dcrat | 7564e427054537f671838b319b67a0e41d788ad9735ac2c2b04d58a56a3f4742

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7564e427054537f671838b319b67a0e41d788ad9735ac2c2b04d58a56a3f4742.exe
Size

1.3MB
MD5

3108a2dabc945949edc1019eb794b752
SHA1

16c16b63f45d8cb9303102bff7981003719ec705
SHA256

7564e427054537f671838b319b67a0e41d788ad9735ac2c2b04d58a56a3f4742
SHA512

8fee7b5345a6e7e7f6195b4de30b57ce53196dbc509a080367f261e2f9c688ae8fa50c9fd1aa471b95bc00eccb0acbb9afe33f96ff2cfddd5f61bb4abee256c8
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2820	schtasks.exe	34

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015694-10.dat	dcrat
behavioral1/memory/2700-13-0x0000000000D00000-0x0000000000E10000-memory.dmp	dcrat
behavioral1/memory/2528-66-0x0000000000080000-0x0000000000190000-memory.dmp	dcrat
behavioral1/memory/3068-126-0x0000000000050000-0x0000000000160000-memory.dmp	dcrat
behavioral1/memory/2036-186-0x0000000000310000-0x0000000000420000-memory.dmp	dcrat
behavioral1/memory/2860-246-0x0000000000B20000-0x0000000000C30000-memory.dmp	dcrat
behavioral1/memory/1880-306-0x00000000011F0000-0x0000000001300000-memory.dmp	dcrat
behavioral1/memory/3000-366-0x0000000000390000-0x00000000004A0000-memory.dmp	dcrat
behavioral1/memory/2912-426-0x0000000001070000-0x0000000001180000-memory.dmp	dcrat
behavioral1/memory/1708-486-0x00000000000B0000-0x00000000001C0000-memory.dmp	dcrat
behavioral1/memory/1440-546-0x00000000013E0000-0x00000000014F0000-memory.dmp	dcrat
behavioral1/memory/532-606-0x0000000000170000-0x0000000000280000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2024	powershell.exe
1248	powershell.exe
1924	powershell.exe
1596	powershell.exe
664	powershell.exe
1268	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2700	DllCommonsvc.exe
2528	smss.exe
3068	smss.exe
2036	smss.exe
2860	smss.exe
1880	smss.exe
3000	smss.exe
2912	smss.exe
1708	smss.exe
1440	smss.exe
532	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
2836	cmd.exe
2836	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
23	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7564e427054537f671838b319b67a0e41d788ad9735ac2c2b04d58a56a3f4742.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2536	schtasks.exe
1768	schtasks.exe
2972	schtasks.exe
2728	schtasks.exe
556	schtasks.exe
2168	schtasks.exe
2580	schtasks.exe
1832	schtasks.exe
2068	schtasks.exe
464	schtasks.exe
2196	schtasks.exe
2996	schtasks.exe
2220	schtasks.exe
2016	schtasks.exe
1524	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2700	DllCommonsvc.exe
2024	powershell.exe
1596	powershell.exe
664	powershell.exe
1924	powershell.exe
1268	powershell.exe
1248	powershell.exe
2528	smss.exe
3068	smss.exe
2036	smss.exe
2860	smss.exe
1880	smss.exe
3000	smss.exe
2912	smss.exe
1708	smss.exe
1440	smss.exe
532	smss.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	DllCommonsvc.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	664	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	2528	smss.exe
Token: SeDebugPrivilege	3068	smss.exe
Token: SeDebugPrivilege	2036	smss.exe
Token: SeDebugPrivilege	2860	smss.exe
Token: SeDebugPrivilege	1880	smss.exe
Token: SeDebugPrivilege	3000	smss.exe
Token: SeDebugPrivilege	2912	smss.exe
Token: SeDebugPrivilege	1708	smss.exe
Token: SeDebugPrivilege	1440	smss.exe
Token: SeDebugPrivilege	532	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2436	3028	7564e427054537f671838b319b67a0e41d788ad9735ac2c2b04d58a56a3f4742.exe	30
PID 3028 wrote to memory of 2436	3028	7564e427054537f671838b319b67a0e41d788ad9735ac2c2b04d58a56a3f4742.exe	30
PID 3028 wrote to memory of 2436	3028	7564e427054537f671838b319b67a0e41d788ad9735ac2c2b04d58a56a3f4742.exe	30
PID 3028 wrote to memory of 2436	3028	7564e427054537f671838b319b67a0e41d788ad9735ac2c2b04d58a56a3f4742.exe	30
