dcrat | 616c9884d2c2bfa9f7e73c42edacb0be3f82c2de8fae9f691f036c72b49b7170

Analysis

max time kernel
143s
max time network
142s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_616c9884d2c2bfa9f7e73c42edacb0be3f82c2de8fae9f691f036c72b49b7170.exe
Size

1.3MB
MD5

1197f2d96726ec6c05819705526fd74e
SHA1

c50bb7940e11a4b1ab98043915b1c63123f5eeb8
SHA256

616c9884d2c2bfa9f7e73c42edacb0be3f82c2de8fae9f691f036c72b49b7170
SHA512

f51dfb7bb0aa6d6c4fc8489cef585df7a4e8a7b6b4d0f77f4c261652c43e2868427963b139c0abcf819c234fd71d4f248d8b12d5403dcc521049dd35f13918e2
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2956	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2956	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2956	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2956	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2956	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2956	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2956	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2956	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2956	schtasks.exe	35

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016cab-11.dat	dcrat
behavioral1/memory/2724-13-0x0000000001200000-0x0000000001310000-memory.dmp	dcrat
behavioral1/memory/1068-49-0x0000000000F30000-0x0000000001040000-memory.dmp	dcrat
behavioral1/memory/1344-111-0x00000000003B0000-0x00000000004C0000-memory.dmp	dcrat
behavioral1/memory/2868-172-0x00000000008B0000-0x00000000009C0000-memory.dmp	dcrat
behavioral1/memory/384-232-0x00000000010B0000-0x00000000011C0000-memory.dmp	dcrat
behavioral1/memory/1976-351-0x00000000000B0000-0x00000000001C0000-memory.dmp	dcrat
behavioral1/memory/1920-411-0x0000000000F40000-0x0000000001050000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2952	powershell.exe
3000	powershell.exe
2800	powershell.exe
2804	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2724	DllCommonsvc.exe
1068	WmiPrvSE.exe
1344	WmiPrvSE.exe
2868	WmiPrvSE.exe
384	WmiPrvSE.exe
2264	WmiPrvSE.exe
1976	WmiPrvSE.exe
1920	WmiPrvSE.exe
2800	WmiPrvSE.exe
2620	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
868	cmd.exe
868	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
31	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
15	raw.githubusercontent.com
27	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\wininit.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_616c9884d2c2bfa9f7e73c42edacb0be3f82c2de8fae9f691f036c72b49b7170.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3024	schtasks.exe
2732	schtasks.exe
2652	schtasks.exe
2740	schtasks.exe
2104	schtasks.exe
2276	schtasks.exe
2784	schtasks.exe
2688	schtasks.exe
2984	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2724	DllCommonsvc.exe
2952	powershell.exe
2804	powershell.exe
2800	powershell.exe
3000	powershell.exe
1068	WmiPrvSE.exe
1344	WmiPrvSE.exe
2868	WmiPrvSE.exe
384	WmiPrvSE.exe
2264	WmiPrvSE.exe
1976	WmiPrvSE.exe
1920	WmiPrvSE.exe
2800	WmiPrvSE.exe
2620	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	DllCommonsvc.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	1068	WmiPrvSE.exe
Token: SeDebugPrivilege	1344	WmiPrvSE.exe
Token: SeDebugPrivilege	2868	WmiPrvSE.exe
Token: SeDebugPrivilege	384	WmiPrvSE.exe
Token: SeDebugPrivilege	2264	WmiPrvSE.exe
Token: SeDebugPrivilege	1976	WmiPrvSE.exe
Token: SeDebugPrivilege	1920	WmiPrvSE.exe
Token: SeDebugPrivilege	2800	WmiPrvSE.exe
Token: SeDebugPrivilege	2620	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2000	2268	JaffaCakes118_616c9884d2c2bfa9f7e73c42edacb0be3f82c2de8fae9f691f036c72b49b7170.exe	31
PID 2268 wrote to memory of 2000	2268	JaffaCakes118_616c9884d2c2bfa9f7e73c42edacb0be3f82c2de8fae9f691f036c72b49b7170.exe	31
PID 2268 wrote to memory of 2000	2268	JaffaCakes118_616c9884d2c2bfa9f7e73c42edacb0be3f82c2de8fae9f691f036c72b49b7170.exe	31
PID 2268 wrote to memory of 2000	2268	JaffaCakes118_616c9884d2c2bfa9f7e73c42edacb0be3f82c2de8fae9f691f036c72b49b7170.exe	31
PID 2000 wrote to memory of 868	2000	WScript.exe	32
