dcrat | 8ddb63599bbf52294af4ca0dd38c3f08946e6f99c0c7e4db1e93b334f21fc9f8

Analysis

max time kernel
145s
max time network
142s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 03:07 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8ddb63599bbf52294af4ca0dd38c3f08946e6f99c0c7e4db1e93b334f21fc9f8.exe
Size

1.3MB
MD5

744edd583b99ea68d11e66250c174266
SHA1

818dae0bfcfc18ba38a99ff68cb4215f1f4d0e0f
SHA256

8ddb63599bbf52294af4ca0dd38c3f08946e6f99c0c7e4db1e93b334f21fc9f8
SHA512

01eda806a8d3d9ca7acfab6f843adbd84cf0e69f97cdb93f964aafd0f4d6232ef3fdd289432b7ef8c8076e59abfdd334e2278389ba7e246884a818bd88d3f74c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	3044	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	3044	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	3044	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	3044	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	3044	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	3044	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	3044	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	3044	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	3044	schtasks.exe	35

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d1f-9.dat	dcrat
behavioral1/memory/2820-13-0x0000000000290000-0x00000000003A0000-memory.dmp	dcrat
behavioral1/memory/1600-52-0x0000000000AA0000-0x0000000000BB0000-memory.dmp	dcrat
behavioral1/memory/2932-171-0x0000000001160000-0x0000000001270000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1068	powershell.exe
3020	powershell.exe
3028	powershell.exe
2976	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2820	DllCommonsvc.exe
1600	wininit.exe
1980	wininit.exe
2932	wininit.exe
1232	wininit.exe
588	wininit.exe
2924	wininit.exe
1104	wininit.exe
2128	wininit.exe
2552	wininit.exe
2300	wininit.exe
444	wininit.exe

