dcrat | e4d8d13f073823596f27ec02a107ed3abec2acfa02998211a4c16189ba42775f

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_e4d8d13f073823596f27ec02a107ed3abec2acfa02998211a4c16189ba42775f.exe
Size

1.3MB
MD5

16b8f405c7e0f2acffd7e08aaf847c70
SHA1

e9eb392e14ffbad16a6b6aaefbd1b6702faa3469
SHA256

e4d8d13f073823596f27ec02a107ed3abec2acfa02998211a4c16189ba42775f
SHA512

1076fb66bcdd102137b235073b0bcc62a92389857f58213064024b705bb56a9c43314ea6efa96e3ba16c9e7f9ad8187c4a12683dd7b7cae544f4786aebb8f3db
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2352	schtasks.exe	32

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d25-12.dat	dcrat
behavioral1/memory/2108-13-0x0000000000EA0000-0x0000000000FB0000-memory.dmp	dcrat
behavioral1/memory/1940-34-0x0000000000220000-0x0000000000330000-memory.dmp	dcrat
behavioral1/memory/2368-125-0x0000000000970000-0x0000000000A80000-memory.dmp	dcrat
behavioral1/memory/1036-185-0x0000000000AD0000-0x0000000000BE0000-memory.dmp	dcrat
behavioral1/memory/1848-245-0x0000000001230000-0x0000000001340000-memory.dmp	dcrat
behavioral1/memory/2852-305-0x00000000003B0000-0x00000000004C0000-memory.dmp	dcrat
behavioral1/memory/2080-365-0x0000000000CE0000-0x0000000000DF0000-memory.dmp	dcrat
behavioral1/memory/1844-425-0x00000000013E0000-0x00000000014F0000-memory.dmp	dcrat
behavioral1/memory/3020-486-0x00000000003A0000-0x00000000004B0000-memory.dmp	dcrat
behavioral1/memory/2908-546-0x0000000001100000-0x0000000001210000-memory.dmp	dcrat
behavioral1/memory/2396-607-0x0000000001260000-0x0000000001370000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1488	powershell.exe
1916	powershell.exe
1668	powershell.exe
1988	powershell.exe
1028	powershell.exe
1696	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2108	DllCommonsvc.exe
1940	Idle.exe
2368	Idle.exe
1036	Idle.exe
1848	Idle.exe
2852	Idle.exe
2080	Idle.exe
1844	Idle.exe
3020	Idle.exe
2908	Idle.exe
2396	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2568	cmd.exe
2568	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
22	raw.githubusercontent.com
29	raw.githubusercontent.com
9	raw.githubusercontent.com
19	raw.githubusercontent.com
25	raw.githubusercontent.com
32	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\5940a34987c991	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e4d8d13f073823596f27ec02a107ed3abec2acfa02998211a4c16189ba42775f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2992	schtasks.exe
2960	schtasks.exe
2816	schtasks.exe
2484	schtasks.exe
2504	schtasks.exe
3060	schtasks.exe
2492	schtasks.exe
2648	schtasks.exe
2588	schtasks.exe
2608	schtasks.exe
2760	schtasks.exe
2508	schtasks.exe
2264	schtasks.exe
2528	schtasks.exe
836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2108	DllCommonsvc.exe
1916	powershell.exe
1988	powershell.exe
1668	powershell.exe
1028	powershell.exe
1696	powershell.exe
1940	Idle.exe
1488	powershell.exe
2368	Idle.exe
1036	Idle.exe
1848	Idle.exe
2852	Idle.exe
2080	Idle.exe
1844	Idle.exe
3020	Idle.exe
2908	Idle.exe
2396	Idle.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	DllCommonsvc.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	1940	Idle.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	2368	Idle.exe
Token: SeDebugPrivilege	1036	Idle.exe
Token: SeDebugPrivilege	1848	Idle.exe
Token: SeDebugPrivilege	2852	Idle.exe
Token: SeDebugPrivilege	2080	Idle.exe
Token: SeDebugPrivilege	1844	Idle.exe
Token: SeDebugPrivilege	3020	Idle.exe
Token: SeDebugPrivilege	2908	Idle.exe
Token: SeDebugPrivilege	2396	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2032	2904	JaffaCakes118_e4d8d13f073823596f27ec02a107ed3abec2acfa02998211a4c16189ba42775f.exe	28
PID 2904 wrote to memory of 2032	2904	JaffaCakes118_e4d8d13f073823596f27ec02a107ed3abec2acfa02998211a4c16189ba42775f.exe	28
PID 2904 wrote to memory of 2032	2904	JaffaCakes118_e4d8d13f073823596f27ec02a107ed3abec2acfa02998211a4c16189ba42775f.exe	28
PID 2904 wrote to memory of 2032	2904	JaffaCakes118_e4d8d13f073823596f27ec02a107ed3abec2acfa02998211a4c16189ba42775f.exe	28
