Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 21-12-2024 21:06

Behavioral task behavioral1 (the run documented on this page)
- Sample: JaffaCakes118_f6b69b8d3212c0af97fab437ebb7c1d6b4476cef0fd9d95f38a65f22b77b0188.exe
- Resource: win7-20240903-en

Behavioral task behavioral2
- Sample: JaffaCakes118_f6b69b8d3212c0af97fab437ebb7c1d6b4476cef0fd9d95f38a65f22b77b0188.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_f6b69b8d3212c0af97fab437ebb7c1d6b4476cef0fd9d95f38a65f22b77b0188.exe
- Size: 1.3MB
- MD5: 5aa97c66abdc83e47738e8487aa30e9e
- SHA1: c9ad68efde9614bf40cef43aa65f1b1db0af45fd
- SHA256: f6b69b8d3212c0af97fab437ebb7c1d6b4476cef0fd9d95f38a65f22b77b0188
- SHA512: 3528930e138340786ade298a57a83a16b3ceee836cc1932edec0d8e395859776b3d9adade30283fe7b6f7df374d0e4742dd848dc752d58046c6555d3c6069b77
- SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
- DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins. In this run it arrives through a .vbe → .bat → DllCommonsvc.exe dropper chain, copies itself under the names of Windows system binaries in non-system directories, adds a Defender path exclusion for every copy, and registers scheduled tasks for all of them.
- DcRat family (9 IoCs)
Every memory hit is a 0x110000-byte region at the image base of DllCommonsvc.exe (PID 2844) and of each lsass.exe copy, i.e. the same payload image mapped in every process of the chain.
resource | yara_rule
behavioral1/files/0x0006000000019284-9.dat | dcrat
behavioral1/memory/2844-13-0x00000000009C0000-0x0000000000AD0000-memory.dmp | dcrat
behavioral1/memory/1992-34-0x0000000000C70000-0x0000000000D80000-memory.dmp | dcrat
behavioral1/memory/3004-125-0x00000000012D0000-0x00000000013E0000-memory.dmp | dcrat
behavioral1/memory/2888-304-0x0000000000370000-0x0000000000480000-memory.dmp | dcrat
behavioral1/memory/1344-364-0x0000000000E00000-0x0000000000F10000-memory.dmp | dcrat
behavioral1/memory/2124-601-0x0000000000280000-0x0000000000390000-memory.dmp | dcrat
behavioral1/memory/2432-661-0x0000000001270000-0x0000000001380000-memory.dmp | dcrat
behavioral1/memory/2668-721-0x00000000002F0000-0x0000000000400000-memory.dmp | dcrat
- Process spawned unexpected child process (15 IoCs)
This typically indicates the parent process was compromised via an exploit or macro. Here all 15 events have the same shape: WmiPrvSE.exe (PID 2352) launching schtasks.exe. Processes created through WMI (Win32_Process.Create) get WmiPrvSE.exe as their parent, and every one of these children is a schtasks.exe /create for a dropped copy (command lines listed after the process tree), so the more likely reading is the installer registering persistence via WMI to detach the tasks from its own process tree, not an exploit of the WMI host. Alert on WmiPrvSE.exe → schtasks.exe regardless; it is rare in legitimate administration.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2980 | 2352 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2428 | 2352 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1840 | 2352 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2944 | 2352 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2476 | 2352 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2168 | 2352 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2348 | 2352 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2372 | 2352 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 376 | 2352 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1844 | 2352 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1532 | 2352 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1508 | 2352 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2424 | 2352 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1088 | 2352 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2120 | 2352 | schtasks.exe | 35
- Command and Scripting Interpreter: PowerShell (1 TTPs, 6 IoCs)
Runs PowerShell to modify Windows Defender settings (exclusions for file extensions, paths, and processes). In this run all six invocations are Add-MpPreference -ExclusionPath, one per dropped binary; the exact command lines are in the process tree below. Two caveats: Add-MpPreference only changes anything from an elevated context, and the Defender PowerShell module ships with Windows 8.1 and later, so on this Windows 7 image the calls are recorded but have no exclusion list to change (the behavioral2 Windows 10 run is where they would take effect).
pid | Process
2744 | powershell.exe
2108 | powershell.exe
956 | powershell.exe
668 | powershell.exe
2860 | powershell.exe
2836 | powershell.exe
- Executes dropped EXE (13 IoCs)
pid | Process
2844 | DllCommonsvc.exe
1992 | lsass.exe
3004 | lsass.exe
904 | lsass.exe
1720 | lsass.exe
2888 | lsass.exe
1344 | lsass.exe
1632 | lsass.exe
236 | lsass.exe
2348 | lsass.exe
2124 | lsass.exe
2432 | lsass.exe
2668 | lsass.exe
- Loads dropped DLL (2 IoCs)
pid | Process
2824 | cmd.exe
2824 | cmd.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 13 IoCs)
All 13 flows are to raw.githubusercontent.com. This page records only the host, not the URL path or the response, so treat it as a pointer to the payload/config host rather than as evidence of what was fetched; pivot on the specific URLs from the full capture, since blocking the domain outright is rarely an option.
flow | ioc
39 | raw.githubusercontent.com
43 | raw.githubusercontent.com
13 | raw.githubusercontent.com
16 | raw.githubusercontent.com
26 | raw.githubusercontent.com
29 | raw.githubusercontent.com
23 | raw.githubusercontent.com
33 | raw.githubusercontent.com
36 | raw.githubusercontent.com
4 | raw.githubusercontent.com
5 | raw.githubusercontent.com
9 | raw.githubusercontent.com
20 | raw.githubusercontent.com
- Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File created | C:\Program Files\DVD Maker\0a1fd5f707cd16 | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Mail\dwm.exe | DllCommonsvc.exe
File created | C:\Program Files (x86)\Windows Mail\6cb0b6c459d5d3 | DllCommonsvc.exe
File created | C:\Program Files\DVD Maker\sppsvc.exe | DllCommonsvc.exe
- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. The NLS\Language key is also read during ordinary process start-up, so on its own this is a weak indicator; the page does not show what, if anything, the sample did with the value.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_f6b69b8d3212c0af97fab437ebb7c1d6b4476cef0fd9d95f38a65f22b77b0188.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 15 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution. The 15 invocations and their full command lines are listed after the process tree.
pid | Process
1508 | schtasks.exe
1088 | schtasks.exe
2120 | schtasks.exe
2980 | schtasks.exe
2348 | schtasks.exe
2372 | schtasks.exe
2168 | schtasks.exe
376 | schtasks.exe
1532 | schtasks.exe
1844 | schtasks.exe
2424 | schtasks.exe
2428 | schtasks.exe
2944 | schtasks.exe
2476 | schtasks.exe
1840 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (19 IoCs)
pid | Process
2844 | DllCommonsvc.exe
956 | powershell.exe
2108 | powershell.exe
2744 | powershell.exe
2836 | powershell.exe
2860 | powershell.exe
668 | powershell.exe
1992 | lsass.exe
3004 | lsass.exe
904 | lsass.exe
1720 | lsass.exe
2888 | lsass.exe
1344 | lsass.exe
1632 | lsass.exe
236 | lsass.exe
2348 | lsass.exe
2124 | lsass.exe
2432 | lsass.exe
2668 | lsass.exe
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
Every DcRat process (DllCommonsvc.exe and each lsass.exe copy) and every PowerShell child enables SeDebugPrivilege; for the RAT copies this pairs with the EnumeratesProcesses hits above.
description | pid | Process
Token: SeDebugPrivilege | 2844 | DllCommonsvc.exe
Token: SeDebugPrivilege | 956 | powershell.exe
Token: SeDebugPrivilege | 2108 | powershell.exe
Token: SeDebugPrivilege | 2744 | powershell.exe
Token: SeDebugPrivilege | 2836 | powershell.exe
Token: SeDebugPrivilege | 2860 | powershell.exe
Token: SeDebugPrivilege | 1992 | lsass.exe
Token: SeDebugPrivilege | 668 | powershell.exe
Token: SeDebugPrivilege | 3004 | lsass.exe
Token: SeDebugPrivilege | 904 | lsass.exe
Token: SeDebugPrivilege | 1720 | lsass.exe
Token: SeDebugPrivilege | 2888 | lsass.exe
Token: SeDebugPrivilege | 1344 | lsass.exe
Token: SeDebugPrivilege | 1632 | lsass.exe
Token: SeDebugPrivilege | 236 | lsass.exe
Token: SeDebugPrivilege | 2348 | lsass.exe
Token: SeDebugPrivilege | 2124 | lsass.exe
Token: SeDebugPrivilege | 2432 | lsass.exe
Token: SeDebugPrivilege | 2668 | lsass.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
The sandbox logs one row per WriteProcessMemory call. The rows are grouped here per writer/target pair (the "events" column is the row count) and stop at the 64-IoC display cap, which is why the process tree below continues past cmd.exe 1572 while this table does not. Every write targets the writer's own direct child at creation time (compare the tree), the pattern of ordinary process start-up rather than injection into an unrelated process.
source pid | source process | target pid | procid_target | events
816 | JaffaCakes118_f6b69b8d3212c0af97fab437ebb7c1d6b4476cef0fd9d95f38a65f22b77b0188.exe | 2644 | 31 | 4
2644 | WScript.exe | 2824 | 32 | 4
2824 | cmd.exe | 2844 | 34 | 4
2844 | DllCommonsvc.exe | 2836 | 51 | 3
2844 | DllCommonsvc.exe | 2860 | 52 | 3
2844 | DllCommonsvc.exe | 2744 | 53 | 3
2844 | DllCommonsvc.exe | 2108 | 55 | 3
2844 | DllCommonsvc.exe | 956 | 57 | 3
2844 | DllCommonsvc.exe | 668 | 58 | 3
2844 | DllCommonsvc.exe | 1992 | 63 | 3
1992 | lsass.exe | 2668 | 64 | 3
2668 | cmd.exe | 2620 | 66 | 3
2668 | cmd.exe | 3004 | 67 | 3
3004 | lsass.exe | 3060 | 68 | 3
3060 | cmd.exe | 2420 | 70 | 3
3060 | cmd.exe | 904 | 71 | 3
904 | lsass.exe | 2600 | 72 | 3
2600 | cmd.exe | 2064 | 74 | 3
2600 | cmd.exe | 1720 | 75 | 3
1720 | lsass.exe | 1572 | 76 | 3
1572 | cmd.exe | 2772 | 78 | 1 (list truncated at 64 IoCs)
- Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
The number in brackets is the nesting depth in the process tree. The sandbox reuses PIDs within this 149 s run (2844 is first DllCommonsvc.exe and later a cmd.exe, 2668 a cmd.exe and later an lsass.exe, 2348 and 1088 each appear as a schtasks.exe and as an lsass.exe/w32tm.exe), so correlate on PID plus start time or the sandbox's procid_target, never on PID alone. WScript.exe runs from C:\Windows\SysWOW64 although its command line names System32: the 32-bit sample is under file-system redirection.
- [1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f6b69b8d3212c0af97fab437ebb7c1d6b4476cef0fd9d95f38a65f22b77b0188.exe (PID 816)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f6b69b8d3212c0af97fab437ebb7c1d6b4476cef0fd9d95f38a65f22b77b0188.exe"
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- [2] C:\Windows\SysWOW64\WScript.exe (PID 2644, parent 816)
  Command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- [3] C:\Windows\SysWOW64\cmd.exe (PID 2824, parent 2644)
  Command line: cmd /c ""C:\providercommon\1zu9dW.bat" "
  Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- [4] C:\providercommon\DllCommonsvc.exe (PID 2844, parent 2824)
  Command line: "C:\providercommon\DllCommonsvc.exe"
  Signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2836, parent 2844)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2860, parent 2844)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\lsass.exe'
  Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2744, parent 2844)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\sppsvc.exe'
  Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2108, parent 2844)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'
  Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 956, parent 2844)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\dwm.exe'
  Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 668, parent 2844)
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
  Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- [5] C:\Users\Default\lsass.exe (PID 1992, parent 2844)
  Command line: "C:\Users\Default\lsass.exe"
  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
The rest of the tree is a relaunch loop: each lsass.exe writes a random-named .bat to %TEMP% and runs it through cmd.exe; the batch calls w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 (a few seconds of delay obtained from a signed Windows binary, against localhost so nothing leaves the host) and then starts C:\Users\Default\lsass.exe again. Twelve lsass.exe instances and a thirteenth batch file fit into the 149 s run; the batch contents are not shown on this page.
- [6] C:\Windows\System32\cmd.exe (PID 2668, parent 1992)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g1eT93LUFj.bat"
  Signatures: Suspicious use of WriteProcessMemory
- [7] C:\Windows\system32\w32tm.exe (PID 2620, parent 2668)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- [7] C:\Users\Default\lsass.exe (PID 3004, parent 2668)
  Command line: "C:\Users\Default\lsass.exe"
  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- [8] C:\Windows\System32\cmd.exe (PID 3060, parent 3004)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i32OxRBhll.bat"
  Signatures: Suspicious use of WriteProcessMemory
- [9] C:\Windows\system32\w32tm.exe (PID 2420, parent 3060)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- [9] C:\Users\Default\lsass.exe (PID 904, parent 3060)
  Command line: "C:\Users\Default\lsass.exe"
  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- [10] C:\Windows\System32\cmd.exe (PID 2600, parent 904)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ww4YVzclJm.bat"
  Signatures: Suspicious use of WriteProcessMemory
- [11] C:\Windows\system32\w32tm.exe (PID 2064, parent 2600)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- [11] C:\Users\Default\lsass.exe (PID 1720, parent 2600)
  Command line: "C:\Users\Default\lsass.exe"
  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- [12] C:\Windows\System32\cmd.exe (PID 1572, parent 1720)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BlQmztffGe.bat"
  Signatures: Suspicious use of WriteProcessMemory
- [13] C:\Windows\system32\w32tm.exe (PID 2772, parent 1572)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- [13] C:\Users\Default\lsass.exe (PID 2888, parent 1572)
  Command line: "C:\Users\Default\lsass.exe"
  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- [14] C:\Windows\System32\cmd.exe (PID 356, parent 2888)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9gNv7qRJ8U.bat"
- [15] C:\Windows\system32\w32tm.exe (PID 2080, parent 356)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- [15] C:\Users\Default\lsass.exe (PID 1344, parent 356)
  Command line: "C:\Users\Default\lsass.exe"
  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- [16] C:\Windows\System32\cmd.exe (PID 1292, parent 1344)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DCuC0H4DXb.bat"
- [17] C:\Windows\system32\w32tm.exe (PID 1088, parent 1292)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- [17] C:\Users\Default\lsass.exe (PID 1632, parent 1292)
  Command line: "C:\Users\Default\lsass.exe"
  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- [18] C:\Windows\System32\cmd.exe (PID 2844, parent 1632)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat"
- [19] C:\Windows\system32\w32tm.exe (PID 1944, parent 2844)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- [19] C:\Users\Default\lsass.exe (PID 236, parent 2844)
  Command line: "C:\Users\Default\lsass.exe"
  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- [20] C:\Windows\System32\cmd.exe (PID 1776, parent 236)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7Xe7C8pmPD.bat"
- [21] C:\Windows\system32\w32tm.exe (PID 796, parent 1776)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- [21] C:\Users\Default\lsass.exe (PID 2348, parent 1776)
  Command line: "C:\Users\Default\lsass.exe"
  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- [22] C:\Windows\System32\cmd.exe (PID 2588, parent 2348)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y23Kn3rQqK.bat"
- [23] C:\Windows\system32\w32tm.exe (PID 2840, parent 2588)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- [23] C:\Users\Default\lsass.exe (PID 2124, parent 2588)
  Command line: "C:\Users\Default\lsass.exe"
  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- [24] C:\Windows\System32\cmd.exe (PID 2148, parent 2124)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J91AFVPMIK.bat"
- [25] C:\Windows\system32\w32tm.exe (PID 2948, parent 2148)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- [25] C:\Users\Default\lsass.exe (PID 2432, parent 2148)
  Command line: "C:\Users\Default\lsass.exe"
  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- [26] C:\Windows\System32\cmd.exe (PID 1692, parent 2432)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2K3DLFE7WC.bat"
- [27] C:\Windows\system32\w32tm.exe (PID 1284, parent 1692)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
- [27] C:\Users\Default\lsass.exe (PID 2668, parent 1692)
  Command line: "C:\Users\Default\lsass.exe"
  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- [28] C:\Windows\System32\cmd.exe (PID 2560, parent 2668)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat"
- [29] C:\Windows\system32\w32tm.exe (PID 2360, parent 2560)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Scheduled tasks registered (all 15 schtasks.exe are children of WmiPrvSE.exe, PID 2352, and each carries "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task")
Every dropped copy gets the same trio: a MINUTE-interval task named after the binary plus a trailing letter, an ONLOGON task under the plain name with /rl HIGHEST, and a second MINUTE task under the suffixed name with /rl HIGHEST. /f overwrites an existing task of the same name, so if the commands ran in the order shown, the second MINUTE definition replaces the first (e.g. "lsassl" ends up every 5 minutes at HIGHEST). None of the target binaries belongs where it is: the genuine lsass.exe, sppsvc.exe, conhost.exe, dwm.exe and spoolsv.exe all live in C:\Windows\System32.
- PID 2980: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Default\lsass.exe'" /f
- PID 2428: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\lsass.exe'" /rl HIGHEST /f
- PID 1840: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Default\lsass.exe'" /rl HIGHEST /f
- PID 2944: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\sppsvc.exe'" /f
- PID 2476: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\sppsvc.exe'" /rl HIGHEST /f
- PID 2168: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\sppsvc.exe'" /rl HIGHEST /f
- PID 2348: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
- PID 2372: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
- PID 376: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
- PID 1844: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\dwm.exe'" /f
- PID 1532: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\dwm.exe'" /rl HIGHEST /f
- PID 1508: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\dwm.exe'" /rl HIGHEST /f
- PID 2424: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\providercommon\spoolsv.exe'" /f
- PID 1088: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
- PID 2120: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
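The four behaviours this report turns into signatures (schtasks persistence for system-binary names in non-system directories, Add-MpPreference exclusions, WmiPrvSE.exe as the parent of schtasks.exe, and w32tm /stripchart as a sleep) are easy to encode as process-creation rules. The following is an added example, not code from the sandbox or from the malware: it runs over a handful of constructed events whose command lines are copied from this page, with field names borrowed from Sysmon Event ID 1. The list of impersonated binary names and the stripping of the inner single quotes around /tr values are assumptions tuned to this sample's quoting.

```python
"""Detection logic for the persistence and evasion patterns recorded in this report.

Added example: this is not code from the sandbox, nor from the malware. It runs
over constructed process-creation events (parent image, image, command line)
whose command lines are copied from the report; the field names follow Sysmon
Event ID 1 but the event records themselves are assembled here by hand.
"""
import ntpath
import re
from dataclasses import dataclass

# Windows binary names this sample impersonates, plus a few common neighbours.
# Any of them running from outside the two system directories is suspect.
SYSTEM_BINARY_NAMES = {
    "lsass.exe", "dwm.exe", "sppsvc.exe", "conhost.exe", "spoolsv.exe",
    "svchost.exe", "csrss.exe", "wininit.exe", "services.exe",
}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# schtasks flags of interest; a value is either "quoted" or a single token
SCHTASKS_FLAG = re.compile(r'/(tn|sc|mo|tr|rl)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
MP_EXCLUSION = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+'([^']+)'", re.IGNORECASE)
W32TM_SLEEP = re.compile(r"w32tm\s+/stripchart\s+/computer:localhost", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def parse_schtasks_create(cmdline):
    """Return the /tn /sc /mo /tr /rl values of a 'schtasks /create' line, else None."""
    if not re.search(r"schtasks(?:\.exe)?\s+/create\b", cmdline, re.IGNORECASE):
        return None
    fields = {"tn": None, "sc": None, "mo": None, "tr": None, "rl": None}
    for m in SCHTASKS_FLAG.finditer(cmdline):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        # this sample wraps /tr as "'C:\path\file.exe'"; drop the inner single quotes
        fields[m.group(1).lower()] = value.strip("'")
    return fields


def is_masquerading_path(path):
    """True when a system-binary name sits in a directory other than System32/SysWOW64."""
    norm = path.strip("'\"").replace("/", "\\").lower()
    directory, name = ntpath.split(norm)
    return name in SYSTEM_BINARY_NAMES and directory not in SYSTEM_DIRS


def analyze_event(event):
    """Run the checks against one event and return its findings (possibly none)."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    image = ntpath.basename(event["Image"]).lower()
    cmd = event["CommandLine"]
    findings = []

    task = parse_schtasks_create(cmd)
    if task:
        if task["tr"] and is_masquerading_path(task["tr"]):
            sched = (task["sc"] or "?") + (f"/{task['mo']}" if task["mo"] else "")
            if task["rl"]:
                sched += f", /rl {task['rl']}"
            findings.append(Finding("scheduled_task_masquerade",
                                    f"task {task['tn']!r} ({sched}) runs {task['tr']}"))
        # WmiPrvSE.exe as parent means the task was registered via WMI process creation
        if parent == "wmiprvse.exe" and image == "schtasks.exe":
            findings.append(Finding("wmi_spawned_schtasks", cmd))

    m = MP_EXCLUSION.search(cmd)
    if m:
        findings.append(Finding("defender_exclusion", f"{m.group(1)} exclusion for {m.group(2)}"))

    # w32tm /stripchart against localhost only burns a few seconds: a signed-binary sleep
    if W32TM_SLEEP.search(cmd):
        findings.append(Finding("w32tm_delay", cmd))

    if is_masquerading_path(event["Image"]):
        findings.append(Finding("masquerading_process", f"{event['Image']} started by {parent}"))
    return findings


def analyze_events(events):
    """Flatten the findings for a batch of events."""
    return [f for e in events for f in analyze_event(e)]


# Constructed events: command lines copied from the report, parents taken from the tree.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "Image": r"C:\Windows\system32\schtasks.exe",
     "CommandLine": r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Default\lsass.exe'" /f'''},
    {"ParentImage": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "Image": r"C:\Windows\system32\schtasks.exe",
     "CommandLine": r'''schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\sppsvc.exe'" /rl HIGHEST /f'''},
    {"ParentImage": r"C:\providercommon\DllCommonsvc.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": '"powershell" -Command Add-MpPreference -ExclusionPath \'C:\\Users\\Default\\lsass.exe\''},
    {"ParentImage": r"C:\providercommon\DllCommonsvc.exe",
     "Image": r"C:\Users\Default\lsass.exe",
     "CommandLine": r'"C:\Users\Default\lsass.exe"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\system32\w32tm.exe",
     "CommandLine": "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"},
    # control: the genuine lsass.exe must not fire any rule
    {"ParentImage": r"C:\Windows\System32\wininit.exe",
     "Image": r"C:\Windows\System32\lsass.exe",
     "CommandLine": r"C:\Windows\system32\lsass.exe"},
]

if __name__ == "__main__":
    for finding in analyze_events(SAMPLE_EVENTS):
        print(f"{finding.rule:28} {finding.detail}")
```

Run as-is it prints seven findings for the five malicious events and nothing for the control. The masquerade check keys on the directory, not on the file name alone, because the real binaries are legitimately named lsass.exe and so on; feeding it the /tr value of a task as well as the image path of a started process catches the persistence before the first scheduled launch.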
MITRE ATT&CK Enterprise v15 is the framework version behind the TTP counts in the signatures above.
Downloads
The CryptnetUrlCache entries are Windows' own CryptoAPI certificate/CTL cache and the CustomDestinations file is an Explorer jump list; both are host artifacts written by the OS during the run, not malware drops. Entries without a path are listed as the page shows them.
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 18ecf9fdeacbee008f9559f5cdebe21d
  SHA1: 20d58c3154482520688f64c6738c1b04b453c446
  SHA256: 237712894c8b33f79a4a58f8e37e6f0c1d6493df587f83abdd30bfdb7e2e2475
  SHA512: c27b9f333238f4fabb9ed93c7484f0dc8ecdb8a3135708d810c15000eae95721879ca1d7fa54c88eb517496c7df789ecf20a1ddf9c7fed0f5cbe85aeaf0a5a90
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 3bf07d8e518a387b750e3db41ab4806f
  SHA1: 3ec13814844064661869a9be2cb83acaca9626bc
  SHA256: 33e938c79626c9cfe4255aee32947b99b4a3ce6140735ce89a780b7b9da6cfe8
  SHA512: c99aeca46588f22a38156e54922884bc33cf0725f67bd4618f37590c3a24938b8e82e64d4a64863b351c81f87bfd4ba96db05a2e863bad73add9b48bd9fca3ae
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 9b1e7eb647bf2f753b129de879bf8524
  SHA1: dab542f7edd39475d81c41e2a049b664738a1698
  SHA256: b26c2fdfc8e63727801f89c8f43bf2f1589abb11e2c7881491229e2d12fdf86e
  SHA512: 23ac27329598363b84295a898eaa7f4021289627c65aec7881643b03ff5c6162725f42bc6d5f3731c420ed555638a83a6cddc275693f834ed7fa9f7060f2f045
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 03d457b0fca92eea339c92a72b1b3d55
  SHA1: 0a3e17f8c8f99ac15dff2464aa3e03640879d413
  SHA256: d9457cf743c58cae0a7d53adda6e76d48c903b17f776f0e75abc40612644f85c
  SHA512: f2c8f9ba17aeb63f0d3679cb402547709ae67187c36caa237f998b6ecfc735195210e019d8f4e1c062ecf4530ee33e31bb2073139fa018f814fa285fc6928af7
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 137aeb01bff7d22cf845615549c81254
  SHA1: c605a8098fcb16517749be91ba42487aef8df3b5
  SHA256: 236acefcd7289eb1d0412b2e75fc7ee28274ad628b8d4300b5bd68d4b5c4e5e6
  SHA512: fb4bc10e17cc71c402fc341a5919157b3ce16e4721fc871ef48663ccf650f08edf73acc97af4800c4b3ccb508930bc6ff3299b1bfeedd4cbf070791f0a616428
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 7ab332c6c99661a546581f0d18861c27
  SHA1: 666fb8c5bc68ee11df0f9c81219e32567fe61dbe
  SHA256: 24e7d2229f394675df6623a93e06e5cbf5d3926bda44b3ec2dd1683e09983e55
  SHA512: d00d6465dee9681e47ba51cb11787939a4e5bb15d6a73f823ae5568d1e5c53ece1865a93b88b751998942ccc507ee7397ce0e04a33ca540cc5555ed3c30230a1
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 48a030f9580e335488fd2723a070c7f8
  SHA1: 6b6fffd7f7d32d4c7e719736be383a35fb7825c8
  SHA256: 27861b464403a19f525ae7053103d58676cce9c39b6d768659e1fc2e0aceba2a
  SHA512: 084721f61fa59936d7d3f6f9de754d6cdb7c67ac1a43e43e531f5a2dc8f2ddfd3561479198681f2d568ffb45e54049fcf5df09938b69687edd43f4630d1bcbdb
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: a3d0e925416277ab34f6bc22bf464459
  SHA1: b0850926b65b8af1442580a24dbbe7b14bcce6cd
  SHA256: 218826d58ee9b653252db1dccf6f117bf7a00693453cd84f7cbf06c4aaff2f2b
  SHA512: 058863705669d437bf688c7494f23b707c5c325f0e9c7071c0c02d63400d8c252995f53a1cf863e0023720405cc152308f313f46e17cc721f343e9ac5c081736
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 744e78b1b2c7f4b1916edfe11ad97b4d
  SHA1: 1ee033110ccc736d6683b464d12fb8c8fec7a37c
  SHA256: 06f90dbf9c508409c17bf2bcedb8c22ba307f6d584393654cf68c9ac79b9d5a7
  SHA512: 97a43310a054462c3d9ad004bf4112652e4a84448ed5ac2a6b1063a849567f0639dec464abf31b849e375b22dcfb7c57d2cbebbefe5120675bdbb51ae2c2a2bb
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 5ec54e0e13609d4f3265e159257e1bc8
  SHA1: 847f3369b713eb9b2722741a2572e923712df710
  SHA256: 245c039680b7e750caf8fad65b05fc7e13dd2690e112bd37a2816ee4c80a8445
  SHA512: 9a0636e5d077a3f488a4be9157de5221d797e05cb010742ae122fb13ef832b9857d2023d78df09b1a07c9ae663e5685a3c5e11b581c646d48de29004cb3db03f
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: bfdd431d41aa5ce9ae2c363323bf22d1
  SHA1: 561e1cfa7f20986a76ce32b4231f94e140c35eac
  SHA256: c7a79e2f3e2de7915e1f9436ce45269e0b536d37bd84dd1eba9594ef63e844e2
  SHA512: cea3244a5f2406e31829a6d6aab33f3012dfcbcb9c3a159745c10f9f878afa8ca69b62320cd93178abf8ec9b7aae8b96bb8610076e0bc2225249b629ce2c433d
- (no path given)
  Filesize: 191B
  MD5: 1096f0411ad5d0549e8314f527d87f4d
  SHA1: b996d79fe711f02bd4234e44245998a0c9d1fdc1
  SHA256: f8a647ceef200de9f5315e8a1bd351cd38f743c39ec9677698d2a1915c2d5996
  SHA512: c2aba66ca41e41704efb30f5b3ccaf868041c3d1d4c6e842b01ed7e6947c50ea570988149b66001f5cbd47e77769a82a09758b294575b555d4846ff0ab79a254
- (no path given)
  Filesize: 191B
  MD5: aff851ff99555176a86beb32ba310acd
  SHA1: 0bdebd89b2f8300f8b9f87622a6932ebf3857aac
  SHA256: 4ead115d6b05bae412f246a507370f432406bd914bf9c7be1e651319616b1d3d
  SHA512: a9d968a9d108c9f326473cbfb8272ec267aef78da0dd055fab86fa9a911ea76e722b0bb873c1b68abed23badee25efd100a097fc092174e5422768dbbfafd009
- (no path given)
  Filesize: 191B
  MD5: 575b78e0584ddbae7dbfc766bac48756
  SHA1: 453210bdd9203bc94302e6dc732f5b9c87a4d099
  SHA256: 1b9a4ad954c74ca82742175b1850d927ed6ff9e2008101231b3e4b6e77e5be25
  SHA512: 2b5c9fbe77e3aab571b767e1412a88e6f3962c8dd5a7857c6b1cd917184c126ad554dcb1f51e5b94c160bb191329fc3ed60a29f43f0558779820731f7e89ae1a
- (no path given)
  Filesize: 191B
  MD5: aac8de4779e6811a9945bb2d888d0462
  SHA1: ab53ae252882ea8c9b0195ae20d42c1ddfcde028
  SHA256: bca895392b47a648707c04c1c058593d38591ae22bbadde052583569e5e21f82
  SHA512: 2d5106b07e0b597f708aa00ee004e2f5f40c93e6c6781a1669bd140b4cb78b0397fb3c4b64db8ce3a38d4b60668766ebc78f1e2677767955f12ade7aeb21b76f
- (no path given)
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- (no path given)
  Filesize: 191B
  MD5: 2e299738c2e6d7f41a21a008468af214
  SHA1: 01f17045e6dc09692f91a4e12c117ea06b3e54cd
  SHA256: 8126c9fd629f1c9569d3349c9c1d996dac6f5700878a07b5db9f5acf7ec5d4dd
  SHA512: 6023cfa27cdc80f61b0f220483044d0618c257bf7fa8be9978ece6dd6d1a8add8c3d05b07dc3b6f6465e850a1dd231db86ea963525d5e82e75871a6eeb3484cc
- (no path given)
  Filesize: 191B
  MD5: e1748edc42aa680a4006062b2dd3eed8
  SHA1: 4984a0387e81580d094c8a8dd48559399e6acd09
  SHA256: ee9e25eca24185c542a1c8d59b34e0a36bdd4bcced42dbaed835d9ef7ea7531c
  SHA512: e3457015479905cdec29e3b5c619edb997e2076f9acd658fc3935e7023370bdf37595a30f94a50d77f820568d18e73217028c8dc305bf09511895f58bcf9b6b7
- (no path given)
  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
- (no path given)
  Filesize: 191B
  MD5: ccbda76d1ac3f9054ad9e85ee976d165
  SHA1: 8642ba90aa7e56a2911ec4c6d14f288a2157b2b2
  SHA256: d42e3d35b3d640addcbaa9ebe293fd011a0a62ade26271babf884bdb3e791729
  SHA512: 7a86c90d7c7909aa97cabbd88370226cd246dc267913fbcfb7c5b83630db0312b4ebaba5ea6a44cb22e9f712e36915d523981693b4e17e3fce9818cb2003791a
- (no path given)
  Filesize: 191B
  MD5: cb16b64061ce4014de2570c6c97e301a
  SHA1: d00e6ba4b313f536f013763cf0c77c194efaeb75
  SHA256: acbe9c50abbc02815cdb5cce03ebdbf6c219625daf11d3ca2766367676746ba5
  SHA512: bdeb20b1dabde290edead5e9bedaf2919b17cf4b3f9d71cd6593175e74f2c317f979e5213e5cf7867284e667327d21348d4020123527c76f7cfc779ed9664ff5
- (no path given)
  Filesize: 191B
  MD5: 9c4b5d32624ffefa00c2633f58f57d00
  SHA1: ae2d07183017354440ad2fc0b3ee9908367bdc6b
  SHA256: 0ed63568ae90be7681afda5bd2868a79ad6ee9f44b05294b6926165ab5e6aa7c
  SHA512: 0643fd430eb611b15616214f13b3a419ebf6f2b127ccb1c6719b4e061e290285e6265856fb507f61dd6bdab2964994959f142474898bcfb794931a3e3b05d9cf
- (no path given)
  Filesize: 191B
  MD5: 6fb9a15d0e2af2867610fce989bb56f5
  SHA1: e816c732e1d262e9c86fc5a75e92709cf049ba2f
  SHA256: ab2b0f5846935fdbd92daef57ccd0841afd16db36aa4d63219e0089876a7c600
  SHA512: 5e147ca5e7dd5b8f3477d6c6dd668f0589f0f34fbb2e4be34b14cbd7d96e719f8e546131f81a18eced895bf27527cd4b5d7bf341f66aa8f988102edc737c76e9
- (no path given)
  Filesize: 191B
  MD5: e15daa493dd242a8059472f3bcae0440
  SHA1: 6ef80839dabac5cffdd19b57346997529bf87dba
  SHA256: 1c707ffaaadaf924ba618890e99d236c64afb391f30af4001845bd016047b935
  SHA512: b81bc731eae698f30c8b64e1d3f492f0fe57e7bce5c583ec1c162fcf38dfb0698f773f5e6ae2d99fb4af5bed64fd5d8fedd638188e5daa87250503edfc4a26fc
- (no path given)
  Filesize: 191B
  MD5: 410d40814b41da6b48521073570dd03d
  SHA1: 0ec1402be91297311f7a4bad61d3aeca7311cac0
  SHA256: 87930bea1c410c307258b5dfc850d32c17606038422a57b46a3a6b46ba089096
  SHA512: ba519a1c2309b84d16c2cde07522ba4bf57bc472b26a543c485994250a0bc649dc8aec6cb17951de425fabbd2d525ebf220a868c95f394360e2ccdf221dbfd82
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 9cc258b9e4fac3b945647c59f8c795d9
  SHA1: 026280f6bb5ed67cd1223f7fab73b56ef8cae4cb
  SHA256: 6f0ab3f39c7beb4a8c1c5235372dedf1133616a8d30618c62234213911c72d1d
  SHA512: a9f3d67fe0f5a31d3d2358d0578eed3110ae93181def5e81271201f150d5859ade014fc053b77282dcfbbfc51c0e76dd6805579d015adcc35b00ea1c685a677b
- (no path given)
  Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
- (no path given)
  Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
- (no path given)
  Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394