dcrat | 6436d18112005a24e7f325fb567fe23d0ada3514033248c6a565229886366fa3

Analysis

max time kernel
150s
max time network
139s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 03:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6436d18112005a24e7f325fb567fe23d0ada3514033248c6a565229886366fa3.exe
Size

1.3MB
MD5

80a8fd52d35c067abddf1f3ec53a5555
SHA1

133c9625e0882d93306842aaa72bc4e768007b5a
SHA256

6436d18112005a24e7f325fb567fe23d0ada3514033248c6a565229886366fa3
SHA512

a829a3dc8832ed3040a33da831cde908a161119366579e3dfc2afa90d8f32e12118a11ea49fded43b1a312348e4611096cf5f274745013890de1f7fb29258350
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2164	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2164	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2164	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2164	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2164	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2164	schtasks.exe	35

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016cab-10.dat	dcrat
behavioral1/memory/2892-13-0x0000000000A90000-0x0000000000BA0000-memory.dmp	dcrat
behavioral1/memory/3004-45-0x0000000000A50000-0x0000000000B60000-memory.dmp	dcrat
behavioral1/memory/2948-104-0x0000000000F30000-0x0000000001040000-memory.dmp	dcrat
behavioral1/memory/2924-164-0x0000000000170000-0x0000000000280000-memory.dmp	dcrat
behavioral1/memory/1920-225-0x0000000000B50000-0x0000000000C60000-memory.dmp	dcrat
behavioral1/memory/824-285-0x0000000000150000-0x0000000000260000-memory.dmp	dcrat
behavioral1/memory/2092-345-0x0000000000F90000-0x00000000010A0000-memory.dmp	dcrat
behavioral1/memory/1504-523-0x0000000001070000-0x0000000001180000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2688	powershell.exe
2600	powershell.exe
2296	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2892	DllCommonsvc.exe
3004	lsass.exe
2948	lsass.exe
2924	lsass.exe
1920	lsass.exe
824	lsass.exe
2092	lsass.exe
2984	lsass.exe
1476	lsass.exe
1504	lsass.exe

