dcrat | 5ae728afed04541315123abe20964ad7978e4fc91485bbe807b36892ab826b96

Analysis

max time kernel
145s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5ae728afed04541315123abe20964ad7978e4fc91485bbe807b36892ab826b96.exe
Size

1.3MB
MD5

532642b7eec6ac7b2c884cf71186f6de
SHA1

38034ba7e0a1507debecb8e14b0e52c761176754
SHA256

5ae728afed04541315123abe20964ad7978e4fc91485bbe807b36892ab826b96
SHA512

cc142edc962063699bd6a951bc1f3d6282eb98e05178a3a7eb4f00a37a776673389ad5c392abf6d70b99346e500abbd28ddf870505d969ea746f03f2ea076fe0
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2216	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2216	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2216	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2216	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2216	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2216	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000015da7-12.dat	dcrat
behavioral1/memory/2252-13-0x00000000010F0000-0x0000000001200000-memory.dmp	dcrat
behavioral1/memory/2008-45-0x0000000000920000-0x0000000000A30000-memory.dmp	dcrat
behavioral1/memory/1336-105-0x0000000001200000-0x0000000001310000-memory.dmp	dcrat
behavioral1/memory/2124-285-0x0000000000190000-0x00000000002A0000-memory.dmp	dcrat
behavioral1/memory/1724-345-0x0000000001270000-0x0000000001380000-memory.dmp	dcrat
behavioral1/memory/2880-465-0x00000000013C0000-0x00000000014D0000-memory.dmp	dcrat
behavioral1/memory/2932-584-0x0000000000330000-0x0000000000440000-memory.dmp	dcrat
behavioral1/memory/3036-644-0x0000000000390000-0x00000000004A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2752	powershell.exe
2800	powershell.exe
2364	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2252	DllCommonsvc.exe
2008	OSPPSVC.exe
1336	OSPPSVC.exe
2784	OSPPSVC.exe
2880	OSPPSVC.exe
2124	OSPPSVC.exe
1724	OSPPSVC.exe
2636	OSPPSVC.exe
2880	OSPPSVC.exe
1556	OSPPSVC.exe
2932	OSPPSVC.exe
3036	OSPPSVC.exe

