dcrat | 787ec42a2f3df91c682501e7e9271673dae58e5981b4349f6c410ee96f58c344

Analysis

max time kernel
146s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_787ec42a2f3df91c682501e7e9271673dae58e5981b4349f6c410ee96f58c344.exe
Size

1.3MB
MD5

3bf1794a157df46ffe99af6521c68211
SHA1

b4904e1cedb9ff933cf8a0b62d7930e141b7a873
SHA256

787ec42a2f3df91c682501e7e9271673dae58e5981b4349f6c410ee96f58c344
SHA512

ecf5fcc9d78764648feefd1c4d89ad56ef7df320e6ec17fa7e5f49fb2179788b146e15368546d78a1e24158291cb7fd56d2c2fa429c0cace10080957ac38c125
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2992	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	2992	schtasks.exe	34

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d0c-9.dat	dcrat
behavioral1/memory/2472-13-0x0000000000BD0000-0x0000000000CE0000-memory.dmp	dcrat
behavioral1/memory/1524-30-0x0000000000910000-0x0000000000A20000-memory.dmp	dcrat
behavioral1/memory/2156-111-0x0000000000340000-0x0000000000450000-memory.dmp	dcrat
behavioral1/memory/2732-172-0x0000000000AB0000-0x0000000000BC0000-memory.dmp	dcrat
behavioral1/memory/2164-233-0x0000000000230000-0x0000000000340000-memory.dmp	dcrat
behavioral1/memory/1916-293-0x0000000001000000-0x0000000001110000-memory.dmp	dcrat
behavioral1/memory/2640-354-0x0000000000310000-0x0000000000420000-memory.dmp	dcrat
behavioral1/memory/1536-414-0x0000000000050000-0x0000000000160000-memory.dmp	dcrat
behavioral1/memory/1108-475-0x0000000000080000-0x0000000000190000-memory.dmp	dcrat
behavioral1/memory/2872-535-0x0000000000FC0000-0x00000000010D0000-memory.dmp	dcrat
behavioral1/memory/2372-595-0x0000000000360000-0x0000000000470000-memory.dmp	dcrat
behavioral1/memory/868-655-0x0000000000F00000-0x0000000001010000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
676	powershell.exe
1028	powershell.exe
3048	powershell.exe
2968	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2472	DllCommonsvc.exe
1524	taskhost.exe
2156	taskhost.exe
2732	taskhost.exe
2164	taskhost.exe
1916	taskhost.exe
2640	taskhost.exe
1536	taskhost.exe
1108	taskhost.exe
2872	taskhost.exe
2372	taskhost.exe
868	taskhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2800	cmd.exe
2800	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
12	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
40	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
34	raw.githubusercontent.com
37	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_787ec42a2f3df91c682501e7e9271673dae58e5981b4349f6c410ee96f58c344.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2988	schtasks.exe
2776	schtasks.exe
2636	schtasks.exe
344	schtasks.exe
2976	schtasks.exe
2780	schtasks.exe
2616	schtasks.exe
2140	schtasks.exe
1644	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2472	DllCommonsvc.exe
676	powershell.exe
2968	powershell.exe
1028	powershell.exe
3048	powershell.exe
1524	taskhost.exe
2156	taskhost.exe
2732	taskhost.exe
2164	taskhost.exe
1916	taskhost.exe
2640	taskhost.exe
1536	taskhost.exe
1108	taskhost.exe
2872	taskhost.exe
2372	taskhost.exe
868	taskhost.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2472	DllCommonsvc.exe
Token: SeDebugPrivilege	676	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	1524	taskhost.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	2156	taskhost.exe
Token: SeDebugPrivilege	2732	taskhost.exe
Token: SeDebugPrivilege	2164	taskhost.exe
Token: SeDebugPrivilege	1916	taskhost.exe
Token: SeDebugPrivilege	2640	taskhost.exe
Token: SeDebugPrivilege	1536	taskhost.exe
Token: SeDebugPrivilege	1108	taskhost.exe
Token: SeDebugPrivilege	2872	taskhost.exe
Token: SeDebugPrivilege	2372	taskhost.exe
Token: SeDebugPrivilege	868	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 1468	1984	JaffaCakes118_787ec42a2f3df91c682501e7e9271673dae58e5981b4349f6c410ee96f58c344.exe	30
PID 1984 wrote to memory of 1468	1984	JaffaCakes118_787ec42a2f3df91c682501e7e9271673dae58e5981b4349f6c410ee96f58c344.exe	30
PID 1984 wrote to memory of 1468	1984	JaffaCakes118_787ec42a2f3df91c682501e7e9271673dae58e5981b4349f6c410ee96f58c344.exe	30
PID 1984 wrote to memory of 1468	1984	JaffaCakes118_787ec42a2f3df91c682501e7e9271673dae58e5981b4349f6c410ee96f58c344.exe	30