PID 2436 wrote to memory of 2836	2436	WScript.exe	31
PID 2436 wrote to memory of 2836	2436	WScript.exe	31
PID 2436 wrote to memory of 2836	2436	WScript.exe	31
PID 2436 wrote to memory of 2836	2436	WScript.exe	31
PID 2836 wrote to memory of 2700	2836	cmd.exe	33
PID 2836 wrote to memory of 2700	2836	cmd.exe	33
PID 2836 wrote to memory of 2700	2836	cmd.exe	33
PID 2836 wrote to memory of 2700	2836	cmd.exe	33
PID 2700 wrote to memory of 1268	2700	DllCommonsvc.exe	50
PID 2700 wrote to memory of 1268	2700	DllCommonsvc.exe	50
PID 2700 wrote to memory of 1268	2700	DllCommonsvc.exe	50
PID 2700 wrote to memory of 2024	2700	DllCommonsvc.exe	51
PID 2700 wrote to memory of 2024	2700	DllCommonsvc.exe	51
PID 2700 wrote to memory of 2024	2700	DllCommonsvc.exe	51
PID 2700 wrote to memory of 1248	2700	DllCommonsvc.exe	52
PID 2700 wrote to memory of 1248	2700	DllCommonsvc.exe	52
PID 2700 wrote to memory of 1248	2700	DllCommonsvc.exe	52
PID 2700 wrote to memory of 1924	2700	DllCommonsvc.exe	53
PID 2700 wrote to memory of 1924	2700	DllCommonsvc.exe	53
PID 2700 wrote to memory of 1924	2700	DllCommonsvc.exe	53
PID 2700 wrote to memory of 1596	2700	DllCommonsvc.exe	54
PID 2700 wrote to memory of 1596	2700	DllCommonsvc.exe	54
PID 2700 wrote to memory of 1596	2700	DllCommonsvc.exe	54
PID 2700 wrote to memory of 664	2700	DllCommonsvc.exe	55
PID 2700 wrote to memory of 664	2700	DllCommonsvc.exe	55
PID 2700 wrote to memory of 664	2700	DllCommonsvc.exe	55
PID 2700 wrote to memory of 1140	2700	DllCommonsvc.exe	62
PID 2700 wrote to memory of 1140	2700	DllCommonsvc.exe	62
PID 2700 wrote to memory of 1140	2700	DllCommonsvc.exe	62
PID 1140 wrote to memory of 1072	1140	cmd.exe	64
PID 1140 wrote to memory of 1072	1140	cmd.exe	64
PID 1140 wrote to memory of 1072	1140	cmd.exe	64
PID 1140 wrote to memory of 2528	1140	cmd.exe	65
PID 1140 wrote to memory of 2528	1140	cmd.exe	65
PID 1140 wrote to memory of 2528	1140	cmd.exe	65
PID 2528 wrote to memory of 2900	2528	smss.exe	67
PID 2528 wrote to memory of 2900	2528	smss.exe	67
PID 2528 wrote to memory of 2900	2528	smss.exe	67
PID 2900 wrote to memory of 2868	2900	cmd.exe	69
PID 2900 wrote to memory of 2868	2900	cmd.exe	69
PID 2900 wrote to memory of 2868	2900	cmd.exe	69
PID 2900 wrote to memory of 3068	2900	cmd.exe	70
PID 2900 wrote to memory of 3068	2900	cmd.exe	70
PID 2900 wrote to memory of 3068	2900	cmd.exe	70
PID 3068 wrote to memory of 2784	3068	smss.exe	71
PID 3068 wrote to memory of 2784	3068	smss.exe	71
PID 3068 wrote to memory of 2784	3068	smss.exe	71
PID 2784 wrote to memory of 440	2784	cmd.exe	73
PID 2784 wrote to memory of 440	2784	cmd.exe	73
PID 2784 wrote to memory of 440	2784	cmd.exe	73
PID 2784 wrote to memory of 2036	2784	cmd.exe	74
PID 2784 wrote to memory of 2036	2784	cmd.exe	74
PID 2784 wrote to memory of 2036	2784	cmd.exe	74
PID 2036 wrote to memory of 1348	2036	smss.exe	75
PID 2036 wrote to memory of 1348	2036	smss.exe	75
PID 2036 wrote to memory of 1348	2036	smss.exe	75
PID 1348 wrote to memory of 1780	1348	cmd.exe	77
PID 1348 wrote to memory of 1780	1348	cmd.exe	77
PID 1348 wrote to memory of 1780	1348	cmd.exe	77
PID 1348 wrote to memory of 2860	1348	cmd.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7564e427054537f671838b319b67a0e41d788ad9735ac2c2b04d58a56a3f4742.exe
"C:\Users\Admin\AppData\Local\Temp\7564e427054537f671838b319b67a0e41d788ad9735ac2c2b04d58a56a3f4742.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\en-US\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:664
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZgnekHAkty.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1140
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1072
      - C:\Program Files (x86)\Windows Sidebar\en-US\smss.exe
        
