Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
21-12-2024 20:14
Behavioral task
behavioral1
Sample
JaffaCakes118_174022270166857b68fca652e45f4b3dab843e89180ca31d19891855ef595372.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_174022270166857b68fca652e45f4b3dab843e89180ca31d19891855ef595372.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_174022270166857b68fca652e45f4b3dab843e89180ca31d19891855ef595372.exe
-
Size
1.3MB
-
MD5
ee27ba05bbfd6f5e4f018ce62c807cce
-
SHA1
757b17f0231ddb98137b342da9bd23dc146f91b2
-
SHA256
174022270166857b68fca652e45f4b3dab843e89180ca31d19891855ef595372
-
SHA512
10703d6e7da9a53a5e73e88cb6b855b866ee41e6c8f1ac6cb8510f0c43ed05b67beca0ab955028f2ed9aa91920d8501cb051be094011d54f281bc40f680583c2
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2644 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2908 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2776 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2608 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2624 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1816 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2672 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2656 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 484 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2852 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2864 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2008 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 740 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2596 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2336 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2012 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2856 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2120 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2896 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1620 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1760 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2940 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2252 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2052 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1736 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2244 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 576 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1304 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 836 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1872 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2588 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1360 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1596 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2560 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2880 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2116 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2300 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1556 3020 schtasks.exe 34 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2640 3020 schtasks.exe 34 -
resource yara_rule behavioral1/files/0x000700000001945c-12.dat dcrat behavioral1/memory/2296-13-0x0000000000260000-0x0000000000370000-memory.dmp dcrat behavioral1/memory/1456-101-0x0000000000F40000-0x0000000001050000-memory.dmp dcrat behavioral1/memory/2172-112-0x0000000000130000-0x0000000000240000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 1684 powershell.exe 496 powershell.exe 2660 powershell.exe 1716 powershell.exe 1808 powershell.exe 1588 powershell.exe 1080 powershell.exe 1824 powershell.exe 1748 powershell.exe 2348 powershell.exe 1328 powershell.exe 2472 powershell.exe 1316 powershell.exe 1780 powershell.exe 2292 powershell.exe -
Executes dropped EXE 3 IoCs
pid Process 2296 DllCommonsvc.exe 1456 DllCommonsvc.exe 2172 services.exe -
Loads dropped DLL 2 IoCs
pid Process 2180 cmd.exe 2180 cmd.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\GroupPolicy\lsass.exe DllCommonsvc.exe File created C:\Windows\SysWOW64\GroupPolicy\6203df4a6bafc7 DllCommonsvc.exe -
Drops file in Program Files directory 10 IoCs
description ioc Process File created C:\Program Files\Internet Explorer\images\56085415360792 DllCommonsvc.exe File created C:\Program Files\Uninstall Information\lsm.exe DllCommonsvc.exe File created C:\Program Files\Uninstall Information\101b941d020240 DllCommonsvc.exe File created C:\Program Files\Windows Media Player\it-IT\56085415360792 DllCommonsvc.exe File opened for modification C:\Program Files\Windows Media Player\it-IT\wininit.exe DllCommonsvc.exe File created C:\Program Files\Windows Media Player\Icons\taskhost.exe DllCommonsvc.exe File created C:\Program Files\Internet Explorer\images\wininit.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Mail\it-IT\services.exe DllCommonsvc.exe File created C:\Program Files (x86)\Windows Mail\it-IT\c5b4cb5e9653cc DllCommonsvc.exe File created C:\Program Files\Windows Media Player\it-IT\wininit.exe DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_174022270166857b68fca652e45f4b3dab843e89180ca31d19891855ef595372.