Analysis
- max time kernel: 129s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 01-07-2024 04:26
Static task: static1
Behavioral task: behavioral1
- Sample: 315e0272c25fcf22ac2b4023f6e9d02f.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 315e0272c25fcf22ac2b4023f6e9d02f.exe
- Resource: win10v2004-20240508-en
General
- Target: 315e0272c25fcf22ac2b4023f6e9d02f.exe
- Size: 2.1MB
- MD5: 315e0272c25fcf22ac2b4023f6e9d02f
- SHA1: c5d91607832ff900ac945ae9d030204e4de747f2
- SHA256: e564512cd804822bb78cb0a81de39833e283d1a26fc1c3e81402a75c98eb4e0d
- SHA512: b3b791cf698a333cf099aa298cd2838a7d6b8564252d48e8ef4a283efcaaa463ea8a5cfbc0f3bad9812050f22b66947e1fcbd1f53e075747532c568ed0078522
- SSDEEP: 49152:IBJTPdd11t3B0ks2MOavodMFf6obivfxI4R8Q:ydPdbL3B/4OaQiA1vfxI4R8Q
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
Processes: AgentmonitorSvc.exe
description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\conhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\smss.exe\", \"C:\\Windows\\Microsoft.NET\\Framework\\1036\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\"" | AgentmonitorSvc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\conhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\smss.exe\", \"C:\\Windows\\Microsoft.NET\\Framework\\1036\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\System.exe\"" | AgentmonitorSvc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\conhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\smss.exe\", \"C:\\Windows\\Microsoft.NET\\Framework\\1036\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\System.exe\", \"C:\\PortContainerdhcp\\AgentmonitorSvc.exe\"" | AgentmonitorSvc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\conhost.exe\"" | AgentmonitorSvc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\conhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\smss.exe\"" | AgentmonitorSvc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\conhost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\smss.exe\", \"C:\\Windows\\Microsoft.NET\\Framework\\1036\\csrss.exe\"" | AgentmonitorSvc.exe
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (18 instances)
description | pid | pid_target | process / target process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2988 | 2484 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2924 | 2484 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1428 | 2484 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2764 | 2484 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2376 | 2484 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2380 | 2484 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1584 | 2484 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1544 | 2484 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 848 | 2484 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1836 | 2484 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 484 | 2484 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 628 | 2484 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1268 | 2484 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2768 | 2484 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2804 | 2484 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2816 | 2484 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2784 | 2484 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2212 | 2484 | schtasks.exe
-
Disables Task Manager via registry modification
-
Executes dropped EXE 2 IoCs
Processes: AgentmonitorSvc.exe, AgentmonitorSvc.exe
pid | process
  2708 | AgentmonitorSvc.exe
  2404 | AgentmonitorSvc.exe
-
Loads dropped DLL 2 IoCs
Processes: cmd.exe
pid | process
  2560 | cmd.exe
  2560 | cmd.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 12 IoCs
Processes: AgentmonitorSvc.exe
