Analysis
-
max time kernel
148s -
max time network
156s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
22-12-2024 05:27
Behavioral task
behavioral1
Sample
JaffaCakes118_363582e9611c4a691fdc70e89a4aebceeaff385df14943e9d0db48d52246d4e0.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_363582e9611c4a691fdc70e89a4aebceeaff385df14943e9d0db48d52246d4e0.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_363582e9611c4a691fdc70e89a4aebceeaff385df14943e9d0db48d52246d4e0.exe
-
Size
1.3MB
-
MD5
526076dcb33946f85100c96c88c43b6e
-
SHA1
d8a3b7df3426a58a7b1cd37e576af984a1cb9cb2
-
SHA256
363582e9611c4a691fdc70e89a4aebceeaff385df14943e9d0db48d52246d4e0
-
SHA512
ce7a3746e88b02481179e0454dc560b2e4a31cd8edc44b99723e7c3a1097488758d98b17152a993d71aba39139b87589ca984637d02ca4f29205c7f0975a1402
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2380 2996 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2792 2996 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2676 2996 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2672 2996 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 320 2996 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2464 2996 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2600 2996 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 656 2996 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1872 2996 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2800 2996 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 340 2996 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2720 2996 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1984 2996 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 560 2996 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2820 2996 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1884 2996 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1460 2996 schtasks.exe 35 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1888 2996 schtasks.exe 35 -
resource yara_rule behavioral1/files/0x0007000000016cab-12.dat dcrat behavioral1/memory/2880-13-0x0000000001330000-0x0000000001440000-memory.dmp dcrat behavioral1/memory/1672-73-0x0000000000320000-0x0000000000430000-memory.dmp dcrat behavioral1/memory/1504-132-0x0000000000C80000-0x0000000000D90000-memory.dmp dcrat behavioral1/memory/1672-310-0x0000000001100000-0x0000000001210000-memory.dmp dcrat behavioral1/memory/2884-488-0x00000000011A0000-0x00000000012B0000-memory.dmp dcrat behavioral1/memory/1464-548-0x00000000001E0000-0x00000000002F0000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 1972 powershell.exe 2384 powershell.exe 2660 powershell.exe 1068 powershell.exe 2168 powershell.exe 1628 powershell.exe 2076 powershell.exe -
Executes dropped EXE 10 IoCs
pid Process 2880 DllCommonsvc.exe 1672 winlogon.exe 1504 winlogon.exe 2204 winlogon.exe 1724 winlogon.exe 1672 winlogon.exe 676 winlogon.exe 2292 winlogon.exe 2884 winlogon.exe 1464 winlogon.exe -
Loads dropped DLL 2 IoCs
pid Process 2492 cmd.exe 2492 cmd.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
flow ioc 9 raw.githubusercontent.com 19 raw.githubusercontent.com 26 raw.githubusercontent.com 4 raw.githubusercontent.com 5 raw.githubusercontent.com 12 raw.githubusercontent.com 15 raw.githubusercontent.com 22 raw.githubusercontent.com 29 raw.githubusercontent.com -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\Common Files\microsoft shared\Stationery\wininit.exe DllCommonsvc.exe File created C:\Program Files (x86)\Common Files\microsoft shared\Stationery\56085415360792 DllCommonsvc.