Loads dropped DLL 2 IoCs

pid	Process
2740	cmd.exe
2740	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
26	raw.githubusercontent.com
36	raw.githubusercontent.com
5	raw.githubusercontent.com
13	raw.githubusercontent.com
23	raw.githubusercontent.com
19	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\es-ES\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\56085415360792	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8ddb63599bbf52294af4ca0dd38c3f08946e6f99c0c7e4db1e93b334f21fc9f8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1952	schtasks.exe
2796	schtasks.exe
2932	schtasks.exe
876	schtasks.exe
2860	schtasks.exe
1556	schtasks.exe
2648	schtasks.exe
2752	schtasks.exe
2468	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2820	DllCommonsvc.exe
3028	powershell.exe
3020	powershell.exe
2976	powershell.exe
1068	powershell.exe
1600	wininit.exe
1980	wininit.exe
2932	wininit.exe
1232	wininit.exe
588	wininit.exe
2924	wininit.exe
1104	wininit.exe
2128	wininit.exe
2552	wininit.exe
2300	wininit.exe
444	wininit.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2820	DllCommonsvc.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	1600	wininit.exe
Token: SeDebugPrivilege	1980	wininit.exe
Token: SeDebugPrivilege	2932	wininit.exe
Token: SeDebugPrivilege	1232	wininit.exe
Token: SeDebugPrivilege	588	wininit.exe
Token: SeDebugPrivilege	2924	wininit.exe
Token: SeDebugPrivilege	1104	wininit.exe
Token: SeDebugPrivilege	2128	wininit.exe
Token: SeDebugPrivilege	2552	wininit.exe
Token: SeDebugPrivilege	2300	wininit.exe
Token: SeDebugPrivilege	444	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 2060	2560	JaffaCakes118_8ddb63599bbf52294af4ca0dd38c3f08946e6f99c0c7e4db1e93b334f21fc9f8.exe	31
PID 2560 wrote to memory of 2060	2560	JaffaCakes118_8ddb63599bbf52294af4ca0dd38c3f08946e6f99c0c7e4db1e93b334f21fc9f8.exe	31
PID 2560 wrote to memory of 2060	2560	JaffaCakes118_8ddb63599bbf52294af4ca0dd38c3f08946e6f99c0c7e4db1e93b334f21fc9f8.exe	31
PID 2560 wrote to memory of 2060	2560	JaffaCakes118_8ddb63599bbf52294af4ca0dd38c3f08946e6f99c0c7e4db1e93b334f21fc9f8.exe	31
PID 2060 wrote to memory of 2740	2060	WScript.exe	32
PID 2060 wrote to memory of 2740	2060	WScript.exe	32
PID 2060 wrote to memory of 2740	2060	WScript.exe	32
PID 2060 wrote to memory of 2740	2060	WScript.exe	32
PID 2740 wrote to memory of 2820	2740	cmd.exe	34
PID 2740 wrote to memory of 2820	2740	cmd.exe	34
PID 2740 wrote to memory of 2820	2740	cmd.exe	34
PID 2740 wrote to memory of 2820	2740	cmd.exe	34
PID 2820 wrote to memory of 1068	2820	DllCommonsvc.exe	45
PID 2820 wrote to memory of 1068	2820	DllCommonsvc.exe	45
PID 2820 wrote to memory of 1068	2820	DllCommonsvc.exe	45
PID 2820 wrote to memory of 3020	2820	DllCommonsvc.exe	46
PID 2820 wrote to memory of 3020	2820	DllCommonsvc.exe	46
PID 2820 wrote to memory of 3020	2820	DllCommonsvc.exe	46
PID 2820 wrote to memory of 3028	2820	DllCommonsvc.exe	47
PID 2820 wrote to memory of 3028	2820	DllCommonsvc.exe	47
PID 2820 wrote to memory of 3028	2820	DllCommonsvc.exe	47
PID 2820 wrote to memory of 2976	2820	DllCommonsvc.exe	48
PID 2820 wrote to memory of 2976	2820	DllCommonsvc.exe	48
PID 2820 wrote to memory of 2976	2820	DllCommonsvc.exe	48
PID 2820 wrote to memory of 1572	2820	DllCommonsvc.exe	53
PID 2820 wrote to memory of 1572	2820	DllCommonsvc.exe	53
PID 2820 wrote to memory of 1572	2820	DllCommonsvc.exe	53
PID 1572 wrote to memory of 1944	1572	cmd.exe	55
PID 1572 wrote to memory of 1944	1572	cmd.exe	55
PID 1572 wrote to memory of 1944	1572	cmd.exe	55
PID 1572 wrote to memory of 1600	1572	cmd.exe	56
PID 1572 wrote to memory of 1600	1572	cmd.exe	56
PID 1572 wrote to memory of 1600	1572	cmd.exe	56
PID 1600 wrote to memory of 2164	1600	wininit.exe	57
PID 1600 wrote to memory of 2164	1600	wininit.exe	57
PID 1600 wrote to memory of 2164	1600	wininit.exe	57
PID 2164 wrote to memory of 1660	2164	cmd.exe	59
PID 2164 wrote to memory of 1660	2164	cmd.exe	59
PID 2164 wrote to memory of 1660	2164	cmd.exe	59
PID 2164 wrote to memory of 1980	2164	cmd.exe	60
PID 2164 wrote to memory of 1980	2164	cmd.exe	60
PID 2164 wrote to memory of 1980	2164	cmd.exe	60
PID 1980 wrote to memory of 2708	1980	wininit.exe	61
PID 1980 wrote to memory of 2708	1980	wininit.exe	61
PID 1980 wrote to memory of 2708	1980	wininit.exe	61
PID 2708 wrote to memory of 1540	2708	cmd.exe	63
PID 2708 wrote to memory of 1540	2708	cmd.exe	63
PID 2708 wrote to memory of 1540	2708	cmd.exe	63
PID 2708 wrote to memory of 2932	2708	cmd.exe	64
PID 2708 wrote to memory of 2932	2708	cmd.exe	64
PID 2708 wrote to memory of 2932	2708	cmd.exe	64
PID 2932 wrote to memory of 2052	2932	wininit.exe	65
PID 2932 wrote to memory of 2052	2932	wininit.exe	65
PID 2932 wrote to memory of 2052	2932	wininit.exe	65
PID 2052 wrote to memory of 1068	2052	cmd.exe	67
PID 2052 wrote to memory of 1068	2052	cmd.exe	67
PID 2052 wrote to memory of 1068	2052	cmd.exe	67
PID 2052 wrote to memory of 1232	2052	cmd.exe	68
PID 2052 wrote to memory of 1232	2052	cmd.exe	68
PID 2052 wrote to memory of 1232	2052	cmd.exe	68
PID 1232 wrote to memory of 1584	1232	wininit.exe	69
PID 1232 wrote to memory of 1584	1232	wininit.exe	69
PID 1232 wrote to memory of 1584	1232	wininit.exe	69
PID 1584 wrote to memory of 1280	1584	cmd.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ddb63599bbf52294af4ca0dd38c3f08946e6f99c0c7e4db1e93b334f21fc9f8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ddb63599bbf52294af4ca0dd38c3f08946e6f99c0c7e4db1e93b334f21fc9f8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\es-ES\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\E1U41Va1sj.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1572
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1944
      - C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\wininit.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\wininit.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WPmuDeaX4D.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1660
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\wininit.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\wininit.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OTxxDhnLNa.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1540
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\wininit.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\wininit.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6M87tNVNy8.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1068
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\wininit.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\wininit.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uugdhbmYnk.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1280
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\wininit.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\wininit.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ay5NT8uJA6.bat"
        15⤵
        
