dcrat | edd84255835c79c57e078dda2a58c4bef0266a9ad2133030301f8501252d6bc3

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edd84255835c79c57e078dda2a58c4bef0266a9ad2133030301f8501252d6bc3.exe
Size

1.3MB
MD5

b10a2cc89ffe888291025739e3c48fa4
SHA1

c4529d26b58f4da2f952b7d1aef405f238c879db
SHA256

edd84255835c79c57e078dda2a58c4bef0266a9ad2133030301f8501252d6bc3
SHA512

a427430906a612187c545263fe8e8dfa334ba9738b6d3d901c06a27eedea0dba32eea6427e6a59d8d21b2a45c2a86b227610183a4d9ade353590c271de2b32b5
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2692	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2692	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2692	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2692	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2692	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2692	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2692	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2692	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2692	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2692	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2692	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2692	schtasks.exe	35

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00060000000186f8-10.dat	dcrat
behavioral1/memory/2424-13-0x0000000001290000-0x00000000013A0000-memory.dmp	dcrat
behavioral1/memory/1516-59-0x0000000000320000-0x0000000000430000-memory.dmp	dcrat
behavioral1/memory/2528-119-0x0000000000970000-0x0000000000A80000-memory.dmp	dcrat
behavioral1/memory/484-179-0x0000000000340000-0x0000000000450000-memory.dmp	dcrat
behavioral1/memory/1620-240-0x0000000000260000-0x0000000000370000-memory.dmp	dcrat
behavioral1/memory/1028-301-0x0000000000A80000-0x0000000000B90000-memory.dmp	dcrat
behavioral1/memory/2264-361-0x0000000000180000-0x0000000000290000-memory.dmp	dcrat
behavioral1/memory/2920-421-0x0000000000BE0000-0x0000000000CF0000-memory.dmp	dcrat
behavioral1/memory/916-481-0x0000000001000000-0x0000000001110000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
296	powershell.exe
1620	powershell.exe
1912	powershell.exe
1692	powershell.exe
1708	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2424	DllCommonsvc.exe
1516	WmiPrvSE.exe
2528	WmiPrvSE.exe
484	WmiPrvSE.exe
1620	WmiPrvSE.exe
1028	WmiPrvSE.exe
2264	WmiPrvSE.exe
2920	WmiPrvSE.exe
916	WmiPrvSE.exe
2192	WmiPrvSE.exe
2548	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
1644	cmd.exe
1644	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
27	raw.githubusercontent.com
31	raw.githubusercontent.com
34	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
5	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edd84255835c79c57e078dda2a58c4bef0266a9ad2133030301f8501252d6bc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2572	schtasks.exe
2624	schtasks.exe
3056	schtasks.exe
2420	schtasks.exe
2820	schtasks.exe
2588	schtasks.exe
1736	schtasks.exe
1732	schtasks.exe
1524	schtasks.exe
2108	schtasks.exe
1808	schtasks.exe
1948	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2424	DllCommonsvc.exe
1912	powershell.exe
1692	powershell.exe
296	powershell.exe
1620	powershell.exe
1708	powershell.exe
1516	WmiPrvSE.exe
2528	WmiPrvSE.exe
484	WmiPrvSE.exe
1620	WmiPrvSE.exe
1028	WmiPrvSE.exe
2264	WmiPrvSE.exe
2920	WmiPrvSE.exe
916	WmiPrvSE.exe
2192	WmiPrvSE.exe
2548	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2424	DllCommonsvc.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	296	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	1516	WmiPrvSE.exe
Token: SeDebugPrivilege	2528	WmiPrvSE.exe
Token: SeDebugPrivilege	484	WmiPrvSE.exe
Token: SeDebugPrivilege	1620	WmiPrvSE.exe
Token: SeDebugPrivilege	1028	WmiPrvSE.exe
Token: SeDebugPrivilege	2264	WmiPrvSE.exe
Token: SeDebugPrivilege	2920	WmiPrvSE.exe
Token: SeDebugPrivilege	916	WmiPrvSE.exe
Token: SeDebugPrivilege	2192	WmiPrvSE.exe
Token: SeDebugPrivilege	2548	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 1152	2336	edd84255835c79c57e078dda2a58c4bef0266a9ad2133030301f8501252d6bc3.exe	31
PID 2336 wrote to memory of 1152	2336	edd84255835c79c57e078dda2a58c4bef0266a9ad2133030301f8501252d6bc3.exe	31
