dcrat | 7c40a76c36b3d5fbc702ef882dd207e65f310c89dba816b9f8b3436d4e496ab8

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7c40a76c36b3d5fbc702ef882dd207e65f310c89dba816b9f8b3436d4e496ab8.exe
Size

1.3MB
MD5

7983791a37f9bf2314326b290475000a
SHA1

59d157106246858cbe2b1da31162822cd403c647
SHA256

7c40a76c36b3d5fbc702ef882dd207e65f310c89dba816b9f8b3436d4e496ab8
SHA512

608212acefb70e7f6ad6c74865bbfc34f2f39e4c82a6e8119033a684d09d03200e356748ae003235480656b75dc8ead76ded445e1bc406617edf8ec4ac04e776
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2608	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2608	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2608	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2608	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2608	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2608	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2608	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2608	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2608	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2608	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2608	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2608	schtasks.exe	33

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00080000000174b4-12.dat	dcrat
behavioral1/memory/2972-13-0x00000000008D0000-0x00000000009E0000-memory.dmp	dcrat
behavioral1/memory/2780-52-0x0000000000F80000-0x0000000001090000-memory.dmp	dcrat
behavioral1/memory/2260-117-0x0000000000140000-0x0000000000250000-memory.dmp	dcrat
behavioral1/memory/1656-177-0x0000000000DC0000-0x0000000000ED0000-memory.dmp	dcrat
behavioral1/memory/1268-237-0x0000000000040000-0x0000000000150000-memory.dmp	dcrat
behavioral1/memory/1572-297-0x0000000001350000-0x0000000001460000-memory.dmp	dcrat
behavioral1/memory/2004-357-0x0000000000290000-0x00000000003A0000-memory.dmp	dcrat
behavioral1/memory/1796-417-0x0000000000D60000-0x0000000000E70000-memory.dmp	dcrat
behavioral1/memory/1380-478-0x0000000001040000-0x0000000001150000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1152	powershell.exe
2024	powershell.exe
2192	powershell.exe
2320	powershell.exe
2180	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2972	DllCommonsvc.exe
2780	System.exe
2260	System.exe
1656	System.exe
1268	System.exe
1572	System.exe
2004	System.exe
1796	System.exe
1380	System.exe
2436	System.exe
2784	System.exe