        "C:\Program Files (x86)\Windows Sidebar\en-US\smss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cU7BGbiaqd.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2868
        
        C:\Program Files (x86)\Windows Sidebar\en-US\smss.exe
        
        "C:\Program Files (x86)\Windows Sidebar\en-US\smss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yyRUJOSyqo.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:440
        
        C:\Program Files (x86)\Windows Sidebar\en-US\smss.exe
        
        "C:\Program Files (x86)\Windows Sidebar\en-US\smss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5irhJyFUC1.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1780
        
        C:\Program Files (x86)\Windows Sidebar\en-US\smss.exe
        
        "C:\Program Files (x86)\Windows Sidebar\en-US\smss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat"
        13⤵
        
        PID:3056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1992
        
        C:\Program Files (x86)\Windows Sidebar\en-US\smss.exe
        
        "C:\Program Files (x86)\Windows Sidebar\en-US\smss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dhQfvaPZ4N.bat"
        15⤵
        
        PID:1492
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2980
        
        C:\Program Files (x86)\Windows Sidebar\en-US\smss.exe
        
        "C:\Program Files (x86)\Windows Sidebar\en-US\smss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JCnMdX7E06.bat"
        17⤵
        
        PID:768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1924
        
        C:\Program Files (x86)\Windows Sidebar\en-US\smss.exe
        
        "C:\Program Files (x86)\Windows Sidebar\en-US\smss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat"
        19⤵
        
        PID:2652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1192
        
        C:\Program Files (x86)\Windows Sidebar\en-US\smss.exe
        
        "C:\Program Files (x86)\Windows Sidebar\en-US\smss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9j3rBUpSkc.bat"
        21⤵
        
        PID:2056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2728
        
        C:\Program Files (x86)\Windows Sidebar\en-US\smss.exe
        
        "C:\Program Files (x86)\Windows Sidebar\en-US\smss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1hmmkqxEk5.bat"
        23⤵
        
        PID:808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1384
        
        C:\Program Files (x86)\Windows Sidebar\en-US\smss.exe
        
        "C:\Program Files (x86)\Windows Sidebar\en-US\smss.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\Sample Music\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\Sample Music\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4763f666163260547161ba1b3b24ccb8

SHA1
1f06bae22cede0c9282247680c63a5ea2b49d896

SHA256
d93151ea44e3ed21cbd3d8b044fd5f7a359da0c6e244e8db2ed69a15b1c34062

SHA512
29b2a8b44480b10d26906f18b4b715ba107480cc14ed697df75e0a1db01d033c0a9bb9887340bb4ad70b72c68a3ac7c38e32d153ec509e967c76aeef19118216

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d89d17db4c0618ceb162959a04c07aa

SHA1
d2219a137c16883cd7cb214fe400f9529b876266

SHA256
cdf4d5939bd2c0bb52beb06bf6b1d044830ae0b785cc35d1f1af31592a144f0d

SHA512
f117dc04b2e214dc2e992a052726b4f0007edfdc0a580b7b69833c0599bae1065466ac03646aa88b811907841960c6cf6c42d018619ee771bbc53907fcebc187

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e9d0ec1420531a16142c4f61709dc2d

SHA1
0a9bb4111e78621313dac9169ea5a301687b5349

SHA256
a82b9c2dc2618ba9e44d6b399c8f41f25058b2392e688fdce22eb6e1c22348ff

SHA512
afa9f199592fa909f85652c49c1fa40cac226c2d556c25016648fb2dacf6b3995867aae3548264bbeac6d091d73c402d3e93aa69d3a2a3a3275b15c04b09524a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
30a1657b9cb7e2377b28b40bde213d92

SHA1
ec2609475df5a63b5b1bf012b8fa1ea4cd31e1d9

SHA256
e1b2aa1a7ee1901dfef0fd5d42f4058bff19539696b8e59e7ecd7eb7fe8e6a95

SHA512
b254d3809d13c71f719229d4beed02178c49237f126db2eca91fd548be0d9b28038f961091c4b70f1aac0b104b8a7a8a0270c1b13bcf23751319f82285224161

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8abe396a0175c424574448c3bed20c9

