Analysis
-
max time kernel
145s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
21-12-2024 19:35
Behavioral task
behavioral1
Sample
JaffaCakes118_9f8dbd91e84073bd34f56c548a1dccad817f707218cd613f6c7706a201ca039e.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_9f8dbd91e84073bd34f56c548a1dccad817f707218cd613f6c7706a201ca039e.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_9f8dbd91e84073bd34f56c548a1dccad817f707218cd613f6c7706a201ca039e.exe
-
Size
1.3MB
-
MD5
478342eb310e398bd0484bb507cf3ccc
-
SHA1
a871a72edd8ec93e1916e1bf617943032a53e258
-
SHA256
9f8dbd91e84073bd34f56c548a1dccad817f707218cd613f6c7706a201ca039e
-
SHA512
ea069761d8f4c9dfef367b587f5e0f57693117d30213a663e955d7562bcc0d67854ce683a2280b95e159f71c8ce93c946462091cb5126b9d9d11f4d193d9ee88
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DcRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 21 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Here, though, the parent is WmiPrvSE.exe: a process created through WMI (Win32_Process.Create) gets the WMI provider host as its recorded parent, so the 21 schtasks.exe launches below are consistent with the payload scheduling its persistence tasks over WMI rather than with an exploited wmiprvse.exe.
All 21 IoCs share the same description and parent; only the child pid differs.
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target: 2716   Process: schtasks.exe   procid_target: 35
pid: 2988, 1292, 2724, 2692, 1700, 2548, 2508, 1036, 1480, 1844, 2480, 1244, 2740, 2972, 2120, 2960, 1772, 2000, 2040, 1760, 3040
-
resource | yara_rule
behavioral1/files/0x000700000001955c-9.dat | dcrat
behavioral1/memory/2788-13-0x0000000000810000-0x0000000000920000-memory.dmp | dcrat
behavioral1/memory/2160-42-0x00000000010C0000-0x00000000011D0000-memory.dmp | dcrat
behavioral1/memory/300-139-0x00000000001F0000-0x0000000000300000-memory.dmp | dcrat
behavioral1/memory/1140-200-0x00000000008E0000-0x00000000009F0000-memory.dmp | dcrat
behavioral1/memory/2412-261-0x0000000000270000-0x0000000000380000-memory.dmp | dcrat
behavioral1/memory/2044-321-0x00000000008C0000-0x00000000009D0000-memory.dmp | dcrat
behavioral1/memory/1576-381-0x0000000000CF0000-0x0000000000E00000-memory.dmp | dcrat
behavioral1/memory/1984-500-0x0000000001260000-0x0000000001370000-memory.dmp | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
PowerShell was run to add Windows Defender exclusions. All eight invocations in this run use Add-MpPreference -ExclusionPath, one per path where a copy of the payload is staged (the same paths the scheduled tasks below point at); no extension or process exclusions were observed.
pid | Process
1928 | powershell.exe
1152 | powershell.exe
2616 | powershell.exe
2412 | powershell.exe
2180 | powershell.exe
3048 | powershell.exe
3008 | powershell.exe
2504 | powershell.exe
-
Executes dropped EXE 11 IoCs
pid | Process
2788 | DllCommonsvc.exe
2160 | taskhost.exe
300 | taskhost.exe
1140 | taskhost.exe
2412 | taskhost.exe
2044 | taskhost.exe
1576 | taskhost.exe
2704 | taskhost.exe
1984 | taskhost.exe
944 | taskhost.exe
2644 | taskhost.exe
-
Loads dropped DLL 2 IoCs
pid | Process
484 | cmd.exe
484 | cmd.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow | ioc
37 | raw.githubusercontent.com
4 | raw.githubusercontent.com
9 | raw.githubusercontent.com
23 | raw.githubusercontent.com
30 | raw.githubusercontent.com
26 | raw.githubusercontent.com
34 | raw.githubusercontent.com
5 | raw.githubusercontent.com
12 | raw.githubusercontent.com
16 | raw.githubusercontent.com
19 | raw.githubusercontent.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_9f8dbd91e84073bd34f56c548a1dccad817f707218cd613f6c7706a201ca039e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. In this run the 21 creations come in triples per dropped copy: an ONLOGON task with /rl HIGHEST plus two MINUTE-interval tasks (one of them with /rl HIGHEST) that restart the file. Task and file names imitate Windows components (taskhost, dwm, explorer, WMIADAP, Idle), but every /tr target sits outside the system directories: C:\providercommon, C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799, C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C, C:\Users\Default\Links and C:\Users\Default User.
pid | Process
1036 | schtasks.exe
2740 | schtasks.exe
2040 | schtasks.exe
1292 | schtasks.exe
1700 | schtasks.exe
2548 | schtasks.exe
1480 | schtasks.exe
1844 | schtasks.exe
1244 | schtasks.exe
2120 | schtasks.exe
2960 | schtasks.exe
2972 | schtasks.exe
2000 | schtasks.exe
2988 | schtasks.exe
2724 | schtasks.exe
2692 | schtasks.exe
2508 | schtasks.exe
2480 | schtasks.exe
1772 | schtasks.exe
1760 | schtasks.exe
3040 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
pid | Process
2788 | DllCommonsvc.exe
2504 | powershell.exe
1928 | powershell.exe
3048 | powershell.exe
2616 | powershell.exe
1152 | powershell.exe
2180 | powershell.exe
2412 | powershell.exe
3008 | powershell.exe
2160 | taskhost.exe
300 | taskhost.exe
1140 | taskhost.exe
2412 | taskhost.exe
2044 | taskhost.exe
1576 | taskhost.exe
2704 | taskhost.exe
1984 | taskhost.exe
944 | taskhost.exe
2644 | taskhost.exe
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2788 | DllCommonsvc.exe
Token: SeDebugPrivilege | 2504 | powershell.exe
Token: SeDebugPrivilege | 1928 | powershell.exe
Token: SeDebugPrivilege | 3048 | powershell.exe
Token: SeDebugPrivilege | 2160 | taskhost.exe
Token: SeDebugPrivilege | 1152 | powershell.exe
Token: SeDebugPrivilege | 2616 | powershell.exe
Token: SeDebugPrivilege | 2180 | powershell.exe
Token: SeDebugPrivilege | 2412 | powershell.exe
Token: SeDebugPrivilege | 3008 | powershell.exe
Token: SeDebugPrivilege | 300 | taskhost.exe
Token: SeDebugPrivilege | 1140 | taskhost.exe
Token: SeDebugPrivilege | 2412 | taskhost.exe
Token: SeDebugPrivilege | 2044 | taskhost.exe
Token: SeDebugPrivilege | 1576 | taskhost.exe
Token: SeDebugPrivilege | 2704 | taskhost.exe
Token: SeDebugPrivilege | 1984 | taskhost.exe
Token: SeDebugPrivilege | 944 | taskhost.exe
Token: SeDebugPrivilege | 2644 | taskhost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Each row is one WriteProcessMemory call recorded at process creation; identical rows are collapsed with their count (64 IoCs in total, the report's cap).
description | pid | Process | procid_target | count
PID 2392 wrote to memory of 2596 | 2392 | JaffaCakes118_9f8dbd91e84073bd34f56c548a1dccad817f707218cd613f6c7706a201ca039e.exe | 30 | x4
PID 2596 wrote to memory of 484 | 2596 | WScript.exe | 32 | x4
PID 484 wrote to memory of 2788 | 484 | cmd.exe | 34 | x4
PID 2788 wrote to memory of 3048 | 2788 | DllCommonsvc.exe | 57 | x3
PID 2788 wrote to memory of 3008 | 2788 | DllCommonsvc.exe | 58 | x3
PID 2788 wrote to memory of 2504 | 2788 | DllCommonsvc.exe | 59 | x3
PID 2788 wrote to memory of 2180 | 2788 | DllCommonsvc.exe | 60 | x3
PID 2788 wrote to memory of 2412 | 2788 | DllCommonsvc.exe | 62 | x3
PID 2788 wrote to memory of 1928 | 2788 | DllCommonsvc.exe | 63 | x3
PID 2788 wrote to memory of 2616 | 2788 | DllCommonsvc.exe | 64 | x3
PID 2788 wrote to memory of 1152 | 2788 | DllCommonsvc.exe | 65 | x3
PID 2788 wrote to memory of 2160 | 2788 | DllCommonsvc.exe | 72 | x3
PID 2160 wrote to memory of 1092 | 2160 | taskhost.exe | 74 | x3
PID 1092 wrote to memory of 2540 | 1092 | cmd.exe | 76 | x3
PID 1092 wrote to memory of 300 | 1092 | cmd.exe | 77 | x3
PID 300 wrote to memory of 1064 | 300 | taskhost.exe | 78 | x3
PID 1064 wrote to memory of 1640 | 1064 | cmd.exe | 80 | x3
PID 1064 wrote to memory of 1140 | 1064 | cmd.exe | 81 | x3
PID 1140 wrote to memory of 2776 | 1140 | taskhost.exe | 82 | x3
PID 2776 wrote to memory of 268 | 2776 | cmd.exe | 84 | x3
PID 2776 wrote to memory of 2412 | 2776 | cmd.exe | 85 | x1
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
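The checks the signatures above describe, as an added example that is not part of the sandbox report and is not DcRat's own code: a Python triage pass over constructed Sysmon-style process-creation events whose command lines and pids are copied from the process list of this report, plus one invented benign control event (pid 4100). It parses `schtasks /create`, flags targets that borrow a Windows component name while living outside the system directories, flags `Add-MpPreference -ExclusionPath`, flags `schtasks.exe` started under `WmiPrvSE.exe`, and correlates a logon task with its minute-interval relauncher and with an exclusion that covers the same file. The event dictionary shape, the rule names and the trusted-directory list are assumptions of this example.

```python
"""Triage of process-creation events for the behaviours this report lists.

Added example, not code from the sandbox or from DcRat. It runs the checks the
signatures describe over constructed events whose command lines are copied from
the process list of this report, plus one invented benign control.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Directories a file named like a Windows component is allowed to live in (assumed list).
TRUSTED_DIRS = {"c:\\windows\\", "c:\\windows\\system32\\", "c:\\windows\\syswow64\\"}
# Names the dropped copies borrow in this report (Idle.exe has no real file behind it:
# the System Idle Process is not an executable).
LOOKALIKE_NAMES = {"taskhost.exe", "dwm.exe", "explorer.exe", "wmiadap.exe", "idle.exe"}

_TN = re.compile(r'/tn\s+"([^"]+)"', re.I)
_TR = re.compile(r'/tr\s+"\'?([^"\']+)\'?"', re.I)
_SC = re.compile(r"/sc\s+(\w+)", re.I)
_MO = re.compile(r"/mo\s+(\d+)", re.I)
_RL = re.compile(r"/rl\s+(\w+)", re.I)
_EXCL = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.I)

@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower() + "\\"

def parse_schtasks_create(cmdline: str) -> Optional[dict]:
    """Task name, trigger, run level and target of a 'schtasks /create' command line."""
    tn, tr = _TN.search(cmdline), _TR.search(cmdline)
    if "/create" not in cmdline.lower() or not (tn and tr):
        return None
    sc, mo, rl = _SC.search(cmdline), _MO.search(cmdline), _RL.search(cmdline)
    return {"name": tn.group(1), "target": tr.group(1),
            "schedule": sc.group(1).upper() if sc else "",
            "interval": int(mo.group(1)) if mo else None,
            "runlevel": rl.group(1).upper() if rl else "LIMITED"}

def target_reasons(target: str) -> list[str]:
    """Why a task target looks like a masquerading payload (empty list if it does not)."""
    d, b = dirname(target), basename(target)
    if d in TRUSTED_DIRS:
        return []
    reasons = ["outside the trusted Windows directories"]
    if b in LOOKALIKE_NAMES:
        reasons.append(f"borrows the name of a Windows component ({b})")
    return reasons

def triage(events: list[dict]) -> list[Finding]:
    findings: list[Finding] = []
    tasks_by_target: dict[str, list[dict]] = defaultdict(list)
    exclusions: dict[str, int] = {}
    for ev in events:
        pid, cmd = ev["pid"], ev["cmdline"]
        image, parent = basename(ev["image"]), basename(ev["parent"])
        # schtasks under the WMI provider host: the usual cause is the payload calling
        # Win32_Process.Create, which makes WmiPrvSE.exe the recorded parent.
        if image == "schtasks.exe" and parent == "wmiprvse.exe":
            findings.append(Finding(pid, "schtasks-spawned-via-wmi", ev["parent"]))
        # A Defender exclusion pinned to a single file path is almost always for a payload.
        if image == "powershell.exe" and (m := _EXCL.search(cmd)):
            exclusions[m.group(1).lower()] = pid
            findings.append(Finding(pid, "defender-path-exclusion", m.group(1)))
        task = parse_schtasks_create(cmd) if image == "schtasks.exe" else None
        if task:
            tasks_by_target[task["target"].lower()].append({**task, "pid": pid})
            for why in target_reasons(task["target"]):
                findings.append(Finding(pid, "task-target-masquerade",
                                        f'{task["name"]} -> {task["target"]}: {why}'))
    # Correlate: a logon task plus a minute-interval relauncher for one file, and an
    # exclusion that covers a task target, are the persistence pattern seen in this run.
    for target, tasks in tasks_by_target.items():
        if {"ONLOGON", "MINUTE"} <= {t["schedule"] for t in tasks}:
            pids = ", ".join(str(t["pid"]) for t in tasks)
            findings.append(Finding(tasks[0]["pid"], "logon-plus-interval-persistence",
                                    f"{target} (schtasks pids {pids})"))
        if target in exclusions:
            findings.append(Finding(exclusions[target], "exclusion-covers-task-target", target))
    return findings

WMIPRVSE = "C:\\Windows\\system32\\wbem\\wmiprvse.exe"
SCHTASKS = "C:\\Windows\\system32\\schtasks.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed events: command lines and pids copied from this report, except the
# benign control (pid 4100), which is invented for contrast.
SAMPLE_EVENTS = [
    {"pid": 2508, "parent": WMIPRVSE, "image": SCHTASKS, "cmdline":
     "schtasks.exe /create /tn \"taskhostt\" /sc MINUTE /mo 5 /tr \"'C:\\providercommon\\taskhost.exe'\" /f"},
    {"pid": 1036, "parent": WMIPRVSE, "image": SCHTASKS, "cmdline":
     "schtasks.exe /create /tn \"taskhost\" /sc ONLOGON /tr \"'C:\\providercommon\\taskhost.exe'\" /rl HIGHEST /f"},
    {"pid": 2960, "parent": WMIPRVSE, "image": SCHTASKS, "cmdline":
     "schtasks.exe /create /tn \"IdleI\" /sc MINUTE /mo 7 /tr \"'C:\\Users\\Default User\\Idle.exe'\" /f"},
    {"pid": 2180, "parent": "C:\\providercommon\\DllCommonsvc.exe", "image": PS, "cmdline":
     "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\providercommon\\taskhost.exe'"},
    {"pid": 4100, "parent": "C:\\Windows\\System32\\cmd.exe", "image": SCHTASKS, "cmdline":
     "schtasks.exe /create /tn \"Backup\" /sc DAILY /tr \"'C:\\Windows\\System32\\wbadmin.exe'\" /f"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"pid {f.pid:<5} {f.rule:<34} {f.detail}")
```

Run against the five sample events, the control task on wbadmin.exe produces nothing, while the three DcRat tasks each yield a WMI-parent finding and two masquerade reasons, the exclusion is reported once, and the two correlations fire for C:\providercommon\taskhost.exe. Feeding real Sysmon event 1 records into `triage` only requires mapping Image, ParentImage and CommandLine onto the same keys.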
Processes
-
Note on the chain below: each taskhost.exe instance runs a .bat from %TEMP% via cmd /C; the batch calls w32tm /stripchart against localhost with /period:5 /samples:2 (two samples five seconds apart, so it acts as a ~5 s delay) and then starts taskhost.exe again, which is why the tree nests one level deeper on every restart (ten taskhost.exe instances within the 145 s run).
[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9f8dbd91e84073bd34f56c548a1dccad817f707218cd613f6c7706a201ca039e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9f8dbd91e84073bd34f56c548a1dccad817f707218cd613f6c7706a201ca039e.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2392
[depth 2] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2596
[depth 3] C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:484
[depth 4] C:\providercommon\DllCommonsvc.exe
  Command line: "C:\providercommon\DllCommonsvc.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2788
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3008
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2504
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Idle.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Links\WMIADAP.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1152
[depth 5] C:\providercommon\taskhost.exe
  Command line: "C:\providercommon\taskhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2160
[depth 6] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f4KPDhjeqr.bat"
  - Suspicious use of WriteProcessMemory
  PID:1092
[depth 7] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2540
[depth 7] C:\providercommon\taskhost.exe
  Command line: "C:\providercommon\taskhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:300
[depth 8] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat"
  - Suspicious use of WriteProcessMemory
  PID:1064
[depth 9] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:1640
[depth 9] C:\providercommon\taskhost.exe
  Command line: "C:\providercommon\taskhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1140
[depth 10] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AJeLhFiBvb.bat"
  - Suspicious use of WriteProcessMemory
  PID:2776
[depth 11] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:268
[depth 11] C:\providercommon\taskhost.exe
  Command line: "C:\providercommon\taskhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
[depth 12] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HEz7ZQMTyX.bat"
  PID:1984
[depth 13] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2872
[depth 13] C:\providercommon\taskhost.exe
  Command line: "C:\providercommon\taskhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
[depth 14] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Db6xYfwFNB.bat"
  PID:1428
[depth 15] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2204
[depth 15] C:\providercommon\taskhost.exe
  Command line: "C:\providercommon\taskhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
[depth 16] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rd8mWnFnEV.bat"
  PID:2436
[depth 17] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2208
[depth 17] C:\providercommon\taskhost.exe
  Command line: "C:\providercommon\taskhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
[depth 18] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bDGJqXcsCJ.bat"
  PID:2900
[depth 19] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2160
[depth 19] C:\providercommon\taskhost.exe
  Command line: "C:\providercommon\taskhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
[depth 20] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D6YKtyItKL.bat"
  PID:2740
[depth 21] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:448
[depth 21] C:\providercommon\taskhost.exe
  Command line: "C:\providercommon\taskhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:944
[depth 22] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hD3D8PLBZ9.bat"
  PID:2996
[depth 23] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:1980
[depth 23] C:\providercommon\taskhost.exe
  Command line: "C:\providercommon\taskhost.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
[depth 24] C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\574RqM7W2b.bat"
  PID:2876
[depth 25] C:\Windows\system32\w32tm.exe
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2988
-
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2988
-
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1292
-
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2724
-
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\providercommon\explorer.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2692
-
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1700
-
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2548
-
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\providercommon\taskhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2508
-
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1036
-
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1480
-
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\providercommon\dwm.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1844
-
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2480
-
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1244
-
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2740
-
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2972
-
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2120
-
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Idle.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2960
-
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1772
-
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2000
-
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Links\WMIADAP.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:2040
-
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Default\Links\WMIADAP.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:1760
-
[depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Links\WMIADAP.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3040
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 7abe7dd00a67283d82592f623a78af10
SHA1: fc0c99d8c5b0bd02513ba36faa2e4470a743c64a
SHA256: b8ec95bba06f2bdf776aa0c26511f73fe40f7641efae1947ddf41b0b8d68c6d0
SHA512: ecef8207c8d291448f813c46b92e33beea48da3a678724c4eeab9ca1792f065796ac3e72103178d5e23714851eaa7814ee7f5af80e7c591d6c911c815a1237ca
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: eaa96e7522d7e9e8d0cd90d6379a3808
SHA1: 8d81bd3b89ab11abc8b48bf3a3be33dd78117c72
SHA256: 40a01e32bfd1532f9a593c2de88cc90a4a6755713194d57f7f269ad5e762bc23
SHA512: 8b96ec8f03155c497b07009be65b5597e9247bf4ba38a760d60e387daa682f5ddfd4f77478618936de98fde361ede419a940fb656ccb1573b3d0ae7d419cc233
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 915ead2caeb97b28889144489c5e8145
SHA1: f76057d84a3a81a500989f4773e53388820f53fd
SHA256: 05d5ba9672a00e405cf301bc37766f35b531ef29189b3e98945b62177e1c6228
SHA512: a75a0ba2755f0e95d67dccb89f1dbef3fcd063341243b293e0c12cf9ce181b2c97d078fc1dc024b4ac52726707a7eeb2c7b57dbea5c6f046abd98d2e8e7cc717
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 1787344b1a4dc98f8ac787137e49b5d4
SHA1: 67ebf080a623b340244d11106bca71e66d47cb50
SHA256: 319eafe00807422da8805d2e6e4e61cdf1d162295d66cb2eba46733117e2a36a
SHA512: 884d0f775ccb2f8058b0b54adc4da3be24e3f6f221ee5ebd2094b83544e97ea1e80b0483261ffab5979713cd59b63abb9e308a92088d8a3552587209187e7d0c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 7fe8716c948544c8569da74fe17ba9a9
SHA1: 05a0663e84c9d8300eebe2d8ddbb3ebd784191d1
SHA256: 439a27550d992de165d85dece2ed007ccb2f5baac9f8aac3485d5d10cbc251a9
SHA512: a1c297ad8e0624e02e79dd4f97cad2c99682723323cad019001c0322c7b305582bd6e5a53246b0a6d73d48ee60aa3e8a90173b30682285ef622215842355b20b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: ebdb809e2781831bc9f549a2974298a2
SHA1: 9c57ad86d339d78ca3cea53c2dfd160c7ab68282
SHA256: a1de7f9cf2208d226fd9afeb9a3ca476db7accb36d4451aa7a05aef550eba817
SHA512: 82f268055946c92046feaa56cdca357609ea2b86a9799a431f06897cfd296b9e5adc4fb4fe61a21b80a4e56504b8b2952e5dba42af13a50f532b135250d48a3b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 933e9c094d1d1a59a3962a364d12db5b
SHA1: b0f1a4064e3b1ae1ff8358910409511b8b6b522f
SHA256: dcecd1acb3abb429fabe80e67e5237631f7c0ef203e23fa6a28c8b9904f1d620
SHA512: 1073e15caf62a610445857f8fb6fad06b0ae45c214b3194eb962a0aecdce9a9b67255b2ab1ce47fc058494a4ccc04db454ad3bfa5dcce327d6b91cdaf087d7d4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: de95eda6e66d468e0ec2e47d65acbedf
SHA1: 96e8b941bc5bc7cacd0dd3ef35720c7a603b7f79
SHA256: 72af31caba9fa6c81cebc7eaa8fbe10ab85c92d61a40ca2e38ea27e389db63c7
SHA512: d5b5f1f9fc2ff50055b75ea694e3bf50e6f4cc7b312cb88429acb1bee38bc23eb3127185dd8ad933226b4f64db051ffecab60d0ef32e50d948e0cbe9becc1643
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 29347996c391de3201515e6f0429492a
SHA1: feffc77ba4409917879cb7cb87301804ef729c2a
SHA256: 92a66d17a98e7a5fe8d4289e7a8a8dfa7e8614dfed7ad28be214772af9492278
SHA512: e49ddcec591d8ec56efd8a6adb744a6b178df976f00f0d85ea550b0a3d08167d7263dd64f110a277f29f85310dd3b981fdac4098bf7e6e23c160daf3bbb8ac24
-
Filesize: 195B
MD5: 34f7ebaadb3d2d1eeba464fe7b32c4c0
SHA1: a05a36495dde07db5e2fbdc57f656805e24b0a02
SHA256: 4e244b8854e411066457d2beca0d499c7ab68f7eb748bbad776adaf17e78385e
SHA512: e6911b464c16fcb978485517241048e9a69dc57234c87393405d2152852748a5511343f1acc0ebad0af6b062fe7be99dc5213c5e14e098c34f368f30e07c11b2
-
Filesize: 195B
MD5: 67a105a9b886ef15bb00be687af4ba7a
SHA1: 109c36f7bcb4fcfc47725d07b13de200dd7ad6a7
SHA256: 14ab9743a6480fb196315b295da8c60b9dde3c2007c7c550e0752d5590490662
SHA512: ad332d3d8398eaea16c4c9f9c05435e8515fd0b2c4502b595ddc2af56017b084fa20b45aa591c1dbbc14e0edd36b9c5934e9d7e5864427516a2816594c4ca827
-
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize: 195B
MD5: 68277a2c58e143e629a786b29a8bdd08
SHA1: 62c505f7e08b4d1c5b010fc2525fbfc905eea990
SHA256: f9366e5a23ce193f15285a7d796b9d3c1ffdf6c1657a47bc347e1484a6b31ba6
SHA512: 981f95545cf04ada43b6dc60b3a1673bcb558b160636cd2904d2577a50387738cd38a8c8e356a624bf28c7ec92169396b060f2f96e5a1e5e50e9434c7de37cac
-
Filesize: 195B
MD5: 077bbaac22e092a8a7b68861287ba809
SHA1: 2681665c24e6bc51ed123015650d8602fc43969c
SHA256: 9cc071d73232cba5d781fd77a112c7a613bb4df04b877b89817aef90a580bba9
SHA512: 79de6ec213b8f01e8c3d6f82ab1e1c14a3bcf81e5150dba1c0b2f6a9352baff0cd9cab50fd5667311dac1f28301fdbf210c49fc28bcd3049a30ede531e63ea6d
-
Filesize: 195B
MD5: 4c04c15cecb67e07d0d3e9bf2162b95c
SHA1: de2b65a40d385e7eb1226421753fe1ed0c88251a
SHA256: e23221d413255d10c20831e128fc6a39de0b447c6c0587f4b189ca05753f796c
SHA512: 4ad2c6154522d4fe0bd1ad171b6c84b19b95ba5a2e0f468bcca05e5e0c6634018cabaa2571ac798ab4d771414546024e72090bfd596be6431e58443dced0e090
-
Filesize: 195B
MD5: 04ec1dd7a0fc4cd3ea9062ce580c6e67
SHA1: bd425fa8a8748ec85140a197b3cadee98b9132dd
SHA256: 4cdce0afc5da97e697471824b59f5be41de5582335b62a474229eda9e47dee62
SHA512: 2114e1a71e1256b665fa315d2cc88c6c229456cd8ee224a6c6bef95cd8dd8f1c1734190f5a0c996d5d6b8509c386b4a04d585e6effd3f64bb707c1d8832a8214
-
Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize: 195B
MD5: 0c2824fc6d49dc8d276fada9ccbee5cd
SHA1: baccef643703669df524d37c552c64b53e120c12
SHA256: c8bc1d1e8d35411ba1f953250d97d70421ab01352a200f132ffa65d1cbb7b221
SHA512: 5a1b5848878e77446daf68d6356842bf577d9dfc3b4a8b1cdc4f38e721387c9fbbbafebc76cb46fa0fa40a73bc23fa1891b983326a0283008b2d7d0fd1673b74
-
Filesize: 195B
MD5: 0a5c757e168dbe55c34e1922a7044858
SHA1: 8112beccd538a4f96b6b7694f3d56d04e08759ed
SHA256: 4f8244140366ba23d86e3de2288080e11e75d506a26d8c5680cebad9b212ca7c
SHA512: 9221b2cd6a706ee9c4d5b836ff2f1582db69e0ea86bb5a0cac5c98bee1c95c87c30e85313d02c72113536c3615de9cff5c34b87f4d070c47730aef514c25cdf5
-
Filesize: 195B
MD5: 56b6ca74bc5e73f79ecbf8d1a66196bb
SHA1: 621bca834db746819c9c0fb0e69dbd8d07fb7ea5
SHA256: 93a1b8297befc6cf05bb9fb0a0ea96183c82a17df6563b06702ca53d2417e055
SHA512: e91018b7fd8f4715b8c043b91eab6a64ec9f9fedbcce21027d04b27411ac2c311769a58078ddb33ad6c9c981ea0408bb4e143de033613359736933be19514d7e
-
Filesize: 195B
MD5: a5b4cb7b2a791c430410283a61998f93
SHA1: db9a88f55e2d797fc2c38dc7db2e327cef0f01ae
SHA256: 748d0e2c7659ad14fe49ba2a73e0a52797013d54163879c3e79c6922bba66956
SHA512: e235aede87f2828ad1cb011692409e5be9a8ffaeb1ec42f5150ea830b880f23ed3c357becbdad5f4f5747dcb31ee2caeac1687c0534d73636bf8177a5d3b237f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: a02802491aa26b32eddfababcc693217
SHA1: ce0db833da77a248f7ffbcd3ec98f90fa718d074
SHA256: 31b335d00570cbb2b31ee3109ee604338d64073dcec825eabc5f9166e119986e
SHA512: 8b1ff61948bc1c4a7514d82ac6edc8bc6e9a72b6fa0acbc6c4919035610b68151acaacdbc161a591dfc916a1a04ed504c2918c27dc8fe27369aacde5e882773c
-
Filesize: 36B
MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize: 197B
MD5: 8088241160261560a02c84025d107592
SHA1: 083121f7027557570994c9fc211df61730455bb5
SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize: 1.0MB
MD5: bd31e94b4143c4ce49c17d3af46bcad0
SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394