Loads dropped DLL 2 IoCs

pid	Process
2524	cmd.exe
2524	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
16	raw.githubusercontent.com
33	raw.githubusercontent.com
36	raw.githubusercontent.com
22	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\56085415360792	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5ae728afed04541315123abe20964ad7978e4fc91485bbe807b36892ab826b96.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2948	schtasks.exe
2916	schtasks.exe
2744	schtasks.exe
2636	schtasks.exe
2684	schtasks.exe
2956	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2252	DllCommonsvc.exe
2364	powershell.exe
2752	powershell.exe
2800	powershell.exe
2008	OSPPSVC.exe
1336	OSPPSVC.exe
2784	OSPPSVC.exe
2880	OSPPSVC.exe
2124	OSPPSVC.exe
1724	OSPPSVC.exe
2636	OSPPSVC.exe
2880	OSPPSVC.exe
1556	OSPPSVC.exe
2932	OSPPSVC.exe
3036	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2252	DllCommonsvc.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	2008	OSPPSVC.exe
Token: SeDebugPrivilege	1336	OSPPSVC.exe
Token: SeDebugPrivilege	2784	OSPPSVC.exe
Token: SeDebugPrivilege	2880	OSPPSVC.exe
Token: SeDebugPrivilege	2124	OSPPSVC.exe
Token: SeDebugPrivilege	1724	OSPPSVC.exe
Token: SeDebugPrivilege	2636	OSPPSVC.exe
Token: SeDebugPrivilege	2880	OSPPSVC.exe
Token: SeDebugPrivilege	1556	OSPPSVC.exe
Token: SeDebugPrivilege	2932	OSPPSVC.exe
Token: SeDebugPrivilege	3036	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 1804	2160	JaffaCakes118_5ae728afed04541315123abe20964ad7978e4fc91485bbe807b36892ab826b96.exe	30
PID 2160 wrote to memory of 1804	2160	JaffaCakes118_5ae728afed04541315123abe20964ad7978e4fc91485bbe807b36892ab826b96.exe	30
PID 2160 wrote to memory of 1804	2160	JaffaCakes118_5ae728afed04541315123abe20964ad7978e4fc91485bbe807b36892ab826b96.exe	30
PID 2160 wrote to memory of 1804	2160	JaffaCakes118_5ae728afed04541315123abe20964ad7978e4fc91485bbe807b36892ab826b96.exe	30
PID 1804 wrote to memory of 2524	1804	WScript.exe	31
PID 1804 wrote to memory of 2524	1804	WScript.exe	31
PID 1804 wrote to memory of 2524	1804	WScript.exe	31
PID 1804 wrote to memory of 2524	1804	WScript.exe	31
PID 2524 wrote to memory of 2252	2524	cmd.exe	33
PID 2524 wrote to memory of 2252	2524	cmd.exe	33
PID 2524 wrote to memory of 2252	2524	cmd.exe	33
PID 2524 wrote to memory of 2252	2524	cmd.exe	33
PID 2252 wrote to memory of 2752	2252	DllCommonsvc.exe	41
PID 2252 wrote to memory of 2752	2252	DllCommonsvc.exe	41
PID 2252 wrote to memory of 2752	2252	DllCommonsvc.exe	41
PID 2252 wrote to memory of 2800	2252	DllCommonsvc.exe	42
PID 2252 wrote to memory of 2800	2252	DllCommonsvc.exe	42
PID 2252 wrote to memory of 2800	2252	DllCommonsvc.exe	42
PID 2252 wrote to memory of 2364	2252	DllCommonsvc.exe	43
PID 2252 wrote to memory of 2364	2252	DllCommonsvc.exe	43
PID 2252 wrote to memory of 2364	2252	DllCommonsvc.exe	43
PID 2252 wrote to memory of 556	2252	DllCommonsvc.exe	47
PID 2252 wrote to memory of 556	2252	DllCommonsvc.exe	47
PID 2252 wrote to memory of 556	2252	DllCommonsvc.exe	47
PID 556 wrote to memory of 484	556	cmd.exe	49
PID 556 wrote to memory of 484	556	cmd.exe	49
PID 556 wrote to memory of 484	556	cmd.exe	49
PID 556 wrote to memory of 2008	556	cmd.exe	51
PID 556 wrote to memory of 2008	556	cmd.exe	51
PID 556 wrote to memory of 2008	556	cmd.exe	51
PID 2008 wrote to memory of 1544	2008	OSPPSVC.exe	52
PID 2008 wrote to memory of 1544	2008	OSPPSVC.exe	52
PID 2008 wrote to memory of 1544	2008	OSPPSVC.exe	52
PID 1544 wrote to memory of 2128	1544	cmd.exe	54
PID 1544 wrote to memory of 2128	1544	cmd.exe	54
PID 1544 wrote to memory of 2128	1544	cmd.exe	54
PID 1544 wrote to memory of 1336	1544	cmd.exe	55
PID 1544 wrote to memory of 1336	1544	cmd.exe	55
PID 1544 wrote to memory of 1336	1544	cmd.exe	55
PID 1336 wrote to memory of 2068	1336	OSPPSVC.exe	56
PID 1336 wrote to memory of 2068	1336	OSPPSVC.exe	56
PID 1336 wrote to memory of 2068	1336	OSPPSVC.exe	56
PID 2068 wrote to memory of 2332	2068	cmd.exe	58
PID 2068 wrote to memory of 2332	2068	cmd.exe	58
PID 2068 wrote to memory of 2332	2068	cmd.exe	58
PID 2068 wrote to memory of 2784	2068	cmd.exe	59
PID 2068 wrote to memory of 2784	2068	cmd.exe	59
PID 2068 wrote to memory of 2784	2068	cmd.exe	59
PID 2784 wrote to memory of 2840	2784	OSPPSVC.exe	60
PID 2784 wrote to memory of 2840	2784	OSPPSVC.exe	60
PID 2784 wrote to memory of 2840	2784	OSPPSVC.exe	60
PID 2840 wrote to memory of 1888	2840	cmd.exe	62
PID 2840 wrote to memory of 1888	2840	cmd.exe	62
PID 2840 wrote to memory of 1888	2840	cmd.exe	62
PID 2840 wrote to memory of 2880	2840	cmd.exe	63
PID 2840 wrote to memory of 2880	2840	cmd.exe	63
PID 2840 wrote to memory of 2880	2840	cmd.exe	63
PID 2880 wrote to memory of 1388	2880	OSPPSVC.exe	64
PID 2880 wrote to memory of 1388	2880	OSPPSVC.exe	64
PID 2880 wrote to memory of 1388	2880	OSPPSVC.exe	64
PID 1388 wrote to memory of 1900	1388	cmd.exe	66
PID 1388 wrote to memory of 1900	1388	cmd.exe	66
PID 1388 wrote to memory of 1900	1388	cmd.exe	66
PID 1388 wrote to memory of 2124	1388	cmd.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5ae728afed04541315123abe20964ad7978e4fc91485bbe807b36892ab826b96.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5ae728afed04541315123abe20964ad7978e4fc91485bbe807b36892ab826b96.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\lib\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P2XacHOZcy.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:556
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:484
      - C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qRj2XQE6t6.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2128
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LkcfmFI5TJ.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2332
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1888
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TEfATY8not.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1900
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z9xTb8lNHs.bat"
        15⤵
        