Loads dropped DLL 2 IoCs

pid	Process
2724	cmd.exe
2724	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
30	raw.githubusercontent.com
9	raw.githubusercontent.com
5	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
4	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6436d18112005a24e7f325fb567fe23d0ada3514033248c6a565229886366fa3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2324	schtasks.exe
2896	schtasks.exe
2732	schtasks.exe
2632	schtasks.exe
2740	schtasks.exe
2664	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2892	DllCommonsvc.exe
2600	powershell.exe
2688	powershell.exe
2296	powershell.exe
3004	lsass.exe
2948	lsass.exe
2924	lsass.exe
1920	lsass.exe
824	lsass.exe
2092	lsass.exe
2984	lsass.exe
1476	lsass.exe
1504	lsass.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2892	DllCommonsvc.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	3004	lsass.exe
Token: SeDebugPrivilege	2948	lsass.exe
Token: SeDebugPrivilege	2924	lsass.exe
Token: SeDebugPrivilege	1920	lsass.exe
Token: SeDebugPrivilege	824	lsass.exe
Token: SeDebugPrivilege	2092	lsass.exe
Token: SeDebugPrivilege	2984	lsass.exe
Token: SeDebugPrivilege	1476	lsass.exe
Token: SeDebugPrivilege	1504	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 1988	1116	JaffaCakes118_6436d18112005a24e7f325fb567fe23d0ada3514033248c6a565229886366fa3.exe	31
PID 1116 wrote to memory of 1988	1116	JaffaCakes118_6436d18112005a24e7f325fb567fe23d0ada3514033248c6a565229886366fa3.exe	31
PID 1116 wrote to memory of 1988	1116	JaffaCakes118_6436d18112005a24e7f325fb567fe23d0ada3514033248c6a565229886366fa3.exe	31
PID 1116 wrote to memory of 1988	1116	JaffaCakes118_6436d18112005a24e7f325fb567fe23d0ada3514033248c6a565229886366fa3.exe	31
PID 1988 wrote to memory of 2724	1988	WScript.exe	32
PID 1988 wrote to memory of 2724	1988	WScript.exe	32
PID 1988 wrote to memory of 2724	1988	WScript.exe	32
PID 1988 wrote to memory of 2724	1988	WScript.exe	32
PID 2724 wrote to memory of 2892	2724	cmd.exe	34
PID 2724 wrote to memory of 2892	2724	cmd.exe	34
PID 2724 wrote to memory of 2892	2724	cmd.exe	34
PID 2724 wrote to memory of 2892	2724	cmd.exe	34
PID 2892 wrote to memory of 2600	2892	DllCommonsvc.exe	42
PID 2892 wrote to memory of 2600	2892	DllCommonsvc.exe	42
PID 2892 wrote to memory of 2600	2892	DllCommonsvc.exe	42
PID 2892 wrote to memory of 2296	2892	DllCommonsvc.exe	43
PID 2892 wrote to memory of 2296	2892	DllCommonsvc.exe	43
PID 2892 wrote to memory of 2296	2892	DllCommonsvc.exe	43
PID 2892 wrote to memory of 2688	2892	DllCommonsvc.exe	44
PID 2892 wrote to memory of 2688	2892	DllCommonsvc.exe	44
PID 2892 wrote to memory of 2688	2892	DllCommonsvc.exe	44
PID 2892 wrote to memory of 2828	2892	DllCommonsvc.exe	48
PID 2892 wrote to memory of 2828	2892	DllCommonsvc.exe	48
PID 2892 wrote to memory of 2828	2892	DllCommonsvc.exe	48
PID 2828 wrote to memory of 2364	2828	cmd.exe	50
PID 2828 wrote to memory of 2364	2828	cmd.exe	50
PID 2828 wrote to memory of 2364	2828	cmd.exe	50
PID 2828 wrote to memory of 3004	2828	cmd.exe	51
PID 2828 wrote to memory of 3004	2828	cmd.exe	51
PID 2828 wrote to memory of 3004	2828	cmd.exe	51
PID 3004 wrote to memory of 1060	3004	lsass.exe	52
PID 3004 wrote to memory of 1060	3004	lsass.exe	52
PID 3004 wrote to memory of 1060	3004	lsass.exe	52
PID 1060 wrote to memory of 1488	1060	cmd.exe	54
PID 1060 wrote to memory of 1488	1060	cmd.exe	54
PID 1060 wrote to memory of 1488	1060	cmd.exe	54
PID 1060 wrote to memory of 2948	1060	cmd.exe	55
PID 1060 wrote to memory of 2948	1060	cmd.exe	55
PID 1060 wrote to memory of 2948	1060	cmd.exe	55
PID 2948 wrote to memory of 2940	2948	lsass.exe	56
PID 2948 wrote to memory of 2940	2948	lsass.exe	56
PID 2948 wrote to memory of 2940	2948	lsass.exe	56
PID 2940 wrote to memory of 2656	2940	cmd.exe	58
PID 2940 wrote to memory of 2656	2940	cmd.exe	58
PID 2940 wrote to memory of 2656	2940	cmd.exe	58
PID 2940 wrote to memory of 2924	2940	cmd.exe	59
PID 2940 wrote to memory of 2924	2940	cmd.exe	59
PID 2940 wrote to memory of 2924	2940	cmd.exe	59
PID 2924 wrote to memory of 2608	2924	lsass.exe	60
PID 2924 wrote to memory of 2608	2924	lsass.exe	60
PID 2924 wrote to memory of 2608	2924	lsass.exe	60
PID 2608 wrote to memory of 2600	2608	cmd.exe	62
PID 2608 wrote to memory of 2600	2608	cmd.exe	62
PID 2608 wrote to memory of 2600	2608	cmd.exe	62
PID 2608 wrote to memory of 1920	2608	cmd.exe	63
PID 2608 wrote to memory of 1920	2608	cmd.exe	63
PID 2608 wrote to memory of 1920	2608	cmd.exe	63
PID 1920 wrote to memory of 2120	1920	lsass.exe	64
PID 1920 wrote to memory of 2120	1920	lsass.exe	64
PID 1920 wrote to memory of 2120	1920	lsass.exe	64
PID 2120 wrote to memory of 2032	2120	cmd.exe	66
PID 2120 wrote to memory of 2032	2120	cmd.exe	66
PID 2120 wrote to memory of 2032	2120	cmd.exe	66
PID 2120 wrote to memory of 824	2120	cmd.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6436d18112005a24e7f325fb567fe23d0ada3514033248c6a565229886366fa3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6436d18112005a24e7f325fb567fe23d0ada3514033248c6a565229886366fa3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3qIDwt1oDr.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2828
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2364
      - C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1488
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ELjGFNzRMY.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2656
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\daA37ewxym.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2600
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z7DRyUOV59.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2032
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cqXkQwtlzQ.bat"
        15⤵
        
        PID:2880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2488
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5cWoBfSAzl.bat"
        17⤵
        
        PID:1868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2124
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat"
        19⤵
        
        PID:1936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:940
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y23Kn3rQqK.bat"
        21⤵
        
        PID:2188
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2432
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fb10d79216e65b91b958a2b5f7a6d50

SHA1
747386d3b4d2bb5869b15979674b233a4e5ab560

SHA256
ad433653d26127859265a5e8aaa2c30b1732ec91833e6468e98d0a647cbfa773

SHA512
f0d133190c6d0c2b16ec28239c65366c78295298797d37373129100650e623e85edec3ea6350b96b14894795bdd404d1eec0cf94b4925c691e03a1a75b475e42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6f1d6b7ee7df44eebd8a872d9df57f2