PID 2000 wrote to memory of 868	2000	WScript.exe	32
PID 2000 wrote to memory of 868	2000	WScript.exe	32
PID 2000 wrote to memory of 868	2000	WScript.exe	32
PID 868 wrote to memory of 2724	868	cmd.exe	34
PID 868 wrote to memory of 2724	868	cmd.exe	34
PID 868 wrote to memory of 2724	868	cmd.exe	34
PID 868 wrote to memory of 2724	868	cmd.exe	34
PID 2724 wrote to memory of 2952	2724	DllCommonsvc.exe	45
PID 2724 wrote to memory of 2952	2724	DllCommonsvc.exe	45
PID 2724 wrote to memory of 2952	2724	DllCommonsvc.exe	45
PID 2724 wrote to memory of 3000	2724	DllCommonsvc.exe	46
PID 2724 wrote to memory of 3000	2724	DllCommonsvc.exe	46
PID 2724 wrote to memory of 3000	2724	DllCommonsvc.exe	46
PID 2724 wrote to memory of 2800	2724	DllCommonsvc.exe	47
PID 2724 wrote to memory of 2800	2724	DllCommonsvc.exe	47
PID 2724 wrote to memory of 2800	2724	DllCommonsvc.exe	47
PID 2724 wrote to memory of 2804	2724	DllCommonsvc.exe	48
PID 2724 wrote to memory of 2804	2724	DllCommonsvc.exe	48
PID 2724 wrote to memory of 2804	2724	DllCommonsvc.exe	48
PID 2724 wrote to memory of 1068	2724	DllCommonsvc.exe	53
PID 2724 wrote to memory of 1068	2724	DllCommonsvc.exe	53
PID 2724 wrote to memory of 1068	2724	DllCommonsvc.exe	53
PID 1068 wrote to memory of 1660	1068	WmiPrvSE.exe	54
PID 1068 wrote to memory of 1660	1068	WmiPrvSE.exe	54
PID 1068 wrote to memory of 1660	1068	WmiPrvSE.exe	54
PID 1660 wrote to memory of 2116	1660	cmd.exe	56
PID 1660 wrote to memory of 2116	1660	cmd.exe	56
PID 1660 wrote to memory of 2116	1660	cmd.exe	56
PID 1660 wrote to memory of 1344	1660	cmd.exe	57
PID 1660 wrote to memory of 1344	1660	cmd.exe	57
PID 1660 wrote to memory of 1344	1660	cmd.exe	57
PID 1344 wrote to memory of 2088	1344	WmiPrvSE.exe	58
PID 1344 wrote to memory of 2088	1344	WmiPrvSE.exe	58
PID 1344 wrote to memory of 2088	1344	WmiPrvSE.exe	58
PID 2088 wrote to memory of 1868	2088	cmd.exe	60
PID 2088 wrote to memory of 1868	2088	cmd.exe	60
PID 2088 wrote to memory of 1868	2088	cmd.exe	60
PID 2088 wrote to memory of 2868	2088	cmd.exe	61
PID 2088 wrote to memory of 2868	2088	cmd.exe	61
PID 2088 wrote to memory of 2868	2088	cmd.exe	61
PID 2868 wrote to memory of 1136	2868	WmiPrvSE.exe	62
PID 2868 wrote to memory of 1136	2868	WmiPrvSE.exe	62
PID 2868 wrote to memory of 1136	2868	WmiPrvSE.exe	62
PID 1136 wrote to memory of 1888	1136	cmd.exe	64
PID 1136 wrote to memory of 1888	1136	cmd.exe	64
PID 1136 wrote to memory of 1888	1136	cmd.exe	64
PID 1136 wrote to memory of 384	1136	cmd.exe	65
PID 1136 wrote to memory of 384	1136	cmd.exe	65
PID 1136 wrote to memory of 384	1136	cmd.exe	65
PID 384 wrote to memory of 3064	384	WmiPrvSE.exe	66
PID 384 wrote to memory of 3064	384	WmiPrvSE.exe	66
PID 384 wrote to memory of 3064	384	WmiPrvSE.exe	66
PID 3064 wrote to memory of 1332	3064	cmd.exe	68
PID 3064 wrote to memory of 1332	3064	cmd.exe	68
PID 3064 wrote to memory of 1332	3064	cmd.exe	68
PID 3064 wrote to memory of 2264	3064	cmd.exe	69
PID 3064 wrote to memory of 2264	3064	cmd.exe	69
PID 3064 wrote to memory of 2264	3064	cmd.exe	69
PID 2264 wrote to memory of 2340	2264	WmiPrvSE.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_616c9884d2c2bfa9f7e73c42edacb0be3f82c2de8fae9f691f036c72b49b7170.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_616c9884d2c2bfa9f7e73c42edacb0be3f82c2de8fae9f691f036c72b49b7170.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:868
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\Filters\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
    - - C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1068
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2116
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZfR0hqQ1j6.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1868
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1888
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6n1oUPmZQq.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1332
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat"
        14⤵
        