        PID:2376
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2920
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\wininit.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\wininit.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat"
        17⤵
        
        PID:3004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2368
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\wininit.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\wininit.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uSow6ZWML2.bat"
        19⤵
        
        PID:1800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:952
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\wininit.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\wininit.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvFVSjZSRs.bat"
        21⤵
        
        PID:1524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:484
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\wininit.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\wininit.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GTS4B5cy6p.bat"
        23⤵
        
        PID:2756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2636
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\wininit.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\wininit.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JeZnuB4iL9.bat"
        25⤵
        
        PID:1560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1944
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\wininit.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\wininit.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

Network

DNS

raw.githubusercontent.com

wininit.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.108.133

raw.githubusercontent.com

IN A

185.199.111.133

raw.githubusercontent.com

IN A

185.199.110.133

raw.githubusercontent.com

IN A

185.199.109.133

185.199.108.133:443

raw.githubusercontent.com

tls

wininit.exe

741 B
4.1kB
9
10
185.199.108.133:443

raw.githubusercontent.com

tls

wininit.exe

747 B
4.2kB
9
11
185.199.108.133:443

raw.githubusercontent.com

tls

wininit.exe

793 B
4.2kB
10
11
185.199.108.133:443

raw.githubusercontent.com

tls

wininit.exe

741 B
4.1kB
9
10
185.199.108.133:443

raw.githubusercontent.com

tls

wininit.exe

793 B
4.2kB
10
11
185.199.108.133:443

raw.githubusercontent.com

tls

wininit.exe

793 B
4.2kB
10
11
185.199.108.133:443

raw.githubusercontent.com

tls

wininit.exe

741 B
4.1kB
9
10
185.199.108.133:443

raw.githubusercontent.com

tls

wininit.exe

741 B
4.1kB
9
10
185.199.108.133:443

raw.githubusercontent.com

tls

wininit.exe

793 B
4.2kB
10
11
185.199.108.133:443

raw.githubusercontent.com

tls

wininit.exe

741 B
4.1kB
9
10

8.8.8.8:53

raw.githubusercontent.com

dns

wininit.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.108.133

185.199.111.133

185.199.110.133

185.199.109.133

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7836203b9654d6d83850c8958b7dbacb

SHA1
21e3028c2448ed4bdac982dea6c8d5473245f210

SHA256
67a737c467cdd461a946eb25775e3e5476ae85d6308cee9ddbc4be5eeb6815f2

SHA512
e3b4bc407a1795ab3c7e49521e922c6658dddf26b6c6e853744ad75a30d5a3a18a701512b23a098fc92bceeacacf297d4bd6a52b8e869e3d9fa5e5aa6b69fcb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a52df7a371aa515d3b26440f9a6b566a

SHA1
b5517b1aff63757a9f40cd018d8c52c9ee8d75d9

SHA256
157dde5635c22e8f999b4991009912b83dbdbf2cfb5906cdf7c77f2a43c41607

SHA512
93d3468552f409f5ebf1f5bb665a37d03470fe593e934ee1fdf0ebd085242169adcf5e86876f8f73cce5b37efe9855d31ad66df85300334147cd69ac9807df84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0471973c4119e05ed1e9d914205c0c6

SHA1
a4ab1d24ede8fd8d94eee2302d08c41381860676

SHA256
3321feeea0bdf5a6c97eab16160c96f9d45086f30520cdd6d3fc8eab052b5164

SHA512
a1589162bf56f82bf8c48be23378ed6ccda874ae6066afe4b373b1655f512a4d8d450cc05f0bfec06d39651625659fb8952149b72bb1db7aa705cc5c66d9b74b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd3c4c26ad0ca2784e87e2b25bc7193c

SHA1
dee0fefd3fa59f01c67bf3cad22a5cd1d12bf7fb

SHA256
d4eac688a85c94432457d1c9948992e91947425b2bab60eb001bb23f91984043

SHA512
f04c78af14c9869204d3a08f1b63d83961d41291ba63a5affb936738f2532bfc800b7a92654ff644b25f4941f6d16b0ef53c349af501b23dbeb46eafd466d91e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0245eca29928180b45296e7af0c4e763

SHA1
8114efbb691b615d8b76d5d501c97104c3ae3146

SHA256
9450ef47dcef0dc5694efc938418dea89af6303706bfaf59646308b707fc04e7

SHA512
2ed22d8629f17512a98334ed6277085c2f343558faa39c1fd80265226c2d8ff6a95a4f74c5518e09fedf4e33ba8c134fbfaee263fdd182aafc67402144eab13b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
086a872eb6b172f59086c653f29719d3