PID 2336 wrote to memory of 1152	2336	edd84255835c79c57e078dda2a58c4bef0266a9ad2133030301f8501252d6bc3.exe	31
PID 2336 wrote to memory of 1152	2336	edd84255835c79c57e078dda2a58c4bef0266a9ad2133030301f8501252d6bc3.exe	31
PID 1152 wrote to memory of 1644	1152	WScript.exe	32
PID 1152 wrote to memory of 1644	1152	WScript.exe	32
PID 1152 wrote to memory of 1644	1152	WScript.exe	32
PID 1152 wrote to memory of 1644	1152	WScript.exe	32
PID 1644 wrote to memory of 2424	1644	cmd.exe	34
PID 1644 wrote to memory of 2424	1644	cmd.exe	34
PID 1644 wrote to memory of 2424	1644	cmd.exe	34
PID 1644 wrote to memory of 2424	1644	cmd.exe	34
PID 2424 wrote to memory of 1620	2424	DllCommonsvc.exe	48
PID 2424 wrote to memory of 1620	2424	DllCommonsvc.exe	48
PID 2424 wrote to memory of 1620	2424	DllCommonsvc.exe	48
PID 2424 wrote to memory of 296	2424	DllCommonsvc.exe	49
PID 2424 wrote to memory of 296	2424	DllCommonsvc.exe	49
PID 2424 wrote to memory of 296	2424	DllCommonsvc.exe	49
PID 2424 wrote to memory of 1708	2424	DllCommonsvc.exe	50
PID 2424 wrote to memory of 1708	2424	DllCommonsvc.exe	50
PID 2424 wrote to memory of 1708	2424	DllCommonsvc.exe	50
PID 2424 wrote to memory of 1692	2424	DllCommonsvc.exe	51
PID 2424 wrote to memory of 1692	2424	DllCommonsvc.exe	51
PID 2424 wrote to memory of 1692	2424	DllCommonsvc.exe	51
PID 2424 wrote to memory of 1912	2424	DllCommonsvc.exe	52
PID 2424 wrote to memory of 1912	2424	DllCommonsvc.exe	52
PID 2424 wrote to memory of 1912	2424	DllCommonsvc.exe	52
PID 2424 wrote to memory of 1528	2424	DllCommonsvc.exe	58
PID 2424 wrote to memory of 1528	2424	DllCommonsvc.exe	58
PID 2424 wrote to memory of 1528	2424	DllCommonsvc.exe	58
PID 1528 wrote to memory of 288	1528	cmd.exe	60
PID 1528 wrote to memory of 288	1528	cmd.exe	60
PID 1528 wrote to memory of 288	1528	cmd.exe	60
PID 1528 wrote to memory of 1516	1528	cmd.exe	61
PID 1528 wrote to memory of 1516	1528	cmd.exe	61
PID 1528 wrote to memory of 1516	1528	cmd.exe	61
PID 1516 wrote to memory of 2452	1516	WmiPrvSE.exe	62
PID 1516 wrote to memory of 2452	1516	WmiPrvSE.exe	62
PID 1516 wrote to memory of 2452	1516	WmiPrvSE.exe	62
PID 2452 wrote to memory of 1712	2452	cmd.exe	64
PID 2452 wrote to memory of 1712	2452	cmd.exe	64
PID 2452 wrote to memory of 1712	2452	cmd.exe	64
PID 2452 wrote to memory of 2528	2452	cmd.exe	65
PID 2452 wrote to memory of 2528	2452	cmd.exe	65
PID 2452 wrote to memory of 2528	2452	cmd.exe	65
PID 2528 wrote to memory of 1676	2528	WmiPrvSE.exe	66
PID 2528 wrote to memory of 1676	2528	WmiPrvSE.exe	66
PID 2528 wrote to memory of 1676	2528	WmiPrvSE.exe	66
PID 1676 wrote to memory of 2600	1676	cmd.exe	68
PID 1676 wrote to memory of 2600	1676	cmd.exe	68
PID 1676 wrote to memory of 2600	1676	cmd.exe	68
PID 1676 wrote to memory of 484	1676	cmd.exe	69
PID 1676 wrote to memory of 484	1676	cmd.exe	69
PID 1676 wrote to memory of 484	1676	cmd.exe	69
PID 484 wrote to memory of 2444	484	WmiPrvSE.exe	70
PID 484 wrote to memory of 2444	484	WmiPrvSE.exe	70
PID 484 wrote to memory of 2444	484	WmiPrvSE.exe	70
PID 2444 wrote to memory of 2424	2444	cmd.exe	72
PID 2444 wrote to memory of 2424	2444	cmd.exe	72
PID 2444 wrote to memory of 2424	2444	cmd.exe	72
PID 2444 wrote to memory of 1620	2444	cmd.exe	73
PID 2444 wrote to memory of 1620	2444	cmd.exe	73
PID 2444 wrote to memory of 1620	2444	cmd.exe	73
PID 1620 wrote to memory of 2500	1620	WmiPrvSE.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\edd84255835c79c57e078dda2a58c4bef0266a9ad2133030301f8501252d6bc3.exe
"C:\Users\Admin\AppData\Local\Temp\edd84255835c79c57e078dda2a58c4bef0266a9ad2133030301f8501252d6bc3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aURWjxsM8E.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1528
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:288
      - C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L9j9zErPDE.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1712
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FBiR4PpyYA.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2600
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eG7Plib0M1.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2424
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sSDDfDN1Wn.bat"
        13⤵
        