SHA1
dc40e4a56b963073ab56752283acdcbc3f7e79d2

SHA256
20cc6b7091427dd0056a572500b51cae8fafc5a8ba081f94867526da9a964f4d

SHA512
b06ab3a7efa4930f93d9f17b77d6c2075544976c0a799680f3840437fd7d19d3bac69ef8cad5c0f2716ba876fa1cf171dc8c2adae990f5f440042bac08e47ec0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15891ccf6275c056d65080a64c42332d

SHA1
c3f309ea40035f5c63c658ed9bfbbe653ad768a3

SHA256
8fe37c0b71d910cf2f0a5432ede38b595bb54d6c14b54614301ad3730c7f9b7b

SHA512
3db2292d4b561aaca5a3ecaee60b5dae393effc2fcec9b0c4fb5d4b5f99c75af0e3816756f491ce1ec4ae661a66d4deb4448141794e41c6d64c192ca1f254be9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
602725228f35dcb4a1769b5da6db2082

SHA1
787f8e589d235386d780c04285fba9e3765f25a2

SHA256
6d3741683763ab04c4f6c9413f5a6e9488de88304b24979384f52e47a40e50b8

SHA512
7f91310a3d4326c6a7652ca200e88a3f21afd468e2b2edab3f9674a9d71e514be0705aec6f9caeec048d66214555106120600cb22c161d7b7d72b917b97f34b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1892218b727c9679b03b5e0c33a5ee91

SHA1
9f2f13b3e3a3621a5b6de030ce7f88d982f6c25c

SHA256
deb080a41a2a4f0bc93d52003c6a5c86a8b63a1844c64a6ec3af9ff262864155

SHA512
3c8812b97817003cf8415344f57dc56b44959bdadda8513ebdbd3b3e214a9738de928c21d7fe57559f5919683a3fc500f7e95bd1f475839be50d4d6f7008338c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1hmmkqxEk5.bat

Filesize
218B

MD5
c8ac7e12a22a41e5dea1bc6ae99e784d

SHA1
c4fb417002defb4a84902581dd57080614d6a181

SHA256
dd0273f556299f080ab87a5a9f0e290d7603056698e16c991da97e22a5a6f19a

SHA512
a4ea8368168eb02fd74540c45b49845aa26471e4dad64c209983d0d7fea622d4a67df5ac1c1e2fc577631881b1d68301617831a1788a92f6a5d42fbffef6940e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5irhJyFUC1.bat

Filesize
218B

MD5
35577d73dfb10355679fc1ea37de7fca

SHA1
f7f21e837fa589ed03e41e46811fb4050ffe0af4

SHA256
1e35639ef80a679edc8fd3c3de73adee595d4378e3280e01cc6cb69b2b92beca

SHA512
3da79bfb8fcdba53f7d1f839c604ed2b69dbdecc1fbc412883ac5a3bcacaccd40cca41359f85720a68c58aa28839bc8d71247aa9967863d95dc15d39c7de2139

Download Submit
C:\Users\Admin\AppData\Local\Temp\9j3rBUpSkc.bat

Filesize
218B

MD5
6760cae1f4374f7cfede6fdc902f6d9f

SHA1
8729398978205740adbc820e69c7176241ade251

SHA256
7e091ddf479771773c1943dbcc78e22d8cef6ad2307dc65fe5b6ec60b34a21b6

SHA512
9ad6e38c996559579f0036bed0573187d38d942effc4f4b6dc8e9771440936b6ba201b1a2bc98f8ab2e93ef491c89c6f5de31b7c19508cbada08726fedfdcb69

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD75F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JCnMdX7E06.bat

Filesize
218B

MD5
a3273472e208ccd1bfa8407ae98e886d

SHA1
920c911732f78b07f65b489392652af22d40c4e2

SHA256
67658a86ba6d4d039bcfdbd162dd55be1be5bb36a93b7c02d9b6fde6c1809c69

SHA512
181c4c59fa06149f79b1087ca00f8cc0e6633b27a4a352be99536620036c006570123acccbca97f88e0abf889b1873d67dbb75788694ea1e0e460213de3ad198

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD760.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZgnekHAkty.bat

Filesize
218B

MD5
6d04d5b77b06defe389fe19040554a87

SHA1
1a3e6344905e7dddf91aa408072369a3ea7b13f2

SHA256
5008dc91c504f4082b4ecbceb679a35acd96921db85b35a634315d9d30da55e1

SHA512
4debfdbfe0ef857da3fbeed57ef746d13ae00952d3f860b04e92f295003264ddc3dff4a9c34c21cf0abce96421a2cb5b21fee167abf62215d7e12c8b1281a200

