dcrat | b974c77114eb940fcfd34d3fcf7d4ed1ddb7fab25798a773bccef0a80a7de001

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b974c77114eb940fcfd34d3fcf7d4ed1ddb7fab25798a773bccef0a80a7de001.exe
Size

1.3MB
MD5

4b64d9459b058632c44b201fc49b6279
SHA1

1f8a5288c8a628f817996a8d3dd493241c2c784e
SHA256

b974c77114eb940fcfd34d3fcf7d4ed1ddb7fab25798a773bccef0a80a7de001
SHA512

b62275fdd2d83a02541b322bd564c3bc56b0ef742c16dd9fc976db18af80e5d2d6d043ac87d73ceec1b36b6ce4b3c9acbbc18d776ba043645454146822fb4b6c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2780	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001920f-9.dat	dcrat
behavioral1/memory/2604-13-0x0000000001180000-0x0000000001290000-memory.dmp	dcrat
behavioral1/memory/848-41-0x0000000001260000-0x0000000001370000-memory.dmp	dcrat
behavioral1/memory/1768-118-0x00000000001A0000-0x00000000002B0000-memory.dmp	dcrat
behavioral1/memory/2660-178-0x00000000001D0000-0x00000000002E0000-memory.dmp	dcrat
behavioral1/memory/2352-238-0x0000000001080000-0x0000000001190000-memory.dmp	dcrat
behavioral1/memory/2088-357-0x0000000001290000-0x00000000013A0000-memory.dmp	dcrat
behavioral1/memory/1944-536-0x00000000001C0000-0x00000000002D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1444	powershell.exe
1664	powershell.exe
1988	powershell.exe
1736	powershell.exe
1928	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2604	DllCommonsvc.exe
848	OSPPSVC.exe
1768	OSPPSVC.exe
2660	OSPPSVC.exe
2352	OSPPSVC.exe
1456	OSPPSVC.exe
2088	OSPPSVC.exe
3064	OSPPSVC.exe
2100	OSPPSVC.exe
1944	OSPPSVC.exe