        PID:2500
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1356
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zGIMjSYhT8.bat"
        15⤵
        
        PID:1272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2400
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x1DfgQ9qXa.bat"
        17⤵
        
        PID:2040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2756
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J97QZsi4Oz.bat"
        19⤵
        
        PID:2004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:888
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VAhDAdBh8f.bat"
        21⤵
        
        PID:2852
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:304
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0LMDaVm4bI.bat"
        23⤵
        
        PID:292
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1708
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
617e25feccecfbda233fe6e891a4a07e

SHA1
ea38c8ce171e0233996b9259a749e2379d34ff95

SHA256
e55fc6680af076cd235d1c339d567cbc8e521ad4622403e3451c8ca7e1f6fe1c

SHA512
ab662480a72acd9f61566ffa2bf5f7a785014c4f794a7e591d1e71186c2e398cdceaf5931618310524191b5bb27b1881bb0030c2837e55bdb944ecb429ba067c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ecec415c599dc24d8b20996af4820642

SHA1
90917e0167a4f957102ec8d63b7a368d7e37918c

SHA256
27ce714ee55de82575edda896b3b6e45017e21e73e93b020e6bf3cf3274d0346

SHA512
8dcd6fd80857d5bd30b2ed4dd76b20e9828ecef68da58bc233e1472ee7b938b62a0c071de041cc7982c6f55d1f6d185f8080eea6177d8a9e369e5680cdb4bada

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8657038ab2fb49a6a6aee82b8d3190c9

SHA1
89c6647413bcbae86264046a851ea49cbc89e63e

SHA256
32bf3ed0c89203c6e6774602797f4fab6495c229bcc47411593bd350221f44db

SHA512
2bd9286bdb5873120c4c784177f0ffd820f87f473c065c45cd5ad0ba616bd29fd96ff2b6a2b26e256100776f781ed40781c61cf3cb9d83ad278da5ae91163cdf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04e1271feb4896e9824a9ca85af8ab32

SHA1
700e1e4f1ff4f85379395c424ed5a13b5253c84f

SHA256
3503cbf0849fc46dbbb8f594f65b2444d44748fa34fb7bbf3f7ac04c72d77e16

SHA512
211bd7399bd06f97cbb8f5f633c4978569e0c32b9548c3cb259e995a44b215945a5aacf61f40e9f14128f1d13214eb270580bec0e985655741fad6c50803c26c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6dbae479c5907ca44b224c9842ab9785

SHA1
4e73a5344768524a4fc034a98c6a9f459c94d3b2

SHA256
3c5d97947484980a12bb08b82a8c3d5275616b565315887b97a4896bd4480120

SHA512
34ef49ad8ad070611793a20926787ac699a6ea04232894baaca2126d36f0663999e5c971b0754a42ac9f1db6a604d5fd90ac41dd1ea1e76146e153abdb6939c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4393722546b8bc978fcda980201e69d1

SHA1
a5968d1d1ca788c7069be8df396f44e8a25627d0

SHA256
672590feea2f075025ca4261da3e3f42eb172877f0ce97f4c46791dd4b161e28

SHA512
99e165cc3224ed7136d80bcf0f2e95d8127dceeb039aed72c748d5941fde4f8394e2413cf30c2dbfb24cabb233f288bcefb4dc1aac315ef4613e938bf682171b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8d033a4bdba9bef8b8410562fc45b43a