        PID:2340
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2092
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3j9hYFnRH7.bat"
        16⤵
        
        PID:2404
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3004
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat"
        18⤵
        
        PID:1524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2916
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lLU0orPlEL.bat"
        20⤵
        
        PID:2936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2908
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Microsoft Shared\Filters\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\Filters\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Microsoft Shared\Filters\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8effce37612d8868a62f39c30c9f2245

SHA1
61e3e51fe5216082e0c3db3d01f652de86c267b1

SHA256
2869e46ae3d553a64c47f8c98e2fa0f27ffc149bb8518656f0c463863db0d3a1

SHA512
68dc41a5a10935d84001fe9b9dc366c087b1aabe1a08227a079ae0cef8fec40631cbe1e81e7f9c8328d2578de7951a9fc6de002e6b83eb5e7d2b91bdcc981305

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be9ddb5dce9fbff0f0163acb678a072a

SHA1
57fab54dd1a0c70ce33147033c194d56f72055f7

SHA256
137a425f60dbffabda7c1d3db15c650c32de2ea0d1b2b64e836a0a81cdb1ff6f

SHA512
9a1028696b97f20d590a3109e80ca7c82ee798a01be2aa52619d70f9d9428293f5a1a1a4a0f1ca0d6691a16145937a11f7a138aed3bd44ca6aa2f2510ebc412b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9e4278492cea944ed9a0c6f36666f7d

SHA1
cd90e45a4a565affce9db53b492e32ba2e4ba0bd

SHA256
47ce32ec5deea60df4a090d7f766fabeef61af9b780991bfe6a15d1b31757a1b

SHA512
b3ef97f3b8014614d14868304970a6e54a910e992a6376197f7138a0e9be7d7c420de6a7c3ba6fc6a8b10b7515e127ae526d82130fa155bcd2d3320e00fb3506

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
78c95fe6a6cfbf485709bb45b7716093

SHA1
1c245cbf729ab5778bdf1c5765000b4c973e9d94

SHA256
071ce680baa02fdd871ef3751ed0f803834a09845d5ad5515d7920e4c812d501

SHA512
3472c2dfe8872a2dc40862e9cc19ed5fcf2b702876d3c476aea9ac7a30016092026c3ff2c0d985666a22bcb1f35caf5087aab4f9bee0dd0b85ed2c9ada5b733f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9695783176aeaebf979d046f3ed9cecb