description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Photo Viewer\\de-DE\\smss.exe\"" | AgentmonitorSvc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Photo Viewer\\de-DE\\smss.exe\"" | AgentmonitorSvc.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Microsoft.NET\\Framework\\1036\\csrss.exe\"" | AgentmonitorSvc.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\"" | AgentmonitorSvc.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\DigitalLocker\\en-US\\System.exe\"" | AgentmonitorSvc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AgentmonitorSvc = "\"C:\\PortContainerdhcp\\AgentmonitorSvc.exe\"" | AgentmonitorSvc.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\conhost.exe\"" | AgentmonitorSvc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\conhost.exe\"" | AgentmonitorSvc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Microsoft.NET\\Framework\\1036\\csrss.exe\"" | AgentmonitorSvc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\"" | AgentmonitorSvc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\DigitalLocker\\en-US\\System.exe\"" | AgentmonitorSvc.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\AgentmonitorSvc = "\"C:\\PortContainerdhcp\\AgentmonitorSvc.exe\"" | AgentmonitorSvc.exe
-
Drops file in System32 directory 2 IoCs
Processes: csc.exe
description | ioc | process
  File created | \??\c:\Windows\System32\CSCC2F8711E2DF944FE8CFEDAE87AC4ED5.TMP | csc.exe
  File created | \??\c:\Windows\System32\ldgalj.exe | csc.exe
-
Drops file in Program Files directory 4 IoCs
Processes: AgentmonitorSvc.exe
description | ioc | process
  File created | C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e | AgentmonitorSvc.exe
  File created | C:\Program Files\Windows Photo Viewer\de-DE\smss.exe | AgentmonitorSvc.exe
  File created | C:\Program Files\Windows Photo Viewer\de-DE\69ddcba757bf72 | AgentmonitorSvc.exe
  File created | C:\Program Files (x86)\Windows Portable Devices\csrss.exe | AgentmonitorSvc.exe
-
Drops file in Windows directory 5 IoCs
Processes: AgentmonitorSvc.exe
description | ioc | process
  File created | C:\Windows\DigitalLocker\en-US\System.exe | AgentmonitorSvc.exe
  File opened for modification | C:\Windows\DigitalLocker\en-US\System.exe | AgentmonitorSvc.exe
  File created | C:\Windows\DigitalLocker\en-US\27d1bcfc3c54e0 | AgentmonitorSvc.exe
  File created | C:\Windows\Microsoft.NET\Framework\1036\csrss.exe | AgentmonitorSvc.exe
  File created | C:\Windows\Microsoft.NET\Framework\1036\886983d96e3d3e | AgentmonitorSvc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (18 instances)
pid | process
  2924 | schtasks.exe
  1584 | schtasks.exe
  484 | schtasks.exe
  2988 | schtasks.exe
  2764 | schtasks.exe
  2380 | schtasks.exe
  1544 | schtasks.exe
  1428 | schtasks.exe
  848 | schtasks.exe
  2816 | schtasks.exe
  2212 | schtasks.exe
  2804 | schtasks.exe
  2784 | schtasks.exe
  2376 | schtasks.exe
  1836 | schtasks.exe
  628 | schtasks.exe
  1268 | schtasks.exe
  2768 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: AgentmonitorSvc.exe, AgentmonitorSvc.exe
pid | process | count
  2708 | AgentmonitorSvc.exe | 59 entries
  2404 | AgentmonitorSvc.exe | 5 entries
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: AgentmonitorSvc.exe
pid | process
  2404 | AgentmonitorSvc.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: AgentmonitorSvc.exe, AgentmonitorSvc.exe
description | pid | process
  Token: SeDebugPrivilege | 2708 | AgentmonitorSvc.exe
  Token: SeDebugPrivilege | 2404 | AgentmonitorSvc.exe
-
Suspicious use of WriteProcessMemory 34 IoCs
Processes: 315e0272c25fcf22ac2b4023f6e9d02f.exe, WScript.exe, cmd.exe, AgentmonitorSvc.exe, csc.exe, cmd.exe
description | pid | process | target process | count
  PID 1360 wrote to memory of 2828 | 1360 | 315e0272c25fcf22ac2b4023f6e9d02f.exe | WScript.exe | 4