SHA1
d97e8e101f97aec2c030c0970c61888684129133

SHA256
d895a4e75a2ec7e7be478766ac27343aee1b4beab07d7c27c0dc46fdb0b11d44

SHA512
568cad4e90da2ab863735e47edcc442573c9ae375fc6b93b9e9a681cfb1fd121f975e0bc90cb5de7f45b426b47a1aa54fd48477af364ea787967e483cc685474

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b5a976a1b7575853e664eb0ec0e38f6d

SHA1
029073b1e955e16f7b0504dac389f826394465e3

SHA256
a1a8b2ad1da33edf7370f001121f71b04626d448239a1df4ff05fa6915557ef9

SHA512
cc6077d4c8a44a4d97e7ed4ead6eeb53d04a00aeab33398154379bed920d51401032a01d3df3edbc67968f437d2e0c7d31c703593573ab14be02263ee1d73194

Download Submit
C:\Users\Admin\AppData\Local\Temp\0LMDaVm4bI.bat

Filesize
253B

MD5
9f85238ef00573b9ebed7fe931b32184

SHA1
827aa812d97357ff25e7b00145fc8e9abf48779d

SHA256
9ff0bd3b4426af7c7af664153ab75926d57fb74863c44432d41299c8f3a893fc

SHA512
e661c30338b9486a9c3d4ed4c5f36e1173d1c579c245282ed6584efc9a8c60848be6c1ce2525d91b72242222b062e3135d4866140504306a9b5a3963830ff986

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2AF9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBiR4PpyYA.bat

Filesize
253B

MD5
46afafad17a370bb2e3cfe2d42219b3a

SHA1
a660e1bda3f4256d09f17d3fa6affea550449372

SHA256
7ed4740bcea7a2c90637fdfe2218247c90985967fa0693a6b54784285bd20ebd

SHA512
7794cb6e3bf736efd9b55292e57535d7526b73c4020af68c35ec41c1f00752ec8b86362f65c350a3207f17908e013c80bb6851ad5e625d6f967ba5c37e8cd1ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\J97QZsi4Oz.bat

Filesize
253B

MD5
a090d43c6acd996861f91419011b0077

SHA1
de0614f7729281e9fee7a17680b903ababc63073

SHA256
2f418f5de5f63a0c3b9f064ac2e1ab45338b981689d514d8d233eac133f7ef93

SHA512
40a636eca6b846140d19a3357ad9e71c25c48159378b04f1add562c7919e75877e14523d3bedaf2b0ecf8e11d54117a5fcd7ce6b6685dfb3a3b91b07a508645f

Download Submit
C:\Users\Admin\AppData\Local\Temp\L9j9zErPDE.bat

Filesize
253B

MD5
61e1b5f86dc88164154439dc455fdb16

SHA1
809fa8e5f8b8b3e616004d03947d4719122c52e8

SHA256
4c1060e42c7722f05144762cf8017f859fb0f7eb69f033812efb329bd83e528f

SHA512
92a3a1951822cc0942f1fb642ebe72f0b3d6b486462f003c8e5efce2398db6453118f524c1137bee6ac1edca2eebfe34f041d1666d9536164ed5ad3c368b3280

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2B0B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAhDAdBh8f.bat

Filesize
253B

MD5
686f4e50f56192af4b4d9ec63f5079f8

SHA1
55dc4fef4a25af005a96c50d9a9cdd04f38c27f7

SHA256
5211993c4306aae77d3557a296663d42bda00601021d42f98b151e40fc3f3cc0

SHA512
5939bce1532b5d4a713889b4cd4e98c20cdbaf68f1c1662753d80ae7a7b79b2d76948301c4e109672e363f686003a7dbb9c0c981e6fd17a8f9509b7f0c32f26e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aURWjxsM8E.bat

Filesize
253B

MD5
acbb2a7f0715361a3f073eea4d54eb10

SHA1
87b249d3af6881a6fb90e3b0151201aea2329ed1

SHA256
ecf34baca52a8a08675fa81dbffb107a6cdb86989db0820f26d71f027f009e45

SHA512
7fffda58b5166557a715253bd47641076fe87a2c5f38361c4ea7cec6bb4f5b6858d2096be3116146fb2a9171938689ce8273bf9bb97a8e73da44001a811a201c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eG7Plib0M1.bat

