dcrat | df5b610e4419af9a5105390db9693a93d957244d6b0a44e46c944e5a6dd49eb6

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_df5b610e4419af9a5105390db9693a93d957244d6b0a44e46c944e5a6dd49eb6.exe
Size

1.3MB
MD5

9bacb5769c657f7930206e1118b7510c
SHA1

f02855423ce7cfb5e5aeab64ba66246fcb0cb745
SHA256

df5b610e4419af9a5105390db9693a93d957244d6b0a44e46c944e5a6dd49eb6
SHA512

5000099cbaef504a0d239c3ba0604bffc504a69d7e873cd21414167cb0e9d8114b9d8060b0f377b2157b24f78bd6fde01652150a5481da43ab55eb8b614bcb71
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	2264	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	2264	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2264	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2264	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2264	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2264	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2264	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2264	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2264	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000600000001960c-12.dat	dcrat
behavioral1/memory/2684-13-0x0000000000B50000-0x0000000000C60000-memory.dmp	dcrat
behavioral1/memory/2384-43-0x00000000011A0000-0x00000000012B0000-memory.dmp	dcrat
behavioral1/memory/2748-221-0x0000000000190000-0x00000000002A0000-memory.dmp	dcrat
behavioral1/memory/1292-281-0x0000000000AF0000-0x0000000000C00000-memory.dmp	dcrat
behavioral1/memory/2252-520-0x0000000001120000-0x0000000001230000-memory.dmp	dcrat
behavioral1/memory/2112-581-0x0000000000030000-0x0000000000140000-memory.dmp	dcrat
behavioral1/memory/692-641-0x00000000011D0000-0x00000000012E0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1728	powershell.exe
1988	powershell.exe
2392	powershell.exe
2332	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2684	DllCommonsvc.exe
2384	sppsvc.exe
1888	sppsvc.exe
384	sppsvc.exe
2748	sppsvc.exe
1292	sppsvc.exe
2128	sppsvc.exe
2832	sppsvc.exe
1956	sppsvc.exe
2252	sppsvc.exe
2112	sppsvc.exe
692	sppsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2872	cmd.exe
2872	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
25	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
28	raw.githubusercontent.com
32	raw.githubusercontent.com
36	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_df5b610e4419af9a5105390db9693a93d957244d6b0a44e46c944e5a6dd49eb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1980	schtasks.exe
2172	schtasks.exe
1844	schtasks.exe
2364	schtasks.exe
1416	schtasks.exe
784	schtasks.exe
2212	schtasks.exe
3000	schtasks.exe
1676	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 11 IoCs