Loads dropped DLL 2 IoCs

pid	Process
2556	cmd.exe
2556	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
18	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
33	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
22	raw.githubusercontent.com
36	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\6ccacd8608530f	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Prefetch\ReadyBoot\System.exe	DllCommonsvc.exe
File created	C:\Windows\Prefetch\ReadyBoot\27d1bcfc3c54e0	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7c40a76c36b3d5fbc702ef882dd207e65f310c89dba816b9f8b3436d4e496ab8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2456	schtasks.exe
2896	schtasks.exe
2204	schtasks.exe
864	schtasks.exe
2328	schtasks.exe
2336	schtasks.exe
2532	schtasks.exe
776	schtasks.exe
2304	schtasks.exe
2152	schtasks.exe
2020	schtasks.exe
1440	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2972	DllCommonsvc.exe
2972	DllCommonsvc.exe
2972	DllCommonsvc.exe
1152	powershell.exe
2192	powershell.exe
2180	powershell.exe
2024	powershell.exe
2320	powershell.exe
2780	System.exe
2260	System.exe
1656	System.exe
1268	System.exe
1572	System.exe
2004	System.exe
1796	System.exe
1380	System.exe
2436	System.exe
2784	System.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2972	DllCommonsvc.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	2780	System.exe
Token: SeDebugPrivilege	2260	System.exe
Token: SeDebugPrivilege	1656	System.exe
Token: SeDebugPrivilege	1268	System.exe
Token: SeDebugPrivilege	1572	System.exe
Token: SeDebugPrivilege	2004	System.exe
Token: SeDebugPrivilege	1796	System.exe
Token: SeDebugPrivilege	1380	System.exe
Token: SeDebugPrivilege	2436	System.exe
Token: SeDebugPrivilege	2784	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2552	2228	JaffaCakes118_7c40a76c36b3d5fbc702ef882dd207e65f310c89dba816b9f8b3436d4e496ab8.exe	29
PID 2228 wrote to memory of 2552	2228	JaffaCakes118_7c40a76c36b3d5fbc702ef882dd207e65f310c89dba816b9f8b3436d4e496ab8.exe	29
PID 2228 wrote to memory of 2552	2228	JaffaCakes118_7c40a76c36b3d5fbc702ef882dd207e65f310c89dba816b9f8b3436d4e496ab8.exe	29
PID 2228 wrote to memory of 2552	2228	JaffaCakes118_7c40a76c36b3d5fbc702ef882dd207e65f310c89dba816b9f8b3436d4e496ab8.exe	29
PID 2552 wrote to memory of 2556	2552	WScript.exe	30
PID 2552 wrote to memory of 2556	2552	WScript.exe	30
PID 2552 wrote to memory of 2556	2552	WScript.exe	30
PID 2552 wrote to memory of 2556	2552	WScript.exe	30
PID 2556 wrote to memory of 2972	2556	cmd.exe	32
PID 2556 wrote to memory of 2972	2556	cmd.exe	32
PID 2556 wrote to memory of 2972	2556	cmd.exe	32
PID 2556 wrote to memory of 2972	2556	cmd.exe	32
PID 2972 wrote to memory of 1152	2972	DllCommonsvc.exe	46
PID 2972 wrote to memory of 1152	2972	DllCommonsvc.exe	46
PID 2972 wrote to memory of 1152	2972	DllCommonsvc.exe	46
PID 2972 wrote to memory of 2024	2972	DllCommonsvc.exe	47
PID 2972 wrote to memory of 2024	2972	DllCommonsvc.exe	47
PID 2972 wrote to memory of 2024	2972	DllCommonsvc.exe	47
PID 2972 wrote to memory of 2192	2972	DllCommonsvc.exe	48
PID 2972 wrote to memory of 2192	2972	DllCommonsvc.exe	48
PID 2972 wrote to memory of 2192	2972	DllCommonsvc.exe	48
PID 2972 wrote to memory of 2320	2972	DllCommonsvc.exe	49
PID 2972 wrote to memory of 2320	2972	DllCommonsvc.exe	49
PID 2972 wrote to memory of 2320	2972	DllCommonsvc.exe	49
PID 2972 wrote to memory of 2180	2972	DllCommonsvc.exe	50
PID 2972 wrote to memory of 2180	2972	DllCommonsvc.exe	50
PID 2972 wrote to memory of 2180	2972	DllCommonsvc.exe	50
PID 2972 wrote to memory of 2780	2972	DllCommonsvc.exe	56
PID 2972 wrote to memory of 2780	2972	DllCommonsvc.exe	56
PID 2972 wrote to memory of 2780	2972	DllCommonsvc.exe	56
PID 2780 wrote to memory of 1740	2780	System.exe	57
PID 2780 wrote to memory of 1740	2780	System.exe	57
PID 2780 wrote to memory of 1740	2780	System.exe	57
PID 1740 wrote to memory of 2072	1740	cmd.exe	59
PID 1740 wrote to memory of 2072	1740	cmd.exe	59
PID 1740 wrote to memory of 2072	1740	cmd.exe	59
PID 1740 wrote to memory of 2260	1740	cmd.exe	60
PID 1740 wrote to memory of 2260	1740	cmd.exe	60
PID 1740 wrote to memory of 2260	1740	cmd.exe	60
PID 2260 wrote to memory of 2168	2260	System.exe	61
PID 2260 wrote to memory of 2168	2260	System.exe	61
PID 2260 wrote to memory of 2168	2260	System.exe	61
PID 2168 wrote to memory of 1292	2168	cmd.exe	63
PID 2168 wrote to memory of 1292	2168	cmd.exe	63
PID 2168 wrote to memory of 1292	2168	cmd.exe	63
PID 2168 wrote to memory of 1656	2168	cmd.exe	64
PID 2168 wrote to memory of 1656	2168	cmd.exe	64
PID 2168 wrote to memory of 1656	2168	cmd.exe	64
PID 1656 wrote to memory of 1596	1656	System.exe	65
PID 1656 wrote to memory of 1596	1656	System.exe	65
PID 1656 wrote to memory of 1596	1656	System.exe	65
PID 1596 wrote to memory of 308	1596	cmd.exe	67
PID 1596 wrote to memory of 308	1596	cmd.exe	67
PID 1596 wrote to memory of 308	1596	cmd.exe	67
PID 1596 wrote to memory of 1268	1596	cmd.exe	68
PID 1596 wrote to memory of 1268	1596	cmd.exe	68
PID 1596 wrote to memory of 1268	1596	cmd.exe	68
PID 1268 wrote to memory of 1484	1268	System.exe	69
PID 1268 wrote to memory of 1484	1268	System.exe	69
PID 1268 wrote to memory of 1484	1268	System.exe	69
PID 1484 wrote to memory of 2764	1484	cmd.exe	71
PID 1484 wrote to memory of 2764	1484	cmd.exe	71
PID 1484 wrote to memory of 2764	1484	cmd.exe	71
PID 1484 wrote to memory of 1572	1484	cmd.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c40a76c36b3d5fbc702ef882dd207e65f310c89dba816b9f8b3436d4e496ab8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7c40a76c36b3d5fbc702ef882dd207e65f310c89dba816b9f8b3436d4e496ab8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
    - - C:\Windows\Prefetch\ReadyBoot\System.exe
        
