dcrat | 55008b6e5b922c53915f20037c1669fb91a888fd6beb41b4051e3f0ac811b313

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_55008b6e5b922c53915f20037c1669fb91a888fd6beb41b4051e3f0ac811b313.exe
Size

1.3MB
MD5

99da1d5b06d7fc95d645428afe348458
SHA1

530239d5c67235c6e8891828ec5e1e113a6b9f7f
SHA256

55008b6e5b922c53915f20037c1669fb91a888fd6beb41b4051e3f0ac811b313
SHA512

f724dd409769aad7b4cf4942479b4210eff57fd1a6bc2cf4440fe25c12ba348ee0bd57ca8950fa2360f15e4cfaa02310a64b1e2d24cf938a71112d78b68bf90c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2612	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000193d9-12.dat	dcrat
behavioral1/memory/2824-13-0x00000000012D0000-0x00000000013E0000-memory.dmp	dcrat
behavioral1/memory/2268-59-0x0000000000C30000-0x0000000000D40000-memory.dmp	dcrat
behavioral1/memory/3060-119-0x0000000000FF0000-0x0000000001100000-memory.dmp	dcrat
behavioral1/memory/3060-356-0x0000000000390000-0x00000000004A0000-memory.dmp	dcrat
behavioral1/memory/2568-416-0x0000000000DD0000-0x0000000000EE0000-memory.dmp	dcrat
behavioral1/memory/1728-536-0x0000000001180000-0x0000000001290000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1148	powershell.exe
572	powershell.exe
1720	powershell.exe
2424	powershell.exe
1432	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2824	DllCommonsvc.exe
2268	dwm.exe
3060	dwm.exe
2568	dwm.exe
2040	dwm.exe
1748	dwm.exe
3060	dwm.exe
2568	dwm.exe
1472	dwm.exe
1728	dwm.exe
584	dwm.exe