PID 1468 wrote to memory of 2800	1468	WScript.exe	31
PID 1468 wrote to memory of 2800	1468	WScript.exe	31
PID 1468 wrote to memory of 2800	1468	WScript.exe	31
PID 1468 wrote to memory of 2800	1468	WScript.exe	31
PID 2800 wrote to memory of 2472	2800	cmd.exe	33
PID 2800 wrote to memory of 2472	2800	cmd.exe	33
PID 2800 wrote to memory of 2472	2800	cmd.exe	33
PID 2800 wrote to memory of 2472	2800	cmd.exe	33
PID 2472 wrote to memory of 676	2472	DllCommonsvc.exe	44
PID 2472 wrote to memory of 676	2472	DllCommonsvc.exe	44
PID 2472 wrote to memory of 676	2472	DllCommonsvc.exe	44
PID 2472 wrote to memory of 1028	2472	DllCommonsvc.exe	45
PID 2472 wrote to memory of 1028	2472	DllCommonsvc.exe	45
PID 2472 wrote to memory of 1028	2472	DllCommonsvc.exe	45
PID 2472 wrote to memory of 3048	2472	DllCommonsvc.exe	47
PID 2472 wrote to memory of 3048	2472	DllCommonsvc.exe	47
PID 2472 wrote to memory of 3048	2472	DllCommonsvc.exe	47
PID 2472 wrote to memory of 2968	2472	DllCommonsvc.exe	48
PID 2472 wrote to memory of 2968	2472	DllCommonsvc.exe	48
PID 2472 wrote to memory of 2968	2472	DllCommonsvc.exe	48
PID 2472 wrote to memory of 1524	2472	DllCommonsvc.exe	52
PID 2472 wrote to memory of 1524	2472	DllCommonsvc.exe	52
PID 2472 wrote to memory of 1524	2472	DllCommonsvc.exe	52
PID 1524 wrote to memory of 2104	1524	taskhost.exe	54
PID 1524 wrote to memory of 2104	1524	taskhost.exe	54
PID 1524 wrote to memory of 2104	1524	taskhost.exe	54
PID 2104 wrote to memory of 2304	2104	cmd.exe	56
PID 2104 wrote to memory of 2304	2104	cmd.exe	56
PID 2104 wrote to memory of 2304	2104	cmd.exe	56
PID 2104 wrote to memory of 2156	2104	cmd.exe	57
PID 2104 wrote to memory of 2156	2104	cmd.exe	57
PID 2104 wrote to memory of 2156	2104	cmd.exe	57
PID 2156 wrote to memory of 2896	2156	taskhost.exe	58
PID 2156 wrote to memory of 2896	2156	taskhost.exe	58
PID 2156 wrote to memory of 2896	2156	taskhost.exe	58
PID 2896 wrote to memory of 1992	2896	cmd.exe	60
PID 2896 wrote to memory of 1992	2896	cmd.exe	60
PID 2896 wrote to memory of 1992	2896	cmd.exe	60
PID 2896 wrote to memory of 2732	2896	cmd.exe	61
PID 2896 wrote to memory of 2732	2896	cmd.exe	61
PID 2896 wrote to memory of 2732	2896	cmd.exe	61
PID 2732 wrote to memory of 2664	2732	taskhost.exe	62
PID 2732 wrote to memory of 2664	2732	taskhost.exe	62
PID 2732 wrote to memory of 2664	2732	taskhost.exe	62
PID 2664 wrote to memory of 1824	2664	cmd.exe	64
PID 2664 wrote to memory of 1824	2664	cmd.exe	64
PID 2664 wrote to memory of 1824	2664	cmd.exe	64
PID 2664 wrote to memory of 2164	2664	cmd.exe	65
PID 2664 wrote to memory of 2164	2664	cmd.exe	65
PID 2664 wrote to memory of 2164	2664	cmd.exe	65
PID 2164 wrote to memory of 908	2164	taskhost.exe	66
PID 2164 wrote to memory of 908	2164	taskhost.exe	66
PID 2164 wrote to memory of 908	2164	taskhost.exe	66
PID 908 wrote to memory of 2424	908	cmd.exe	68
PID 908 wrote to memory of 2424	908	cmd.exe	68
PID 908 wrote to memory of 2424	908	cmd.exe	68
PID 908 wrote to memory of 1916	908	cmd.exe	69
PID 908 wrote to memory of 1916	908	cmd.exe	69
PID 908 wrote to memory of 1916	908	cmd.exe	69
PID 1916 wrote to memory of 1568	1916	taskhost.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_787ec42a2f3df91c682501e7e9271673dae58e5981b4349f6c410ee96f58c344.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_787ec42a2f3df91c682501e7e9271673dae58e5981b4349f6c410ee96f58c344.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
    - - C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1524
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tA3KztjMoN.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2304
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zj0hR7WTEZ.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1992
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wzkVYe0vvu.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1824
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AQtyVABn1C.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2424
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CTHuJZ10YE.bat"
        14⤵
        