        PID:1704
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1624
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AQtyVABn1C.bat"
        17⤵
        
        PID:2916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:580
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sWs9jrlB8v.bat"
        19⤵
        
        PID:536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:328
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzDSmeWZ76.bat"
        21⤵
        
        PID:388
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:3024
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LkcfmFI5TJ.bat"
        23⤵
        
        PID:1060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1180
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iVu5YTRuDT.bat"
        25⤵
        
        PID:1752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2220
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc22a34c8f46ce6f483bce8c8e239419

SHA1
2d6a216f69818d91eafb2139c485d34715778357

SHA256
36b53cb2b1a0b1ec19b2f3ab7576e772ad3a3175d677d5656167966de8391128

SHA512
0a6ac88237a9dd443a04e652d56d75ae9baaf59461f4ce69781d426bca1fbbccc0765963b3229a67cece39c2db161a5a4878eb3adca9dc985c159f16e44668d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f5c3c561853f491e84c9dcb6d32e4ee

SHA1
d959807ae6d847857c709ca9b62e8f83c717e768

SHA256
4c922a66d3b3414de8b3cb7da99869044f5434c86ca9e18bb3b65eb0e17ec6e1

SHA512
295f523b95f00a00fff2cdc883c1cb29059c70981b8e8c5a0a0e2fb3b4b1d5c85652441efe8e6b3f8a39d158dfa4f1fafc1bb757567d6add1113e659887d9d8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a63635a8007a47c4c704880b7cfe68c4

SHA1
12335c08fe3d908e07b61ddba1ab82135adcc250

SHA256
b861a75cfa0effd1de796e5cfc6bb5bed75bad2fcfa128b16f1da55e60b449c0

SHA512
3e226d2342a5d243f720897a95aa15d5d49824cbf5082353df8200c176f889f543f77d33a58594819ce5684c0e14795cff61fa1212150e2caaab924575b977df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61be2bcf8c6c236f575ec14b1c9d6759

SHA1
0cee51787e2fbfb04655208a7ebe3665553c5ca7

SHA256
8944a929f9800e47b35471a58945328c1f28a8371cea043e895fb05272b5f489

SHA512
dc52a39fd55fef0e5ff6b05a2852de905bf2ba613c9a26e07d4a401596fb6622bfdac651f5de0938b8a7aa8e17a4bb97ec8994c5862fea400c84256456416c34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6412d9bddf043406e1f207e8d89758bb

SHA1
cfa1786080e1395559cda71546207b33a4a4bfd6

SHA256
d02017a82ebb2a4a002e293336a9d17415daf0d3bb3437ba96a6481ba8885142

SHA512
b989e5b86b1ce6dbb1cdf8a1e50d1033d843a0e605a20ea25f14f7a45c47ba955bb69ce9823dfbb6424ec1e926a931fa15ec8ecbc4a3bbda7301c8a7a6635ecc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4cb65b8c5f9df311bb3bcc86f1c66633

SHA1
a5b2aadd8f9d5ab36dfa7f41560ddf7ceabe3a3e

SHA256
293bcb96fa161f15fe6330f0ec82a3b34a96447da19907b70394d8c11e6c83a7

SHA512
e8cd9406038025bd260a08cc0a0de0fd9fca638a252e91952308aca21a2034fab7590d285b84e04c0708422ca3095231fbcf0aab6f4e316c40b48d6a8b3d9b83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2dfcbe2a839958ec8cd7c093158a9da