        "C:\Windows\Prefetch\ReadyBoot\System.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FFH8oguQ3d.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2072
        
        C:\Windows\Prefetch\ReadyBoot\System.exe
        
        "C:\Windows\Prefetch\ReadyBoot\System.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1292
        
        C:\Windows\Prefetch\ReadyBoot\System.exe
        
        "C:\Windows\Prefetch\ReadyBoot\System.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WYuyh03jyF.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:308
        
        C:\Windows\Prefetch\ReadyBoot\System.exe
        
        "C:\Windows\Prefetch\ReadyBoot\System.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PfMhC4n1i0.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2764
        
        C:\Windows\Prefetch\ReadyBoot\System.exe
        
        "C:\Windows\Prefetch\ReadyBoot\System.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4JlC5zfAS6.bat"
        14⤵
        
        PID:1036
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:812
        
        C:\Windows\Prefetch\ReadyBoot\System.exe
        
        "C:\Windows\Prefetch\ReadyBoot\System.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o4pIGJu18c.bat"
        16⤵
        
        PID:2632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1316
        
        C:\Windows\Prefetch\ReadyBoot\System.exe
        
        "C:\Windows\Prefetch\ReadyBoot\System.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat"
        18⤵
        
        PID:1300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2860
        
        C:\Windows\Prefetch\ReadyBoot\System.exe
        
        "C:\Windows\Prefetch\ReadyBoot\System.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat"
        20⤵
        
        PID:2576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2208
        
        C:\Windows\Prefetch\ReadyBoot\System.exe
        
        "C:\Windows\Prefetch\ReadyBoot\System.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat"
        22⤵
        
        PID:2028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2020
        
        C:\Windows\Prefetch\ReadyBoot\System.exe
        
        "C:\Windows\Prefetch\ReadyBoot\System.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\onYrHPGvDe.bat"
        24⤵
        
        PID:2012
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\Prefetch\ReadyBoot\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\Prefetch\ReadyBoot\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
702c277b4de7bf0e68e9a1aa4463b26c