pid	Process
2384	sppsvc.exe
1888	sppsvc.exe
384	sppsvc.exe
2748	sppsvc.exe
1292	sppsvc.exe
2128	sppsvc.exe
2832	sppsvc.exe
1956	sppsvc.exe
2252	sppsvc.exe
2112	sppsvc.exe
692	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2684	DllCommonsvc.exe
2392	powershell.exe
2332	powershell.exe
1988	powershell.exe
1728	powershell.exe
2384	sppsvc.exe
1888	sppsvc.exe
384	sppsvc.exe
2748	sppsvc.exe
1292	sppsvc.exe
2128	sppsvc.exe
2832	sppsvc.exe
1956	sppsvc.exe
2252	sppsvc.exe
2112	sppsvc.exe
692	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	DllCommonsvc.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	2384	sppsvc.exe
Token: SeDebugPrivilege	1888	sppsvc.exe
Token: SeDebugPrivilege	384	sppsvc.exe
Token: SeDebugPrivilege	2748	sppsvc.exe
Token: SeDebugPrivilege	1292	sppsvc.exe
Token: SeDebugPrivilege	2128	sppsvc.exe
Token: SeDebugPrivilege	2832	sppsvc.exe
Token: SeDebugPrivilege	1956	sppsvc.exe
Token: SeDebugPrivilege	2252	sppsvc.exe
Token: SeDebugPrivilege	2112	sppsvc.exe
Token: SeDebugPrivilege	692	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2940	2772	JaffaCakes118_df5b610e4419af9a5105390db9693a93d957244d6b0a44e46c944e5a6dd49eb6.exe	30
PID 2772 wrote to memory of 2940	2772	JaffaCakes118_df5b610e4419af9a5105390db9693a93d957244d6b0a44e46c944e5a6dd49eb6.exe	30
PID 2772 wrote to memory of 2940	2772	JaffaCakes118_df5b610e4419af9a5105390db9693a93d957244d6b0a44e46c944e5a6dd49eb6.exe	30
PID 2772 wrote to memory of 2940	2772	JaffaCakes118_df5b610e4419af9a5105390db9693a93d957244d6b0a44e46c944e5a6dd49eb6.exe	30
PID 2940 wrote to memory of 2872	2940	WScript.exe	31
PID 2940 wrote to memory of 2872	2940	WScript.exe	31
PID 2940 wrote to memory of 2872	2940	WScript.exe	31
PID 2940 wrote to memory of 2872	2940	WScript.exe	31
PID 2872 wrote to memory of 2684	2872	cmd.exe	33
PID 2872 wrote to memory of 2684	2872	cmd.exe	33
PID 2872 wrote to memory of 2684	2872	cmd.exe	33
PID 2872 wrote to memory of 2684	2872	cmd.exe	33
PID 2684 wrote to memory of 1728	2684	DllCommonsvc.exe	44
PID 2684 wrote to memory of 1728	2684	DllCommonsvc.exe	44
PID 2684 wrote to memory of 1728	2684	DllCommonsvc.exe	44
PID 2684 wrote to memory of 1988	2684	DllCommonsvc.exe	45
PID 2684 wrote to memory of 1988	2684	DllCommonsvc.exe	45
PID 2684 wrote to memory of 1988	2684	DllCommonsvc.exe	45
PID 2684 wrote to memory of 2332	2684	DllCommonsvc.exe	46
PID 2684 wrote to memory of 2332	2684	DllCommonsvc.exe	46
PID 2684 wrote to memory of 2332	2684	DllCommonsvc.exe	46
PID 2684 wrote to memory of 2392	2684	DllCommonsvc.exe	47
PID 2684 wrote to memory of 2392	2684	DllCommonsvc.exe	47
PID 2684 wrote to memory of 2392	2684	DllCommonsvc.exe	47
PID 2684 wrote to memory of 1872	2684	DllCommonsvc.exe	52
PID 2684 wrote to memory of 1872	2684	DllCommonsvc.exe	52
PID 2684 wrote to memory of 1872	2684	DllCommonsvc.exe	52
PID 1872 wrote to memory of 2468	1872	cmd.exe	54
PID 1872 wrote to memory of 2468	1872	cmd.exe	54
PID 1872 wrote to memory of 2468	1872	cmd.exe	54
PID 1872 wrote to memory of 2384	1872	cmd.exe	55
PID 1872 wrote to memory of 2384	1872	cmd.exe	55
PID 1872 wrote to memory of 2384	1872	cmd.exe	55
PID 1872 wrote to memory of 2384	1872	cmd.exe	55
PID 1872 wrote to memory of 2384	1872	cmd.exe	55
PID 2384 wrote to memory of 2580	2384	sppsvc.exe	56
PID 2384 wrote to memory of 2580	2384	sppsvc.exe	56
PID 2384 wrote to memory of 2580	2384	sppsvc.exe	56
PID 2580 wrote to memory of 1508	2580	cmd.exe	58
PID 2580 wrote to memory of 1508	2580	cmd.exe	58
PID 2580 wrote to memory of 1508	2580	cmd.exe	58
PID 2580 wrote to memory of 1888	2580	cmd.exe	59
PID 2580 wrote to memory of 1888	2580	cmd.exe	59
PID 2580 wrote to memory of 1888	2580	cmd.exe	59
PID 2580 wrote to memory of 1888	2580	cmd.exe	59
PID 2580 wrote to memory of 1888	2580	cmd.exe	59
PID 1888 wrote to memory of 2716	1888	sppsvc.exe	60
PID 1888 wrote to memory of 2716	1888	sppsvc.exe	60
PID 1888 wrote to memory of 2716	1888	sppsvc.exe	60
PID 2716 wrote to memory of 2132	2716	cmd.exe	62
PID 2716 wrote to memory of 2132	2716	cmd.exe	62
PID 2716 wrote to memory of 2132	2716	cmd.exe	62
PID 2716 wrote to memory of 384	2716	cmd.exe	63
PID 2716 wrote to memory of 384	2716	cmd.exe	63
PID 2716 wrote to memory of 384	2716	cmd.exe	63
PID 2716 wrote to memory of 384	2716	cmd.exe	63
PID 2716 wrote to memory of 384	2716	cmd.exe	63
PID 384 wrote to memory of 1948	384	sppsvc.exe	64
PID 384 wrote to memory of 1948	384	sppsvc.exe	64
PID 384 wrote to memory of 1948	384	sppsvc.exe	64
PID 1948 wrote to memory of 2568	1948	cmd.exe	66
PID 1948 wrote to memory of 2568	1948	cmd.exe	66
PID 1948 wrote to memory of 2568	1948	cmd.exe	66
PID 1948 wrote to memory of 2748	1948	cmd.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_df5b610e4419af9a5105390db9693a93d957244d6b0a44e46c944e5a6dd49eb6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_df5b610e4419af9a5105390db9693a93d957244d6b0a44e46c944e5a6dd49eb6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\NetHood\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QazrxQR9tJ.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1872
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2468
      - C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZBm8ilTxac.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1508
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nlAvT1Qihc.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2132
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\t3iRsZx2b7.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2568
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat"
        13⤵
        