SHA1
5e174a46ab16a03e0be1ffebde76a0956a26ed95

SHA256
8e505be37f2a5f4c209b1a887463ecd8d3e45f8164db21a8be51daf57813af9d

SHA512
667daec4888eeaa7c6700fec1503e4f92e336253669c883a8da08b7f006aeae933cbd083592b4abb42f4ddaacf594b29e94bdade717407138e4f0b898e7b4ed2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
95609a22685942c33046d819f27b3dd0

SHA1
9994d2200e004bd0bbe70bf76dfb62f4021ff6c1

SHA256
a335154986d82a94d6b4c80fff98937ee5a456fe74711cf66cd38d06895bf5af

SHA512
15afe6ff4e78acdf1e7cdc3b99616746681245cce5b3276668d08765c50a37639ad2661187df71db472b201bd74270eaaf663f76645fb58a093d31ad32395c9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f5c042d6ba457c823e66ff95dc2784c7

SHA1
c0812bb524ab1b177b4d93db4077583b62532a4c

SHA256
266d04ed33a0a38093a3f5440f423272907f7e30bd5f725f7a2908903ef0fb45

SHA512
0fc2a4f190816d8a371f30d93e79af6f2c4a3068b409b5e6ea0a2c4c4fcf2d0e8fa134da820068a3c579b95b2aecc92cea2b7f260d5c9b10d947e522688bc28f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3j9hYFnRH7.bat

Filesize
226B

MD5
249e5d510e00bbfd9ea1ce400b5ee56a

SHA1
2af1b966334cf2de00a604ff983bcdf802474004

SHA256
789660ec4dc8dd440e9d5fc04effb4c7611319d9ed900b9e4b1220a0e429503b

SHA512
c262335230d200788953bd9e72756251f58ef708cd70a099aa7543e9d13a42f84f0fd66d46089e9e3dc6e91284852c51ba7cbe932f76a30fe4cd4fddbd93dbca

Download Submit
C:\Users\Admin\AppData\Local\Temp\6n1oUPmZQq.bat

Filesize
226B

MD5
65a96019c0b6caf9578f2ade31e558f9

SHA1
73e55a6592db71c144e303004b52b31a2adcab6d

SHA256
f535562fca728bfc69824f50323c40d64f5365f168180824e665d516e82d6113

SHA512
53a338aef084f645353e30d4796b1de4fc25603648f43d9facd9fc0a8ba3bd2d9cd8ab5096b3516a6fb5c5826a14c2c564871ed591440531d5263c44dcadf77e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3842.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat

Filesize
226B

MD5
722549bf80f9419ea59df292a2dac017

SHA1
6f063c89b362f9222c33d44670f08b65f5e2a138

SHA256
d436100d256907d078502f4a4db7e6d70db830e405d1f0a56d243767a7b45be6

SHA512
7e8a57e99e1bea908adb3d9a266c0eea76eedfd8ec8c167412df0aa4152a54bf988b8d2feb07a3ab92842161d16927f4b9f70f982dbe0dcb812e8b19fd2fc652

Download Submit
C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat

Filesize
226B

MD5
f332361366ad77f2b6f6da978eb88608

SHA1
1568f8e96feda8bc8f96568821f247a493f1643c

SHA256
3db757e6ca67b0d4469e8f1937e4a2405f677ee4d4c3dd72c4e63ae92d22c85c

SHA512
a7a5f93525301569b037bbcc6dfed76b0c6b2055338dcb4299d97b32c2f33fdf6293fe7c2963d961ec77407604f89526a0caab09582085057cad7cc7f9c41f47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3893.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZfR0hqQ1j6.bat