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2644 schtasks.exe 2608 schtasks.exe 2336 schtasks.exe 2244 schtasks.exe 2856 schtasks.exe 1620 schtasks.exe 1760 schtasks.exe 576 schtasks.exe 2908 schtasks.exe 2672 schtasks.exe 2008 schtasks.exe 2012 schtasks.exe 836 schtasks.exe 2588 schtasks.exe 2852 schtasks.exe 740 schtasks.exe 2120 schtasks.exe 2560 schtasks.exe 1816 schtasks.exe 1872 schtasks.exe 2300 schtasks.exe 2776 schtasks.exe 2656 schtasks.exe 2940 schtasks.exe 1736 schtasks.exe 2624 schtasks.exe 484 schtasks.exe 1360 schtasks.exe 2640 schtasks.exe 2596 schtasks.exe 2896 schtasks.exe 2880 schtasks.exe 2116 schtasks.exe 1596 schtasks.exe 1556 schtasks.exe 2864 schtasks.exe 2252 schtasks.exe 2052 schtasks.exe 1304 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid Process 2296 DllCommonsvc.exe 2296 DllCommonsvc.exe 2296 DllCommonsvc.exe 2296 DllCommonsvc.exe 2296 DllCommonsvc.exe 2296 DllCommonsvc.exe 2296 DllCommonsvc.exe 2296 DllCommonsvc.exe 2296 DllCommonsvc.exe 1748 powershell.exe 1588 powershell.exe 2348 powershell.exe 2292 powershell.exe 1316 powershell.exe 1684 powershell.exe 1328 powershell.exe 1080 powershell.exe 1780 powershell.exe 1808 powershell.exe 1716 powershell.exe 2472 powershell.exe 1456 DllCommonsvc.exe 1824 powershell.exe 496 powershell.exe 2660 powershell.exe -
Suspicious use of AdjustPrivilegeToken 18 IoCs
description pid Process Token: SeDebugPrivilege 2296 DllCommonsvc.exe Token: SeDebugPrivilege 1748 powershell.exe Token: SeDebugPrivilege 1588 powershell.exe Token: SeDebugPrivilege 2348 powershell.exe Token: SeDebugPrivilege 2292 powershell.exe Token: SeDebugPrivilege 1316 powershell.exe Token: SeDebugPrivilege 1684 powershell.exe Token: SeDebugPrivilege 1328 powershell.exe Token: SeDebugPrivilege 1080 powershell.exe Token: SeDebugPrivilege 1780 powershell.exe Token: SeDebugPrivilege 1808 powershell.exe Token: SeDebugPrivilege 1716 powershell.exe Token: SeDebugPrivilege 2472 powershell.exe Token: SeDebugPrivilege 1456 DllCommonsvc.exe Token: SeDebugPrivilege 2172 services.exe Token: SeDebugPrivilege 1824 powershell.exe Token: SeDebugPrivilege 496 powershell.exe Token: SeDebugPrivilege 2660 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2104 wrote to memory of 2400 2104 JaffaCakes118_174022270166857b68fca652e45f4b3dab843e89180ca31d19891855ef595372.exe 30 PID 2104 wrote to memory of 2400 2104 JaffaCakes118_174022270166857b68fca652e45f4b3dab843e89180ca31d19891855ef595372.exe 30 PID 2104 wrote to memory of 2400 2104 JaffaCakes118_174022270166857b68fca652e45f4b3dab843e89180ca31d19891855ef595372.exe 30 PID 2104 wrote to memory of 2400 2104 JaffaCakes118_174022270166857b68fca652e45f4b3dab843e89180ca31d19891855ef595372.exe 30 PID 2400 wrote to memory of 2180 2400 WScript.exe 31 PID 2400 wrote to memory of 2180 2400 WScript.exe 31 PID 2400 wrote to memory of 2180 2400 WScript.exe 31 PID 2400 wrote to memory of 2180 2400 WScript.exe 31 PID 2180 wrote to memory of 2296 2180 cmd.exe 33 PID 2180 wrote to memory of 2296 2180 cmd.exe 33 PID 2180 wrote to memory of 2296 2180 cmd.exe 33 PID 2180 wrote to memory of 2296 2180 cmd.exe 33 PID 2296 wrote to memory of 1316 2296 DllCommonsvc.exe 68 PID 2296 wrote to memory of 1316 2296 DllCommonsvc.exe 68 PID 2296 wrote to memory of 1316 2296 DllCommonsvc.exe 68 PID 2296 wrote to memory of 1748 2296 DllCommonsvc.exe 69 PID 2296 wrote to memory of 1748 2296 DllCommonsvc.exe 69 PID 2296 wrote to memory of 1748 2296 DllCommonsvc.exe 69 PID 2296 wrote to memory of 1080 2296 DllCommonsvc.exe 70 PID 2296 wrote to memory of 1080 2296 DllCommonsvc.exe 70 PID 2296 wrote to memory of 1080 2296 DllCommonsvc.exe 70 PID 2296 wrote to memory of 1588 2296 DllCommonsvc.exe 72 PID 2296 wrote to memory of 1588 2296 DllCommonsvc.exe 72 PID 2296 wrote to memory of 1588 2296 DllCommonsvc.exe 72 PID 2296 wrote to memory of 1808 2296 DllCommonsvc.exe 73 PID 2296 wrote to memory of 1808 2296 DllCommonsvc.exe 73 PID 2296 wrote to memory of 1808 2296 DllCommonsvc.exe 73 PID 2296 wrote to memory of 1328 2296 DllCommonsvc.exe 75 PID 2296 wrote to memory of 1328 2296 DllCommonsvc.exe 75 PID 2296 wrote to memory of 1328 2296 DllCommonsvc.exe 75 PID 2296 wrote to memory of 2472 2296 DllCommonsvc.exe 77 PID 2296 wrote to memory of 2472 2296 DllCommonsvc.exe 77 PID 2296 wrote to memory of 2472 2296 DllCommonsvc.exe 77 PID 2296 wrote to memory of 1684 2296 DllCommonsvc.exe 78 PID 2296 wrote to memory of 1684 2296 DllCommonsvc.exe 78 PID 2296 wrote to memory of 1684 2296 DllCommonsvc.exe 78 PID 2296 wrote to memory of 2292 2296 DllCommonsvc.exe 79 PID 2296 wrote to memory of 2292 2296 DllCommonsvc.exe 79 PID 2296 wrote to memory of 2292 2296 DllCommonsvc.exe 79 PID 2296 wrote to memory of 2348 2296 DllCommonsvc.exe 80 PID 2296 wrote to memory of 2348 2296 DllCommonsvc.exe 80 PID 2296 wrote to memory of 2348 2296 DllCommonsvc.exe 