        PID:1568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2720
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D6YKtyItKL.bat"
        16⤵
        
        PID:2308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1828
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2zXOrWkEHk.bat"
        18⤵
        
        PID:1380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2144
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8pOjIocmws.bat"
        20⤵
        
        PID:3056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2012
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GW80Ek08hx.bat"
        22⤵
        
        PID:324
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2756
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EYKlAcFNfO.bat"
        24⤵
        
        PID:2100
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2972
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xgactKMGCU.bat"
        26⤵
        
        PID:796
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8d4fdcf033c4f7bd17ffe0229efed7d1

SHA1
581a4d2171cc4ac83bc8e0757a9844893d3b5ce5

SHA256
09ebb7844d4dd9796c4a6dde2eff2fc1f72a8a04691f21f8399404ced91f44d7

SHA512
094ec7da90583c6b26eeffdfbf5b04e6bf70f15928d0784d7b9af4899ed25d92ee020211fa7bad2ddbc38961de3821a05981eb151ff9af1b4dad05969a436f89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a914c019fb73450099cec1a62d647a93

SHA1
fddf0b9d8343449f9eaec36f430a38bd6df18f74

SHA256
3f0daaba54a29f620b5f9f407d2cf84db17f48352dedcb6552ceb0ef3d5d4083

SHA512
afcb4e3ab438b19c75f305678215dfa3a181d411c556ddf9c9e108cc5d37b8329ff8f8cd60e434c31bd56e6b1e4818c9b190412f6be087dd7fce4b2547852810

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
952c22673cff70f49aa922ec2a04eb78

SHA1
2df12d9d2e3e83d0565d22045d8ba3e74ae1572f

SHA256
2c10ec57f1b880b712f85b42383a2dd2452d40f4fe8c6c77cfbbb57a9e9efa37

SHA512
92f6ee5ebeeb5e061f9d09e3c37cab69ff055ecca12cbdb6596a76a3d96e2dbed172e542d4e7203ab747e191dbeb54df6b353855a607b6ede06a6216ae13cb7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f265547e3f04343c20abb0fde4ff7707