Filesize
226B

MD5
96651ad2053f2bd70a63b9125b7d7d0d

SHA1
e118f9ff9c91233f3211d3c80123c88ac72070fc

SHA256
16dcf02ff9ab723117b1d9640e5fe74250d0579c2178f83ca8b2204da070b92f

SHA512
de130e9fd92e84aa83fde3388dc8bb37b48cecf17d518242591fc3e4105c7c8686b4268912ee18c85830cb07ef31f23e1e4d9fadc0de59c9b5315694e6bb0b20

Download Submit
C:\Users\Admin\AppData\Local\Temp\lLU0orPlEL.bat

Filesize
226B

MD5
3a1efd312898268222e984700f071c10

SHA1
4dea776ea87731566d597424a9f8683826e4ace9

SHA256
aa53cf065d9710c5eaa3e82c2372900c0cd20f23d364c9b59ac90436a8c4daac

SHA512
94c23cb33264fc8fab23c76094a94e26ca5a0c9d36ea27fd1284281bede05b2d8cabcf76ca32628027241ede6dfb34dbf16a9ba7d30cd4d9bea48f63bdac661c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat

Filesize
226B

MD5
c9ba82e012104daf9a138ee1542af970

SHA1
056d32261e7c3ff314ff161c0269ca5d165bf96b

SHA256
520faf0e0ff90eb1d808b8dc22b62485948f4e6ac5ecf6324b4071709badf33a

SHA512
475e7f5532cee781898d6c2b4ef7893c213dc0ef921eabb6f3614b5558643126b4ca1120922f40c3cd2b8962849179904cc5515e2cb036b53aee59257dc0e811

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat

Filesize
226B

MD5
6f17b3f338de220b5889bd2316fc51a6

SHA1
80d88010736e26b6eb63dc2ef3d4fb5181a6aa01

SHA256
6391d911c43249f9da52749611a2ab4d4250de092791a3cca28cc1e60578cb73

SHA512
46566983a530da372db77bf97b76a6cfbf582de231623dc3bb0a7c351b925c272d21df1c6eda52c2b2dd11bf010ab70e46c330235c36d4412c3d6f83bbb43d53

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f654caa232c15446858d4ae55e859214

SHA1
0c4e978c4db93337bd767d183a18bd84bdc7a11e

SHA256
94c0b87872fa796eb43b7364fe40458cad976fa6fd1e4e8dbbf12a56a54d66d8

SHA512
4b9cade9212f6cda3a73ea5ed95256583b3fd83076699bfc2b350475e37dd820eb6203bf69ae5dacd95107995c07a4a806483e80c83f96f5d36214f6b6e3270b

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/384-232-0x00000000010B0000-0x00000000011C0000-memory.dmp

Filesize
1.1MB

Download
memory/1068-52-0x0000000000310000-0x0000000000322000-memory.dmp

Filesize
72KB

Download
memory/1068-49-0x0000000000F30000-0x0000000001040000-memory.dmp

Filesize
1.1MB

Download
memory/1344-112-0x0000000000660000-0x0000000000672000-memory.dmp

Filesize
72KB

Download
memory/1344-111-0x00000000003B0000-0x00000000004C0000-memory.dmp

Filesize
1.1MB

Download
memory/1920-411-0x0000000000F40000-0x0000000001050000-memory.dmp

Filesize
1.1MB

Download
memory/1976-351-0x00000000000B0000-0x00000000001C0000-memory.dmp

Filesize
1.1MB

Download
memory/2724-17-0x0000000000700000-0x000000000070C000-memory.dmp

Filesize
48KB

Download
memory/2724-16-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/2724-15-0x0000000000710000-0x000000000071C000-memory.dmp

Filesize
48KB

Download
memory/2724-14-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/2724-13-0x0000000001200000-0x0000000001310000-memory.dmp

Filesize
1.1MB

Download
memory/2804-51-0x0000000002460000-0x0000000002468000-memory.dmp

Filesize
32KB

Download
memory/2868-172-0x00000000008B0000-0x00000000009C0000-memory.dmp

Filesize
1.1MB

Download
memory/2952-50-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

Filesize
2.9MB

Download