        PID:2348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1808
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Q74CISUeM.bat"
        15⤵
        
        PID:2680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2672
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6Po3x2tXZG.bat"
        17⤵
        
        PID:2976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2380
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat"
        19⤵
        
        PID:1744
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1692
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat"
        21⤵
        
        PID:2808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2668
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzJh52oHEl.bat"
        23⤵
        
        PID:2920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:3032
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H7eFR6a9mI.bat"
        25⤵
        
        PID:776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1088
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Favorites\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Favorites\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\NetHood\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\NetHood\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f3ee77dea2a75c1b93207685964113c

SHA1
aab052ec7324be813fa9db600edbf692eac7c746

SHA256
36528baed3bc4a5fced2930871f2b203bcb8ca74d0eb61fedb594d6f939f2037

SHA512
4ae5eb92c848c2025f0f809e3d7db23d68bf11f39256eaee85d8db9f469cf8c632cee08054263c7fe771d55e09eef1bf6337e2c8a59ad7c239638e148b00e4d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e245cb10273ae067e372e6bee4599e71

SHA1
12fdad335acb3fb619baa8c9d7cd147f948421be

SHA256
1773e0bb047f938467dcb592b1faec7e0d73ddcb281acf36bb0319c45282be90

SHA512
b8c62100fd54ed7b153dca4c59e4c880c775fbd29a1459e5510e04227a9e2ad6d057277d8e975b3a722e7962d6a25d59dbe10ae428177787787293342a477c21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7cd24309fb6c5b174843d532817aab99

SHA1
cd15ec02f56e963ad761dd935f52c474e3d05935

SHA256
e9052c0d3df30191e42486e2f22adb9936ee0209f02ac3e19b4695b9379fe020

SHA512
8fc4b3faa533da8d9db64b45fa874a080383c685c1c33bf980a785d50e2d1b20ef68ca44f41053a638fd83b7d549bfdbeda52dad272b920efe113458075f9c8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d902b15fdb5f5f88a7abec68acdffef5

SHA1
d3a5eb8487380a8d0c4d75be7220ce53b13c1767

SHA256
1dc94c627316b06db8e687d74bd4989772988203741455f4bf955194bc40fd9f

SHA512
3e87fe0635cb60dd4658297e3b84f5403eb959061ec8b8f54404a337fb5d36336a25b4364fa6fad98206d8333b9916a3aa00755b327df25ad7c9dde7ac00bae4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec83b9b6edc4e79dabb139be9243218b

SHA1
d57a5797f78da43bc74e8a3167093dc694b42a1b

SHA256
e41f7cae7d394d4839515e28b193ab1e1ba6da898b2b78555c5fc0e9c6592264

SHA512
8e4ccdf9bce23ea1639bf473cd760741275e50f1cb1b7156398b47cbae500d0463134bbde9865e10320d65532ba0f387cf822af7e3080c617ef3bc774bdf5e63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
676f58bb3b1a271213ec33384fd91cc7

SHA1
903eb5b72161c2b35722139ece4728ba0271844b

SHA256
cdcc38303286af701a122fcc74185e1305a6fbdc57f224d0c73726a60b093633

SHA512
737e7f174a33c74a7fe86d45082d02a230b621d0b47d23102bc553a7ab79aa75e795202f1bfe9f2a24567b3e8a0a34178f73216d19a1e83823368f0bd95c00ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
417d78eceb5ed5d48c5791f84088829c

SHA1
eddd37148600701d7b7cd1b6199dc7ade13802fd

SHA256
95a40580def3e27451cffc467bc5794e0e8053812caf4da0d53851686469f1ad

SHA512
3edcbab65b3dd14eac208fc12ddc23868246d24c89750043353d0e465df75fea2b1b590c6b394fc93f83515ecfefae3f8a654f4a6eebc58cdcfd9367b5942715