Loads dropped DLL 2 IoCs

pid	Process
2336	cmd.exe
2336	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
32	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
22	raw.githubusercontent.com
28	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
18	raw.githubusercontent.com
25	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Sync Framework\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\0a1fd5f707cd16	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b974c77114eb940fcfd34d3fcf7d4ed1ddb7fab25798a773bccef0a80a7de001.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2372	schtasks.exe
2636	schtasks.exe
2808	schtasks.exe
2560	schtasks.exe
2516	schtasks.exe
2544	schtasks.exe
2984	schtasks.exe
1136	schtasks.exe
1992	schtasks.exe
768	schtasks.exe
1876	schtasks.exe
1960	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2604	DllCommonsvc.exe
1988	powershell.exe
1664	powershell.exe
1928	powershell.exe
1444	powershell.exe
1736	powershell.exe
848	OSPPSVC.exe
1768	OSPPSVC.exe
2660	OSPPSVC.exe
2352	OSPPSVC.exe
1456	OSPPSVC.exe
2088	OSPPSVC.exe
3064	OSPPSVC.exe
2100	OSPPSVC.exe
1944	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	DllCommonsvc.exe
Token: SeDebugPrivilege	848	OSPPSVC.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	1768	OSPPSVC.exe
Token: SeDebugPrivilege	2660	OSPPSVC.exe
Token: SeDebugPrivilege	2352	OSPPSVC.exe
Token: SeDebugPrivilege	1456	OSPPSVC.exe
Token: SeDebugPrivilege	2088	OSPPSVC.exe
Token: SeDebugPrivilege	3064	OSPPSVC.exe
Token: SeDebugPrivilege	2100	OSPPSVC.exe
Token: SeDebugPrivilege	1944	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 2388	1016	JaffaCakes118_b974c77114eb940fcfd34d3fcf7d4ed1ddb7fab25798a773bccef0a80a7de001.exe	30
PID 1016 wrote to memory of 2388	1016	JaffaCakes118_b974c77114eb940fcfd34d3fcf7d4ed1ddb7fab25798a773bccef0a80a7de001.exe	30
PID 1016 wrote to memory of 2388	1016	JaffaCakes118_b974c77114eb940fcfd34d3fcf7d4ed1ddb7fab25798a773bccef0a80a7de001.exe	30
PID 1016 wrote to memory of 2388	1016	JaffaCakes118_b974c77114eb940fcfd34d3fcf7d4ed1ddb7fab25798a773bccef0a80a7de001.exe	30
PID 2388 wrote to memory of 2336	2388	WScript.exe	31
PID 2388 wrote to memory of 2336	2388	WScript.exe	31
PID 2388 wrote to memory of 2336	2388	WScript.exe	31
PID 2388 wrote to memory of 2336	2388	WScript.exe	31
PID 2336 wrote to memory of 2604	2336	cmd.exe	33
PID 2336 wrote to memory of 2604	2336	cmd.exe	33
PID 2336 wrote to memory of 2604	2336	cmd.exe	33
PID 2336 wrote to memory of 2604	2336	cmd.exe	33
PID 2604 wrote to memory of 1444	2604	DllCommonsvc.exe	47
PID 2604 wrote to memory of 1444	2604	DllCommonsvc.exe	47
PID 2604 wrote to memory of 1444	2604	DllCommonsvc.exe	47
PID 2604 wrote to memory of 1664	2604	DllCommonsvc.exe	48
PID 2604 wrote to memory of 1664	2604	DllCommonsvc.exe	48
PID 2604 wrote to memory of 1664	2604	DllCommonsvc.exe	48
PID 2604 wrote to memory of 1928	2604	DllCommonsvc.exe	49
PID 2604 wrote to memory of 1928	2604	DllCommonsvc.exe	49
PID 2604 wrote to memory of 1928	2604	DllCommonsvc.exe	49
PID 2604 wrote to memory of 1988	2604	DllCommonsvc.exe	50
PID 2604 wrote to memory of 1988	2604	DllCommonsvc.exe	50
PID 2604 wrote to memory of 1988	2604	DllCommonsvc.exe	50
PID 2604 wrote to memory of 1736	2604	DllCommonsvc.exe	51
PID 2604 wrote to memory of 1736	2604	DllCommonsvc.exe	51
PID 2604 wrote to memory of 1736	2604	DllCommonsvc.exe	51
PID 2604 wrote to memory of 848	2604	DllCommonsvc.exe	57
PID 2604 wrote to memory of 848	2604	DllCommonsvc.exe	57
PID 2604 wrote to memory of 848	2604	DllCommonsvc.exe	57
PID 848 wrote to memory of 2052	848	OSPPSVC.exe	59
PID 848 wrote to memory of 2052	848	OSPPSVC.exe	59
PID 848 wrote to memory of 2052	848	OSPPSVC.exe	59
PID 2052 wrote to memory of 1516	2052	cmd.exe	61
PID 2052 wrote to memory of 1516	2052	cmd.exe	61
PID 2052 wrote to memory of 1516	2052	cmd.exe	61
PID 2052 wrote to memory of 1768	2052	cmd.exe	62
PID 2052 wrote to memory of 1768	2052	cmd.exe	62
PID 2052 wrote to memory of 1768	2052	cmd.exe	62
PID 1768 wrote to memory of 2732	1768	OSPPSVC.exe	63
PID 1768 wrote to memory of 2732	1768	OSPPSVC.exe	63
PID 1768 wrote to memory of 2732	1768	OSPPSVC.exe	63
PID 2732 wrote to memory of 2652	2732	cmd.exe	65
PID 2732 wrote to memory of 2652	2732	cmd.exe	65
PID 2732 wrote to memory of 2652	2732	cmd.exe	65
PID 2732 wrote to memory of 2660	2732	cmd.exe	66
PID 2732 wrote to memory of 2660	2732	cmd.exe	66
PID 2732 wrote to memory of 2660	2732	cmd.exe	66
PID 2660 wrote to memory of 832	2660	OSPPSVC.exe	67
PID 2660 wrote to memory of 832	2660	OSPPSVC.exe	67
PID 2660 wrote to memory of 832	2660	OSPPSVC.exe	67
PID 832 wrote to memory of 1884	832	cmd.exe	69
PID 832 wrote to memory of 1884	832	cmd.exe	69
PID 832 wrote to memory of 1884	832	cmd.exe	69
PID 832 wrote to memory of 2352	832	cmd.exe	70
PID 832 wrote to memory of 2352	832	cmd.exe	70
PID 832 wrote to memory of 2352	832	cmd.exe	70
PID 2352 wrote to memory of 2596	2352	OSPPSVC.exe	71
PID 2352 wrote to memory of 2596	2352	OSPPSVC.exe	71
PID 2352 wrote to memory of 2596	2352	OSPPSVC.exe	71
PID 2596 wrote to memory of 2972	2596	cmd.exe	73
PID 2596 wrote to memory of 2972	2596	cmd.exe	73
PID 2596 wrote to memory of 2972	2596	cmd.exe	73
PID 2596 wrote to memory of 1456	2596	cmd.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b974c77114eb940fcfd34d3fcf7d4ed1ddb7fab25798a773bccef0a80a7de001.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b974c77114eb940fcfd34d3fcf7d4ed1ddb7fab25798a773bccef0a80a7de001.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
    - - C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:848
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vbXk1H8t4K.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1516
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wm5t4PlH1R.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2652
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1884
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Rhkc0SdEF2.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2972
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat"
        14⤵
        