  PID 2828 wrote to memory of 2560 | 2828 | WScript.exe | cmd.exe | 4
  PID 2560 wrote to memory of 2580 | 2560 | cmd.exe | reg.exe | 4
  PID 2560 wrote to memory of 2708 | 2560 | cmd.exe | AgentmonitorSvc.exe | 4
  PID 2708 wrote to memory of 1424 | 2708 | AgentmonitorSvc.exe | csc.exe | 3
  PID 1424 wrote to memory of 2552 | 1424 | csc.exe | cvtres.exe | 3
  PID 2708 wrote to memory of 2252 | 2708 | AgentmonitorSvc.exe | cmd.exe | 3
  PID 2252 wrote to memory of 1044 | 2252 | cmd.exe | chcp.com | 3
  PID 2252 wrote to memory of 1400 | 2252 | cmd.exe | PING.EXE | 3
  PID 2252 wrote to memory of 2404 | 2252 | cmd.exe | AgentmonitorSvc.exe | 3
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
depth 1: C:\Users\Admin\AppData\Local\Temp\315e0272c25fcf22ac2b4023f6e9d02f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\315e0272c25fcf22ac2b4023f6e9d02f.exe"
  - Suspicious use of WriteProcessMemory
-
depth 2: C:\Windows\SysWOW64\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\PortContainerdhcp\AapWJ8OdgRI5ePB4uiL5KTMmYWkrnvGGYGk6ZysW03KsiwYhlXR.vbe"
  - Suspicious use of WriteProcessMemory
-
depth 3: C:\Windows\SysWOW64\cmd.exe
  command line: cmd /c ""C:\PortContainerdhcp\B3U7B7.bat" "
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
-
depth 4: C:\Windows\SysWOW64\reg.exe
  command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  - Modifies registry key
-
depth 4: C:\PortContainerdhcp\AgentmonitorSvc.exe
  command line: "C:\PortContainerdhcp/AgentmonitorSvc.exe"
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
depth 5: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ekprd3ow\ekprd3ow.cmdline"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
-
depth 6: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
  command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3459.tmp" "c:\Windows\System32\CSCC2F8711E2DF944FE8CFEDAE87AC4ED5.TMP"
-
depth 5: C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6NFvLgHS1g.bat"
  - Suspicious use of WriteProcessMemory
-
depth 6: C:\Windows\system32\chcp.com
  command line: chcp 65001
-
depth 6: C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
-
depth 6: C:\PortContainerdhcp\AgentmonitorSvc.exe
  command line: "C:\PortContainerdhcp\AgentmonitorSvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
-
depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\conhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
-
depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
-
depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
-
depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\smss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
-
depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
-
depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
-
depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\Framework\1036\csrss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
-
depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework\1036\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
-
depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\Framework\1036\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
-
depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
-
depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
-
depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
-
depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\en-US\System.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
-
depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
-
depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\en-US\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
-
depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "AgentmonitorSvcA" /sc MINUTE /mo 14 /tr "'C:\PortContainerdhcp\AgentmonitorSvc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