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\ja-JP\csrss.exe DllCommonsvc.exe File created C:\Windows\ja-JP\886983d96e3d3e DllCommonsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_363582e9611c4a691fdc70e89a4aebceeaff385df14943e9d0db48d52246d4e0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2720 schtasks.exe 2800 schtasks.exe 560 schtasks.exe 2820 schtasks.exe 1884 schtasks.exe 1460 schtasks.exe 1888 schtasks.exe 2672 schtasks.exe 656 schtasks.exe 2676 schtasks.exe 340 schtasks.exe 1984 schtasks.exe 2380 schtasks.exe 2792 schtasks.exe 2600 schtasks.exe 1872 schtasks.exe 320 schtasks.exe 2464 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 19 IoCs
pid Process 2880 DllCommonsvc.exe 2880 DllCommonsvc.exe 2880 DllCommonsvc.exe 2384 powershell.exe 1972 powershell.exe 2076 powershell.exe 1628 powershell.exe 1068 powershell.exe 2168 powershell.exe 2660 powershell.exe 1672 winlogon.exe 1504 winlogon.exe 2204 winlogon.exe 1724 winlogon.exe 1672 winlogon.exe 676 winlogon.exe 2292 winlogon.exe 2884 winlogon.exe 1464 winlogon.exe -
Suspicious use of AdjustPrivilegeToken 17 IoCs
description pid Process Token: SeDebugPrivilege 2880 DllCommonsvc.exe Token: SeDebugPrivilege 2384 powershell.exe Token: SeDebugPrivilege 1972 powershell.exe Token: SeDebugPrivilege 2076 powershell.exe Token: SeDebugPrivilege 1628 powershell.exe Token: SeDebugPrivilege 1068 powershell.exe Token: SeDebugPrivilege 2168 powershell.exe Token: SeDebugPrivilege 2660 powershell.exe Token: SeDebugPrivilege 1672 winlogon.exe Token: SeDebugPrivilege 1504 winlogon.exe Token: SeDebugPrivilege 2204 winlogon.exe Token: SeDebugPrivilege 1724 winlogon.exe Token: SeDebugPrivilege 1672 winlogon.exe Token: SeDebugPrivilege 676 winlogon.exe Token: SeDebugPrivilege 2292 winlogon.exe Token: SeDebugPrivilege 2884 winlogon.exe Token: SeDebugPrivilege 1464 winlogon.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 804 wrote to memory of 1700 804 JaffaCakes118_363582e9611c4a691fdc70e89a4aebceeaff385df14943e9d0db48d52246d4e0.exe 31 PID 804 wrote to memory of 1700 804 JaffaCakes118_363582e9611c4a691fdc70e89a4aebceeaff385df14943e9d0db48d52246d4e0.exe 31 PID 804 wrote to memory of 1700 804 JaffaCakes118_363582e9611c4a691fdc70e89a4aebceeaff385df14943e9d0db48d52246d4e0.exe 31 PID 804 wrote to memory of 1700 804 JaffaCakes118_363582e9611c4a691fdc70e89a4aebceeaff385df14943e9d0db48d52246d4e0.exe 31 PID 1700 wrote to memory of 2492 1700 WScript.exe 32 PID 1700 wrote to memory of 2492 1700 WScript.exe 32 PID 1700 wrote to memory of 2492 1700 WScript.exe 32 PID 1700 wrote to memory of 2492 1700 WScript.exe 32 PID 2492 wrote to memory of 2880 2492 cmd.exe 34 PID 2492 wrote to memory of 2880 2492 cmd.exe 34 PID 2492 wrote to memory of 2880 2492 cmd.exe 34 PID 2492 wrote to memory of 2880 2492 cmd.exe 34 PID 2880 wrote to memory of 2384 2880 DllCommonsvc.exe 54 PID 2880 wrote to memory of 2384 2880 DllCommonsvc.exe 54 PID 2880 wrote to memory of 2384 2880 DllCommonsvc.exe 54 PID 2880 wrote to memory of 2660 2880 DllCommonsvc.exe 55 PID 2880 wrote to memory of 2660 2880 DllCommonsvc.exe 55 PID 2880 wrote to memory of 2660 2880 DllCommonsvc.exe 55 PID 2880 wrote to memory of 1972 2880 DllCommonsvc.exe 56 PID 2880 wrote to memory of 1972 2880 DllCommonsvc.exe 56 PID 2880 wrote to memory of 1972 2880 DllCommonsvc.exe 56 PID 2880 wrote to memory of 2076 2880 DllCommonsvc.exe 57 PID 2880 wrote to memory of 2076 2880 DllCommonsvc.exe 57 PID 2880 wrote to memory of 2076 2880 DllCommonsvc.exe 57 PID 2880 wrote to memory of 1068 2880 DllCommonsvc.exe 58 PID 2880 wrote to memory of 1068 2880 DllCommonsvc.exe 58 PID 2880 wrote to memory of 1068 2880 DllCommonsvc.exe 58 PID 2880 wrote to memory of 1628 2880 