PID 2032 wrote to memory of 2568	2032	WScript.exe	29
PID 2032 wrote to memory of 2568	2032	WScript.exe	29
PID 2032 wrote to memory of 2568	2032	WScript.exe	29
PID 2032 wrote to memory of 2568	2032	WScript.exe	29
PID 2568 wrote to memory of 2108	2568	cmd.exe	31
PID 2568 wrote to memory of 2108	2568	cmd.exe	31
PID 2568 wrote to memory of 2108	2568	cmd.exe	31
PID 2568 wrote to memory of 2108	2568	cmd.exe	31
PID 2108 wrote to memory of 1028	2108	DllCommonsvc.exe	48
PID 2108 wrote to memory of 1028	2108	DllCommonsvc.exe	48
PID 2108 wrote to memory of 1028	2108	DllCommonsvc.exe	48
PID 2108 wrote to memory of 1696	2108	DllCommonsvc.exe	49
PID 2108 wrote to memory of 1696	2108	DllCommonsvc.exe	49
PID 2108 wrote to memory of 1696	2108	DllCommonsvc.exe	49
PID 2108 wrote to memory of 1488	2108	DllCommonsvc.exe	50
PID 2108 wrote to memory of 1488	2108	DllCommonsvc.exe	50
PID 2108 wrote to memory of 1488	2108	DllCommonsvc.exe	50
PID 2108 wrote to memory of 1916	2108	DllCommonsvc.exe	51
PID 2108 wrote to memory of 1916	2108	DllCommonsvc.exe	51
PID 2108 wrote to memory of 1916	2108	DllCommonsvc.exe	51
PID 2108 wrote to memory of 1668	2108	DllCommonsvc.exe	52
PID 2108 wrote to memory of 1668	2108	DllCommonsvc.exe	52
PID 2108 wrote to memory of 1668	2108	DllCommonsvc.exe	52
PID 2108 wrote to memory of 1988	2108	DllCommonsvc.exe	53
PID 2108 wrote to memory of 1988	2108	DllCommonsvc.exe	53
PID 2108 wrote to memory of 1988	2108	DllCommonsvc.exe	53
PID 2108 wrote to memory of 1940	2108	DllCommonsvc.exe	60
PID 2108 wrote to memory of 1940	2108	DllCommonsvc.exe	60
PID 2108 wrote to memory of 1940	2108	DllCommonsvc.exe	60
PID 1940 wrote to memory of 2200	1940	Idle.exe	61
PID 1940 wrote to memory of 2200	1940	Idle.exe	61
PID 1940 wrote to memory of 2200	1940	Idle.exe	61
PID 2200 wrote to memory of 2812	2200	cmd.exe	63
PID 2200 wrote to memory of 2812	2200	cmd.exe	63
PID 2200 wrote to memory of 2812	2200	cmd.exe	63
PID 2200 wrote to memory of 2368	2200	cmd.exe	64
PID 2200 wrote to memory of 2368	2200	cmd.exe	64
PID 2200 wrote to memory of 2368	2200	cmd.exe	64
PID 2368 wrote to memory of 2056	2368	Idle.exe	67
PID 2368 wrote to memory of 2056	2368	Idle.exe	67
PID 2368 wrote to memory of 2056	2368	Idle.exe	67
PID 2056 wrote to memory of 284	2056	cmd.exe	69
PID 2056 wrote to memory of 284	2056	cmd.exe	69
PID 2056 wrote to memory of 284	2056	cmd.exe	69
PID 2056 wrote to memory of 1036	2056	cmd.exe	70
PID 2056 wrote to memory of 1036	2056	cmd.exe	70
PID 2056 wrote to memory of 1036	2056	cmd.exe	70
PID 1036 wrote to memory of 2472	1036	Idle.exe	71
PID 1036 wrote to memory of 2472	1036	Idle.exe	71
PID 1036 wrote to memory of 2472	1036	Idle.exe	71
PID 2472 wrote to memory of 2244	2472	cmd.exe	73
PID 2472 wrote to memory of 2244	2472	cmd.exe	73
PID 2472 wrote to memory of 2244	2472	cmd.exe	73
PID 2472 wrote to memory of 1848	2472	cmd.exe	74
PID 2472 wrote to memory of 1848	2472	cmd.exe	74
PID 2472 wrote to memory of 1848	2472	cmd.exe	74
PID 1848 wrote to memory of 2016	1848	Idle.exe	75
PID 1848 wrote to memory of 2016	1848	Idle.exe	75
PID 1848 wrote to memory of 2016	1848	Idle.exe	75
PID 2016 wrote to memory of 1980	2016	cmd.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e4d8d13f073823596f27ec02a107ed3abec2acfa02998211a4c16189ba42775f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e4d8d13f073823596f27ec02a107ed3abec2acfa02998211a4c16189ba42775f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
    - - C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1940
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0IgHXqOu0A.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2812
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qsbi9TUILn.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:284
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2244
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xm2kK1SIVO.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1980
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mNrvcGFykN.bat"
        14⤵
        
