dcrat | 6321db3417e55f11dab4ae1801f62f7b9d7c485c0c4a5596cd6c90a644231b19

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6321db3417e55f11dab4ae1801f62f7b9d7c485c0c4a5596cd6c90a644231b19.exe
Size

1.3MB
MD5

6ad6543d5dd8c54bf7d84a140974b9e8
SHA1

89e8c42529cf32ba6abbc60b8e14b9f4ed6d80df
SHA256

6321db3417e55f11dab4ae1801f62f7b9d7c485c0c4a5596cd6c90a644231b19
SHA512

4e339582a3d85a9575988d23b97f8742cceae86d8f5df8affd1cdd39215493cfc207d986be453244cb26488d7473bb764d8095965910099bd34756248b34ac71
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2844	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016c4a-12.dat	dcrat
behavioral1/memory/2812-13-0x0000000000160000-0x0000000000270000-memory.dmp	dcrat
behavioral1/memory/2112-52-0x0000000000B80000-0x0000000000C90000-memory.dmp	dcrat
behavioral1/memory/2416-111-0x0000000000130000-0x0000000000240000-memory.dmp	dcrat
behavioral1/memory/2972-171-0x0000000000290000-0x00000000003A0000-memory.dmp	dcrat
behavioral1/memory/1248-232-0x0000000000210000-0x0000000000320000-memory.dmp	dcrat
behavioral1/memory/1608-292-0x0000000001030000-0x0000000001140000-memory.dmp	dcrat
behavioral1/memory/2972-411-0x00000000000A0000-0x00000000001B0000-memory.dmp	dcrat
behavioral1/memory/2796-471-0x0000000000AD0000-0x0000000000BE0000-memory.dmp	dcrat
behavioral1/memory/2912-590-0x00000000003F0000-0x0000000000500000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
576	powershell.exe
3008	powershell.exe
2980	powershell.exe
3016	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2812	DllCommonsvc.exe
2112	Idle.exe
2416	Idle.exe
2972	Idle.exe
1248	Idle.exe
1608	Idle.exe
2496	Idle.exe
2972	Idle.exe
2796	Idle.exe
2840	Idle.exe
2912	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2136	cmd.exe
2136	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
32	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com
15	raw.githubusercontent.com
23	raw.githubusercontent.com
29	raw.githubusercontent.com

