dcrat | 5d363497c6056b5b71355359ad9cc781b59ffcf23147252aa8b6cb49a607d209

Analysis

max time kernel
147s
max time network
143s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5d363497c6056b5b71355359ad9cc781b59ffcf23147252aa8b6cb49a607d209.exe
Size

1.3MB
MD5

4d613b65b3f4a7daafe6efb6172a1de7
SHA1

7d592053b446b3597b8663abbe4705bfa6c398aa
SHA256

5d363497c6056b5b71355359ad9cc781b59ffcf23147252aa8b6cb49a607d209
SHA512

20c40ed08f08517b34fb83312067c3bf678138ef55b414d479728a010cc2c6a1baf0205c45c58976900df418a5e4f1a1f0a7cf506f2352619f90619026524a8f
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2836	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2836	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2836	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2836	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2836	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2836	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2836	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2836	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2836	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2836	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2836	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2836	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2836	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2836	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2836	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d66-9.dat	dcrat
behavioral1/memory/1244-13-0x0000000001030000-0x0000000001140000-memory.dmp	dcrat
behavioral1/memory/1640-66-0x00000000012A0000-0x00000000013B0000-memory.dmp	dcrat
behavioral1/memory/1100-302-0x00000000001D0000-0x00000000002E0000-memory.dmp	dcrat
behavioral1/memory/2860-363-0x0000000000930000-0x0000000000A40000-memory.dmp	dcrat
behavioral1/memory/2072-423-0x0000000000D50000-0x0000000000E60000-memory.dmp	dcrat
behavioral1/memory/2908-543-0x00000000010A0000-0x00000000011B0000-memory.dmp	dcrat
behavioral1/memory/1160-604-0x0000000001100000-0x0000000001210000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2532	powershell.exe
1044	powershell.exe
1004	powershell.exe
1616	powershell.exe
1312	powershell.exe
1220	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
1244	DllCommonsvc.exe
1640	Idle.exe
2988	Idle.exe
2792	Idle.exe
1044	Idle.exe
1100	Idle.exe
2860	Idle.exe
2072	Idle.exe
2288	Idle.exe
2908	Idle.exe
1160	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2044	cmd.exe
2044	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
17	raw.githubusercontent.com
20	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
34	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
4	raw.githubusercontent.com
24	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\lsass.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\6203df4a6bafc7	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\ShellNew\lsm.exe	DllCommonsvc.exe
File created	C:\Windows\ShellNew\101b941d020240	DllCommonsvc.exe
File created	C:\Windows\Cursors\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\Cursors\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Windows\Branding\Basebrd\it-IT\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\Branding\Basebrd\it-IT\5940a34987c991	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5d363497c6056b5b71355359ad9cc781b59ffcf23147252aa8b6cb49a607d209.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2908	schtasks.exe
2904	schtasks.exe
2688	schtasks.exe
2372	schtasks.exe
624	schtasks.exe
2796	schtasks.exe
592	schtasks.exe
3024	schtasks.exe
2948	schtasks.exe
2660	schtasks.exe
2772	schtasks.exe
2628	schtasks.exe
1332	schtasks.exe
2000	schtasks.exe
1912	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1244	DllCommonsvc.exe
1244	DllCommonsvc.exe
1244	DllCommonsvc.exe
1244	DllCommonsvc.exe
1244	DllCommonsvc.exe
1220	powershell.exe
1004	powershell.exe
2532	powershell.exe
1616	powershell.exe
1312	powershell.exe
1044	powershell.exe
1640	Idle.exe
2988	Idle.exe
2792	Idle.exe
1044	Idle.exe
1100	Idle.exe
2860	Idle.exe
2072	Idle.exe
2288	Idle.exe
2908	Idle.exe
1160	Idle.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	1244	DllCommonsvc.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	1640	Idle.exe
Token: SeDebugPrivilege	2988	Idle.exe
Token: SeDebugPrivilege	2792	Idle.exe
Token: SeDebugPrivilege	1044	Idle.exe
Token: SeDebugPrivilege	1100	Idle.exe
Token: SeDebugPrivilege	2860	Idle.exe