Loads dropped DLL 2 IoCs

pid	Process
2776	cmd.exe
2776	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
26	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
16	raw.githubusercontent.com
30	raw.githubusercontent.com
37	raw.githubusercontent.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\wininit.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\56085415360792	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\6cb0b6c459d5d3	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_55008b6e5b922c53915f20037c1669fb91a888fd6beb41b4051e3f0ac811b313.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1612	schtasks.exe
1636	schtasks.exe
1532	schtasks.exe
2936	schtasks.exe
576	schtasks.exe
2096	schtasks.exe
2364	schtasks.exe
2184	schtasks.exe
540	schtasks.exe
1632	schtasks.exe
484	schtasks.exe
1940	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2824	DllCommonsvc.exe
2424	powershell.exe
1148	powershell.exe
1720	powershell.exe
572	powershell.exe
1432	powershell.exe
2268	dwm.exe
3060	dwm.exe
2568	dwm.exe
2040	dwm.exe
1748	dwm.exe
3060	dwm.exe
2568	dwm.exe
1472	dwm.exe
1728	dwm.exe
584	dwm.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2824	DllCommonsvc.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	2268	dwm.exe
Token: SeDebugPrivilege	3060	dwm.exe
Token: SeDebugPrivilege	2568	dwm.exe
Token: SeDebugPrivilege	2040	dwm.exe
Token: SeDebugPrivilege	1748	dwm.exe
Token: SeDebugPrivilege	3060	dwm.exe
Token: SeDebugPrivilege	2568	dwm.exe
Token: SeDebugPrivilege	1472	dwm.exe
Token: SeDebugPrivilege	1728	dwm.exe
Token: SeDebugPrivilege	584	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2796	2664	JaffaCakes118_55008b6e5b922c53915f20037c1669fb91a888fd6beb41b4051e3f0ac811b313.exe	30
PID 2664 wrote to memory of 2796	2664	JaffaCakes118_55008b6e5b922c53915f20037c1669fb91a888fd6beb41b4051e3f0ac811b313.exe	30
PID 2664 wrote to memory of 2796	2664	JaffaCakes118_55008b6e5b922c53915f20037c1669fb91a888fd6beb41b4051e3f0ac811b313.exe	30
PID 2664 wrote to memory of 2796	2664	JaffaCakes118_55008b6e5b922c53915f20037c1669fb91a888fd6beb41b4051e3f0ac811b313.exe	30
PID 2796 wrote to memory of 2776	2796	WScript.exe	31
PID 2796 wrote to memory of 2776	2796	WScript.exe	31
PID 2796 wrote to memory of 2776	2796	WScript.exe	31
PID 2796 wrote to memory of 2776	2796	WScript.exe	31
PID 2776 wrote to memory of 2824	2776	cmd.exe	33
PID 2776 wrote to memory of 2824	2776	cmd.exe	33
PID 2776 wrote to memory of 2824	2776	cmd.exe	33
PID 2776 wrote to memory of 2824	2776	cmd.exe	33
PID 2824 wrote to memory of 2424	2824	DllCommonsvc.exe	47
PID 2824 wrote to memory of 2424	2824	DllCommonsvc.exe	47
PID 2824 wrote to memory of 2424	2824	DllCommonsvc.exe	47
PID 2824 wrote to memory of 1720	2824	DllCommonsvc.exe	48
PID 2824 wrote to memory of 1720	2824	DllCommonsvc.exe	48
PID 2824 wrote to memory of 1720	2824	DllCommonsvc.exe	48
PID 2824 wrote to memory of 1432	2824	DllCommonsvc.exe	49
PID 2824 wrote to memory of 1432	2824	DllCommonsvc.exe	49
PID 2824 wrote to memory of 1432	2824	DllCommonsvc.exe	49
PID 2824 wrote to memory of 1148	2824	DllCommonsvc.exe	50
PID 2824 wrote to memory of 1148	2824	DllCommonsvc.exe	50
PID 2824 wrote to memory of 1148	2824	DllCommonsvc.exe	50
PID 2824 wrote to memory of 572	2824	DllCommonsvc.exe	51
PID 2824 wrote to memory of 572	2824	DllCommonsvc.exe	51
PID 2824 wrote to memory of 572	2824	DllCommonsvc.exe	51
PID 2824 wrote to memory of 1680	2824	DllCommonsvc.exe	57
PID 2824 wrote to memory of 1680	2824	DllCommonsvc.exe	57
PID 2824 wrote to memory of 1680	2824	DllCommonsvc.exe	57
PID 1680 wrote to memory of 956	1680	cmd.exe	59
PID 1680 wrote to memory of 956	1680	cmd.exe	59
PID 1680 wrote to memory of 956	1680	cmd.exe	59
PID 1680 wrote to memory of 2268	1680	cmd.exe	60
PID 1680 wrote to memory of 2268	1680	cmd.exe	60
PID 1680 wrote to memory of 2268	1680	cmd.exe	60
PID 2268 wrote to memory of 880	2268	dwm.exe	61
PID 2268 wrote to memory of 880	2268	dwm.exe	61
PID 2268 wrote to memory of 880	2268	dwm.exe	61
PID 880 wrote to memory of 2904	880	cmd.exe	63
PID 880 wrote to memory of 2904	880	cmd.exe	63
PID 880 wrote to memory of 2904	880	cmd.exe	63
PID 880 wrote to memory of 3060	880	cmd.exe	64
PID 880 wrote to memory of 3060	880	cmd.exe	64
PID 880 wrote to memory of 3060	880	cmd.exe	64
PID 3060 wrote to memory of 2788	3060	dwm.exe	65
PID 3060 wrote to memory of 2788	3060	dwm.exe	65
PID 3060 wrote to memory of 2788	3060	dwm.exe	65
PID 2788 wrote to memory of 1232	2788	cmd.exe	67
PID 2788 wrote to memory of 1232	2788	cmd.exe	67
PID 2788 wrote to memory of 1232	2788	cmd.exe	67
PID 2788 wrote to memory of 2568	2788	cmd.exe	68
PID 2788 wrote to memory of 2568	2788	cmd.exe	68
PID 2788 wrote to memory of 2568	2788	cmd.exe	68
PID 2568 wrote to memory of 2264	2568	dwm.exe	69
PID 2568 wrote to memory of 2264	2568	dwm.exe	69
PID 2568 wrote to memory of 2264	2568	dwm.exe	69
PID 2264 wrote to memory of 768	2264	cmd.exe	71
PID 2264 wrote to memory of 768	2264	cmd.exe	71
PID 2264 wrote to memory of 768	2264	cmd.exe	71
PID 2264 wrote to memory of 2040	2264	cmd.exe	72
PID 2264 wrote to memory of 2040	2264	cmd.exe	72
PID 2264 wrote to memory of 2040	2264	cmd.exe	72
PID 2040 wrote to memory of 1744	2040	dwm.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55008b6e5b922c53915f20037c1669fb91a888fd6beb41b4051e3f0ac811b313.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55008b6e5b922c53915f20037c1669fb91a888fd6beb41b4051e3f0ac811b313.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4C5OnvVXGa.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1680
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:956
      - C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JhLzHEla3w.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2904
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rcE1qBYVKA.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1232
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hevtjRcN1r.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:768
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat"
        13⤵
        