DllCommonsvc.exe 59 PID 2880 wrote to memory of 1628 2880 DllCommonsvc.exe 59 PID 2880 wrote to memory of 1628 2880 DllCommonsvc.exe 59 PID 2880 wrote to memory of 2168 2880 DllCommonsvc.exe 61 PID 2880 wrote to memory of 2168 2880 DllCommonsvc.exe 61 PID 2880 wrote to memory of 2168 2880 DllCommonsvc.exe 61 PID 2880 wrote to memory of 3068 2880 DllCommonsvc.exe 68 PID 2880 wrote to memory of 3068 2880 DllCommonsvc.exe 68 PID 2880 wrote to memory of 3068 2880 DllCommonsvc.exe 68 PID 3068 wrote to memory of 3064 3068 cmd.exe 70 PID 3068 wrote to memory of 3064 3068 cmd.exe 70 PID 3068 wrote to memory of 3064 3068 cmd.exe 70 PID 3068 wrote to memory of 1672 3068 cmd.exe 71 PID 3068 wrote to memory of 1672 3068 cmd.exe 71 PID 3068 wrote to memory of 1672 3068 cmd.exe 71 PID 1672 wrote to memory of 2860 1672 winlogon.exe 72 PID 1672 wrote to memory of 2860 1672 winlogon.exe 72 PID 1672 wrote to memory of 2860 1672 winlogon.exe 72 PID 2860 wrote to memory of 2992 2860 cmd.exe 74 PID 2860 wrote to memory of 2992 2860 cmd.exe 74 PID 2860 wrote to memory of 2992 2860 cmd.exe 74 PID 2860 wrote to memory of 1504 2860 cmd.exe 75 PID 2860 wrote to memory of 1504 2860 cmd.exe 75 PID 2860 wrote to memory of 1504 2860 cmd.exe 75 PID 1504 wrote to memory of 560 1504 winlogon.exe 76 PID 1504 wrote to memory of 560 1504 winlogon.exe 76 PID 1504 wrote to memory of 560 1504 winlogon.exe 76 PID 560 wrote to memory of 1100 560 cmd.exe 78 PID 560 wrote to memory of 1100 560 cmd.exe 78 PID 560 wrote to memory of 1100 560 cmd.exe 78 PID 560 wrote to memory of 2204 560 cmd.exe 79 PID 560 wrote to memory of 2204 560 cmd.exe 79 PID 560 wrote to memory of 2204 560 cmd.exe 79 PID 2204 wrote to memory of 1888 2204 winlogon.exe 80 PID 2204 wrote to memory of 1888 2204 winlogon.exe 80 PID 2204 wrote to memory of 1888 2204 winlogon.exe 80 PID 1888 wrote to memory of 1288 1888 cmd.exe 82 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_363582e9611c4a691fdc70e89a4aebceeaff385df14943e9d0db48d52246d4e0.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_363582e9611c4a691fdc70e89a4aebceeaff385df14943e9d0db48d52246d4e0.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:804 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2384
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2660
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\microsoft shared\Stationery\wininit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1972
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2076
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1068
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1628
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\lsm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2168
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NUopwCXjzr.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:3064
-
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe"C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AsgPmp9HNF.bat"7⤵
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:2992
-
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe"C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yaFjl1awzE.bat"9⤵
- Suspicious use of WriteProcessMemory
PID:560 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:1100
-
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe"C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat"11⤵
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:1288
-
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe"C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GX2kvMhQbI.bat"13⤵PID:2608
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵PID:2552
-
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe"C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1672 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UucX7bnqC8.bat"15⤵PID:2224
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵PID:2392
-
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe"C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:676 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x7ZYnkvAkq.bat"17⤵PID:2180
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵PID:2020
-
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe"C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2292 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat"19⤵PID:3028
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵PID:2512
-
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe"C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2884 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JDh6J9oWuS.bat"21⤵PID:2600
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵PID:2792
-
-
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe"C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1464
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\Stationery\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\microsoft shared\Stationery\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\Stationery\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\ja-JP\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ja-JP\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\ja-JP\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Default\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Default\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5587c123b89191f37b58a99e1ffaced0d
SHA143ebbfec2c51aedebb0b585ac4b9307d5feb8ff1
SHA256d8c23dc945d27ec20ba6fee54767abe24092ff5de98c1d8421a6bd8c371507a1
SHA5126f3de9b86a6f40715f8dbda93b655b11ffa0ad284a6411427b09630792648f5cf09dc3970ed5c1afb2fa26d45db1963cf756cd5266cea36e3673bd91c1feee8d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD51c3b2b7ba3e944005953cab9539c49a0
SHA1eb6eb7e35bab7463228610777f0379d09fd00486
SHA256de21658da88f445f0bda2285031af39749a20e6f0d0794edba4520a04deabe54
SHA512883643a2f8671965652bf7a593d10803f330f07d6eddab6e6332fdc82f5fe7eb13ed0ba4469545d150130223f20357feed690a7b139533b51117a50e7faa7a69
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD55a261ec0e450215817c1c030c7e16bc4
SHA1c7ff588ae8721ae456f66219e0c49e4117b4429e
SHA256767e9ba351aa4aee74e5f69b55659828917d6d875ede5e60d62696d483b14dc9
SHA512975336e94817181bcb78ff87d0ac43037583000d4d2f50b4375ed76e88f887b529e191ae82f84ee8e4d256523740f26109fd8b4a4fc512d0d1e6513cd5c2f00a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD53ac99291fd63305b2e7be6f3a1efa8f5
SHA1b82c5a7382d0fe44cbae93f3bb21104ac173827c
SHA2560aaae9270ca33fd09934bf1881c31d1b37109063b0c64998849d616c973b381f
SHA512c85968473939a8d02114c43aef59121d3e7a7f7870186652739fef36864da96c20cd53cf68ff0ccc4dd6ba3acb4da2ecb6f22db5c939ba1258f8e0cb3e049b36
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD553edd03561f6ec7c35e8bcfffd30b895
SHA18a02d670a87fed284eb9c214e45f0aa45f5f9e47
SHA25690eb9a2d74d936526bca1e0c461617739d251328e8f72b94b8eb07d5e6e291b7
SHA512f324e312660f6391907d043b4e1dc78adea6ac69bffd2854f2f07bb4f245d5e526ee1143d2953e1030f3d99337f6bbb573337da47b7fdfdd64c6441dbcc869c1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5ee47b611bfe60db37142da9ecd94bbe9
SHA1beb2a94392c56c9839a7ccabff8aed01570e5322
SHA256ce858d20d720de04f55d26f1a24c8c6623945669320cd00fdf90d1af0e7298e3