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2481d8d9784035da6e923e50ee11119e

SHA1
333c09b157557544a30bdffeb249d5c9ca7f1954

SHA256
b1c50358037b7b74d9c0e89ef23af1eb452f9b2544e5022433a657bc31e4b563

SHA512
111262e31d8f4ed552d40fec380ccc575d10478ccde662803818a6ed016617192b3d42cd348d8a744c9109b7af0878be25c365b9732a5c9bed4e65bea51b8396

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
138da25ecb1e6bf98b9e94f1e331525b

SHA1
c9942457de7d5f1c0571cdcb4c284dc9b9ed36a9

SHA256
6e67d7a95cfbe2116872164c6dab1a3e6ac1e97e7d22e5f56135d6f3edeb060e

SHA512
13a762a5409ba02e1d0440a2d16fb77e4267cc3f94929f3098a366dc0c3f55c3a01dc3d49756f3eeb026ecafba05af605f2d65931e1d7c8479e62bc57058284e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4Q74CISUeM.bat

Filesize
193B

MD5
a9cc60c84f2fe06d2d49613b0c30587b

SHA1
be1a0ddcd6a14ec12767b89ab36b3ee2130140f9

SHA256
8bf22d71cff3435b780a7a2292f5c271ddeec15451a28ac269b8a71408f5690a

SHA512
85a546b668fd1f45a459b5291acf3d9b3f6831522b65d54adda1db9ed2e6d0e44ce8df907e6b2fad8a2c2b356d01f84aa1080350fbd7c0e0f76dbbb75049de5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6Po3x2tXZG.bat

Filesize
193B

MD5
2f2c6f2d70391aee7f2d18c0d85871c5

SHA1
094208afd556970ef26a8f930f5551bffa99d003

SHA256
1bd40af620608bdf76c16d0a2f323b917741c6656d7fa997861a3ca160400532

SHA512
2ed517337a86c5f1a7d60a5a23a90596ba0b5c28a5fab22fbd2337d23f008d41af6a234a8af684ab3ec717995b077431bd85fc8aec362e7979bdc3bcd7d114ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat

Filesize
193B

MD5
162e8febc44334c8a945b63acb3e4ad9

SHA1
a09e55ed23de92cbbbe9d3a3d3e317d08a364642

SHA256
ac77eee7674f0bebe6ba942723e4042bc6ae0c661e85c41f804e94cc2de3fff5

SHA512
fe28b0cee1de202562b3fbf6d34cfc3f361d570206b7a4b0f2016cccd2f76d020296a84e627f6f664a0cbbce8132f7304eb7f763fc0b0ddf0b90a5a105c715e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA4AA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EzJh52oHEl.bat

Filesize
193B

MD5
574fdf5dfcf2bcef6bfb9c3e1995f3a4

SHA1
8595e2366d8378261d69afc61755986a68980cdf

SHA256
f8b57c7de1a45848eed08da1431b8f121e8933348455d84cd16daf6d899a9a80

SHA512
d1a813a4efb744d44ced6baf20a0523f18b77a42205ea4feb9e439568ddaa1b002f678c689ec23c6eb401ed76f3092fb5f66a682508665bd9e3e549435f8f2fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\H7eFR6a9mI.bat

Filesize
193B

MD5
637cc0cef5d734e16853721a14a06ef3

SHA1
0859dd093c241e66c6011ffbfe476bdcdbb3ed16

SHA256
f8f3757fb9e55a0c039a6f3b989a50e39058e477c56d7496a3b14ba53e36d15c

SHA512
84bb342863c91d86a3b010d275f20a9a2445d611f958ff7440fb7f06fdd9979c4d3cdf92b7640a960afe7c6cdd13ff7a52e40014a7f71c56793c2f0a33b0aec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\QazrxQR9tJ.bat

Filesize
193B

MD5
329e74e7efe77b7f9cf1fadd7de9f7dc

SHA1
3efbe7ac0b7d5cbe2bca6ea5ca91a56bf93fd34a

SHA256
0afcbdc1b1cd1ec7bac9968f784c14deb6b00d2628ba7b39b204f0c2809856db

SHA512
8d1d2ba05b2751f89e9c4b646ffc43c1862deaadf95bc75eb0c5e47d1692d9a741827ac4217c87068ce99cd6e503b839ac5e4204959f08f91a99ee2eef834c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA4CC.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZBm8ilTxac.bat