SHA1
f5dbfa1941e43737ec9fe29dcb00172889a3e9c6

SHA256
a26aa0a2e2c125ecea3ba06258b8de34ef6c40437f13beb5ff577f9dfd05d848

SHA512
8f221d4af552b94a5a92c7e1b83d2508c480c448ee8b080a5fd2bbc49374920ed5d10573b158348a54d915769ad86cfb054b64ac54a5b691ddef7dfcafbe0b4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
076da757382fe6e7f395160b7c3a3de0

SHA1
ea90b4f23af48764fda3f12367549969da547ddf

SHA256
7655540f6db58205e2dfb4ba6dad4fce1c4a1dde34ef9f7f5b13ac805baece74

SHA512
987b00278c687b4d28b26a93ac2d13741dd49d5f4518a5ddf98cc8a3378c40fda20fa776eccfe297c35f3af44418790190636968ed57b93de856e56efdcd5594

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e2c631054a6c9ceca3d8dd7af61076f

SHA1
1cf200216ab73a72bf7cfc54d5cc84a7e240a550

SHA256
72bf8c239a7bf3ba31848bb14de64f6bb1c5da1aaab736b5b1dda8055cba2cd1

SHA512
820879f275ad469a0e4ca62d72ec132d673fe6c2ad789b7116b805e056f91ae3c331257b1ba80f8267d667e7d07e73ed923e4364631d780812ee0c3b96a0728c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a29fc0d51728147245edfd80ae427490

SHA1
f25361309429a3902b9a046639e714b3f80fabc2

SHA256
e03d1332809d00d8e99cb975ef56660ae857e3a2f353cdbdbd5270170b7e22dd

SHA512
d7c3e849691e67bb74efa1674d14961b87d662d8d1f91a5605057195d4945b4ae5f3106b456671988126e2fc7e45dda70d71d815a9f1285283617f77fd1464d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57e9cf9137c0a2b773c121ef6c00ef30

SHA1
7730337e2a340e48fdf8ed806e3f65a92bbccb0d

SHA256
be8a0be0418825ffdeca7a1141b95424d0dd3638d534fe25900e56603468a6cb

SHA512
72d26c002fd762bec9fe0e1f2e1bc7981d3bfa2bd4b2106b0a330602123236f9e5483e03a34f41559ec4a80df0df1580fb090094d3fbdb99505ec4e1537ff397

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e66d6d9ffc3d04a4db5e75782170d711

SHA1
c9627421354b09ec2a80d2d5cdf36e03b4a95f7e

SHA256
429288517ba2e11ecf7eb343b7deb695650555c77554d39cf1d973d19d04caa8

SHA512
d096830bea6e349be59211563a901b123ccf4373260caba0c7d11d1608365bb57569d6d72029b15296f465614b715a45d98bb90390e6160c616e58de94a1528a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3qIDwt1oDr.bat

Filesize
237B

MD5
2b115609bc2af1ca3586ab248d7b8c99

SHA1
39f5cdaa05a8c3f1a0133927574f33b18a96897b

SHA256
23c0f123294b7e33cda87ab385ae0b9ab30e1cb0742e1e969f865d3be8172d9d

SHA512
3a678d1f7170ea77c1fcc45dad3b7cb7c50b42550e49eac911f253d2fd7905a957daeb3638465ba2d7ae690d06e1e5d5ef5fc438f3185a24c9d7e96061786a06

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cWoBfSAzl.bat

Filesize
237B

MD5
cabd469e198104c6fb717f2977e0f364

SHA1
bdf1e0135eaa440a326c838ba168a33f4939c9c7

SHA256
bc3f7b4201697042d2bc73995f4f622bfec9789f81bf18f54ff6ea48e03f4249

SHA512
0010a198baf13c986697cc9b75db254ec6e5930ecaa78d6e6731f3280288a40c1da6220ad25b50566ecab075f9ef36b886437561a4c79ca29b2a165423abf472

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3DCD.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ELjGFNzRMY.bat

Filesize
237B

MD5
d8731ebdedef5264c01c28ea73de843f

SHA1
d0f02eec469c4e3e3420522989b9ecf8ce31a73f

SHA256
be1584d0f2ef9723bdc6d16108c18f0683af1ada72214e9ab0adf70492c49e85

SHA512
bb0a016b63eea2662e0a7ee4c3eefe5080cbb91fa4b50aa01d5cebb666e76bce7ef94dbf3f3d8b7dde7c9bef8412b9db6d4b4d81a6cc7002ff7cf09bbdf7ee80