        PID:1744
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1804
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M53DwaTFc6.bat"
        15⤵
        
        PID:1000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2876
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J91AFVPMIK.bat"
        17⤵
        
        PID:2868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2392
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat"
        19⤵
        
        PID:2280
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2076
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fdSjcfTSOA.bat"
        21⤵
        
        PID:2372
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1648
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P9uKrkSNlp.bat"
        23⤵
        
        PID:864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2872
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9gNv7qRJ8U.bat"
        25⤵
        
        PID:2452
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Downloads\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05d3187b1e3c68b8b5cae4ce58d964f7

SHA1
963f9c5418840f84d240909700fc776c4738c5bf

SHA256
4e92ecf0656f1efc1e329cd6efce7caf4c693158c74979010fd108b9046b5e5e

SHA512
efd8e76b6c53200da0772b14d645554f91cbcb9f92ac9bc2eba5f7c23c91efb2735cd0254668bf60889f8234bbcea76ff86434dacdfe1b06e6eb846fdb522f57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a9ce63137f31a490e63e32e9975edf2d

SHA1
ae58c2678160f0c45db9fa57ae7a4d11697e4ff3

SHA256
1f09d1816cd4bcbb632835572bcbb1b4591844a048f7f1800509e12c55eacd9c

SHA512
6eaeb0cd826cc606a6b345772b271eb86af1e0fd30f667882530537e5f624b28908b0089ee7b85ed228163fd2540356431be3e59ef9da1d08cd5b675dd5e5794

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f0670f5ac0de01fe8ae090ce40dd1755

SHA1
1204fa2bcf184bf0544ca3abfcd9cc847af99095

SHA256
95806747ba70d2554c819b99f234f15f46045371040a0a1bed38ae4fa37ba715

SHA512
e420a2d7d173a0f0c5d4400749ec2dcd63863108fdd1ad61fce3f11337943eedaac9e90b62594c31567a9a8680c3ae97e7c0aa036fdb3517e2ed1a7027c424b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7501d8a26802a780c7f406f2e840777

SHA1
d7e83257edfb001b3cde3ab20a04c14821542f0f

SHA256
63fb1c18786161512ca89c5b29f67fb27e6ae43ceefe76c3eb79057ebc14019b

SHA512
d6114ca823746ef1788a65e22a228819feebb2a4bb347d1549de9276d8a79b44b4a98fdebcc4f86ea0706a5b20bd1e24eb6d051bab2a1b390d95eeeed834e2b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7cecc3e7c204c14bfdc9d7ec879f517

SHA1
380c0674405c2ca55eeb5ea2e78b9602dae053c2

SHA256
3e49acf905ab720a77a0ee5c4bee856cdf0bb788b7671dee116f1b872630bbb6

SHA512
8f14a4b942636790641ef06000c6690677a88b52ec77c221e82af8e708a1145e83934d7f6afd079fca0d7fd3a4c2cd93cfa4971b012b9dbab9a42da3d821c827

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d107d715ca594eac85d9336922c5bb7

SHA1
b1f9cf2fdf89f0c075356159f1b7d37c582b226c

SHA256
74356d125cc34dbb10909e499e127fbd89dcbdf8c3ce033f88058b0a44a76e1f

SHA512
45cf5f0a0331a85dc1f3abdef6b2bd4df372f7998da1fb81c6ace74b260c48828197267b6d68270802eede796b86a0f8b197b29828e0e5077956c7e4ecaac898

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32cd7585751fed7757bf3046f5e469b2

SHA1
904cab5aba9679a8a3354ff2e6a37e77605f0fc8

SHA256
b307572a95cdcef1c6975b989d5571b88db1e10692302f261f4ad054b5358d2c

SHA512
262c3122a311b004525c96f034a02a72b5e82885c82e4540e88d8e5c8fc4d00b5eecf408a24b6742c92a0f8e89a5412318a54bdc02c6c60c57b6de30f1aaa372