        PID:1096
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2800
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3j9hYFnRH7.bat"
        16⤵
        
        PID:2960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2324
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KxKP0srito.bat"
        18⤵
        
        PID:2604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1984
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat"
        20⤵
        
        PID:2564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2636
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDq7RH5Uwz.bat"
        22⤵
        
        PID:1960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52e5ff0538a4448d04038ef3c318aae0

SHA1
26c3036180c849fb8e2951897b28bdad82f39051

SHA256
c50ff48a1d383d9a52373726e71d508e330bc5d99599ddc70ef519983afa0d29

SHA512
8856f883ae30a39279ed5798c7c2df2399c714d0f924ddcfafd1edcf27a3ecffb7ca3e246a4392ac44d2900015a8d609914524c927ffe037c022c6ce510973ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1491cbbeee7391710c9a7fd26cfa0078

SHA1
c56472527c751cf8986fddd7477efabc3cc2841c

SHA256
2242a1f3d89570b4be296a505dbee28d2ce2357f6c663768dc2d719a6aef0bf6

SHA512
99040ea6b3731504dac0671a45176c5399324a55eb1e4576c9caf837cfff82158d85c550b4555605d171971b9f99337527c8c235b996571b044da038f2655c46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6edf08ad7e67797ea084b9fa14deadca

SHA1
199e97827faed641e9cb37f6aa7263b580716007

SHA256
e6a55df2cc892c9b9d1d993b141af01a2ab229d63f1ef6d419a81fce32403ac7

SHA512
48838c8a1d91c62ffb1cde87b1a6bcf675e28f13e2deddec06b7790b8df10c679c5df05dd2948c379f8f569d003458e004a0dbc5710dfffd0e94cb45121d757c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1fc86b1748d0ecff986b8ac9fad41bfd

SHA1
3eff631aaaebbf22a567aadd8cad22cb348dc676

SHA256
44fae4425b751118f823943cbcec5dc215d0c96744258aaccc35a2ac18cb89be

SHA512
608b7b2bfe172069c0656e67bb9561d8d5b9779a4f7ed66f536b7701f720a057c65496143db1494d112154634801b9fa6bd688aab166d497066f158ed9890d5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aae084cfd3c12333a8c8b7e9ac0d3f54

SHA1
aa7a98eb950856b543a91d1a1f920dd1b38c08c4

SHA256
9879ab177c08ee968a3bc75b55036d250030177234fdbb4071dbb2614782fedc

SHA512
47c5f9a098f40d770dec93049c6135b5d824cb620dbd85c0e1ac97aba5f24206311d72d8dcf26c281d9965bdd51c856d88366a81ca9d4defb6e38b44c2a3e20e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e73ba1bf0a3cdc0668314372bcced2df