        PID:1292
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2316
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat"
        16⤵
        
        PID:1764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2400
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ISA3vp411k.bat"
        18⤵
        
        PID:2924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1324
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L59TFxmxil.bat"
        20⤵
        
        PID:2656
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2492
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat"
        22⤵
        
        PID:1640
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2308
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7308f103324df6c340ac3ea07d62a33b

SHA1
542a9fa036e8b2ef1ce490c7e46bb0f1ab105898

SHA256
27caf34ddf0fa67b121e8e7cd04829c747ef86c5f12d201f5f2c941a881d25e1

SHA512
b07c3ce7d31a7b16c462c6d1df38d15065ff230f31f72a0391c8cb12f801dee1ab1b486bdf86baebda02e4ce4301e0d2310032e45082ef253c3740be6580c7e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
395abf88a4a165e849ba546f2cc3a3da

SHA1
214a6bc84fd9793b72816a62961c4af229422872

SHA256
0113ca10574a7c27586b4bb8891dca6f4940dde3cf2cf616de9b0bcd9b33a44e

SHA512
ff017223ae2e8be3c9a17fcac5cfc4c14171441e3e4f8213efe636c52f1ea2fed5bc0b2df52cedb810aac63c00d59649c83ec9b6e3e9442e739fef7c189bdb23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b00c84945ebc244b29a7b4e21259c9f1

SHA1
62caf664dedca3754bbe5d86a04d7d1e5338c323

SHA256
0cc19e6e4210887cee8b3758c88377c661008e8707a34c2efb27ca494adc8c62

SHA512
088e947d9c986ad7ee46f90dd2b8125879e456fb4b6cab8696bb312821bce47a360f0bb5568a300bc4677185cab2f945c51d530afd0ddc0e536e7134aefa8240

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e7adeadb4ea5911a1cbf61a53dcbea33

SHA1
6194bd22783e68d0fefdc6c54c6e9f4dea9f825d

SHA256
80af658ac3c458a991b51791d09800df92304665a13863a0f16ef1f85d294bcb

SHA512
ca006d5485b6f4e333bfa1d12913565df2b0acf6a8ac755bc60e2534076dc82d522e23bea77279cb8ef552d7252908ca744907546b4025162f9fa5d32317ad4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2bfd9a25af229bd0241f5c50fc5228b8

SHA1
a4608d384aab349aa3846778d4c786a0d56a0d88

SHA256
f060f239df517b4f0eeeff90418942f1a9be5056921906d979448c831caf4081

SHA512
16b1e1e0ac02567cd8b2d88d5b7fb14cf9fa63acbb3d3043cf3e4b3d73203acdb680036ab7c9edd7d1a6c718f84489af4f5e3cf322917b4593a9644c82237f45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a96beba11ab29fa055745093110225ac