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4255e959fc4cc817abb7452d41ecf33

SHA1
58be4374189ce45eb5945dc7e273fc64e057584f

SHA256
76e32cba0bdf7d7875db0b40824a39cf7747993bdafec39a9e8cc364617c84c3

SHA512
b9f9545edcf8fffef8cdc0ff69c6d1b915015bab0868b034221545d408de15031bed0122eb922e8a895b79fea9d482a9613cbe0d585e805ae039e4f8f07a2594

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
62ee68c0b7fbe0cec451cb6e10f0f1a2

SHA1
37efde41103856d6ec0c6f851e95dfce59aa4211

SHA256
438e726ca0b3f542d1feab27527d8e59c6c297f8f460e451ff0c4f3dab98af5a

SHA512
cec0dd514520079487ccf0b8fcef25d87e2d30d8327f8c6860d0d6889a3ed267b16d514f01c67c69f5feb35795122f4bee4151f3c8e078eb99108be6497c350f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4C5OnvVXGa.bat

Filesize
220B

MD5
2b649a57b72f7fc5923f08b8319f7cf5

SHA1
9440712bbcb7ef872ec33eb0aa80d8258ac32c33

SHA256
12b82c61e0e6317184e07f561838035b65d840748432101f412eea739a78e659

SHA512
c5d7ebcb0e5c8e31b2525d4d5c76189750b6fbc2afff1d4824c6696bf2f85795cdef827a7c36ef7f94ab70c4d3d58dda1ab54f912bae3f4ae2c0b4ccb7f5d553

Download Submit
C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat

Filesize
220B

MD5
d9ed8fb0feddf100b3d7140fee087118

SHA1
c31f82257dcae739ecbd5e2c0812ad3ad895a453

SHA256
f226342d7b99a628e63d9a91ea1d2a0d5e4373b1737490ac05981a978ff6efa8

SHA512
4954b5129dcea04f49a5f1dc38bc631966e7e76e4571e7b40c0195c8f3aff2e271fa626ca5b48776c572cab5f2d41aeab7068df810398c76cd03b7eeae75ead6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9gNv7qRJ8U.bat

Filesize
220B

MD5
4cdec2ef1898404338103c625a8081ea

SHA1
1eca09fdc0eb4492652d160cfa0285104f6b1268

SHA256
d813b9d970428be6be220119f6cfab4e1648fb864c9ce46fe90bed2a4c240a37

SHA512
9c51a8e081f3d97ff54348ad026e1429bce098e113ce664f1abb0a98f12d9337fa06ac53a47984edf17476fe0d4669f9fd800975a074c014627e6e965a72e25b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3E0C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\J91AFVPMIK.bat

Filesize
220B

MD5
c75a9176c6579102e121abb10eb8e51a

SHA1
7986eca1a0aaa7e6d5f3e4da72ee0ad502f20105

SHA256
b9b9006fb51af16961f7320b57aa5a0193b08b6260a77c76d6b6ea7fcc09064f

SHA512
7f8338692cccbee41061080d41a2be63862665c09cd08d50fe71a6e9bf107cc481f5714fe060f3747a8921fec08d0376e54d193ea134579248a4f73b19f0f00b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JhLzHEla3w.bat

Filesize
220B

MD5
bc49b8adaac24846d16ad7b9a490f121

SHA1
1889e1ac707b6fd7459cb6a0885d86903b89c5a0

SHA256
731e10bf5b7d27ce07e36d92d4f6179b412658073bda165002b0bc502732ec6b

SHA512
75c20fb2831ee105f07d0c020f739c36f6421a0ca6a6423e5d99076656e032ba591df670452ae12a08cbb32ee71f06c66489df7391ce9b3e3c311c1bc1634992

Download Submit
C:\Users\Admin\AppData\Local\Temp\M53DwaTFc6.bat

Filesize
220B

MD5
aa2656904ac59ce74f0662dc77eded5a

SHA1
c8847ecf4de1f12e251908d211d17e6c0a711cac

SHA256
849d2c2b5bc726ad97426764fa2ac70d7a323f7cb2d4d4997d0f27faf75d5562

SHA512
a3d31049172375e50397a2ab75cff9cc5af969bebb814dd5f6110e9291fcc59a02fd9dffd8211d61e7696f44096fce7f0a2e03b27d388ac6e23ece3983a9df20