SHA1
30e9bff4ac2eedb523cc9939b88170e4cb7a64be

SHA256
b2fe9f0a9502f940aa7f19386ad33a47a6692ee6b99cb1e0640b315afe4274ae

SHA512
3eaa51fadef2cca1d665a81b9ce6d5d3f24032761a247ad36a091d548ff3f25fb5b2c77eb9d1f9f439b76ac0d90fb788cd5c6587518cc1a5c33d7077ce4bfb71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b10002dcb3c99f7df4aed356e6336d22

SHA1
7c1320751ce1b74c7683f7ce03ae382382fd3bc0

SHA256
b78da07d501b9ab4646c8f346191b75cbc25fa0b4873489854e57683ba9600a0

SHA512
2bdab69b65e572ca7ada3b47bf01f71866946943cb7d9a0d354296367f16e5786a86688e79bf195f270ca8bb59fcdb22c721cb57f8b51b4946302f830b2615c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9011e95c37f3665d9ba0f68f8910cd8

SHA1
3ee22b8bdc61f118b4f6ffe300b430ba05b80fc3

SHA256
7a6d54ee1f0965fbe1be692d9ab03b2f9d8f0db6fc8f430f1a26d146c4c6a079

SHA512
db62870d7257286ed3c8baa5abb413d75b52ce31dd3798f115f3b1f772e1f0353e6dde2fb72c0943954dbbbae57fe307aff49bb5575d9a945654a10bbb565a0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3j9hYFnRH7.bat

Filesize
252B

MD5
29f380531959e8c414450183179c1759

SHA1
2eb3401aca8a7eb32df8e3bed2d0d8e8f8ec581b

SHA256
87bb73a4994fdd75b18e11334f758a3a3db2540a6183b2856eebfba9eb96e9f6

SHA512
8673c20de01723a173cacb27fbc320170aaf78b768de55539920a89ecb230a7e75a319d34774eb1de675e8d34634d7af5af554ed4e8d0d4aaf88a35432c0e0bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat

Filesize
252B

MD5
25e9e786497ff054148bef4090f2e87c

SHA1
e4e66d9af37ba7d7b365596087c7cdd92e1d2e94

SHA256
06f7223fd097bd213b98500cdea01dafc7476690c8ce8e57ca3d00b2a9d2d514

SHA512
9f7f13d2433a33cacbf864c38ff93527c9677231f23e432dc5bd1497ceb5f6609cecd4ff093bcbba3e173696f7d3764bbcbf8ddabcc4a20b8ae533ab9ce89da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat

Filesize
252B

MD5
5f54a2fa7f860aab9f3c6e82a2b9176c

SHA1
c1947ac03677a7d5938db3bcffca395b1359a672

SHA256
c91cffa39b6d9cc036970c22ef0e6e4dedda3f14383db83052b45f9284210068

SHA512
b9fc98fc0740e97c2972e7356f4a59a66ba1fdad6452eacb473346914dc3143df1fa621223b7509c54382b9752a2c12b7f8e33741b5dcf0bea02b2503ff48091

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF356.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KxKP0srito.bat

Filesize
252B

MD5
1c99830bc224b6705bd176303e59e638

SHA1
f43245d79f1d7e4a0154b3e267d0b15927656081

SHA256
94a9e45e2eb4610b4ed7d322340f78c3384353ad6d7f53d1b4a683e34bb50d7c

SHA512
cfd08d40656a923c20ecd4064bfe4bc714045742076cf4aea119cac8140191e88946522ee8d7400a87bd126336a980ecb9bd77431b311fbd81a3af411e32094b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rhkc0SdEF2.bat

Filesize
252B

MD5
ac18eefdf039f0bf538c8da5ae9b2a23

SHA1
681778f1901d7f600d52225e8c7b25d7fcc4c79d

SHA256
6339ea98061c6126e2556f316ff362fa96350634f72f1d1429f40c80f8502b1b

SHA512
340a27b3e2093324b33d8cf24db05f8c4667a1d03327cb9b419ac38c3f07255282eb3df9d66e5889d2e86ebbc80f070d707ba6ed351a0bcfd0f47df8a54cfdd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF369.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wm5t4PlH1R.bat