Download Submit
C:\Users\Admin\AppData\Local\Temp\cU7BGbiaqd.bat

Filesize
218B

MD5
65a11724356398a8692b06ab134c5808

SHA1
5bb8bcc552bc9adfa7d766570454829aa0f0c885

SHA256
35ace130e4e85e71b5066bec64478b82da4d93d4aaed922975595101f49b0104

SHA512
401604227b1edc96254f7ebe6c14bed94678274ba2e08037fe12db670bededd33cd48a85dce80d45465b490e9408909439e99143c109db53df30dd0fe0777e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dhQfvaPZ4N.bat

Filesize
218B

MD5
97c3f197e6815bae5cf3350ca5905f29

SHA1
8d0bd33a7694f48ce7ee6e04dfc733f835fc0376

SHA256
4b36a8a0914eb5972103387f3410afe8b56a0e19045c654893ce8ce69b7c5b60

SHA512
2bd1bbc99858e830b0cfbef5e9f5a0c40e3ac3c26004822d5b39e98d6d56fd9fd98ab5206492d06188a023982e569aaa33071e3326f7990bf029d33ac2df60dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat

Filesize
218B

MD5
7ee6774936e3879aea9d0da768d2af86

SHA1
741e4db1aec1694724e187116812eed3fd5ff360

SHA256
b81a2d5b7bd030353692df8f4a10a6127a1f7f67689b0d4d950dc2cc4f94db03

SHA512
637bb20347858349c0a8932cc940b5b31aab5e8811b21a6f345ae52dcf62d81c9d82f78f99b2b046a97d6728ccfe6d94f77d7fb26f73b7959f0fca62c62638d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat

Filesize
218B

MD5
82499cf22ed2cb06567c972e28f5e316

SHA1
3434476e1bc45ef20c1f2f3be9221e8219e0db11

SHA256
0dd012dd0fa53d9019747f2f521c8c72fedff60f0ef2e54b576f946e62a48bd3

SHA512
4dcea8daf58d860c78fb9e3f0ace633eb6b30511a8d0c88e7e67be098fa24bf522e3991fbd458f2dc140010eedd2ee8dfd6adbfd19ebbf3d279c3ac95ebd450b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yyRUJOSyqo.bat

Filesize
218B

MD5
867e42a7db2453754c8697d8d80c981a

SHA1
0a2e8108e05ee5024bb77f6fb8fea9ee831578f8

SHA256
7aeeeb5785616922a10b746a01a407ea971f8f3bfe45c1a0eaa71f9dc43851cc

SHA512
86f4493c2f4907267f94f888eedad824ed8d5e4f20fb265d4288e5243181a0a53a93cfcc69c21447cb7a7691e9c06ac5e379ff279b69c3a5a5059b0a5abf6f19

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3a67888cb3aea5e0c7200d4dfdeae63d

SHA1
dc6ee614b7965f812fff9a6fbee9ce96d2423984

SHA256
9dbc6ecd0338efbd055de754a20da9930ddefcdc4a0405a4ddb85f5d2bfa4046

SHA512
92ecfbe0d944134e692c0be32590cc565909951871987e0c9088dd2217bde8c08c00ba3253ac91388fe6d83eba1aa365205d6220c911264e692e0f62244ae96f

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/532-606-0x0000000000170000-0x0000000000280000-memory.dmp

Filesize
1.1MB

Download
memory/664-53-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/1440-546-0x00000000013E0000-0x00000000014F0000-memory.dmp

Filesize
1.1MB

Download
memory/1708-486-0x00000000000B0000-0x00000000001C0000-memory.dmp

Filesize
1.1MB

Download
memory/1880-306-0x00000000011F0000-0x0000000001300000-memory.dmp

Filesize
1.1MB

Download
memory/2024-51-0x000000001B520000-0x000000001B802000-memory.dmp

Filesize
2.9MB

Download
memory/2036-186-0x0000000000310000-0x0000000000420000-memory.dmp

Filesize
1.1MB

Download
memory/2528-67-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/2528-66-0x0000000000080000-0x0000000000190000-memory.dmp

Filesize
1.1MB

Download
memory/2700-17-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2700-15-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2700-16-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/2700-14-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2700-13-0x0000000000D00000-0x0000000000E10000-memory.dmp

Filesize
1.1MB

Download
memory/2860-246-0x0000000000B20000-0x0000000000C30000-memory.dmp

Filesize
1.1MB

Download
memory/2912-426-0x0000000001070000-0x0000000001180000-memory.dmp

Filesize
1.1MB

Download
memory/3000-366-0x0000000000390000-0x00000000004A0000-memory.dmp

Filesize
1.1MB

Download
memory/3068-126-0x0000000000050000-0x0000000000160000-memory.dmp

Filesize
1.1MB

Download