Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 19:49
Behavioral task
behavioral1
Sample
JaffaCakes118_fb541d074284a12cd503775e8387216dab54816303a08b94f7eacfc7387fa14c.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_fb541d074284a12cd503775e8387216dab54816303a08b94f7eacfc7387fa14c.exe
Resource
win10v2004-20241007-en
General
Target: JaffaCakes118_fb541d074284a12cd503775e8387216dab54816303a08b94f7eacfc7387fa14c.exe
Size: 1.3MB
MD5: 3fce60b6bf907780d774d81fa981bfe4
SHA1: 30d3019e6c5ab5719cd192d097d0989a92b8c54e
SHA256: fb541d074284a12cd503775e8387216dab54816303a08b94f7eacfc7387fa14c
SHA512: cb7ee9398e5492d0b5df6b423ada0739f02e59ae1d49328a11df90c4da0c612efa938220e940f8b5c2a33d85094422fa29603c5155a6c7cddcb1680dbcc32f0a
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures

DcRat
DarkCrystal (DCRat) is a .NET RAT active since June 2019 that can load additional plugins.

Dcrat family
Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this trace the parent is the genuine WMI provider host (C:\Windows\system32\wbem\wmiprvse.exe, PID 2616), not the dropped file named WmiPrvSE.exe under C:\Recovery. Processes created through WMI (Win32_Process Create) appear as children of the provider host, so these schtasks.exe instances are the dropper's persistence tasks launched indirectly; their task names and targets match the files DllCommonsvc.exe created (see the schtasks command lines in the process list).
description                                                                        pid   pid_target  Process       procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2644  2616        schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2636  2616        schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2780  2616        schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2612  2616        schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2660  2616        schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2004  2616        schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2428  2616        schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1992  2616        schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  344   2616        schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1008  2616        schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2964  2616        schtasks.exe  35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2996  2616        schtasks.exe  35
resource                                                                      yara_rule
behavioral1/files/0x0008000000016dc8-10.dat                                   dcrat
behavioral1/memory/2752-13-0x00000000011C0000-0x00000000012D0000-memory.dmp    dcrat
behavioral1/memory/2972-32-0x0000000000150000-0x0000000000260000-memory.dmp    dcrat
behavioral1/memory/2212-117-0x00000000008B0000-0x00000000009C0000-memory.dmp   dcrat
behavioral1/memory/2816-177-0x00000000011A0000-0x00000000012B0000-memory.dmp   dcrat
behavioral1/memory/1912-416-0x00000000011B0000-0x00000000012C0000-memory.dmp   dcrat
behavioral1/memory/2324-535-0x00000000013C0000-0x00000000014D0000-memory.dmp   dcrat
behavioral1/memory/2484-596-0x00000000001B0000-0x00000000002C0000-memory.dmp   dcrat
behavioral1/memory/612-657-0x0000000000B10000-0x0000000000C20000-memory.dmp    dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Runs PowerShell to modify Windows Defender settings by adding exclusions for file extensions, paths, or processes. All five invocations here use Add-MpPreference -ExclusionPath, one for each location where the payload lives (the command lines are in the process list), so that Defender skips exactly the files the dropper has just written. Add-MpPreference needs administrative rights, so whether the exclusions took effect depends on the dropper running elevated.
pid   Process
2796  powershell.exe
1180  powershell.exe
2948  powershell.exe
2504  powershell.exe
1748  powershell.exe
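The five PowerShell invocations above each whitelist a path that the dropper itself had written moments earlier, which is the detail that separates this from a legitimate administrator adding an exclusion. The Python below is an added example, not part of the sandbox report or of the malware: it parses Add-MpPreference / Set-MpPreference exclusion arguments out of process command lines (quoted and comma-separated values included) and raises the severity when the excluded path matches a file that the excluding process's parent created in the same trace. The event layout and field names are an assumption modelled loosely on Sysmon process-create and file-create events; the PIDs, paths and command lines are taken from this report, and the extension-exclusion event is constructed for contrast.

```python
import re

# Constructed events modelled on this report (PIDs, paths and command lines copied
# from it). The dict layout and field names are assumptions, not a real log format.
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = r"C:\providercommon\DllCommonsvc.exe"
EVENTS = [
    {"type": "file_create", "pid": 2752, "image": DROPPER,
     "path": r"C:\Program Files\Java\jdk1.7.0_80\csrss.exe"},
    {"type": "file_create", "pid": 2752, "image": DROPPER,
     "path": r"C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe"},
    {"type": "process_create", "pid": 2948, "ppid": 2752, "image": POWERSHELL,
     "cmdline": "\"powershell\" -Command Add-MpPreference -ExclusionPath "
                "'C:\\Program Files\\Java\\jdk1.7.0_80\\csrss.exe'"},
    {"type": "process_create", "pid": 2796, "ppid": 2752, "image": POWERSHELL,
     "cmdline": "\"powershell\" -Command Add-MpPreference -ExclusionPath "
                "'C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\WmiPrvSE.exe'"},
    # Constructed admin-style exclusion with no matching file drop, for contrast.
    {"type": "process_create", "pid": 4100, "ppid": 900, "image": POWERSHELL,
     "cmdline": "powershell -Command Set-MpPreference -ExclusionExtension '.log','.tmp'"},
]

CMDLET_RE = re.compile(r"\b(Add|Set)-MpPreference\b", re.IGNORECASE)
# One argument value: single-quoted, double-quoted, or a bare token without commas.
TOKEN = r"""'[^']*'|"[^"]*"|[^\s,'"]+"""
PARAM_RE = re.compile(
    rf"-Exclusion(Path|Process|Extension)\s+((?:{TOKEN})(?:\s*,\s*(?:{TOKEN}))*)",
    re.IGNORECASE,
)
VALUE_RE = re.compile(TOKEN)


def parse_exclusions(cmdline):
    """Return [(kind, value), ...] for every Defender exclusion a command line adds.

    kind is 'Path', 'Process' or 'Extension'; quotes are stripped from values.
    """
    if not CMDLET_RE.search(cmdline):
        return []
    found = []
    for m in PARAM_RE.finditer(cmdline):
        kind = m.group(1).capitalize()
        for raw in VALUE_RE.findall(m.group(2)):
            found.append((kind, raw.strip("'\"")))
    return found


def _norm(path):
    return path.strip().lower().rstrip("\\")


def correlate(events):
    """Pair each exclusion with the process that wrote the excluded file.

    high   : the path was written by the excluding process's parent
             (malware whitelisting what it just dropped, as in this report)
    medium : the path was written by some other process in the trace
    low    : no write seen (extensions, process names, pre-existing files)
    """
    dropped_by = {_norm(e["path"]): e["pid"] for e in events if e["type"] == "file_create"}
    findings = []
    for e in events:
        if e["type"] != "process_create":
            continue
        for kind, value in parse_exclusions(e["cmdline"]):
            writer = dropped_by.get(_norm(value)) if kind == "Path" else None
            if writer is None:
                severity = "low"
            elif writer == e["ppid"]:
                severity = "high"
            else:
                severity = "medium"
            findings.append({"pid": e["pid"], "ppid": e["ppid"], "kind": kind,
                             "value": value, "dropped_by": writer, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"{f['severity']:6} pid={f['pid']} ppid={f['ppid']} "
              f"{f['kind']}={f['value']} dropped_by={f['dropped_by']}")
```

The correlation key is the parent PID of the PowerShell process, because in this trace the exclusions are spawned directly by DllCommonsvc.exe (PID 2752), the same process that created the files. On a host, the same join can be made between Sysmon event ID 11 (file create) and event ID 1 (process create) using ParentProcessId.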
Executes dropped EXE 12 IoCs
pid   Process
2752  DllCommonsvc.exe
2972  WmiPrvSE.exe
2212  WmiPrvSE.exe
2816  WmiPrvSE.exe
2540  WmiPrvSE.exe
836   WmiPrvSE.exe
2980  WmiPrvSE.exe
1912  WmiPrvSE.exe
2308  WmiPrvSE.exe
2324  WmiPrvSE.exe
2484  WmiPrvSE.exe
612   WmiPrvSE.exe
Loads dropped DLL 2 IoCs
pid   Process
2488  cmd.exe
2488  cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
flow  ioc
4     raw.githubusercontent.com
12    raw.githubusercontent.com
16    raw.githubusercontent.com
30    raw.githubusercontent.com
34    raw.githubusercontent.com
37    raw.githubusercontent.com
41    raw.githubusercontent.com
5     raw.githubusercontent.com
9     raw.githubusercontent.com
20    raw.githubusercontent.com
23    raw.githubusercontent.com
27    raw.githubusercontent.com
Drops file in Program Files directory 4 IoCs
description   ioc                                                                Process
File created  C:\Program Files (x86)\Windows Portable Devices\a76d7bf15d8370    DllCommonsvc.exe
File created  C:\Program Files\Java\jdk1.7.0_80\csrss.exe                        DllCommonsvc.exe
File created  C:\Program Files\Java\jdk1.7.0_80\886983d96e3d3e                   DllCommonsvc.exe
File created  C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe   DllCommonsvc.exe
Drops file in Windows directory 3 IoCs
description                   ioc                                                                    Process
File created                  C:\Windows\ServiceProfiles\NetworkService\Pictures\a76d7bf15d8370      DllCommonsvc.exe
File created                  C:\Windows\ServiceProfiles\NetworkService\Pictures\DllCommonsvc.exe    DllCommonsvc.exe
File opened for modification  C:\Windows\ServiceProfiles\NetworkService\Pictures\DllCommonsvc.exe    DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_fb541d074284a12cd503775e8387216dab54816303a08b94f7eacfc7387fa14c.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2004  schtasks.exe
1992  schtasks.exe
344   schtasks.exe
1008  schtasks.exe
2644  schtasks.exe
2636  schtasks.exe
2780  schtasks.exe
2660  schtasks.exe
2996  schtasks.exe
2612  schtasks.exe
2428  schtasks.exe
2964  schtasks.exe
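The twelve schtasks.exe command lines in the process list share a recognisable shape: a /create with an ONLOGON trigger plus a MINUTE repeat for each dropped copy, /rl HIGHEST on most of them, targets that reuse Windows binary names (WmiPrvSE.exe, csrss.exe) in directories those binaries never live in, and a parent of wmiprvse.exe. The Python below is an added example, not part of the sandbox report: it tokenises a schtasks /create command line the way cmd does (double-quoted runs stay whole), pulls out the task name, schedule, target and run level, and scores the creation against those indicators. The list of system binary names and the benign "NightlyBackup" task are constructed assumptions; the three malicious command lines and their parent image are copied from this report.

```python
import re
from pathlib import PureWindowsPath

# Constructed input: (parent image, command line). The first three are copied from
# this report's process list, whose parent is the system WMI provider host; the
# fourth is a constructed benign task for contrast.
WMI_HOST = r"C:\Windows\system32\wbem\wmiprvse.exe"
SAMPLES = [
    (WMI_HOST, r'''schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f'''),
    (WMI_HOST, r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jdk1.7.0_80\csrss.exe'" /f'''),
    (WMI_HOST, r'''schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe'" /rl HIGHEST /f'''),
    (r"C:\Windows\explorer.exe",
     r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe" /f'''),
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # cmd-style: a double-quoted run is one token
VALUE_SWITCHES = {"/tn", "/sc", "/mo", "/tr", "/rl", "/ru", "/st"}
# Assumed list of names whose presence outside the system directories is suspicious.
SYSTEM_BINARIES = {"wmiprvse.exe", "csrss.exe", "svchost.exe", "lsass.exe", "smss.exe",
                   "winlogon.exe", "services.exe", "dllhost.exe", "conhost.exe", "explorer.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
WINDOWS_ROOT = r"c:\windows"


def parse_schtasks_create(cmdline):
    """Return the switches of a `schtasks /create` command as a dict, or None."""
    toks = TOKEN_RE.findall(cmdline)
    if not toks or "schtasks" not in toks[0].lower():
        return None
    if "/create" not in (t.lower() for t in toks):
        return None
    task = {"force": False}
    i = 1
    while i < len(toks):
        sw = toks[i].lower()
        if sw in VALUE_SWITCHES and i + 1 < len(toks):
            # /tr values in this report are wrapped as "'path'": strip both quote kinds.
            task[sw[1:]] = toks[i + 1].strip('"').strip("'")
            i += 2
            continue
        if sw == "/f":
            task["force"] = True
        i += 1
    return task


def is_masquerade(path):
    """True when a file borrows a Windows system binary's name but lives outside System32/SysWOW64."""
    p = PureWindowsPath(path)
    parent = str(p.parent).lower()
    in_system_dir = parent == WINDOWS_ROOT or any(
        parent == d or parent.startswith(d + "\\") for d in SYSTEM_DIRS)
    return p.name.lower() in SYSTEM_BINARIES and not in_system_dir


def assess(parent_image, cmdline):
    """Return the reasons a task creation looks like malware persistence (empty if none)."""
    task = parse_schtasks_create(cmdline)
    if task is None:
        return []
    reasons = []
    if PureWindowsPath(parent_image).name.lower() == "wmiprvse.exe":
        reasons.append("schtasks launched via the WMI provider host (indirect execution)")
    target = task.get("tr", "")
    if is_masquerade(target):
        reasons.append(f"target {target!r} reuses a system binary name outside System32")
    if task.get("rl", "").upper() == "HIGHEST":
        reasons.append("runs with highest available privileges (/rl HIGHEST)")
    sched = task.get("sc", "").upper()
    if sched == "ONLOGON":
        reasons.append("runs at every logon")
    if sched == "MINUTE":
        reasons.append(f"re-launched every {task.get('mo', '1')} minute(s)")
    return reasons


if __name__ == "__main__":
    for parent, cmd in SAMPLES:
        task = parse_schtasks_create(cmd)
        print(task["tn"], "->", assess(parent, cmd) or ["no indicators"])
```

The parent check is deliberately on wmiprvse.exe rather than on the dropper, because process creation through WMI hides the real initiator; on a live host the same hunt runs over Sysmon event ID 1 for schtasks.exe with a wmiprvse.exe parent, or over the Microsoft-Windows-TaskScheduler/Operational log (event ID 106, task registered).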
Suspicious behavior: EnumeratesProcesses 19 IoCs
pid   Process
2752  DllCommonsvc.exe
2752  DllCommonsvc.exe
2752  DllCommonsvc.exe
2796  powershell.exe
2948  powershell.exe
1180  powershell.exe
1748  powershell.exe
2504  powershell.exe
2972  WmiPrvSE.exe
2212  WmiPrvSE.exe
2816  WmiPrvSE.exe
2540  WmiPrvSE.exe
836   WmiPrvSE.exe
2980  WmiPrvSE.exe
1912  WmiPrvSE.exe
2308  WmiPrvSE.exe
2324  WmiPrvSE.exe
2484  WmiPrvSE.exe
612   WmiPrvSE.exe
Suspicious use of AdjustPrivilegeToken 17 IoCs
description              pid   Process
Token: SeDebugPrivilege  2752  DllCommonsvc.exe
Token: SeDebugPrivilege  2796  powershell.exe
Token: SeDebugPrivilege  2948  powershell.exe
Token: SeDebugPrivilege  2972  WmiPrvSE.exe
Token: SeDebugPrivilege  1180  powershell.exe
Token: SeDebugPrivilege  1748  powershell.exe
Token: SeDebugPrivilege  2504  powershell.exe
Token: SeDebugPrivilege  2212  WmiPrvSE.exe
Token: SeDebugPrivilege  2816  WmiPrvSE.exe
Token: SeDebugPrivilege  2540  WmiPrvSE.exe
Token: SeDebugPrivilege  836   WmiPrvSE.exe
Token: SeDebugPrivilege  2980  WmiPrvSE.exe
Token: SeDebugPrivilege  1912  WmiPrvSE.exe
Token: SeDebugPrivilege  2308  WmiPrvSE.exe
Token: SeDebugPrivilege  2324  WmiPrvSE.exe
Token: SeDebugPrivilege  2484  WmiPrvSE.exe
Token: SeDebugPrivilege  612   WmiPrvSE.exe
Suspicious use of WriteProcessMemory 64 IoCs
Each row groups the repeated writes from one parent into one child; the count column gives how many times the write appears in the original list. The list is capped at 64 entries and ends part-way through the chain, which continues in the process list below.
pid   Process                                                                              wrote to  procid_target  count
1616  JaffaCakes118_fb541d074284a12cd503775e8387216dab54816303a08b94f7eacfc7387fa14c.exe   1980      30             4
1980  WScript.exe                                                                          2488      32             4
2488  cmd.exe                                                                              2752      34             4
2752  DllCommonsvc.exe                                                                     2504      48             3
2752  DllCommonsvc.exe                                                                     1748      49             3
2752  DllCommonsvc.exe                                                                     2796      51             3
2752  DllCommonsvc.exe                                                                     2948      54             3
2752  DllCommonsvc.exe                                                                     1180      55             3
2752  DllCommonsvc.exe                                                                     2972      58             3
2972  WmiPrvSE.exe                                                                         2384      59             3
2384  cmd.exe                                                                              892       61             3
2384  cmd.exe                                                                              2212      62             3
2212  WmiPrvSE.exe                                                                         2944      63             3
2944  cmd.exe                                                                              2636      65             3
2944  cmd.exe                                                                              2816      66             3
2816  WmiPrvSE.exe                                                                         2648      67             3
2648  cmd.exe                                                                              2780      69             3
2648  cmd.exe                                                                              2540      70             3
2540  WmiPrvSE.exe                                                                         2444      71             3
2444  cmd.exe                                                                              1588      73             3
2444  cmd.exe                                                                              836       74             1
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Depth is given in brackets: a node at depth n is a child of the nearest preceding node at depth n-1. Each dropped WmiPrvSE.exe copy runs a .bat from %TEMP% that calls w32tm /stripchart (with /period:5 /samples:2 it acts as a delay of roughly five seconds) and then starts the next copy, which is what produces the 25-level chain. The schtasks.exe entries at the end are listed at depth 1 because their parent is the genuine WMI provider host (PID 2616), which is not part of the sample's own tree.

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fb541d074284a12cd503775e8387216dab54816303a08b94f7eacfc7387fa14c.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fb541d074284a12cd503775e8387216dab54816303a08b94f7eacfc7387fa14c.exe"
    PID: 1616
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

[2] C:\Windows\SysWOW64\WScript.exe
    cmdline: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
    PID: 1980
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

[3] C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /c ""C:\providercommon\1zu9dW.bat" "
    PID: 2488
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

[4] C:\providercommon\DllCommonsvc.exe
    cmdline: "C:\providercommon\DllCommonsvc.exe"
    PID: 2752
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
    PID: 2504
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\NetworkService\Pictures\DllCommonsvc.exe'
    PID: 1748
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe'
    PID: 2796
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\csrss.exe'
    PID: 2948
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe'
    PID: 1180
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe
    cmdline: "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe"
    PID: 2972
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[6] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uZApDsIgYI.bat"
    PID: 2384
    - Suspicious use of WriteProcessMemory

[7] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 892

[7] C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe
    cmdline: "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe"
    PID: 2212
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[8] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H7kUlUtrsw.bat"
    PID: 2944
    - Suspicious use of WriteProcessMemory

[9] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2636

[9] C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe
    cmdline: "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe"
    PID: 2816
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[10] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat"
    PID: 2648
    - Suspicious use of WriteProcessMemory

[11] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2780

[11] C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe
    cmdline: "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe"
    PID: 2540
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[12] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kRqsvBC5Qb.bat"
    PID: 2444
    - Suspicious use of WriteProcessMemory

[13] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1588

[13] C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe
    cmdline: "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe"
    PID: 836
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[14] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nKCzYbro9F.bat"
    PID: 352

[15] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 2640

[15] C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe
    cmdline: "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe"
    PID: 2980
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[16] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat"
    PID: 2992

[17] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1012

[17] C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe
    cmdline: "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe"
    PID: 1912
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[18] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat"
    PID: 2008

[19] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 544

[19] C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe
    cmdline: "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe"
    PID: 2308
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[20] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l4DYpxlgJN.bat"
    PID: 2860

[21] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 1976

[21] C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe
    cmdline: "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe"
    PID: 2324
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[22] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iqKdioc4MG.bat"
    PID: 1836

[23] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 3064

[23] C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe
    cmdline: "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe"
    PID: 2484
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[24] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hbGxgnDDQj.bat"
    PID: 1116

[25] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 900

[25] C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe
    cmdline: "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe"
    PID: 612
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Windows\ServiceProfiles\NetworkService\Pictures\DllCommonsvc.exe'" /f
    PID: 2644
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\Pictures\DllCommonsvc.exe'" /rl HIGHEST /f
    PID: 2636
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Windows\ServiceProfiles\NetworkService\Pictures\DllCommonsvc.exe'" /rl HIGHEST /f
    PID: 2780
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe'" /f
    PID: 2612
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
    PID: 2660
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
    PID: 2004
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jdk1.7.0_80\csrss.exe'" /f
    PID: 2428
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\csrss.exe'" /rl HIGHEST /f
    PID: 1992
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk1.7.0_80\csrss.exe'" /rl HIGHEST /f
    PID: 344
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe'" /f
    PID: 1008
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe'" /rl HIGHEST /f
    PID: 2964
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe'" /rl HIGHEST /f
    PID: 2996
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: ee43fd8362b743cfa4d7a15d7440fa6f
SHA1: ff7429abb017ee19d8780c2c436529fe7f4afefc
SHA256: 0c3bd6617e700e3872ca260e2fd63aac8d925ea3dcdb31f070595e9e3727a28b
SHA512: f7ff63c23e265f4d23e0909e9bed493c00d7ee62146a938ae9e19bc1344145e37c3b4d406c7473a05e19a9aafcb5f057c4637bd1091c4bda8bd31b8c442a52ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 87f10de7231e5bc4227cc6856ebfbc6f
SHA1: fa6845f4a39080c4bb3dc1911ec75cc5a408e9ea
SHA256: 6dd3e26a009e1ea3ea3f86838b2f71fd7148510c95ba8a45d5d03299009cd465
SHA512: f06597f1eb62e2b91b350d4534ca292f0ec2313da36d2a7dacf66fb149cd67dba0f2ba3b20916ca886d9cfba3cba6e5ea0bc7e6ec0144d7e93aa3d982a758d9b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: d22b5574f1d14bb6b6c8ed1c13b30d92
SHA1: 2c52024dac16c755f8b014f1c53f15cae7a2c273
SHA256: 0e712a162314dfec714e33b168163994430abf4471455dac18ddd4042a34d822
SHA512: a5cbe571f05e3d473136c37ec1e1477bd170b02e3f74bf1abfc19743143c0ab7b915f02ebfede2f2c5fededf869b58eecba7ebe6e363c8178593202db2bf6b6a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: a58ae69ae273bf4cdcaadedff0de0ed8
SHA1: 204f798ec9c1cab8c77c6f17bb8910870cb511de
SHA256: 1dd86e4d63c1139e7a91ff540822a971e77cf8e1be42e5ee2defbc4649cc772c
SHA512: b99bbea9d4ba8408ad372d428de386879b0a13d713829073b4e5839276756377cac873ee96b6f9ab5bd8b405f4c8468a80cc65ca30ccc4c03edb08e6a80792d7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 405163d4f28e9329a3f03483fbb8b07d
SHA1: fbe43bc5a8c9bbc2e5d0a2600c0a2a624cfa211c
SHA256: 242413a07a683b3b8b144e7c3df87bd2d1e7f8d91e3ddfabb3861f6294442782
SHA512: 4771f40535936ba4c85693e23d2ae886615789e0b5753fd3e7fd3627b89a7a873b9b2f5f4e69ffc80104eddebb070cfc5c2dbb50c7082e01408327ed87c233a9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 758d2414d445d7061ffb864409a0d90d
SHA1: 37ea0bf03b2cc601d12c561bb9806a85ebbedf71
SHA256: 428c720a1d609244df7af13e797ee835636910eeec41b02fe26cf66fb8f224d0
SHA512: f923d69fd6aa4ac760a06e0f7f7392598accb2f9e3d32fbb667c3436329f841e8d316eb9d2ff59f221a922c60d6cf2dd52316bf7fb0afe9205f925daf7cdcbdd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 29829d8175fb30444191d2debea633ed
SHA1: a2ad5679ddf35b38eb0dec6c4a0d305610716840
SHA256: f8842be4d859829d47ef329d405cac7553d2d8177c8ac1e86575a01796d66117
SHA512: f608f619319ca348b0905c25be98a99bbff9a97ddb44dca3ad3cff8c92b96d97d45d6f761563cb13b58697082d4de3cf50a7df5c4e48dd84e543ac1fe2814ffd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 19067cdf28611fdf806bac6ff50bedf0
SHA1: 3e7aa58e85f613fe49a0a171faaa80f909ecb7f1
SHA256: fabb87bcffb8cf803f22cec65029f6f2a4f4534f0761babd4c07296acd2905fa
SHA512: 78a8f7c0b35b1701ca20edc7c4be88744d8ce3fb098fd1ea49c18a76014c86189a875765303ba607ccc15b5bfa4f59fe2001be409a726d98445cf9a0c9ba4c15

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 943f857f1d7f63fe72b4fb04bff97cab
SHA1: ac047b94a480159f553a1fa1994e70772e96130c
SHA256: de8c1a8fa63f0378d34b1ca14f6b1a2e91f737842b16c0c7ae7c0186c73e6806
SHA512: 53ed08eb162dcce404612942b2b8d8c3bc6d63444be75f974c9326250cb5c162bb986ad22ea0c8aa9cbb9eec44b3a7de4098a30fa19535e507f77d54130a4a09

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 96c2143bba7b3eb77d3987998d9f6a90
SHA1: cb418c787d5a607db96923161056307ee1cdfd69
SHA256: 7ef3b48f0ffef1373c941fa377f19291b147cb25318e77fd52692507863391a0
SHA512: 69dae3c29b1e7096fac4dbbcf2f22f34f524b979468340581aa3dfc1a8861d9d65cc095b338825b6eef14458f42455e3b4be1dd624d18ad97361910826224a08

Filesize: 226B
MD5: 49680c09f0cc1274f90c0e58a8daad10
SHA1: c3b9f0cdef751d1f15acd4d1e85545963eb7e069
SHA256: 764cfd6a9a02d43f56cd2bfc3f77055d7258a862206fd8869da63b5d3d4f4133
SHA512: 2303f63142d8208a65e292bde21b834db15ecc8a3e90541b334b7d1b6532e31f749c3e81d7095623edde7bf3de2af408027234955481db5078b7cbf8ffa72dcc

Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Filesize: 226B
MD5: a248f62c50e16b2b6ef0caa4b208d68f
SHA1: 9cb87c4de1258ed7f88e2ce9cce9701423fd3303
SHA256: de3a814a60e66e07e7227705e4441f7eb6a75971f0736d7813c7da0445d3609a
SHA512: ce168fdb243869ff3df5e7728f1d9db273227f1aea3df95b1aef74e9c6c8d4c3fbd029d3e06c064f7a4c73b687c278ee31ffb9a99fae859c93230537a40e42ac

Filesize: 226B
MD5: 00390fa252a1a9edcb0558e62749e43c
SHA1: 78a16980ed74ad2f3cb00e6320f2055fb322c206
SHA256: 035b80be9b9eb67ac28992931e3d48bfd74c5847ede5591b9714f366da22aa42
SHA512: f33177087c3e1ef7d82ecce247f0a6df19676aefd7ebd196a2829cef4ed8e4874ea94a5bd7436cdd86800b95c3291e8cdda7174c6cf0d01ddcd8d59603787bbc

Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Filesize: 226B
MD5: 421bc57c8fe245ae372568125bdf1251
SHA1: 70380f3fe50fa7c0d6d034a24d4d970d51bfcf14
SHA256: fc43fbf231b811f429d89e7644b6f7d50236ae285e35ea7bbc0548fc9e0ea344
SHA512: 028918efa82dc590b422d32aa83945d491d373b09dfc6982cbd9bf517c533cd71cccb22e6db33c75b2f81eac7fa19b00172a9c72d971cf0e8b50fe99b4435db4

Filesize: 226B
MD5: adc7315070047ecda8c28c15e6595ce6
SHA1: 82d12cad024fefae6f8f6cee70eeddf18c9d5371
SHA256: 73165e1d26872004a235991363f7a86537db22627f4b1214dfbed6c31ba74492
SHA512: 65ab838615b31a356b20d6f701c3cd7a5b79102a9e1bd8d5be0a72ba2abf53edb6ca67077535ffa41521cb7730de55a42c7a2d962fe6f51b1a5b08ef4ab2da9c

Filesize: 226B
MD5: c7eb8277b57d3b83f5fc77e7ef471478
SHA1: eb9930bb3ef3d8b1937cdf276ca5091fdec57a20
SHA256: 4da428c5dfe1de2ac3f706f1094566b88817195fde62ecfb4f09aa0a3d11de35
SHA512: 008f344199f325d4f15ec3593edb26750db74130b43cf1216cfcabb60074dae10f719e162def4a359a904839f30a073ca4691456e7950499c5f59faf5597cfaf

Filesize: 226B
MD5: 0f1fd803e66b5063fd4248afcb884f2f
SHA1: f224d6a73a82487f894d11a2a1b94bd229a32f8d
SHA256: 0304673a38ca0f8c4c2aa604c232fcdea40eafb8c6904ebe810c49801289e496
SHA512: 6b70f3c5afa4aaf6969fd75a6fe7113b21d5b10db2995e5c8a39d987db05c1561317cf8a9d6b8e1abae6c70238fb4f84e9303c917c26fb7f374fb5211d6efb8b

Filesize: 226B
MD5: f19ad4b71371ba4dad6d4c083b1e722d
SHA1: 3b44f02b627db059f6833ae10cd9b72977fe35ef
SHA256: 2a072babb396c241f93b3b6d141097692f4361255a6d02662644a06235ab4b30
SHA512: 59ae234058fb031384d0bd12cdac4c329d9fd1a18822a7377a7edd11874ae903333e6aadd0aa9605c02c880800967701aaa2c4d26619bb697c60d7e32a294bb2

Filesize: 226B
MD5: d8b67d052c8923b90e6611ba6589e115
SHA1: 4f82b944c89a5460baaa2f1c119d5590823ffdbb
SHA256: 7cc1f00370a11e92446af66e8f5056593886876701cd3e8760c4e50e5e59e9ba
SHA512: 98ce4da4f263f5a202d3f9fe8032ddab06a8db6211fe6d6d0e8606770fa5a6f296a7838f2669b2b59c5ce57ce85ce8c5db504a0e569af1d065200a6200ae324e

Filesize: 226B
MD5: 73db4e005c097b64edf6708c39aaa5dd
SHA1: f74f89a025c17f74e7108968fb3053da0d0ddc48
SHA256: 61667b85af72d65824507cc4c6879fc072b4bdf8662151b74c2c8993bcc30e85
SHA512: 81e535fef79bbc752d64a9eac966a4b3162c9c5c5c2e62272319cf3f090e16d9ded870d73578abc52a8805646759388ef97462e074f2fe28cdcf687048114c49

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 28180e4daaea92bf769782b4d78452e5
SHA1: 10f9657c4b5336bebffe18b9ad4e41e78bbb7c11
SHA256: 2357860e8830becfcb46dc7b275c8312b70ed83746cfa6bd87546d0653c6a1ac
SHA512: dfb57c7624735a6a6c99a91a5f9dbb68599fd1be4f83c17c1abd97b501def0e35b9460d5c0e34ab5753cc0b1fc9935db4648875e3ba424b6af5c07f518a27ea8

Filesize: 36B
MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Filesize: 1.0MB
MD5: bd31e94b4143c4ce49c17d3af46bcad0
SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Filesize: 197B
MD5: 8088241160261560a02c84025d107592
SHA1: 083121f7027557570994c9fc211df61730455bb5
SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478