SHA1
5721d046ee807f1c555c12b3fbd5e8623790c723

SHA256
1a3c2fb4a81524cfd7e0ec545243329bef11243da46231ece38bc165175f02a1

SHA512
83768720204402a9d4a014dd9ec470678d5f59e5f9a0166f987f836cf98b56575fc5f661eb2adca0d49165e26305bd8637b656d87a8f0fa812cbd812919614b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
661d7e378d53eebf09ffb3b45830543d

SHA1
19843506b50b7e548deccdd03e3f03630472827f

SHA256
ed6a6f66cd0fc2ac1c4c93724294079a950af72125aaf75f2ffc6cc798c13fea

SHA512
0dd2e9d3b1b655b26fc116178e2a840d96c3638fb9062ca9af149f22e133f9c2a9bf1b85e8d2e3d415541b4fa1e4c2fecc926618937dacb8059df1ae07e3e772

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8696c0f8770cb6924c2a08591631115f

SHA1
a9748594a09660089b71973631dfe5a56c95449f

SHA256
db127029fb0a21d2870b9bfc3d660c597e4a8288ae358fdce283150ec127d5c5

SHA512
be4ceed7f43ca62ad30226250c183280705e34e9dac590532a116239d2876e1a62d37500954aee08f84966b3dfd87504b41b55b4ad82e015a98cead07809850e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61395b8d304b1affa2def2f1ee16106f

SHA1
f00021d26bbf01ef9cfb5ce12dfae704349495c3

SHA256
1bc45f24191bba26b0dcb0fb5132a62cefa7acbebea98a9f0c59e751cb6571d7

SHA512
6f84f49b538deee1bb4daf847096e43fc85b94f328ae3e8c087debde57d0d48bbd79ce046dc7bb2884a6c6025564f51d21c8daf776a3877d6935f136df284160

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a900f31e3b9be68e8a025659002d8da9

SHA1
d8b5c947f94c48edc18ab0e8072c760dbc43feab

SHA256
2f195bb055f3711db745217220965e728b6ee6c02081945835bdebae86294e95

SHA512
9d65f82fd9567af23dd1c08dcc5c1a61c4dd16ccb435540e2915d990a4cb14ced7f36e9f691cc56fca582bae3c55c533f56de3cbeda2989f7841b9cac4fa494a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8d0677f281a8232d6bc5a917a5f0b71

SHA1
64c38d472bd5513acde9f18141582304ccec5acb

SHA256
8a09f96532a7c0e071ff88cea61407f239dd36e6553fa147f5cae3038500fafb

SHA512
e41566783c820b8d44ddc4760605610152b1bcfa4a925ee329ed7f3c0c485f106498f9ce9e6a3b6451de80a60bccc0092ba5d45bab2fe3cdfcc0d0620722b60e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0eab806f50471e60951ea73ef0c3bbbe

SHA1
71ac1c38bffb9610facc6203a936cfacb4b3919f

SHA256
21bbf67bc42cbdd89c6baba27d63353847637c01174a8e20689e27cc183bc4e4

SHA512
5d54e8ebecc46b55d4d1068f2b997b7c6681280fd232d436000877e8f68cd4e64f72cd3a1431859a90f44c73d2803b6a87d9f9f9b9cf5b1b65fa5429e6fe4053

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
236eda83e7999f8e38696520fadcffeb

SHA1
6592a683f64abb08383ca736227533a3fc01c5dd

SHA256
c9ad331dbf00dc743fb891f47656e16b88d300bd18ec53e38fee7c504a2792f5

SHA512
916efe0661e8933dca4750dd0f471ea77327a5668bc77daf8249965142fab3096f26b069052dedde4db8b4ef5b8497ade2f4f349546b9a23f924f8ee87f62e16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea5cfba405d3a6e1e4d6aedbbf58965d