SHA1
6adfd4a35405486b72969cd0c2a17da98f274ef9

SHA256
e4f6f1de3eb456d27db643aa16c49f6fe279e013d7badfb3c37e9d003c4b2bc3

SHA512
c4c79036f7ca08537ea5b035670a327812f77e7f59be24bf8a28e3ccd5c27fd9a2d6daa0e9fb2d4e057c566b0dfe5c77620f4679045eacd1014c400cd06dd6b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb2f7581974b4c0599fe3f1da9939b5d

SHA1
cb2bda91c9df024deb82d9a401a4a8695b965994

SHA256
2b66198cb6d90be88af5cf419e1f77311eeba4e6a2daf8d3b622b6905c60b235

SHA512
41909a18a769f365eaad707ccdac4a2a3e0350ae249cb6f820e377d869bb1203d6823bbf0d242dcba0cd238a52e21e39b39fbd415afa6f99b666bd519add29b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a03197b63f38c83861ea4a813a885e37

SHA1
eb5fe89b8b42534281e1931451998f27186f4cd4

SHA256
117c405b96ab1218c29da99f17b8c7a4f3aae048b522602255db9c8f83c0cabd

SHA512
9ae91d0d19087040f3a5a5b6ceb504d5fb9554a2399e836cff8709c318284e3e511977d162940eb65c2e1e8159f8ced7a6ba2d5c06705efb5e4984211a64cb10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6cb012c777731e08a023bb51266ca887

SHA1
44be6cb9c20ba0d7016f73dd9de72e8c39662497

SHA256
f3983424f1db53c0d91c28725d056dc913d7b5d8aea4998ce820cfcfb6b2d7ee

SHA512
b68b4b1ee8e666f9a9e139b5a83ef1bc30c5978d85a80660b715322cad8a4a3f390f36ee03e2672254bce7d2434cf1956301d330575b8aa9d3c6d0070dab7e6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c07fbb0774bbf10ddcaaf05fd6c8ddc6

SHA1
f5b6de01d6cad9fe1ddb0c69ca08d4c5d71d5a0e

SHA256
aca5c680e63be6fb45f91bb154000e882d6622d4efa34a7d3e3ed5c675302e91

SHA512
281635f5977257075565bbda00b26d264ec0fdf2327ac5c159242a777a443f16d527cc6f730215ebecb0908f7de08379a9df9afbc5a6cbd1498f6ebeac9b41bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0198f35f88e6b97ea5fcb0dbfda2c0d

SHA1
a7ea6e0228b934a8b3ff1dbf46d592d447e0d06d

SHA256
b2096610d94ff58b19bfa3d43ecd3bb76b0dfee361758a0c91cb55d0989d0e2e

SHA512
33e83e318990f2793e19220ff714ff28219b883c213585fb40088cd93131693a95532884f1418820542524a0843592a3b3c089a48bfebeedab71aae6ce5cb952

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
148950110944274f65fda619605aac4c

SHA1
5c07daa7e438a6accdba04784a540fbcc1373a22

SHA256
1fe9266f1a7e08bb41972f090b9e8817325c2de4ee9f851a995caddb2e987094

SHA512
b87248588f5a62e0f72b5a24d28c8dc463ded985312acd458a385228bbd47ce4f30e5d2f23aef163c97811dd572f7ae3b28d2bdd1197c05d6ba5fe74bc02c68e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2zXOrWkEHk.bat

Filesize
240B

MD5
a65fb30d520d9d5d6b01223c4a4b3256

SHA1
f71a365d1f47b46d5f2cc8bdd02583b94031105c

SHA256
a934a4f3b2bcae33a4e59f50d79b3aa9189c70798744f1a7fed68b7859251499

SHA512
1b22c17bbdd26b12219ee64afe0abab86662a3e0b1a9a45e60bb1916a7169e35d6c43856d2ee7ccd458463d6079d1eead583bce9881cbfd6c3ed787b270f4c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\8pOjIocmws.bat

