x000000000045E000-memory.dmpFilesize
56KB
-
memory/1124-161-0x0000000000490000-0x00000000004AC000-memory.dmpFilesize
112KB
-
memory/1124-169-0x0000000000740000-0x0000000000750000-memory.dmpFilesize
64KB
-
memory/1124-174-0x0000000000BB0000-0x0000000000BBC000-memory.dmpFilesize
48KB
-
memory/1124-177-0x00000000011C0000-0x00000000011D2000-memory.dmpFilesize
72KB
-
memory/1124-181-0x000000001AA50000-0x000000001AA5C000-memory.dmpFilesize
48KB
-
memory/1124-186-0x000000001AAE0000-0x000000001AAE8000-memory.dmpFilesize
32KB
-
memory/1124-187-0x000000001AAF0000-0x000000001AAFC000-memory.dmpFilesize
48KB
-
memory/1124-185-0x000000001AAD0000-0x000000001AAD8000-memory.dmpFilesize
32KB
-
memory/1124-179-0x000000001AA30000-0x000000001AA38000-memory.dmpFilesize
32KB
-
memory/1124-180-0x000000001AA40000-0x000000001AA4C000-memory.dmpFilesize
48KB
-
memory/1124-182-0x000000001AA60000-0x000000001AA6A000-memory.dmpFilesize
40KB
-
memory/1124-183-0x000000001AAB0000-0x000000001AABE000-memory.dmpFilesize
56KB
-
memory/1204-303-0x00000000002B0000-0x00000000002C6000-memory.dmpFilesize
88KB
-
memory/1264-140-0x000000001B660000-0x000000001B942000-memory.dmpFilesize
2.9MB
-
memory/1264-141-0x0000000001E00000-0x0000000001E08000-memory.dmpFilesize
32KB
-
memory/1844-243-0x0000000001250000-0x0000000001568000-memory.dmpFilesize
3.1MB
-
memory/2068-1-0x0000000000E70000-0x0000000001B78000-memory.dmpFilesize
13.0MB
-
memory/2068-0-0x000007FEF5783000-0x000007FEF5784000-memory.dmpFilesize
4KB
-
memory/2132-23-0x0000000000400000-0x00000000005D7000-memory.dmpFilesize
1.8MB
-
memory/2196-308-0x00000000002E0000-0x00000000002EA000-memory.dmpFilesize
40KB
-
memory/2196-118-0x00000000002E0000-0x00000000002EA000-memory.dmpFilesize
40KB
-
memory/2196-120-0x00000000002E0000-0x00000000002EA000-memory.dmpFilesize
40KB
-
memory/2196-127-0x00000000002E0000-0x00000000002EA000-memory.dmpFilesize
40KB
-
memory/2196-124-0x00000000002E0000-0x00000000002EA000-memory.dmpFilesize
40KB
-
memory/2196-304-0x00000000002E0000-0x00000000002EA000-memory.dmpFilesize
40KB
-
memory/2196-128-0x00000000002E0000-0x00000000002EA000-memory.dmpFilesize
40KB
-
memory/2196-119-0x00000000002E0000-0x00000000002EA000-memory.dmpFilesize
40KB
-
memory/2196-305-0x00000000002E0000-0x00000000002EA000-memory.dmpFilesize
40KB
-
memory/2196-309-0x00000000002E0000-0x00000000002EA000-memory.dmpFilesize
40KB
-
memory/2196-306-0x00000000002E0000-0x00000000002EA000-memory.dmpFilesize
40KB
-
memory/2196-307-0x00000000002E0000-0x00000000002EA000-memory.dmpFilesize
40KB
-
memory/2468-226-0x0000000001E00000-0x0000000001E08000-memory.dmpFilesize
32KB
-
memory/2724-47-0x0000000000250000-0x0000000000266000-memory.dmpFilesize
88KB
-
memory/2728-46-0x0000000000400000-0x00000000004D9000-memory.dmpFilesize
868KB
-
memory/3008-312-0x0000000000E70000-0x0000000000E86000-memory.dmpFilesize
88KB