Token: SeDebugPrivilege	2072	Idle.exe
Token: SeDebugPrivilege	2288	Idle.exe
Token: SeDebugPrivilege	2908	Idle.exe
Token: SeDebugPrivilege	1160	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2492	2708	JaffaCakes118_5d363497c6056b5b71355359ad9cc781b59ffcf23147252aa8b6cb49a607d209.exe	30
PID 2708 wrote to memory of 2492	2708	JaffaCakes118_5d363497c6056b5b71355359ad9cc781b59ffcf23147252aa8b6cb49a607d209.exe	30
PID 2708 wrote to memory of 2492	2708	JaffaCakes118_5d363497c6056b5b71355359ad9cc781b59ffcf23147252aa8b6cb49a607d209.exe	30
PID 2708 wrote to memory of 2492	2708	JaffaCakes118_5d363497c6056b5b71355359ad9cc781b59ffcf23147252aa8b6cb49a607d209.exe	30
PID 2492 wrote to memory of 2044	2492	WScript.exe	31
PID 2492 wrote to memory of 2044	2492	WScript.exe	31
PID 2492 wrote to memory of 2044	2492	WScript.exe	31
PID 2492 wrote to memory of 2044	2492	WScript.exe	31
PID 2044 wrote to memory of 1244	2044	cmd.exe	33
PID 2044 wrote to memory of 1244	2044	cmd.exe	33
PID 2044 wrote to memory of 1244	2044	cmd.exe	33
PID 2044 wrote to memory of 1244	2044	cmd.exe	33
PID 1244 wrote to memory of 2532	1244	DllCommonsvc.exe	50
PID 1244 wrote to memory of 2532	1244	DllCommonsvc.exe	50
PID 1244 wrote to memory of 2532	1244	DllCommonsvc.exe	50
PID 1244 wrote to memory of 1044	1244	DllCommonsvc.exe	51
PID 1244 wrote to memory of 1044	1244	DllCommonsvc.exe	51
PID 1244 wrote to memory of 1044	1244	DllCommonsvc.exe	51
PID 1244 wrote to memory of 1004	1244	DllCommonsvc.exe	53
PID 1244 wrote to memory of 1004	1244	DllCommonsvc.exe	53
PID 1244 wrote to memory of 1004	1244	DllCommonsvc.exe	53
PID 1244 wrote to memory of 1220	1244	DllCommonsvc.exe	54
PID 1244 wrote to memory of 1220	1244	DllCommonsvc.exe	54
PID 1244 wrote to memory of 1220	1244	DllCommonsvc.exe	54
PID 1244 wrote to memory of 1312	1244	DllCommonsvc.exe	55
PID 1244 wrote to memory of 1312	1244	DllCommonsvc.exe	55
PID 1244 wrote to memory of 1312	1244	DllCommonsvc.exe	55
PID 1244 wrote to memory of 1616	1244	DllCommonsvc.exe	56
PID 1244 wrote to memory of 1616	1244	DllCommonsvc.exe	56
PID 1244 wrote to memory of 1616	1244	DllCommonsvc.exe	56
PID 1244 wrote to memory of 1816	1244	DllCommonsvc.exe	62
PID 1244 wrote to memory of 1816	1244	DllCommonsvc.exe	62
PID 1244 wrote to memory of 1816	1244	DllCommonsvc.exe	62
PID 1816 wrote to memory of 1000	1816	cmd.exe	64
PID 1816 wrote to memory of 1000	1816	cmd.exe	64
PID 1816 wrote to memory of 1000	1816	cmd.exe	64
PID 1816 wrote to memory of 1640	1816	cmd.exe	65
PID 1816 wrote to memory of 1640	1816	cmd.exe	65
PID 1816 wrote to memory of 1640	1816	cmd.exe	65
PID 1640 wrote to memory of 2916	1640	Idle.exe	67
PID 1640 wrote to memory of 2916	1640	Idle.exe	67
PID 1640 wrote to memory of 2916	1640	Idle.exe	67
PID 2916 wrote to memory of 2588	2916	cmd.exe	69
PID 2916 wrote to memory of 2588	2916	cmd.exe	69
PID 2916 wrote to memory of 2588	2916	cmd.exe	69
PID 2916 wrote to memory of 2988	2916	cmd.exe	70
PID 2916 wrote to memory of 2988	2916	cmd.exe	70
PID 2916 wrote to memory of 2988	2916	cmd.exe	70
PID 2988 wrote to memory of 1900	2988	Idle.exe	71
PID 2988 wrote to memory of 1900	2988	Idle.exe	71
PID 2988 wrote to memory of 1900	2988	Idle.exe	71
PID 1900 wrote to memory of 2056	1900	cmd.exe	73
PID 1900 wrote to memory of 2056	1900	cmd.exe	73
PID 1900 wrote to memory of 2056	1900	cmd.exe	73
PID 1900 wrote to memory of 2792	1900	cmd.exe	74
PID 1900 wrote to memory of 2792	1900	cmd.exe	74
PID 1900 wrote to memory of 2792	1900	cmd.exe	74
PID 2792 wrote to memory of 1964	2792	Idle.exe	75
PID 2792 wrote to memory of 1964	2792	Idle.exe	75
PID 2792 wrote to memory of 1964	2792	Idle.exe	75
PID 1964 wrote to memory of 1212	1964	cmd.exe	77
PID 1964 wrote to memory of 1212	1964	cmd.exe	77
PID 1964 wrote to memory of 1212	1964	cmd.exe	77
PID 1964 wrote to memory of 1044	1964	cmd.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5d363497c6056b5b71355359ad9cc781b59ffcf23147252aa8b6cb49a607d209.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5d363497c6056b5b71355359ad9cc781b59ffcf23147252aa8b6cb49a607d209.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\it-IT\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellNew\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\Basebrd\it-IT\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ab5sWPCCjC.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1816
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1000
      - C:\Windows\Cursors\Idle.exe
        