Filesize
240B

MD5
2c501083f0a6cac86a566ca9d681c7f3

SHA1
a54787d83ac617a8ce24d2e925cdb1bb7bcfc623

SHA256
7fb19edb966269bd83cd57e7dcadef4366e144142bedd797c53fed2631998aa4

SHA512
8fac98368dd9ff88d5018837582520fff20f24be89b8ad7ffb5076b90559f14e30ec1015991670b58c8902b2cb660787ff4de35f5abf0045a31d78317da24956

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQtyVABn1C.bat

Filesize
240B

MD5
690f4760be2e620597100441ed84b0c5

SHA1
b5c9ae48755e4104b1dc7b8ab75a0b20aac3af80

SHA256
c541fd9a8151a2f965bde757f7ac0fc348178a4b0414d8811472b07c8d6c5d03

SHA512
ba3d4c285db36589fa9c11a83392855a6759d972fe4362c3f6a4db0522049546e2b06a4ef0fce4a1c3e7e51be8a7e9444f2d5790d960301d8307a19f05597b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CTHuJZ10YE.bat

Filesize
240B

MD5
b2e7eec669aad198e57e25b4ec88bbb3

SHA1
85e9ba0e476a6599840a5a8dafe6e252240c27e6

SHA256
fc373c25dcd8b442304833754793f43e3e5bbcffc051f179b6fa6f594b50d6e3

SHA512
c520bafe171bd90202a0d9c4c510ab558d639f5f17986ac13eba8a1e210cb6dd2d80f2bdc57aa3b668a531abf62321b44e22e401a5a71d0e3645fbc6936c175e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD645.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6YKtyItKL.bat

Filesize
240B

MD5
99a506720e8e64ee1b2b58d4c47fd82f

SHA1
2f51e119ef6b09c07e27ff55bdfba8ee2f381c36

SHA256
cb00ce25494229c42d279617b636e6802c7fd99f325d49bb970892cfae8cdce7

SHA512
5d576cc8674636c5252defe2127144408df56a37b62b92e6f4f41611982f4b7b8303e7b3b456d80f46df0ea2021f1b998503f5df994aa3901847efd97d11da6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYKlAcFNfO.bat

Filesize
240B

MD5
e33f6d9c1c74b795c1f32d2aa7962714

SHA1
cecb2894f4b2ac4d2fa28c301be50ac3032846b6

SHA256
5c9e6f3e90ec9eb4a934572e74cd9cff559a130e9a744d365dc21530f8bc1d50

SHA512
e793631be0d9cb7668f3dd5ec3fd754d76408e65b1d3adc9df2624409c9001a10622011c09997304c19efd5e8271f0f7c42e3bc841826dfbafbe86bddaa8781d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GW80Ek08hx.bat

Filesize
240B

MD5
c9f67dbba4614cc0ec41d6ffde1cb3c9

SHA1
f2c50fccc95d74fe5bc87dd516b7e1684f4cf016

SHA256
6c8f62b80089a8fbdd5d9f6542104bd710795fdd1d3c8677369cd9cc86a09bd2

SHA512
b9741531d6096397fdc376ce5400e3fa50eb0812de40b59d3eb6ca8ee5d890fbc8e83fe1956a065a74031ee87b86047da1db3adf927f57edf1681cee3f6e5de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD667.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zj0hR7WTEZ.bat

Filesize
240B

MD5
1619ebf22f7316ca69a2022b94b5b433

SHA1
1e437b9565f810d4acd6ea75e3f71c93471942e7

SHA256
d9dfcf017ad4f212bc01444057ad3431f52323e1fb871b54b2df63f015d7e174

SHA512
62df4c7214c7f40f59b5a0252a864422b5597a2d0b9f037f2d318035cd62ec77c25c2736a68ced6c40dda1b5e14c794744beb1c14e6394719fadbf15eea343d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tA3KztjMoN.bat