SHA1
51739191bb2e9f12dd890ee9201fe3e0de9b2754

SHA256
3c3d8e2bb675fba3a58c27169bf95c5b412dcb0e05c24a34a5f471022bb98dd8

SHA512
fd8126ece9b40891e8842ae5eeae83161ed9dbb8e1195c93aed70ecaa248481b724fa801d62a0604bc8a5ed6b77537243feb3599b258370cadf3a8a9b20ad4ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\4JlC5zfAS6.bat

Filesize
205B

MD5
e23795d078c9ca840bbc2bef545e03a3

SHA1
217961b4d7249bafcd4575e063761b0b4cce1110

SHA256
007ae792d0ddd9b65cbed3191f62aa1825d6d744153c505afadfd4fad5498929

SHA512
6db7fb5294f085f41e8bede702c2399ae0e90f1a13dfeb23b477ad59fe58b49b1ea2deb03a90719701cfcba363895f44e3d38b3b1a0b693510942241c665f7b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3CA5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FFH8oguQ3d.bat

Filesize
205B

MD5
9ea8a75871339ce3f50dec2684c781c2

SHA1
c3984bd3d3a7a01b8bfb4cf11c2b62e7fa01e3c0

SHA256
3d9ccdb8b59f18395468b7ea343e3d73aa0717e46aa7092fcb3aa566665ee03b

SHA512
f465736bef813a62ffb19e50076df4eedf1677e760dbce806c9b92870488dbf53564a39ae59f5558a10ca33b56fbab748fa80812de4a88c41a7c3fa1b1bdebe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat

Filesize
205B

MD5
22609de9ff7e238b967c341392881883

SHA1
9248ffad0c6f85b79857d82b972c8a82af2f5a3a

SHA256
34288223cd6ba249ff1b83e87eba4a07c8a0a6fe45c8c0e71ca21e5b756aa9d7

SHA512
847b09a42ce085791f8e839400e43e1e23c3d0d404e7adbadf2169f651b6d3e3a9f07a550c3bc09d21e113bec06fe46deac3de0eceee1402d237e36dbacf200d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PfMhC4n1i0.bat

Filesize
205B

MD5
45650378eebfd217257b9e016a530bf3

SHA1
8da641e2713ad0bd822a43737b53ed968f68d8bc

SHA256
e7f4754af1925901a2a815d3d950ff96ec60dcfad1c4e077f2bc60532482c874

SHA512
d21bcd39f46318cb16e56c640d2c30d1681093db2a85dcabd0a7cc7a7248aaf14cc9826021b123601d7477e98fd83086a182b8b33ec5e25d300e46f4fa5a64c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3CB7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYuyh03jyF.bat

Filesize
205B

MD5
4e99a3c3f1e9ddccde474d75895934ca

SHA1
000f80e029a0326039326375d262322129e31276

SHA256
8a161d28a98a2eb4a72057b3633c5cd3f6f479fca1075767ecd11c3a90f91d0f

SHA512
78cb07b42d2641118a6605ea6589818466c2aa4ba67f9780e307150f6dda0bf8b9d1966057c277274d73995d3b417d62110dfb20040251c65c058df13fa1f749

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat

Filesize
205B

MD5
fc2911da89927913405eb63c13fa7ed9

SHA1
8db1fbc9647b9987e0ab333d02c3927e5cb0453e

SHA256
8069f6d9ab40896904a6424fd22525dafacaa5c61fee6209f2f59dffcf6b38ea

SHA512
9691296e51fe5e713c728eb16e27e035a84d93f7d56e54db37090f361a5ed4aff991c76831c1c5bed0ee9f266d6313d540ccedbf641bd3df0a3bcec18382a7bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\o4pIGJu18c.bat