        "C:\Windows\Cursors\Idle.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OWdtHMBUzi.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2588
        
        C:\Windows\Cursors\Idle.exe
        
        "C:\Windows\Cursors\Idle.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K3fI8Bd254.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2056
        
        C:\Windows\Cursors\Idle.exe
        
        "C:\Windows\Cursors\Idle.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aPx44ABVco.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1212
        
        C:\Windows\Cursors\Idle.exe
        
        "C:\Windows\Cursors\Idle.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U04fYIssV3.bat"
        13⤵
        
        PID:1480
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2784
        
        C:\Windows\Cursors\Idle.exe
        
        "C:\Windows\Cursors\Idle.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iRE9Vp3kbL.bat"
        15⤵
        
        PID:2816
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1408
        
        C:\Windows\Cursors\Idle.exe
        
        "C:\Windows\Cursors\Idle.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nm0aad8I0L.bat"
        17⤵
        
        PID:1788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1244
        
        C:\Windows\Cursors\Idle.exe
        
        "C:\Windows\Cursors\Idle.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QOz0umrEhM.bat"
        19⤵
        
        PID:1736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2236
        
        C:\Windows\Cursors\Idle.exe
        
        "C:\Windows\Cursors\Idle.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nKCzYbro9F.bat"
        21⤵
        
        PID:2012
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2300
        
        C:\Windows\Cursors\Idle.exe
        
        "C:\Windows\Cursors\Idle.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat"
        23⤵
        
        PID:2940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1264
        
        C:\Windows\Cursors\Idle.exe
        
        "C:\Windows\Cursors\Idle.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellNew\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\ShellNew\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellNew\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\Cursors\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Cursors\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\Branding\Basebrd\it-IT\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\it-IT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Branding\Basebrd\it-IT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f034bd4d35959f3a0a60f07a9bd818e8

SHA1
30b783453b7eb0e1cccded740d67757a192016a2

SHA256
27c1f9fd4df7ac5db702684d8c710d436ecf60efd6e404d68bdf77f7d3e673d9

SHA512
7b1061f2b041128a950d2cdda18f7828590218f5fbde53af15eeff09a46b6ee232fbb4b97a424efd2214694e66ae0d7de6354fcb90b1dff276d61dfed45a1065

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf1e0710903f531ec48eb78a06f31f4a

SHA1
9c30a7122bf504b2ace73f301fd6b9a6cea06162

SHA256
8a50b20b47b61c9196bc8e7866bf29913c900fbe8cb40818c3b0dfd0e4f2153d

SHA512
5c23730839754339b16c26652347932ce9758ff341795dbb7bf68a799a0eea9176610ebe664f0ab74089fad620914127a03f01cae687a3c36306e6af6fb319bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fef4d16fd9fb4bf4de545f5a6b47f221

SHA1
299982f1a22d4261b7bb47f098a4f1e694436e72

SHA256
2ca7ee06eceb4654e6f385f685dc5bab5ebe48d9e5230ca67c731bc8c48ea022

SHA512
42dd78f54bea56ac8db4c74654619f0c22fad2c6ffd6a27a1d69ba52b5fb6cd7ffe636ec6a9ed80ae4f169336008e4cef676167816ac4a9f7d0ead307eee3b8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3060476eb312085ab0ba28ba2a5fa24f

SHA1
ae2187733d2aa9c4e500991564da606c0e4de51d

SHA256
96e239dc06cd73054e87db757c3fda1318efe015a34a647ee85f1ad8922381b4

SHA512
dd2fd78ec77be101eb7e08318a561b24c369b83b373426c90fa59a673d0beb80ecae1e76ba4f6004ef7f911d54d9a6eb5d6236691f42e5e29097061c4209f22b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
239095e2397a6ba6016c8f5d893f6778