SHA1
b2cb19894923df1667e1b2e49e5f2ffd5be538cf

SHA256
8d8d5302aef64b77568ce4186319cafab3fdd34be4d3fd39be18cf5257566db4

SHA512
1d452ef10227827a9dcb31b59b638f8571c9a75f8d62c3c531b74116e8cf94ef10c4956b6296b090531019c0183a841d911d572a2aa03ff93ce2bbf9a0d13614

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b0e30dd2279a9b6cf902ec4a949017b1

SHA1
26872f192e823c96836bd46e744bd4ad86f7396a

SHA256
ff37269e6823175d2af379d93ed59863174766e1e6959dd1f07c025481c172d8

SHA512
eac0a3270ff4eaca899a1bf133ba37f7ba9b4ff723d72e536c5148586282df857581256fc24693f5d4abd3b44c229d327c67afbfabf630dd09b787aaf029dc36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
94ffb1ec323e465c4b53d55b5c1eb88e

SHA1
a0e28ca430d5b5d23ff18dfbd49cf9bb7bad695a

SHA256
302a7693d76587af694638fabb12fd1a9bba85aed91d8a6e56692849b40876f8

SHA512
2e885057b9b3a9baa78e0bc26c5b562df23b64fdc087d02000a3531e36a6edc56fbefabd7e9788559732e9d808b2d3aeceb80d1c1a79211a9ee018376ca37387

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b734b11485265a8046ab4df5363878ae

SHA1
8cee9217eb7ae1567074b229cb456fd50bd13f85

SHA256
eef0d5b8b4be3447885055c443533453ab1fb296d6ad507789385b16530a05fc

SHA512
e0685cdef9e8d075bd05b3976c5815ea36617180403526b0f33eacfa777061169bf8ba47fcbd4b09b0df1b3f073975055008fdc2c6c299b319f556ceb3a3a0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\6M87tNVNy8.bat

Filesize
239B

MD5
6c91b4fcf81f498df84aafd6f21b6c8a

SHA1
e0e9ea412e3add3c1505c9013f398563544b8920

SHA256
3cfc7f39d839c60fef12933b63a2b3a19395c911b7df3ec6651b582b05928088

SHA512
8bac29bc7759403ecc9497e69dc902e86edce32aab2f89b48b90c7609e5cefaf99fe2324b95f9b01eba6bcd01141d5c7eb2b3a4f73959d98c0ee9a065b2aa48c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab29B1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E1U41Va1sj.bat

Filesize
239B

MD5
529ac3dbf16873dfcd629dd593f987d9

SHA1
66b4556565fc18a2bf323dccc12c0bf6b0fbb449

SHA256
a4d6d3ccbac52d28008ee6ba5f51a95fb6eed108ad5441f4119908390c6a91db

SHA512
cdfdc0c345dfa3ed15776239161afd2d6d8cc6f260b1da34999c1e0184c8f44d9b25593a954851b86c273731bc9599cf8dba51cf9c072b95bc4a02da9b6d32a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GTS4B5cy6p.bat

Filesize
239B

MD5
3fd39d9429dfdc13442c9b42084b3c00

SHA1
4e3a04bf12c8065028f8b4d6ffdff102f61096bd

SHA256
529eeec97d03f28f8f0e998975986b3299bd4c0e085501ce8e148c89c4882770

SHA512
da8cd8d38287b9421ffb0219b3ca26ec7334f9a8cb80414cea6b3dcd22f0e1e8cd291c732b189bc733541531e7386987dc1e83999b5a6adab06bae61706b9159

Download Submit
C:\Users\Admin\AppData\Local\Temp\GvFVSjZSRs.bat

Filesize
239B

MD5
be7c27769369ab7bc4017a3c99bce6a0

SHA1
fdc9690a2cfd27a7a2fab04546124a3b22c1a061

SHA256
0d627409093c5a8b6447f79ff5f1fa556d36263be7d156f5731c20a816c758f1

SHA512
2dec9d4fc91c98d47faf8e41adcbc05eda5ded434800f5b63db231cc53a2e47481e64830c7fc130b3b09131f4e8b1d696ef51efb6332741cca3fd4b6ca3f7ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\JeZnuB4iL9.bat