SHA1
e510b955bf8e6e3da34ecea9f5fe6e3bf28442f0

SHA256
0c5125639de721f85871c6d1a3ecac00eac88bc50cc7248a7be13b87a7f3616a

SHA512
e382389f96b26c0a06871e3f7b36e1a2e9d08a7b051c11cd9197190b589bbdc18f93eb2cc46b6fab0df8e04d008759cadcd1183a3be3d45ab8723c7b483710b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76d39716d5b99fc3632b251ef813033f

SHA1
e693b84cf1f077cee46ac21860340d1ac3516ca3

SHA256
c4913cf55fe3a2be7b8f5cf7cc595f9ac5b497f301b60c24a124a1df94145252

SHA512
5656d17682dd4a3fd1a8adeb5eaf10d7ef9307a4ccac616c22228e401fbc5a75aa0e314687fc2138006cb002ab4ba856feba0bf09fa29d626a0f687888e4506a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
578dd5874f468cd4b00f513a7c685f49

SHA1
47a4e2b6254a4ad55214b27cb4f5f37965adfdc1

SHA256
9da5f33e3a0d0d6999347d00a17d3311462515350590dd5b400d92e759b25ecb

SHA512
1d2b6aed69c2c12cf2e409f72d65b300968b84f744674293e73f2da28e3bef5cc2c370048e6f21b4e861f239df20e6b100ff73b99335f66fb631db2514daf815

Download Submit
C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat

Filesize
225B

MD5
4c27121cb0caa5ea3029fbf31c6e5a52

SHA1
b517996795c45ada4b3b522339939b34b15795c5

SHA256
23a979b1ad49935af6ea846a2bcc0e7e5298ced4d4847d66cfd9bfa3732e2169

SHA512
d85c5d4fd898a03f08ebe22173cdeeccf1f025f2a4c43a7d6944569df6b699bf2211907bf0d94ff29b7687b9df25555c2d0eaba43015850c034e327484cc78d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQtyVABn1C.bat

Filesize
225B

MD5
788c6bb0879a7e62266176335e4dc195

SHA1
22e1eb78fa4fe75714f6e620f7185d4c68e2ee75

SHA256
3df4e88314c06268066426c38d41e666fad68479c6f599084b7b53a180861820

SHA512
06f86977bcc7a7a482ded8fa8e5f7586c31e3d41b14e8b8ec0d706b87a9fe34e86881a29e573aeb66ef35e854a187856a36bebb9791aff7bd5a19b9c06820e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE42A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EzDSmeWZ76.bat

Filesize
225B

MD5
6e5b07e2550471b9175d749d4f390ff3

SHA1
5e2ad6d102ad205867e6d9894ffe95eff7f6e849

SHA256
f3df282785596a4a8e1300fca38a2dd66cff606729a493974623985e73bc5370

SHA512
0ab8d6d34afb574d3c5113a6f8a0c009e847ea3e0da378b2fe0b4215b3cd468e614bcec6cb774f5978ce9afd4d4d86cf51754c1243be45dac4eb30fa4eae978d

Download Submit
C:\Users\Admin\AppData\Local\Temp\LkcfmFI5TJ.bat

Filesize
225B

MD5
c870598d894ea92503ed1752bc419bc3

SHA1
be2d161a25011d2253b8b8262b6980bbf090db5f

SHA256
f57f3afa31017cd2a9b73e055a0a77c4983af2a69accabaac5dbdd6afd7c46b8

SHA512
ab334a0e47a93362a484262f9138d68cad53f1d6e9144b15a248821372d52e3802eabe8651ce12076cfa6ffeb439288d02ca9fd54f03383cfeabeb892fb62f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\P2XacHOZcy.bat

Filesize
225B

MD5
557e1a2457ff1fb1933712b73d7451ef

SHA1
5aba2e32afefb12ebd86a8e0fce777a99c5a17cf

SHA256
f1986bc5a006d39a4b0f3e89b7350be9692115a300acae2a09d3427f398a2bad

SHA512
485b53e7c9edebaf22597587c31bcb6cd8b910d01a77b6eecc6e1895be815fb80bcbc5ded4289789fa6068b2f6888ea9f515950977c95c47b827c9180e89b2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEfATY8not.bat