Filesize
253B

MD5
e813c838f74a1dbba5749f9e19332ea1

SHA1
a943dc2ec0e760e71a97944edbcaecc3bdedbbcb

SHA256
234bed509522604b8995a95640aac714b06998d07927a0702d45aece3854bba7

SHA512
d3c57df24aac4d11f626f64c626b0fc832469b361d515f082dd958b1b5a6f2d15ecc9f15529c32ddb9ff0a9b452ea587f6ed4bd07b148ac68689cdf27101366d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sSDDfDN1Wn.bat

Filesize
253B

MD5
a7dbaac02bf8795e4cc4129dd4ceb088

SHA1
c00e1a812f30a980f52ab2f245ed2f9ff54fd1f7

SHA256
291152cd024f7a9f612b9a51f98cd107f4b9dd1f643f9a25b3ad25d6c86a5828

SHA512
cb5bdb200b31cf56d3559592e623c0ce57ac295d557c6105a66435658cd82d1e7e2ba0c79f582ed44dafd44abb667f01631bead521f6963baad01b66fab50b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\x1DfgQ9qXa.bat

Filesize
253B

MD5
19145b20c0baed3ee2f5d256b0d4bfff

SHA1
1b88badacde58c2c2d08ec4040f9797652c1f901

SHA256
19c907c71954d2d66ab05e0fab13ba5ca53c740dd55cbaad243203ba3c0a19e0

SHA512
9b8852846e6ddc162e6ec13ba5951492c4a7bfddb15dc505a751a330033a6390a6eba1c6d01f450224b307821c2db73df00c70ddd19a569cadf8b8372c3ea11f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zGIMjSYhT8.bat

Filesize
253B

MD5
5800613463c5314048def607d314c062

SHA1
48b68ee23f0be22ce7ce484555e6187d00c29a04

SHA256
e0374a2e295f0dc60afcd52e6e9559f4038d3a777a2f1981bb8d6728ab3ac38c

SHA512
5013e1aad170371f83fb457c0aaa631032fcc99813a31e6c17d8d6ef564272227bf6e4021f02f6297b51581e072ce7bcef87aab4f04968906e34f599e05907c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NH3LVXANZ3RTMXARB9AZ.temp

Filesize
7KB

MD5
1be4050db9145a5af83a64fd91ea2d4f

SHA1
09ea0d64bf96c86cd8ec6a3f36affeab5843e53e

SHA256
4006ab012c8a0c5783d51e9101f8af46793fa8b1f25acc391db684277e753787

SHA512
4afbb19b3a02101fc9121ff27e8f4e83f6b083ae94ff31c59fbd5175deced1d9ea4efead5a42f8adc534eaf60b81ae6f543429dffb62196843f3a6a6cac9959d

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/484-179-0x0000000000340000-0x0000000000450000-memory.dmp

Filesize
1.1MB

Download
memory/484-180-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/916-481-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/1028-301-0x0000000000A80000-0x0000000000B90000-memory.dmp

Filesize
1.1MB

Download
memory/1516-59-0x0000000000320000-0x0000000000430000-memory.dmp

Filesize
1.1MB

Download
memory/1516-60-0x00000000007E0000-0x00000000007F2000-memory.dmp

Filesize
72KB

Download
memory/1620-240-0x0000000000260000-0x0000000000370000-memory.dmp

Filesize
1.1MB

Download
memory/1620-241-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/1692-54-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/1692-55-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2264-361-0x0000000000180000-0x0000000000290000-memory.dmp

Filesize
1.1MB

Download
memory/2424-17-0x0000000000A30000-0x0000000000A3C000-memory.dmp

Filesize
48KB

Download
memory/2424-16-0x0000000000A20000-0x0000000000A2C000-memory.dmp

Filesize
48KB

Download
memory/2424-15-0x0000000000A10000-0x0000000000A1C000-memory.dmp

Filesize
48KB

Download
memory/2424-14-0x00000000006F0000-0x0000000000702000-memory.dmp

Filesize
72KB

Download
memory/2424-13-0x0000000001290000-0x00000000013A0000-memory.dmp

Filesize
1.1MB

Download
memory/2528-119-0x0000000000970000-0x0000000000A80000-memory.dmp

Filesize
1.1MB

Download
memory/2548-600-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2920-421-0x0000000000BE0000-0x0000000000CF0000-memory.dmp

Filesize
1.1MB

Download