Filesize
252B

MD5
5116291ba8792841ad2052ae1cdab682

SHA1
24f9893e7740f2bc578189e8fe398045ea8cbba8

SHA256
ded159abc53d521ef6165e735357c5d0da3fafb15ab50b75fa3f08abf8a2275a

SHA512
8904e713885efaf341aef0157497ae93722b04c5b5d9dded99f4dc670dc728986422aa3860125c24e4f49f3c0c3eb4e5a295caabfd360e45eee2363c3e4ddfb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat

Filesize
252B

MD5
670c11d8eb92d986141b656ba7003c2e

SHA1
14177c78e4fa2cb55bec6af46f3162803c4ca038

SHA256
a39c70e9c73081bf2b91bdb068adda826c42698d831a467efef5be758d50c279

SHA512
51dd8ddab8bc5bbcc4db032bf21ec28ff58ea7d8bce24b86c38d1f607e4ec26c8b2a2420b75438b3994870264532a0e76c5d66e04803e8f85e81e2c141a4a74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nDq7RH5Uwz.bat

Filesize
252B

MD5
e8ee4485252839a28026c620bf7649a0

SHA1
fd3e5a3dd4ae32ed369a2ef70ba59f85339b0b71

SHA256
00f31e1645f4f6197673b6e50e45f91b34a7c6823aa1ee92f48d74b43b00bd94

SHA512
4ed42ca874b7c8bcfb53e737fc405b46a4823ffd61ba470073474ff012a0499c44885eafee55dc2e686ba790ac17b4f3117e1b89d048f50835606bd95f96a746

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbXk1H8t4K.bat

Filesize
252B

MD5
81ea5d4e76a7cecb562548059f46cf33

SHA1
8caa32201169dde137e8f6265d6ee6543e3cda42

SHA256
aa9138302662bd340fa32abe731243a5d498255cb24898995acae0386160cfde

SHA512
75b89c44513971e4fac22a4465105c8af447276cb981d120d883c0bff1d6eda979881cdfb7200bef26b1aaaed788b1ac459186333feb4eefcd9865082f6f0300

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5CYHP3VJBCZ0OICCQ27E.temp

Filesize
7KB

MD5
db0ab7059c59618269557aff386bc1e3

SHA1
9ba518fea149e28e7e0dbc848094c0781d9d6c79

SHA256
85232fd2aabbb501c0d0eb5856c32ffae675438175022652b205567b567d3d34

SHA512
3b3bfbe94f295de380982cd9f8a01bf30eaa689ce0b8b1a0dcece7fa81f937579df4deedb5988b13f192349f985a74e5a49a8c942b6ce70eb0fb9ad856622c2e

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/848-41-0x0000000001260000-0x0000000001370000-memory.dmp

Filesize
1.1MB

Download
memory/848-59-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/1768-118-0x00000000001A0000-0x00000000002B0000-memory.dmp

Filesize
1.1MB

Download
memory/1944-536-0x00000000001C0000-0x00000000002D0000-memory.dmp

Filesize
1.1MB

Download
memory/1988-58-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/1988-52-0x000000001B520000-0x000000001B802000-memory.dmp

Filesize
2.9MB

Download
memory/2088-357-0x0000000001290000-0x00000000013A0000-memory.dmp

Filesize
1.1MB

Download
memory/2100-476-0x00000000001E0000-0x00000000001F2000-memory.dmp

Filesize
72KB

Download
memory/2352-238-0x0000000001080000-0x0000000001190000-memory.dmp

Filesize
1.1MB

Download
memory/2604-17-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2604-16-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2604-15-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2604-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2604-13-0x0000000001180000-0x0000000001290000-memory.dmp

Filesize
1.1MB

Download
memory/2660-178-0x00000000001D0000-0x00000000002E0000-memory.dmp

Filesize
1.1MB

Download