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\es-ES\lsass.exe	DllCommonsvc.exe
File created	C:\Windows\es-ES\6203df4a6bafc7	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6321db3417e55f11dab4ae1801f62f7b9d7c485c0c4a5596cd6c90a644231b19.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2612	schtasks.exe
2684	schtasks.exe
1148	schtasks.exe
2780	schtasks.exe
2348	schtasks.exe
2448	schtasks.exe
1568	schtasks.exe
1396	schtasks.exe
2748	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2812	DllCommonsvc.exe
3016	powershell.exe
3008	powershell.exe
576	powershell.exe
2980	powershell.exe
2112	Idle.exe
2416	Idle.exe
2972	Idle.exe
1248	Idle.exe
1608	Idle.exe
2496	Idle.exe
2972	Idle.exe
2796	Idle.exe
2840	Idle.exe
2912	Idle.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2812	DllCommonsvc.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	2112	Idle.exe
Token: SeDebugPrivilege	2416	Idle.exe
Token: SeDebugPrivilege	2972	Idle.exe
Token: SeDebugPrivilege	1248	Idle.exe
Token: SeDebugPrivilege	1608	Idle.exe
Token: SeDebugPrivilege	2496	Idle.exe
Token: SeDebugPrivilege	2972	Idle.exe
Token: SeDebugPrivilege	2796	Idle.exe
Token: SeDebugPrivilege	2840	Idle.exe
Token: SeDebugPrivilege	2912	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 236 wrote to memory of 2064	236	JaffaCakes118_6321db3417e55f11dab4ae1801f62f7b9d7c485c0c4a5596cd6c90a644231b19.exe	30
PID 236 wrote to memory of 2064	236	JaffaCakes118_6321db3417e55f11dab4ae1801f62f7b9d7c485c0c4a5596cd6c90a644231b19.exe	30
PID 236 wrote to memory of 2064	236	JaffaCakes118_6321db3417e55f11dab4ae1801f62f7b9d7c485c0c4a5596cd6c90a644231b19.exe	30
PID 236 wrote to memory of 2064	236	JaffaCakes118_6321db3417e55f11dab4ae1801f62f7b9d7c485c0c4a5596cd6c90a644231b19.exe	30
PID 2064 wrote to memory of 2136	2064	WScript.exe	31
PID 2064 wrote to memory of 2136	2064	WScript.exe	31
PID 2064 wrote to memory of 2136	2064	WScript.exe	31
PID 2064 wrote to memory of 2136	2064	WScript.exe	31
PID 2136 wrote to memory of 2812	2136	cmd.exe	33
PID 2136 wrote to memory of 2812	2136	cmd.exe	33
PID 2136 wrote to memory of 2812	2136	cmd.exe	33
PID 2136 wrote to memory of 2812	2136	cmd.exe	33
PID 2812 wrote to memory of 576	2812	DllCommonsvc.exe	44
PID 2812 wrote to memory of 576	2812	DllCommonsvc.exe	44
PID 2812 wrote to memory of 576	2812	DllCommonsvc.exe	44
PID 2812 wrote to memory of 3008	2812	DllCommonsvc.exe	45
PID 2812 wrote to memory of 3008	2812	DllCommonsvc.exe	45
PID 2812 wrote to memory of 3008	2812	DllCommonsvc.exe	45
PID 2812 wrote to memory of 2980	2812	DllCommonsvc.exe	46
PID 2812 wrote to memory of 2980	2812	DllCommonsvc.exe	46
PID 2812 wrote to memory of 2980	2812	DllCommonsvc.exe	46
PID 2812 wrote to memory of 3016	2812	DllCommonsvc.exe	47
PID 2812 wrote to memory of 3016	2812	DllCommonsvc.exe	47
PID 2812 wrote to memory of 3016	2812	DllCommonsvc.exe	47
PID 2812 wrote to memory of 2788	2812	DllCommonsvc.exe	52
PID 2812 wrote to memory of 2788	2812	DllCommonsvc.exe	52
PID 2812 wrote to memory of 2788	2812	DllCommonsvc.exe	52
PID 2788 wrote to memory of 2708	2788	cmd.exe	54
PID 2788 wrote to memory of 2708	2788	cmd.exe	54
PID 2788 wrote to memory of 2708	2788	cmd.exe	54
PID 2788 wrote to memory of 2112	2788	cmd.exe	55
PID 2788 wrote to memory of 2112	2788	cmd.exe	55
PID 2788 wrote to memory of 2112	2788	cmd.exe	55
PID 2112 wrote to memory of 2144	2112	Idle.exe	57
PID 2112 wrote to memory of 2144	2112	Idle.exe	57
PID 2112 wrote to memory of 2144	2112	Idle.exe	57
PID 2144 wrote to memory of 624	2144	cmd.exe	59
PID 2144 wrote to memory of 624	2144	cmd.exe	59
PID 2144 wrote to memory of 624	2144	cmd.exe	59
PID 2144 wrote to memory of 2416	2144	cmd.exe	60
PID 2144 wrote to memory of 2416	2144	cmd.exe	60
PID 2144 wrote to memory of 2416	2144	cmd.exe	60
PID 2416 wrote to memory of 1276	2416	Idle.exe	61
PID 2416 wrote to memory of 1276	2416	Idle.exe	61
PID 2416 wrote to memory of 1276	2416	Idle.exe	61
PID 1276 wrote to memory of 1948	1276	cmd.exe	63
PID 1276 wrote to memory of 1948	1276	cmd.exe	63
PID 1276 wrote to memory of 1948	1276	cmd.exe	63
PID 1276 wrote to memory of 2972	1276	cmd.exe	64
PID 1276 wrote to memory of 2972	1276	cmd.exe	64
PID 1276 wrote to memory of 2972	1276	cmd.exe	64
PID 2972 wrote to memory of 2920	2972	Idle.exe	65
PID 2972 wrote to memory of 2920	2972	Idle.exe	65
PID 2972 wrote to memory of 2920	2972	Idle.exe	65
PID 2920 wrote to memory of 2372	2920	cmd.exe	67
PID 2920 wrote to memory of 2372	2920	cmd.exe	67
PID 2920 wrote to memory of 2372	2920	cmd.exe	67
PID 2920 wrote to memory of 1248	2920	cmd.exe	68
PID 2920 wrote to memory of 1248	2920	cmd.exe	68
PID 2920 wrote to memory of 1248	2920	cmd.exe	68
PID 1248 wrote to memory of 3064	1248	Idle.exe	69
PID 1248 wrote to memory of 3064	1248	Idle.exe	69
PID 1248 wrote to memory of 3064	1248	Idle.exe	69
PID 3064 wrote to memory of 1316	3064	cmd.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6321db3417e55f11dab4ae1801f62f7b9d7c485c0c4a5596cd6c90a644231b19.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6321db3417e55f11dab4ae1801f62f7b9d7c485c0c4a5596cd6c90a644231b19.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:236
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y2BBUhSYHq.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2708
      - C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bp0TjAk7l7.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:624
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BYj1kG62r9.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1948
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6xwNL0dL8Y.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2372
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1316
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\USq6qxpMr5.bat"
        15⤵
        