SHA512cafef438000893db261c4d528bea2893333726432c55c922bac5d8838411939e2c315791155990169ee4d03341a95963407e107d31ab0c09b55c1103b2616f50
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5686478d9e3161560c686961d01748e45
SHA1618bbbf120243abee7c7002007b4ea825823bef8
SHA256ba1be93c24825f8900dadd76707b7dabd57ec6f8a719cad8903ded4ffd9a3b12
SHA5125346f7495b880b3ed124d3751620484b0f04cd2b7ec28e3e554c27c8008646250fb95bcf96f5c919e358486941eec9ea4a73cb60fa3d90916cc829849075828a
-
Filesize
226B
MD55e5ad24d6582cb1b64949452c4eda57e
SHA157f1db29e0d912df4fa824933e750f80786bcc58
SHA25695d5b7ab5afad98308008aba5aee175a886662221af24a80bdc90ad68076fe3b
SHA51228eec427e7dedfce6fef91b686f35bbed03e17bb5961184f8d76304e0e719e9b7e9ecbbc790cb60e2ff019c87e184bd240970e56cdac76113a5e157e1b4cf8fe
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
226B
MD51cc16743d598355c777fd636261802e3
SHA13fe9c374ac3ccee37ff613eed9b8233b5c0a282d
SHA25621660eed6c4ad2c74e593d8c466d14a742437a0a53bb1953f1f029dba4955d4a
SHA512d37889118ccd0ca363790b0a1ccb86d831ce86df7ee5249b5979e930607acbe14aa8d8ad52bee8dae8930b9be459e4a0ff7cb6cae85b0dcc1e7b64a9e35fe267
-
Filesize
226B
MD54421c09d52fcbd29dc7971a4a33e379c
SHA1ab3443f86605290f045f0ee513d8ed9e54362a3c
SHA256d8cb77af782bd3d5debe9563d7b0e04c520379ba104a578e4721baed3483e43e
SHA51206d9836d89ced6547ca99ccefeb63df74062d90fe126d13e7bcc4021918160d143ceb4a1d15b335cfc69aa09c98cd1fc3ba9e025805f2d47df5677daff51e44e
-
Filesize
226B
MD5f6688e4c4a1ab3bf6d87260258393811
SHA1331cc2c33369a8502d64f840335ed2edcdbf8790
SHA256b45c21b23ba2bad9ce325958efcfdf11828e22355919ea8449948c98d3040eaa
SHA512411b301a0c7d57119cf7e2cc8dd88719a6543eaea3b1b8d9fa4563556557b92303aa3d334fbf7f4eee56021ea25a609191f2ae11d66fbe1c6149005218beafd4
-
Filesize
226B
MD5345128b11805b5eb0b00341817ccc828
SHA1dbafebe090d774195efcbcc5b2706373ceecfdb7
SHA256444d0c48eb2bb6029689a3eb1ad2a40d6fadefa88899252e0b6024bc5a66d19a
SHA512dc9870cc63e0f40f90294b9851f779df36fa39bc26d8df75f97decf463c374ceec214875fe725c6188070d55c0b7b802cbe103e1b39679fdd96633024b45267d
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
226B
MD545ef8b9abdd4f64737358c91385b3ba6
SHA18f29f9bc651aca555bfb803e073ae80198ba04b7
SHA256f0b42fda240b24bce0df504b9fcb76d51df75d5f675fd1470a3341b7acfa478b
SHA512dc2b7536dc4d9f7be086be3c21e76c6a85f8e92c1323bba5723a6bb5a049aaec70eac0c5e8c9d0ffbac0f77691840720c0d35c4d656f7e3eea306e0ca8a17207
-
Filesize
226B
MD5e860093b2c8b2011ab406a6bfbc77470
SHA1fc1743b339af0474341ec08d75aefac889b9ffbd
SHA256801dab47781e09f77562cd82bbb2cb8656d07e4a950e8e916d0bd4ddf1025d0c
SHA5127ad89b0bc08755b1f08111ada532220c62e57fc293ed97c0716a5a4e8bf5df4961cdc0116e144bb5b9b71b7626cf35f675b68534f1191593612fd34e1e701b6c
-
Filesize
226B
MD5c88ad6a00736cfe69a78f7f43473af0a
SHA1545b79a16be902d95fd54ada815877078231030b
SHA25632a7c6de6374ff4ba82fe5c77b7b12c44e1f21665f1df1168e4f93b11c588226
SHA512de1291bceede735ca14f8fca941a6a37f307d8490b562546a911159715c0eac225deb4b5d19d762c1b3c32057e3e807fe0824fb503984cefd8440be6cf2e0423
-
Filesize
226B
MD503d4f9c0ff0e1d57b4874e9d1d00f0a4
SHA1a4c239f11048fdf6536d5f4194ebc295ae0f75e7
SHA256605c8ac2a78488e42150cd79c63ec7fc8e8913241448cde722dc9a256a74780e
SHA512c86dca2fc979ea5d4c3044269c3bccf9350d150af487725b80a3499540772a88b5467645aa9aa8714cdf127ad1f6eca8aba178ed01ee02090839af65a5e79c9f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5738923b43ae881cfc5be726b3e3dcb61
SHA1ab49f5323592a3746b170c4214ce517b65a56288
SHA25681cecbcd451dbb21f46a75b104722ceb592910d5a9dfbb1c60e0656f62ce636c
SHA51252f4e99a76a3c6aff7e734c0380a797f8a7bf99232d0e1e7617a402030ed3915b052a6f6b31dab958c51dcd62554c52798ec17b0ad3ce1f575b59c4881bfed26
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478