Filesize
240B

MD5
f1bed11d1951e0b031756ba16c1fd049

SHA1
53a8543014881ec6e96499fc51c91d962cc2caad

SHA256
94fb90e5cd3d552ab1e63c9ed0264f6aab858deba2d594a7b8555d627c565310

SHA512
4dbc9164dcc700a1370c33157b6d4dcf76ad7b33d999b8b8d0da2e0ebf4140f4f76781b7c7c701eb07a682c1bdf80463eaa111f5a5f439b46cd7073b3f1d4fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzkVYe0vvu.bat

Filesize
240B

MD5
9ea76c21ac89da4a65ac001365cf1f31

SHA1
de6b39365abd776b7126230f8687c31db6e5a653

SHA256
aad6726effd71463f64928880a4c38f3de2c16691bf20bffa4b5abad661ee8bc

SHA512
78676a8690ac287c51eac94711e2ecd976e94a6033ee1a16e12cfd9cfa776f9e8622e3528aa83cbd3015c95fc973c85c198dabd9c6e952cca47c816416e7c42d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgactKMGCU.bat

Filesize
240B

MD5
5b8d9e2557f5cbf847e8bdd1826ca2b5

SHA1
9113e31d5599bfe2d016f5ca3a4b621a69762722

SHA256
ab69bb782459c0cf99f7c07711a65510774321d5ab4df7c5161e98d79bb37f8b

SHA512
94bf169ee6dc550ff99ce82102328c00c76661bb812c9ed1157ca67499f13671376a6961d6cc8dd62e4b911cfd840f874cc3c8f4aa5b30336b6f34a80195fa99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CHOQ9W226H2R0K6V3F14.temp

Filesize
7KB

MD5
0781477765be46c850961e28772e759c

SHA1
d32efc3f77e792dcf30e96a6fc313b24cfd5bb7a

SHA256
1c9fac50f1cef1b06ad2306b2313abb14b5aed0e9bbb673713bbaac7831c1001

SHA512
e71f7f927e3704d84b0159089c5162200c6d881916eae828db22a791d2683719dc6a62f16ceefb89a44d4a81a43d846967588637cb22bed7dfd06a1ebf9bdb31

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/676-51-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/868-655-0x0000000000F00000-0x0000000001010000-memory.dmp

Filesize
1.1MB

Download
memory/1108-475-0x0000000000080000-0x0000000000190000-memory.dmp

Filesize
1.1MB

Download
memory/1524-52-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1524-30-0x0000000000910000-0x0000000000A20000-memory.dmp

Filesize
1.1MB

Download
memory/1536-414-0x0000000000050000-0x0000000000160000-memory.dmp

Filesize
1.1MB

Download
memory/1536-415-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/1916-294-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/1916-293-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/2156-111-0x0000000000340000-0x0000000000450000-memory.dmp

Filesize
1.1MB

Download
memory/2156-112-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/2164-233-0x0000000000230000-0x0000000000340000-memory.dmp

Filesize
1.1MB

Download
memory/2372-595-0x0000000000360000-0x0000000000470000-memory.dmp

Filesize
1.1MB

Download
memory/2472-14-0x00000000002E0000-0x00000000002F2000-memory.dmp

Filesize
72KB

Download
memory/2472-15-0x0000000000B40000-0x0000000000B4C000-memory.dmp

Filesize
48KB

Download
memory/2472-16-0x0000000000990000-0x000000000099C000-memory.dmp

Filesize
48KB

Download
memory/2472-13-0x0000000000BD0000-0x0000000000CE0000-memory.dmp

Filesize
1.1MB

Download
memory/2472-17-0x0000000000B30000-0x0000000000B3C000-memory.dmp

Filesize
48KB

Download
memory/2640-354-0x0000000000310000-0x0000000000420000-memory.dmp

Filesize
1.1MB

Download
memory/2732-173-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2732-172-0x0000000000AB0000-0x0000000000BC0000-memory.dmp

Filesize
1.1MB

Download
memory/2872-535-0x0000000000FC0000-0x00000000010D0000-memory.dmp

Filesize
1.1MB

Download
memory/2968-45-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download