80 PID 2296 wrote to memory of 1716 2296 DllCommonsvc.exe 81 PID 2296 wrote to memory of 1716 2296 DllCommonsvc.exe 81 PID 2296 wrote to memory of 1716 2296 DllCommonsvc.exe 81 PID 2296 wrote to memory of 1780 2296 DllCommonsvc.exe 82 PID 2296 wrote to memory of 1780 2296 DllCommonsvc.exe 82 PID 2296 wrote to memory of 1780 2296 DllCommonsvc.exe 82 PID 2296 wrote to memory of 2072 2296 DllCommonsvc.exe 92 PID 2296 wrote to memory of 2072 2296 DllCommonsvc.exe 92 PID 2296 wrote to memory of 2072 2296 DllCommonsvc.exe 92 PID 2072 wrote to memory of 680 2072 cmd.exe 94 PID 2072 wrote to memory of 680 2072 cmd.exe 94 PID 2072 wrote to memory of 680 2072 cmd.exe 94 PID 2072 wrote to memory of 1456 2072 cmd.exe 96 PID 2072 wrote to memory of 1456 2072 cmd.exe 96 PID 2072 wrote to memory of 1456 2072 cmd.exe 96 PID 1456 wrote to memory of 496 1456 DllCommonsvc.exe 103 PID 1456 wrote to memory of 496 1456 DllCommonsvc.exe 103 PID 1456 wrote to memory of 496 1456 DllCommonsvc.exe 103 PID 1456 wrote to memory of 1824 1456 DllCommonsvc.exe 104 PID 1456 wrote to memory of 1824 1456 DllCommonsvc.exe 104 PID 1456 wrote to memory of 1824 1456 DllCommonsvc.exe 104 PID 1456 wrote to memory of 2660 1456 DllCommonsvc.exe 105 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_174022270166857b68fca652e45f4b3dab843e89180ca31d19891855ef595372.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_174022270166857b68fca652e45f4b3dab843e89180ca31d19891855ef595372.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1316
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\it-IT\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1748
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\GroupPolicy\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1080
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1588
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Music\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1808
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1328
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\cmd.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2472
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Music\dllhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2292
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2348
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\images\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1780
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iIoLvXVZTT.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:680
-
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:496
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\it-IT\services.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2660
-
-
C:\Program Files (x86)\Windows Mail\it-IT\services.exe"C:\Program Files (x86)\Windows Mail\it-IT\services.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2172
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\it-IT\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\it-IT\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\SysWOW64\GroupPolicy\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\SysWOW64\GroupPolicy\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\SysWOW64\GroupPolicy\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\DllCommonsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Public\Pictures\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\DllCommonsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Music\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Music\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Cookies\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\Cookies\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Cookies\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Music\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Music\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Music\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\providercommon\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\images\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\images\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\providercommon\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
199B
MD5e0d67dd4a9aa68240b406950301cc168
SHA16bbeb55a98ce6f93f29e89f9bdfbd40423805c56
SHA2566a273123d159299c5f0172cefa0cd928f6cfbb08e757180097a2fd43d68ab14a
SHA51250fa04350e8279569da2d6d12a31c18219378e66eb91fd430684be6cda0a5f188149d997db5066037bf63dc65814c972320a24f6f5b489a430db222ac4662ed4
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\P7WQZ5M9LW8SEKPQ6TVL.temp
Filesize7KB
MD51d658f4a1d356e61249bbd57191f9b5d
SHA1ee52d4642e42efcc27f01459026bd0d0d6b22485
SHA2565385ab54da399d43be1defde9cff21b3aa4e7c0ab9cc789aa5be62f7c6e7400d
SHA51203650eeb318d510f02b839939ff92d2b4b03ef0a484eeb241ff21387ce17db654cac42b610add9fe9af9b2e0b75249488ffaf1e89a1c6ae034c75a94d7f1def1
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478