        PID:780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:656
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U4eMIZxK0W.bat"
        17⤵
        
        PID:3040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2860
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat"
        19⤵
        
        PID:2208
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2104
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SRNviAgREO.bat"
        21⤵
        
        PID:2720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2836
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat"
        23⤵
        
        PID:2664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1148
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat"
        25⤵
        
        PID:1120
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\es-ES\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\es-ES\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f4e4d999bf4ac81e77598d075bbfa8b

SHA1
0e37c7cd6323552d948f943035a2ceded2a76aed

SHA256
2ee23b9caa689e9c67fd1bed150d78219a380fa0d92229863d9cb1bd7dccc019

SHA512
55dc8c3ceddce377f095fdd373e389bec2e3d708fd0bc3749f17990c95648313719b12e048faf61dca08eb85f9ae1d994c394b52fd46082e7647a2884806dfdb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b313f2b68632f24f859ce88114b46191

SHA1
b90b72c0f6f67a7bb29651ec21fb03ee371c4de7

SHA256
039f05f083dcf49733266066184ec42fe4090bbb9bc1e5dd82aa701955a9c91b

SHA512
d4c71b71c08f9d3de9cb8783b1c60715226d80ea6863a6d355adda873dc474cdbbbb910e5382b6aaa7be202212a6166d075cb48518dd9e37a713e5b57d97bc5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a11a1602a0c5e668c9ba65831a3b2093

SHA1
1fdcdcee6397da2e7ffce1720cc2c13ade74c75d

SHA256
c616bc7d219ed7938648753efb748ec25043d1c755a445c9cd0cef318a615465

SHA512
0b13d39dddced13c9ee7bc2dc9328e5c36ef7e85ffd5257fef4b6a47dc519cb6c320c8cb2bae7dfefaa847ee582e9dc04055f2f2358bf6a70524e4aef3d044c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1cee1bb58eddd3d490cbe0faf8fa71ec

SHA1
fe55891f9ebaa5087e82b033f20c2005779d657b

SHA256
8a265af45b85e2b9f9fe06e4260a12e5ae2e84e6a52aedde2e74712200b740bf

SHA512
1c7de30d7bde88c01e8b075c47048f072490071f964a8bd96efd20165915d894da58a89b0f83d71834f8b3e916e42e40cbf830329bad803a09649013a6827b09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ceda64fb6e0fe6fab39c6922f25686c

SHA1
b7f6d4e691b5d3b1e91de5b365d03b1839cedf7a

SHA256
0bb8c6f9c69dee5223223e86d0dc345a09c23a193ad69e0cc0ae641dc37f0f69

SHA512
768f8c0e2759b27dbf682818e217cabb36e734d73c287d1cf981f2639d4c64035cb4767ea509296628b5fcf62933b0d18aa994dc2fc5493c095d8bf3f029d212

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0585fc394961cffebbdb6f5d4c2a0dba

SHA1
269790617c03d84750ce06656075e7646cb6cc5d

SHA256
291713e4d10af43feec8d2bd6e38485abbff380f56dbc41f4c1535d871470920

SHA512
7360e64579a84282b29662a5bf1cfe2f6b4437a651d3993fa5ce12ff4b1ba5e024bc942776eee1b45de918428d57abbc06f2bbbf8039e965989c375acb83da5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1e1e8d3c2096cd2250e1036b6b4bc59

SHA1
d00d634fb153a4d0decaf1e023314182aa8a83a9

SHA256
67f8cb08fa04982b06bae53f4f59ab51a9396252111a8ec70bf5ff36a267ac0a

SHA512
0d4b70b9f08819da3279f13ddbcba0796a572eda1afbb7fe11f6f68c5df2b2cb408002c215795292c66791c3cfe0604c7a3b0b2e9007f301b75c98eb116307c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e7b2856c2a691c5f56f6223e6b5e6df