Download Submit
C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat

Filesize
237B

MD5
e0bd5b3875355250178025e017ce0c74

SHA1
37a38ac49f27a79099a4125a5b054b52c2457c4e

SHA256
59d325a02374c6fa4afb920541b4e2933eb0bd4670635106e07a0ac3faea9e6d

SHA512
c74abbb231930abbc895bb6b559dcb2fa5766a2c4d1fa4fa278fa89a81644f270ac0a41384e58606eb3445d99bc1b8355637d7d08de0e732079f9233027b907d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3E8B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y23Kn3rQqK.bat

Filesize
237B

MD5
f9e0d9049dc620ea1e56994d9933945b

SHA1
759ba8119ea38bd73b67754e238b9d149a5128b9

SHA256
8f1d85a8e58d273a65e8c824e84f932a4e9912009940a4eea2934768f26a991f

SHA512
a604e2ba1f67d4840e2eb2c6d4cca725c8ffb6f09ebfaa7e1cb457c57a77785ea99e4055a9dd7103384ab2f56cecca7085698b6b23876a55497984a48130ca59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z7DRyUOV59.bat

Filesize
237B

MD5
5d25877cf73946f1d6f9fb11994060f3

SHA1
5443b98068c3ad84e1ad59f56d18dbe775fe24bc

SHA256
ea0f5062b0c4aff9ed8967ec451c3ef3efb7401490b5947490c82b4736becd20

SHA512
47c5d7f8871253bba5afd8cae1928216349a0e122f64893b071b92e1925d01a40c8cd355bff330b370c677ae2385e26df66a16bb5d5890421316dc7f863da8a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqXkQwtlzQ.bat

Filesize
237B

MD5
2bf9d7c79873bd4b4434c62a457d9e93

SHA1
620cb388ec3ac90e636e44e8e79a9cc8f658339e

SHA256
6f46b23bdcfdede3a024c1491303a1dea33c1560bc9b523a139d5df162af5184

SHA512
021f40bb0e6421cab05029f3ce1d298fe96ec3652c2f36dfb885d1a06d8ed645d56670109222410706e7cb7ae77d38f3a14ba340bda22ad14352d805ceaf2b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\daA37ewxym.bat

Filesize
237B

MD5
bc5c4ef838b4eef716d0b840532ea2e7

SHA1
8baaad153074e57f29a93b583517cd2b60b286aa

SHA256
22e86d4023ab1e927930045346cdfa198915f37ed48f984df8de27eb0641e2e8

SHA512
5e9975aa2b0a430b6089889c12ff9e5f632b79c5f5c877da733b7462f7fb3175a648a8343a231aee50450a0fcc9190c3decf3b9c6dc5834fa561db66d0ac5a9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat

Filesize
237B

MD5
e1a628a6f5b4fe84eba488be9e1b270b

SHA1
3c428d33ff0cfff19943b6afda55082a3f38767a

SHA256
b5cfa80df7dba6d7e4f7ca4a0d089dd54903a87557586e2ef96c95440a125dfa

SHA512
8e7b3f2182f1a8a4dfba9b0263175910f1b8a7d7c9aaa9ec3e18dc52a988945fe4b95243f2dd5399c4eb1e149541eb5cd849fcae3c6eccbb20c8e4c32e6c5ef8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b07f9015d8468a30510e6b7fce1de993

SHA1
6e17762cddf1fe1ee8901c97a1b1f8e50e1149d6

SHA256
5a23170178cb3711f49936a19f32135b08b9fbd01da9133301bd0ed5a882b6f8

SHA512
d37f19ecea74d587fb32d47c2bd0a69f563e71db2cadd8d8c939c64285da90ed3ad81df7e2c8d2e86f1e154061f451f9d9fa34989a87bc58f4e40f43546ac1eb

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/824-285-0x0000000000150000-0x0000000000260000-memory.dmp

Filesize
1.1MB

Download
memory/1504-523-0x0000000001070000-0x0000000001180000-memory.dmp

Filesize
1.1MB

Download
memory/1920-225-0x0000000000B50000-0x0000000000C60000-memory.dmp

Filesize
1.1MB

Download
memory/2092-345-0x0000000000F90000-0x00000000010A0000-memory.dmp

Filesize
1.1MB

Download
memory/2600-30-0x000000001B320000-0x000000001B602000-memory.dmp

Filesize
2.9MB

Download
memory/2600-31-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2892-16-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2892-15-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/2892-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2892-14-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2892-13-0x0000000000A90000-0x0000000000BA0000-memory.dmp

Filesize
1.1MB

Download
memory/2924-165-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2924-164-0x0000000000170000-0x0000000000280000-memory.dmp

Filesize
1.1MB

Download
memory/2948-104-0x0000000000F30000-0x0000000001040000-memory.dmp

Filesize
1.1MB

Download
memory/3004-45-0x0000000000A50000-0x0000000000B60000-memory.dmp

Filesize
1.1MB

Download