Filesize
239B

MD5
27929d48fe9a32cfb35b94f8e8e6b513

SHA1
4217bf576af861a5d20e0ce2dea5997d53309844

SHA256
eda885edf83837307012abbe2c8e95ebb5acd68a63a7ddfc3258d33ccd70a68f

SHA512
20b604d4d5242d7aac3cd47f89058fb5b4cadf027b790ac0e90d04f5b747be9290d8ac90c7e2b0fdb6d6f885fe6f3781f585beb1b7e38bc541d4323c995a0b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OTxxDhnLNa.bat

Filesize
239B

MD5
833448952295047bf51910a45a148ae3

SHA1
1aed972fa118942fc8f9da7abeadbc31291d19e6

SHA256
58f97e7c29dc6b42b6050d8fa2d3ed0b297eed1fede9155e140e90fc81410055

SHA512
1b7d73aade56f0024ce46b0747c75b64526a25f591beca104733fcdcdba5cfee8679b898ea2fc02d54912d52bc0de85ef5da17adb11fb884e5711ad30a0a0331

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar29D3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPmuDeaX4D.bat

Filesize
239B

MD5
cba7fd4379d1f79b07b16f632c366205

SHA1
443e64c6730c8d68f56ae007841baae4a19ae15e

SHA256
1270395d083ae88f1c124cb581fba14bcfa3d707e2a6753061bcc9ac77fd8ea0

SHA512
3a02198ea01f8001603733c260353a8e415b53dc23903f9b6c2be2a76d5adf45a6fea7502d81f05511ca6392d13c8030dc5fefb7f0b787a6bd93e5a516e7d877

Download Submit
C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat

Filesize
239B

MD5
64ca76150e5c08336bf3af9c61bef4d8

SHA1
1840e51279413f01b2a299876bf39fc0d2a24542

SHA256
f67e7fb149607daaa2345703c6a5d1a0cd62ed372c8ef735e69283901b387107

SHA512
933aa0b231b8f00cc62cded6382b985f422ea302d37e9050b1f34199e0cbdb411bf9e64e8c5fd8b3dae477c503314f3aec0b1819fe40d27dfb35d949de73063b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ay5NT8uJA6.bat

Filesize
239B

MD5
ca976bca182c8122bc6bb407d2dac7e5

SHA1
cab5d0921ba0f1c8c70e1d5616e7b9de02e183a8

SHA256
ad077fa8668185dcb5d1e1ce5aaa44dd7061173330839ee8f52357db22b56be7

SHA512
909986ae2c1a278eb558b949a0ed829fa68cf727d6d4cf50d11014a9fa1329620e5e064814cbb29310e6d780be94aab6a19991a9fb90df60f5b6c6dbd9e5580a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uSow6ZWML2.bat

Filesize
239B

MD5
41eca185e839c52e17ff12760845ccb5

SHA1
b0c57ba5d5fb0de8d4ad113f950cfb6ca61f3ca8

SHA256
ddd2d017a8135be1af646fc1e15adb301819aed95a0553b99bb91a605b8992b0

SHA512
942ad256f246ca3e111cc0635beb5cc85004daa45e95d06b355f80d8395c2869c2fef1b50163f2d69351f274103fee919e6cfbb66f9620b8044496abd9093a95

Download Submit
C:\Users\Admin\AppData\Local\Temp\uugdhbmYnk.bat

Filesize
239B

MD5
731e4dd794fef33df6489aaef557f1fb

SHA1
0ee488991f6b33f4a1765414c3c96bb738c1c3a8

SHA256
62f222bf3affe0e76e7440d3b9317ee59335c1913e8fb3998b3b004ab2738d18

SHA512
e1c399403ec68ddda46b3b72cfe074f5d54889ff2a75608ed1703974a64e64781c0c713bd647ce5db10780d21ad8b92df37263245600daabd97f29d42ddab2ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ac6b383da33f910a4cfe5564eb97e3dd

SHA1
231ce5af016e1c8a7c01f46160e939a35e21ff59

SHA256
805ec0f9bd860f6af73976b33023a095a2b0d9199d5bfe9c46d4312a09cfa8bb

SHA512
5602a5a5bb775ded8ab4249815342ef724fee95b6cca9bacc626e0d4bc31de881506da42ad722a46b191a56fd5f19cf31f1fc2ae7ce82037f3d7563cc8f924b1

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/444-645-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/1600-52-0x0000000000AA0000-0x0000000000BB0000-memory.dmp

Filesize
1.1MB

Download
memory/1980-111-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2820-13-0x0000000000290000-0x00000000003A0000-memory.dmp

Filesize
1.1MB

Download
memory/2820-17-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/2820-16-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2820-15-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/2820-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2932-172-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2932-171-0x0000000001160000-0x0000000001270000-memory.dmp

Filesize
1.1MB

Download
memory/3028-48-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/3028-42-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.