Filesize
205B

MD5
e2a1b6c511db4b9c14d320a4f5fd2735

SHA1
09b3a31e3e6d9b960978729f0699f4046ad10187

SHA256
e360d226bd3b1eefc91f954404560d72a7db97264d0c855480c8b041f0b8315d

SHA512
349ec0ad436fd0585b13a9c6486a245591416afd45d5784b0fba693d3829f6e3f74d285895f9b54bda251e63ba8c8f33ba1668bbf9abaf59be87db18dc443ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onYrHPGvDe.bat

Filesize
205B

MD5
ca549ea154bb32c0ffceb70c5d5f09ba

SHA1
bc9a49886a4ae55f366e1ab5198d08d692a3d3f0

SHA256
74272b400c933f2eea36464dc439270910c8339e59364d490c8167a6724b8789

SHA512
bd3daff9a7297f59297f861e1bc586f795ea053cdacf7c8f4e6de8d76ead29bddfb8e8a63d5a6672fdb57e44f8536d2b806197aa433131a98f9fcb08609d4ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat

Filesize
205B

MD5
e1299eae7927540186275155d7d74cb1

SHA1
847bcd23af5dbeaba64758c065ed1883bea472fa

SHA256
000bbcaf4f3dc4e4bf31eb6d0b3f5642fe1252f69cd0285ab449be695634e43b

SHA512
29f3f005771491adcb5e8078a8a865f25438d20088eea00b5ac370d930a02d1301e3bb4f95ae9a42a4f92cf5e9f0348ee82806c6884a86144e2336ab84608f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat

Filesize
205B

MD5
43cebc4442a9e7f713dfc9c3ab0a0f80

SHA1
1ecec852b170ff9fd5c1e4e4f7052ff891e7cb42

SHA256
801531b5f7f8c5dec05d41c1ede2b22d691ab46cf825ade1c4eb3d081c7843ab

SHA512
2593585f3b310dfeb53e4a6d045fa0e64282a97dd2609b34566ca4c1324444ab10dd8ec288da50525f151bd33736a98b0de763a037259cdfcef03fd715e3e390

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b6d2da9ce5d5d861a9a78babbab7d195

SHA1
90e9d0f9ea13124364e5289c012a0d52caf4e3c6

SHA256
dbe4a481e8f601bed513bf6bf8497b73c5f76431d863277fbe187171ab3e9135

SHA512
b9a603ae2117688864801cf438984ce99503e6e8f346921f924737c5326965dd349eee1535cbb659da5e173518b48c5633745c0744e735c7fd0c9e1c03c52e55

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1152-51-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/1152-53-0x0000000000490000-0x0000000000498000-memory.dmp

Filesize
32KB

Download
memory/1268-237-0x0000000000040000-0x0000000000150000-memory.dmp

Filesize
1.1MB

Download
memory/1380-479-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/1380-478-0x0000000001040000-0x0000000001150000-memory.dmp

Filesize
1.1MB

Download
memory/1572-297-0x0000000001350000-0x0000000001460000-memory.dmp

Filesize
1.1MB

Download
memory/1656-177-0x0000000000DC0000-0x0000000000ED0000-memory.dmp

Filesize
1.1MB

Download
memory/1796-417-0x0000000000D60000-0x0000000000E70000-memory.dmp

Filesize
1.1MB

Download
memory/1796-418-0x0000000000870000-0x0000000000882000-memory.dmp

Filesize
72KB

Download
memory/2004-357-0x0000000000290000-0x00000000003A0000-memory.dmp

Filesize
1.1MB

Download
memory/2260-117-0x0000000000140000-0x0000000000250000-memory.dmp

Filesize
1.1MB

Download
memory/2780-52-0x0000000000F80000-0x0000000001090000-memory.dmp

Filesize
1.1MB

Download
memory/2972-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2972-16-0x0000000000340000-0x000000000034C000-memory.dmp

Filesize
48KB

Download
memory/2972-15-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/2972-14-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/2972-13-0x00000000008D0000-0x00000000009E0000-memory.dmp

Filesize
1.1MB

Download