-
depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "AgentmonitorSvc" /sc ONLOGON /tr "'C:\PortContainerdhcp\AgentmonitorSvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
-
depth 1: C:\Windows\system32\schtasks.exe
  command line: schtasks.exe /create /tn "AgentmonitorSvcA" /sc MINUTE /mo 5 /tr "'C:\PortContainerdhcp\AgentmonitorSvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
-
C:\PortContainerdhcp\AapWJ8OdgRI5ePB4uiL5KTMmYWkrnvGGYGk6ZysW03KsiwYhlXR.vbe
  Filesize: 212B
  MD5: e45367c7c8d8b48cb95c0435542ced32
  SHA1: b9943a98ac59cc77ba9a8a1506ccec234decc2d0
  SHA256: b6d021a7f89875f3f34cc565bf7bc46d6a7e0f00837281e7106738a7cea54d68
  SHA512: 67b5c1904e8592a90166ed27e5ae3211add2d1cac3ac13447b28749d6fb5c0aef7ea2b152a102e89845d926d10dc749ae9812717d77da5732295bd6c4692b2af
-
C:\PortContainerdhcp\AgentmonitorSvc.exe
  Filesize: 1.8MB
  MD5: b3c40f02fd5de8f3d6879868965241ac
  SHA1: f8f600aa7dfa91b91e327264e8ca6c5cb28fe877
  SHA256: 60c2806a3fbf26b6de8457f8cc4040a25a52ec2f222de938aaee3d402de010c2
  SHA512: fbfe0fac2dc53215c72a1265e0fc335c983270ef3ecba7893ecdeda283e03713c31bc607f20593e838aba8dec35ce5dc2ced63f8e72526c47864578454a00fa0
-
C:\PortContainerdhcp\B3U7B7.bat
  Filesize: 220B
  MD5: d3988f3dce0461b3f5618c74ff9805ce
  SHA1: 4884569eb70550373ca220ba37d9c19c90a795fd
  SHA256: 8345b3c447b9512bce7dd8989a10d8dcd35bce4893a08d472d28d39e5052a3b0
  SHA512: 2a1bcb3bd3183230cfb438782089ee12640b644193efe1eb6b5043745b648097a3d8504dbb2776a960a160d5f2d206688d73645cb615ef2fd1d588dee7542fd6
-
C:\Users\Admin\AppData\Local\Temp\6NFvLgHS1g.bat
  Filesize: 168B
  MD5: 81a3940da2942bf661cbced9cebda8c7
  SHA1: dd34927ee20bfdf7f823b75f70fa634d031edece
  SHA256: 199bb33363b11ed2b711b742af50780cc81006dc1028885eedef042a467e9f07
  SHA512: 88766172171f98334d2589da3cea86801bfeec2d1c79f05e4c3b29d9fc4a2b33af4bfcbdb98632e32362c9d35f274e1e47bd4175692f69b3d1e1725fd73fbabc
-
C:\Users\Admin\AppData\Local\Temp\RES3459.tmp
  Filesize: 1KB
  MD5: 6a2e3e1e3865d846d0cbf3c18b76f6d5
  SHA1: 2d0ed5eacc4910264ea0bfdec3abfd8d9f50e35d
  SHA256: 9bd4e17a6b7e544833587d9382e828b4eb98d12fc937edd164329557d2cc4184
  SHA512: ae3ddc09f7fb9926495205aa9075c6b56634a0c1ab3371c8d2d95e5706506d6b12df73eae3718f7f2e91a8e58912d69e8fa62d7ed7e73a53f426ac783e91d0da
-
\??\c:\Users\Admin\AppData\Local\Temp\ekprd3ow\ekprd3ow.0.cs
  Filesize: 392B
  MD5: 59ff65db070a30fe35b7884599de136c
  SHA1: b6c1dc87a3245822e57e24df674ceab053947bc3
  SHA256: 1d9091fd8659cebafc3675eed8c9502107a594bb3d8b9776e2cbc8fab449d5ec
  SHA512: 7258b4d83aa60f7c4cd6c1870a26a77eaa2385dd724c4d1f5b1f791eafe41cd8706c18514644bae51b29e4bed7312d4a8622693e5f6808bdcc12ec01312d4703
-
\??\c:\Users\Admin\AppData\Local\Temp\ekprd3ow\ekprd3ow.cmdline
  Filesize: 235B
  MD5: 5d28f5793d0108c2497a645a9f9dc174
  SHA1: b092850c4b65e6a1a6a9ea1319ebe18b11d26fc6
  SHA256: 9ba12c26d5bd9f2642056616731f16d84dd2d95940ad882f78b4978f9e9d1223
  SHA512: ec2bc9bae8d8b354951a60d86820508859f75e6ab821fb0540baf60a439fd53013953093ef5e79d1e946a0f3c458a2dc0c09db7a0adf4b0d9af7b29148160915
-
\??\c:\Windows\System32\CSCC2F8711E2DF944FE8CFEDAE87AC4ED5.TMP
  Filesize: 1KB
  MD5: bfb5195b3f3a87a55924d32b25f58821
  SHA1: 20a15b7e5c1f8626a991b0018ecff1e0f9bbdd55
  SHA256: 27fc2b6d7eb6b901e442740584ea89682cf613798415d7f431174412a2c78241
  SHA512: 137ad28b8cc1d5a270c6f98fe129697c1a1d6828f8fbeb72a2f290e0242f547c9aeb97d28c818efe717aa6b7833cece46dd6ddd5d033d9d1f5ce442757d2ab3b
-
memory/2708-13-0x0000000001370000-0x000000000154A000-memory.dmp
  Filesize: 1.9MB
-
memory/2708-21-0x00000000005B0000-0x00000000005BC000-memory.dmp
  Filesize: 48KB
-
memory/2708-19-0x00000000005F0000-0x0000000000608000-memory.dmp
  Filesize: 96KB
-
memory/2708-17-0x00000000005D0000-0x00000000005EC000-memory.dmp
  Filesize: 112KB
-
memory/2708-15-0x0000000000310000-0x000000000031E000-memory.dmp
  Filesize: 56KB