Filesize
193B

MD5
f8851ef86290fb65b96d608b449133e6

SHA1
8861e3ae14104b551929419f87fecb03553d0f39

SHA256
5a647c535207890e1f18436d3498b6fbdb881caaaa8fc45879ee621b0c841257

SHA512
a3a738eb6a6530479cc24e1f74748da1a6a653370ed86ff0c4f2931e1142dc39b0be8c9f12eab9dd7e698afeddd38d393740f10896fc034c4008a392f486cdc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat

Filesize
193B

MD5
1f0600d735ee9fa8de46fb43b43b1da1

SHA1
27c820d651c2d40f256c48c80bbf492f2260add8

SHA256
b2dbaf555a553f605bb7d7cd201523caf713497495cefc2fc8bfc61ed6bc30e8

SHA512
598f96606b3adb8cb701726769e3ed71b6b053fd232eb69bc75c72abbfd8dd307d21a66e5a7d3bfc27da67b3ac5468c1d0290d0a219e79a6be0b7b08e6a7d61c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat

Filesize
193B

MD5
2dcb6e80a0ebdb49109ff98ab27d054d

SHA1
208139e78ba76184923c181a2be5d860507c6cbf

SHA256
8d9d62563a15989b338021e7bf703c0afc67a69d98aa343ed6b0abb9db0fff99

SHA512
3c6894e5c805e6583288adfed3f158288336afb1baed8057495e03863c80e8619b1701d3ef5933e05ed8e595f8ab9a2408c88d36e14985b0cb0e784d39ec0d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\nlAvT1Qihc.bat

Filesize
193B

MD5
1c69571bb8d398337ea762e3532d2193

SHA1
4517e25520da3ec97ac8a317c0c07ec5a06f46a2

SHA256
ad48671effeb7d73019c63666263ca3775dd7ed18b02e23dc4e2a9c9a94c1f41

SHA512
3bb2aeca1cd3159b91a6c87fae507c4daeceec62ae4acf5243ca0bc604d2af493d460c17367d8d73ee1c8378040d1f6841c30224faa1b20c11a6ce9087979a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\t3iRsZx2b7.bat

Filesize
193B

MD5
316683db3380a13474435cb8891c7ea7

SHA1
2d0a54674a030ef4e9b3d42fc1fb853cecae83ae

SHA256
035be770f11995fdd3f5128d032c8c2e5ca997212d39bf628dcf22c1470d3b62

SHA512
5091b8285b56caba6e805967c25580b07f203db95c9fc663e3cdf62ff51e554d57d3e922a1212d0ca36f0bbf1b3f2f52922aebbfd01e362cb05c40e212be520b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GRFLMV74DV9Q5UMPTXDJ.temp

Filesize
7KB

MD5
aca52d89a678c5e4ea3aeed7f31176e5

SHA1
32cc5aff19d33178e27703562ff80425631aab4c

SHA256
1e0a09a93ec6803133e36703b6f55821cd1d027dd93eaada13f0c52f44ec92e7

SHA512
788820750c69c24a8a8d659424f04cb8038fd9801cca9079778f532fa7024fd1afddf4e6e4fdabc2a4564587fd489a948945be5199a493a3bdc5a339f2c38402

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/692-641-0x00000000011D0000-0x00000000012E0000-memory.dmp

Filesize
1.1MB

Download
memory/1292-281-0x0000000000AF0000-0x0000000000C00000-memory.dmp

Filesize
1.1MB

Download
memory/1292-282-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1956-460-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/2112-581-0x0000000000030000-0x0000000000140000-memory.dmp

Filesize
1.1MB

Download
memory/2252-520-0x0000000001120000-0x0000000001230000-memory.dmp

Filesize
1.1MB

Download
memory/2252-521-0x00000000001E0000-0x00000000001F2000-memory.dmp

Filesize
72KB

Download
memory/2332-39-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download
memory/2332-34-0x000000001B2B0000-0x000000001B592000-memory.dmp

Filesize
2.9MB

Download
memory/2384-43-0x00000000011A0000-0x00000000012B0000-memory.dmp

Filesize
1.1MB

Download
memory/2384-44-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/2684-15-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/2684-14-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2684-13-0x0000000000B50000-0x0000000000C60000-memory.dmp

Filesize
1.1MB

Download
memory/2684-16-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2684-17-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2748-221-0x0000000000190000-0x00000000002A0000-memory.dmp

Filesize
1.1MB

Download