SHA1
5ae39f243b39228bb36d554ac3b9044226640976

SHA256
0ca43e9fbcb58fc52a9290354fdc0f5ba73b499ef6c0838360a7485441b60131

SHA512
cac198d4df64d0d97a9331e3520cba0f028749e064829711f3e5e63ff9068fa9136683f9253434ed5a4d485ce054b73c70b14d7ed588ec7d8ad41235d5f2db73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
25193331c15e3d7078bf57eea5d70476

SHA1
38af4d389b807e15a855c98746422e8970ec7d9f

SHA256
566570b58a57f2d686181fd245eaa48c062dff1d3c643c639d203a10bb784476

SHA512
9ac43b39e5676d5322865721f6e100d048e009885e14cb5547b5c83892a7633fdfc1287ecf5dd2c9b73324944af4834e7cf0ed50c7027ebc568b177dbb126298

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f88675f9cbf0f811c7cf1b9f1a8d9f62

SHA1
286ac982498a5e5b0d1f52d0398d35ce2181b1e3

SHA256
ace02b30d39477dcaade923c5e610fb351a3891e7956b09c3507fd549795c954

SHA512
59156e50c2436c594f9e15b2ff3ee2d35e13dfe547155b5782c3d11017921fa68fdb8a534b3e45a6b8a3748fef3368df1209d8ef85ad4ad5e912e3648fb570da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ebb77c2317a82ad4bba2839c484fc24

SHA1
d47149cb27f43f74b6f7901016ebd9af527b35b9

SHA256
b1916353f97713ebdd16585323f68282de7a5797a6af147e1a180e262567a356

SHA512
c9ca7919afcc1e33bf53e4e127553e9f81a8e026b0730e4230e0c876fbf128da7efe629cf5ab0c043a95d662ad6c2244b986a8a262c396ec29a6b364d8d91978

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFCC8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\K3fI8Bd254.bat

Filesize
192B

MD5
803c9db912d9cd601ff14305b5305d8d

SHA1
e2405ee490560d369b35b661d6f203576f433659

SHA256
e068986253c8668c914d5762af26e832c4f5c070a72c97de85023fcc5ebd707c

SHA512
cbbebb490a11fbacfd8f84abc42fa34fedc43b7eb0d06840346eb82a0421b07eff18ea3cd8f85c0baf6a1ddfcb89a299a2317f72cde5c4515fc141569605f4a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nm0aad8I0L.bat

Filesize
192B

MD5
728302a7b42b8b4a799ab2b0511168a6

SHA1
982bf533c41022f5e14524a4715b9e9ead7ae7cd

SHA256
39a4696c41d472ae3128fd043b5629973f91684061c6911eca363e75615ade5f

SHA512
4a020065a9fc1217631fac4828044c1fecc688c42c0eb9ecd7554f89f0ee681feef8ea3d802d68aebfe67af2e0d70e5ea9fa7fb745f37bd97f901284f72cfd75

Download Submit
C:\Users\Admin\AppData\Local\Temp\OWdtHMBUzi.bat

Filesize
192B

MD5
967664f171298cdb00ec5ea5c8d847bf

SHA1
c1bf19ce8404eef9872d7d651242d219f41a693c

SHA256
ecfe3b8815881cb3f3e0dc05c64466b10aa521a59df8bf2f48d30d668e29a511

SHA512
12c96a7854d001178db8709e010d9bab1756299d6f3e1e588509b944e3fad845324f28c11526348cc90f26374be671692ce1c9292d5f7ae434ae80d9ba3eabd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QOz0umrEhM.bat

Filesize
192B

MD5
bf0076a3dabd6c4d25a7bde1806f72ce

SHA1
f848d8b7d7cde81cf576b2f5ff15c78e536889a3

SHA256
c479e50dc8b4698c7afa8e8cf22fdd97bd827bf798562f629f26efdc2703335c

SHA512
15131478e611e6606b555c448795130c4060d0188831a9bdd218b7d3c24e49a7d4d8b50a4b6f615c3eef04259beae3bebb44d43143594f9de9079909f2d1e33e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFCEA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\U04fYIssV3.bat

Filesize
192B

MD5
203ee82cb02b2656cdcdd4078d1515ef

SHA1
8c079493811d57efc6155683b7a46492ef33db4f

SHA256
dfe54501cf08d4cfad9feded52875bbccb66b7e0ae915fe9eea48a545f2d1b80

SHA512
245ad8c5ff48c2cc16a815e688f632ba0372b2c915acfae6a31724e591cbbdf90adb0afa0f2263a722d7655fd724441d191514e401ee48c3dd4359435c77faed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat

Filesize
192B

MD5
8de115c7bb4f7d6eee74d2769980aeef

SHA1
ff0ef25914f2df724203002e953da2977dffdcfd

SHA256
a9f7829189a778c76a53c9da28cbc89d5a757d2ecf343c3b03faead528352236

SHA512
be932340868c78cbe5bd537343aa420bb2b4f102bea8d29e85058ddd1508123f9f2fefe936de03900123e22722e966e401a02169ab2d651ed9d897f92ac69f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\aPx44ABVco.bat

Filesize
192B

MD5
c6809e1e142c8700795bbb5901d8cf05

SHA1
4a7c163b19249696c882d022bb796ad3c6fa47c1

SHA256
ccf9552620d4f69f15803a828f5c67b3f3e80dc2ff8c76b12653438792db43e4

SHA512
ad54c2b2756d42963eb7b3907e59ee534f87f2e187df1c1212300952888de9a2cb65582080a1de7091f362d445d4f71b2711c87a658f7fead00b87395e084227

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab5sWPCCjC.bat

Filesize
192B

MD5
93ecb34950f89c1387f051ba598b6505

SHA1
3aa97be77828167b21fed4ddb5d82546e0fc745c

SHA256
25022cccd5e537ce0b6bb83ae5d3c493efc67f53560c975e47aac65047745991

SHA512
cf9e4e3ab0f7372783e107b2b720504f8cda21e1aa09fd1251edcbb15f3f7a228063b54ba1f65cfa77dd2099ea7929558a204ddc82da0e7bf678d0885297507d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iRE9Vp3kbL.bat

Filesize
192B

MD5
60a03f84e6064e78090ad1511285e724

SHA1
7865dc1e94f10882c7c9351eb3ee8b12b4859399

SHA256
3c007b11ec88b38452f641151b98770ab4f894831a89181b9aa7c0adc85bf50e

SHA512
b885de9358cd2f4a347d416fa9b06ed92678bf6b684430f1718b577a067538cd85ff8845c60d54809e1d7e14dd542734b92da61347c75d9e108bdf3de656a1e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nKCzYbro9F.bat

Filesize
192B

MD5
98e893ce0b0d71c195c80d29345829ca

SHA1
3f91595a5c99acd4ea34637641513fc6160fa3a8

SHA256
34b17207afd641253b0a9568df31c26212eef60d3eb69cf823037976a7ce2167

SHA512
b44e1753fd973cb56022ad7f6c3a1e0159c47afc387fcdaa3806579d9bda8ca6cb47075b83fb2262653c83fe250ecb082e4d0a63e064fa20442905c62fdb3e91

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cd0067b6370058c0d2eeb37eac409aa2

SHA1
88e8c82f6ad4a0cd7c429c4f1309d3b624ab8269

SHA256
765d64db5e69e4c76df2e4c9c888e3188433d89e3dc5fd91bab64547cd442af1

SHA512
86e20aa93c09814636431bf5e640a9c0f6885464e3e68f2a04f600081181480cef888722cd56ad13ea34b0eb812ebb26da47b85b88f894f0b0a5ec8f5f8448d0

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1004-46-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/1100-303-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/1100-302-0x00000000001D0000-0x00000000002E0000-memory.dmp

Filesize
1.1MB

Download
memory/1160-604-0x0000000001100000-0x0000000001210000-memory.dmp

Filesize
1.1MB

Download
memory/1220-53-0x0000000002870000-0x0000000002878000-memory.dmp

Filesize
32KB

Download
memory/1244-15-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/1244-16-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/1244-14-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/1244-13-0x0000000001030000-0x0000000001140000-memory.dmp

Filesize
1.1MB

Download
memory/1244-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1640-66-0x00000000012A0000-0x00000000013B0000-memory.dmp

Filesize
1.1MB

Download
memory/2072-423-0x0000000000D50000-0x0000000000E60000-memory.dmp

Filesize
1.1MB

Download
memory/2288-483-0x00000000002E0000-0x00000000002F2000-memory.dmp

Filesize
72KB

Download
memory/2860-363-0x0000000000930000-0x0000000000A40000-memory.dmp

Filesize
1.1MB

Download
memory/2908-543-0x00000000010A0000-0x00000000011B0000-memory.dmp

Filesize
1.1MB

Download
memory/2908-544-0x00000000005C0000-0x00000000005D2000-memory.dmp

Filesize
72KB

Download