SHA1
4f9a05d8b0e6ffc46c3366616559fa1e31700534

SHA256
ec5d04f60835360793a886a346a869cd5284c64d68882ec650535021191bb142

SHA512
4a1c04d8da01a81262fabada677c104a42a56abd877e0b165453771b3c84274a3466ef92ff06db763f67d27f2cb294c945d8c57f5f06645b693ca98835ed5526

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9eb7c256835c96a11a0db2afdee95802

SHA1
891394c75d6111d0c11235a93f2138d1f46491ed

SHA256
5f2601a809c6599722aba5878abbabcf403b2316bb1bf56e64805655429522af

SHA512
fdf6a8742b3b0bf15745ae3222153a6e9ff8de1d09ff9f3760914d0a364f36a10b941247ee2a015da83f2694f6d07deb0c9c3ad2b9649ff7d669df0c7d5c2c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\6xwNL0dL8Y.bat

Filesize
222B

MD5
2c722ee53b846fbef65574aacc68bb56

SHA1
10de19d2b195bd40b7c48d4281816d37a43f366b

SHA256
bb3399148d08efca6a90f8c988dacc854a7acb84b0b4ddbbb26c0d084c5361cd

SHA512
6584e8aba2f1d70e7303e979c48f74d354ce7da8d7ef66bae6525cccc4c9108a37af2262863ec81c217c9a5fec954c81923f62e3f456bd474ce58e53cc25c099

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYj1kG62r9.bat

Filesize
222B

MD5
dbb98454eba5a03873542873864c24b0

SHA1
08372cfce47fa2befb7fa708971461a1a0fdbcba

SHA256
535c695d2b364b9be08a3f8d4308ca10c2eb37b76d645205835355f467cf4ee3

SHA512
2daaeb885bd22bcdb3a2d1d0cfb613c60e3abef5133763e7c1cc294fbc61a3f7d02d27bd46481395098b0ef51bdb59220d169dc29093feb09fa8833b9d5d3425

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bp0TjAk7l7.bat

Filesize
222B

MD5
706e3ef67dd7b8eee8cfbc306321b5b6

SHA1
4ea868f9714e0ff9ec5d77b8a843e16a915e74e9

SHA256
c524c4bf69d1ec741b126e5c71e665bf7a0d8d09b294498873c02537c3e3e1f7

SHA512
467728d6f7deb462c2ff7771422df868d64c61971ea5b2f77fb23575bf14f4e0997494bd28a9fc73228475c291067db5af1232ce26754b0c683aba6296b55bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD329.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat

Filesize
222B

MD5
785e8e1a35cdb4a992f9c6810f046cc2

SHA1
59021a5226f4dba7ffedcc3a405e6817e7b7d093

SHA256
92e22d01de034dede58b021a4346230e3c1eb21b24d5117d99000c29d4aed057

SHA512
bab7eb9c5623345b7d1915a42e519e92a85b7b72cc52bd62c8268d98dcbe6723f2e22ed5af5d4069b89ee69f017145c7896132e653953a658dc62ef4b8e2da31

Download Submit
C:\Users\Admin\AppData\Local\Temp\SRNviAgREO.bat

Filesize
222B

MD5
7e5e40771cb09d379ed7910b37e0089c

SHA1
3a4f3fa2f7d85d310fc133b9f6bafe5e2b4c2b1d

SHA256
56dee6095df5b45980e6325f19d5f4afea005e61b47fb207a9acb983a771511d

SHA512
e384b579b8167404dd0ad6461e16326faebfc75ab3bfe3ddbf85d99a2010d2dccb6841082ec580475fbd8b0d06c592bc41747042d578646becd1fd3dfa799abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD34B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\U4eMIZxK0W.bat

Filesize
222B

MD5
e5da56c64b875e6fc97214c06629e359

SHA1
27e032d3dab4523f4adad93313058f91d21de8e0

SHA256
30b1120a132fba5515d4e2da6f0c6aad993923c8bed5d9bc27c6f200c85eebac

SHA512
d0bbb5894ebcc9b5751d647924e4eb2b1eaeba895a08bb869c3a5fe0bae918510ed229e42c3c15c6d1d259849377823f81dd8fc18e224b41d0395086331e41ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat

Filesize
222B

MD5
c5e8277c36532eb6fc86d4259afdafb9

SHA1
60dba5b774e6622de3e01db4f7e4c3bc35251c16

SHA256
35ddb44aedeaf7e6d6566caee5224ef98fa34a132cd8f4ff36f056d6f2d84eda

SHA512
466ff3b75f4bcb6f1b1ef36848b97f89a7f1316021dd73b959d5b6827a393ca322a399c7f4d61acccdd0dae2e567593a3533e5fb3d19d1845c39a07c40ecdf03

Download Submit
C:\Users\Admin\AppData\Local\Temp\USq6qxpMr5.bat

Filesize
222B

MD5
a45db7295dd44484da4d194ec01359f0

SHA1
74998017a383b9822bc79f970e9f4a30b2a93f99

SHA256
2c2e4718eb3a7a388a1558af7b008c8fd7afad5d06bdbf0340e5ab7d87508e35

SHA512
60a1d0a3ae12d46c6522c566f91677a51c721c2e56bfebf343fcd65ffc4c9ae934c6d402d5cd102c793db07c9c3543dd3fda4fb009d3c50264d04271ef8c99c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y2BBUhSYHq.bat

Filesize
222B

MD5
9871d6b02f563b9fd58a95a7c778907a

SHA1
74410d4f6f4d651f70ee0c46a3eaa45582f58ca2

SHA256
de081406c488afe19466ffd2e6efc9e76777681702b7cf644b98c4b90d3bcee8

SHA512
8528bf94d62c53edcb77c51cc6fec3298c33438bd2585945958e6c9f606e5a1dacbbbca231611ba8a6fd97da8ba3a23e271beb2f0b91b11eea7b691fa516256d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat

Filesize
222B

MD5
25a2d9f2cde469f906f5652e6c73703f

SHA1
a46079ed464a98669dd3767a848013930d5973d3

SHA256
0f861c08a8c9a52484d5ff2e243f85ac00dbd1fff37bb0407ecf47c0b31da9e4

SHA512
5d77be0e7ce28c67a9831e605da866eee3431cd06292ee5044c29750dda6bc0db40538f45740aefd66048435d4740e19fd34e5992c81867ddaac2541a2227118

Download Submit
C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat

Filesize
222B

MD5
9a660917bbec55330554839c30ce9a67

SHA1
8b2a3ac5bef17e28f356cfc2153fa273eaef09c1

SHA256
b5818e58fcae5bca8802c67a090c523f642a1494aff17fca3b81427f5f4277c3

SHA512
cadce1dc29d3ed3f607f7c54b99e479fc75ede226861315cf0ba0f12c49cbb5fb2ce08aebd5a4a82ab528fa530bd68872cb2fae20975e8e819e8bf2058d4dc46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KUVKA82QIVZNUM5UD1X8.temp

Filesize
7KB

MD5
fa52388f2ec68e559ab8cf65a55cfba9

SHA1
46cbfe02fdc26f8c574e4da4f7c8a7eadeb1a6cc

SHA256
a713e0a1781a16a75e41cfbe53f8b71f1d5f266f15811a91a64eb5b5f6de8efe

SHA512
2a9707471c69f2b07eadefbaf7573e8837000e4177eb34a94145fe13237a95fd3c6ae9bf9f7bb9895ad948f7ffbd6a543c77e96d611883a699261f8c42431a67

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1248-232-0x0000000000210000-0x0000000000320000-memory.dmp

Filesize
1.1MB

Download
memory/1608-292-0x0000000001030000-0x0000000001140000-memory.dmp

Filesize
1.1MB

Download
memory/2112-52-0x0000000000B80000-0x0000000000C90000-memory.dmp

Filesize
1.1MB

Download
memory/2416-111-0x0000000000130000-0x0000000000240000-memory.dmp

Filesize
1.1MB

Download
memory/2796-471-0x0000000000AD0000-0x0000000000BE0000-memory.dmp

Filesize
1.1MB

Download
memory/2812-15-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2812-14-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/2812-16-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/2812-13-0x0000000000160000-0x0000000000270000-memory.dmp

Filesize
1.1MB

Download
memory/2812-17-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2912-590-0x00000000003F0000-0x0000000000500000-memory.dmp

Filesize
1.1MB

Download
memory/2912-591-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2972-172-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/2972-411-0x00000000000A0000-0x00000000001B0000-memory.dmp

Filesize
1.1MB

Download
memory/2972-171-0x0000000000290000-0x00000000003A0000-memory.dmp

Filesize
1.1MB

Download
memory/3016-38-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/3016-43-0x00000000029E0000-0x00000000029E8000-memory.dmp

Filesize
32KB

Download