Filesize
225B

MD5
29f69db02a5bccb51faeed8041aa8c26

SHA1
23f58b3fc0921d537656c61c7464f007ccb06e6c

SHA256
c0f6469e21570398b8f95b92a25858ff6640ffe128a7d532fee328714c243655

SHA512
581fa47ec160743855d5c4fca6a1c9d26a83bbe84f54147f89e8942b71ca95b9d11b1953b5316f0eefffa9cb4f4614ccd92bef8e86f718c2b5b90c1dd8db57af

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE43C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iVu5YTRuDT.bat

Filesize
225B

MD5
0d54ecb9a2170b1332d87a520ffe2e12

SHA1
8439913492277f8317ca3871b273c8f6b617d9d2

SHA256
f03595ce76607c120c2abd52006395df6b442f097e6e50b4cef013cb15d3e06c

SHA512
3344d6f28f851e5c1e33a2faac5487c6d3e39c48aed15e6094db0c9ca7f97994bc924bdb3d323c1be8a1b1fe3723a46ed374925f4f70dacfa6b7ed39a9904ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qRj2XQE6t6.bat

Filesize
225B

MD5
a158d815bdbb9831a9c0d778b8435c08

SHA1
0d637aea4557e197445a549e63a22428d6e7b524

SHA256
0b0252276665f1f83182223edaecf65e26638863167e16cc6147108bc7daaa9f

SHA512
4980fd65e51d6e32260633efbb6032a17e631be082fce2b97d003e1d0a8c0dacef58e8d770d04c9cb295280cb5df661f1afec98c0d02f91ccd74f7cbb957886e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sWs9jrlB8v.bat

Filesize
225B

MD5
ffd1e98b7981cfe9b00cc3657efecafa

SHA1
66a2193560a550276ffe3a841fe19dca5e085899

SHA256
ff24fdbc5e06b2a76faca3bb1e4b5048907a2f0cb4fb2c69c035fd69cec532c1

SHA512
07fb1ede97cc1f0e3ee80dae4406837d5b836e8c2ac2aafd58bf869cf7bfb3c4941505b7fca05a27f2a4f45e19caa521422e18a9174e3ea3bbafafb292e066fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\z9xTb8lNHs.bat

Filesize
225B

MD5
9902d6f8440f041641ab1eda768befd3

SHA1
8f3e5e12f332aa9337e9cc486b47003d6dfaa630

SHA256
ed18e15d4aad75d19955b904d22d53ff41e42720c62c22b00b19464275b944d1

SHA512
ec8f52724b631790cca756ddb664e56ac2d0ac59a725fa66d055301fb826765d2d8f7c8f2f3bbcf985258dca3c2f1b0a2d00d28c588e35bde3ab59a6a76b0be6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bae6441d68dfda58c8dc9e6863f51cc8

SHA1
ff9562df4544a170af78f36ce9d7b766d28476f1

SHA256
cb6ae89a0b8658540bbc6ae277bc6b00da9b363449cf333ecbeee3a128b08862

SHA512
59c10c6ab9289d38aa32610cee2fab68981bef5836396dd7e284f50a4173e032e45830ddcbde5760102161c2d8934a70130852b059f967b36a5ff1f6923f7b40

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1336-105-0x0000000001200000-0x0000000001310000-memory.dmp

Filesize
1.1MB

Download
memory/1336-106-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/1724-345-0x0000000001270000-0x0000000001380000-memory.dmp

Filesize
1.1MB

Download
memory/2008-45-0x0000000000920000-0x0000000000A30000-memory.dmp

Filesize
1.1MB

Download
memory/2008-46-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2124-285-0x0000000000190000-0x00000000002A0000-memory.dmp

Filesize
1.1MB

Download
memory/2252-16-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2252-15-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2252-17-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/2252-14-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2252-13-0x00000000010F0000-0x0000000001200000-memory.dmp

Filesize
1.1MB

Download
memory/2364-30-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/2364-32-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/2636-405-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/2880-465-0x00000000013C0000-0x00000000014D0000-memory.dmp

Filesize
1.1MB

Download
memory/2880-225-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/2932-584-0x0000000000330000-0x0000000000440000-memory.dmp

Filesize
1.1MB

Download
memory/3036-644-0x0000000000390000-0x00000000004A0000-memory.dmp

Filesize
1.1MB

Download