Download Submit
C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat

Filesize
220B

MD5
4f915bd33ea9421a65d7b78fb047949f

SHA1
f93c87f89a8a80437fd05b51e2ce6ddff5889362

SHA256
e5a2e1d95ffb2d9db8c0c5ffe676ebb5ec218b7a6b9b2a2faffa363f83bdd824

SHA512
3ec190c9e99a664ede832326a5cabb5c05aada683325a86464fac450cdae57576b7a086dca114163691667f09557c4219d9cc44e8379283186e9911d2aaed2e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\P9uKrkSNlp.bat

Filesize
220B

MD5
68181c49840f3b880596c6bfd63ecb80

SHA1
fddd05db411d6c13b6b2738409b8286b6d42b0ad

SHA256
759f1125ca3bd2b35e4224e8557368d3b352ceb8f0aca0c5e23a2f0445db3803

SHA512
e2f14cbf5b31649efbf0b91c1d51e618596f54a7c5d837802a452af0e77f3394e729d66d088038092fa8f6bef4b0647361b5738f0b8eed019ace0c14a0b49f40

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3E1E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fdSjcfTSOA.bat

Filesize
220B

MD5
51c2a8d31fa8cace016c02f9885d9db3

SHA1
721dc17cc318711ba3cd94423b96235ca32ae358

SHA256
37fb774bb3a528947e8a9dcc3327096079f1f4007a324eef7def766f6b2bfad2

SHA512
c2987cf3b0401a0a637f49a4be08a8a85b5e3bf8d5a998476d6a00836450f364143eb9c8180a074a0568e6338c9a168a70e1b88fad1a7d06d85856998c4f9a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\hevtjRcN1r.bat

Filesize
220B

MD5
5f6123a1ae2d3017703a0b67ca520392

SHA1
7945fcecdab5ca567821b8a4dc3733cba9b8bb5d

SHA256
d4ee267011ef354c421586b3b4755d170c767cdf0b7069a353976058441d936b

SHA512
5b9f3df92d6acb1a3dbc721125dc476a4bb413de930e9067c34d0886c37d92e18a441e8c5495e056671c2e746f61e8cfe745540fb0e0f85e355625890f205580

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcE1qBYVKA.bat

Filesize
220B

MD5
ae11e348e82c3de57da4e23425aa4674

SHA1
70d0775d07ead202a2957cd81bbb3a314bd3500a

SHA256
473ddfdd1a29c2c8113422ff530714b4bab4012e4c5e919199c193b41624f901

SHA512
dff3f8cb9a72ab1ff9780653a162d14caa597f21255328b91af828d18e33b795efb96cbc161ec5a913e7893915f48d0a148f655d6a639ad0b63f49b1fececfd8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e939c12cf10e832414a0b46e15096a9e

SHA1
fb7539c85e060066991d94e30674d61bd977ed86

SHA256
8749d530ee185686d68e536a79dde1287b05535db5c3754fcc124d833bc233bd

SHA512
a868d80245ef3506b813f7b69ce1ab0c4281437a287c2bef1b2102aa7953f0d71988a3c8b495c9b733d6efc4c1990a9db2c3a6f52a1c97e8a9a32e6efd538e58

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/584-597-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/1472-476-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/1728-537-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/1728-536-0x0000000001180000-0x0000000001290000-memory.dmp

Filesize
1.1MB

Download
memory/2268-59-0x0000000000C30000-0x0000000000D40000-memory.dmp

Filesize
1.1MB

Download
memory/2268-60-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2424-54-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2424-55-0x0000000001E20000-0x0000000001E28000-memory.dmp

Filesize
32KB

Download
memory/2568-416-0x0000000000DD0000-0x0000000000EE0000-memory.dmp

Filesize
1.1MB

Download
memory/2824-13-0x00000000012D0000-0x00000000013E0000-memory.dmp

Filesize
1.1MB

Download
memory/2824-16-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/2824-15-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2824-14-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/2824-17-0x0000000000780000-0x000000000078C000-memory.dmp

Filesize
48KB

Download
memory/3060-119-0x0000000000FF0000-0x0000000001100000-memory.dmp

Filesize
1.1MB

Download
memory/3060-356-0x0000000000390000-0x00000000004A0000-memory.dmp

Filesize
1.1MB

Download