SHA1
c58492e62e1f45aa9c1ed1b2757645fc850539ed

SHA256
072102c8cae30f9e95ffa3a5b78e1bdacfa4fbb5bbbbbe0db7af62b0ac48d49f

SHA512
17a0f644ea48cfa83dcfc501bbaedf9fb0c0a888a0ed70389f795926099d48046591e92141c322c81ab3c4c21cee6ec13b430d5e100abd5be5a30e7b44a5ee6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1b3c6ad2cba1fcb35512d08c021f3ea

SHA1
2e3737ad0b130ec154e285c1787c1eef541b62b5

SHA256
9cd0e95ee8c02db6f42a5909a3eb583d633663d74c9a48867154f178e68e50ff

SHA512
96b4ec3ff7cd99f0e15e45c095eb12a0627966f1a538fb02f28159e7b1d32b5960bbd072389d039a1b2e7528edeee27fbec538bdef917a4bec9a7868f608632d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d733caa5334b94437854f81ebda9646

SHA1
ed07b0e8ea0da8f0ad32ec42ed7bed8d4a03e94c

SHA256
fe48cacb540f69b6c8d0bc6bff5feaa43dfbcee49d00e2d7b7e6458aac48f8b4

SHA512
7c87ffc24f68499549ce1c541e2abf880d2c24a2e500434e43e3731e49216bc12381351ae527ab2a77f78cd39bb9f6b41561811499cbed19aa6fd346d91a2556

Download Submit
C:\Users\Admin\AppData\Local\Temp\0IgHXqOu0A.bat

Filesize
191B

MD5
f2cf10e848807f0f43b32a59762ce084

SHA1
761526f31333148c2c7888a6ef1b9661044a0421

SHA256
70b59f395f7bff1f20b338a6b2565b7011c6d40b64f79781944987e3e6f22969

SHA512
464f60bb50e1c0a97a8668381d39344113c85d59523db2053ef12bd956fbe6cb9263c3834f34608b71ae9313046f43e0168065c1ec434a7a5a4badcc5204b07c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat

Filesize
191B

MD5
ed78c22c14f2ed65160ec2707ce65e8d

SHA1
9b75d7b11045467665ae1626a10873ab1da31d2a

SHA256
d11e31d01e525df8a329acd1a0aa9ff46d23f7933d3cf521b20b07e716640ecd

SHA512
1c69ba3de0ecbe98f632104ef206aeef319684b14b4f5a8156210ea3a127adc4d02f160a5f1e742b56eff241b428921727102d2a5429fc60d7fdece8cba8c06c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAD03.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ISA3vp411k.bat

Filesize
191B

MD5
572edbe6434d78299299ac6298865a4b

SHA1
0e888303f9ed6ff47296fa0d15d0c87bc8f18869

SHA256
6ce01714f2349d7c84f6f3933a6178ffd18ff4b80f9abe9ce13e79d4c9f75865

SHA512
701ebbfca17f59b5211a14071b726d4eb5c0a9fb272aefb011a981562a252228f42b02085b82fd7b25fbf4041589e4fedc70bad6fbab2aa99b755c1ceae75afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\L59TFxmxil.bat

Filesize
191B

MD5
0487116f93839d00ae4d547b29e7e9b8

SHA1
26b56eb846c0e06013c4eee9bc2956d75a456fa5

SHA256
a2d6ff42ca5741dada3a1c4f4d51b9befc26604f65c05e99a1bdae80dfdb3f96

SHA512
99f0c0f073ea14517dd2f94a194db71f0035ab66dba4adb92500a916bcec38bb07ae534bdfd3ecebc6cba2220df9b274fb5ef40ed3ebdaaaa76a6c95742e75e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAD16.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat

Filesize
191B

MD5
d97ae129bd9f9e334f9e5f3021d3ada7

SHA1
4d1b157d3bb9c36aa41d4a5c4ddc9715bb14a7c8

SHA256
84e5cb0c028d3ff1fe818c581929a67c60879fbb9e44361208c971d3e84396d4

SHA512
f1fffe802f1965424da5de20ecf43636daf2b74cb55b8ba03f5876fb967d8aabbfc3fc113b0b7f40545e6613d467cf95b16080b28799a6b7242c498f3fffa87b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mNrvcGFykN.bat

Filesize
191B

MD5
921b69ccea763d39e5c807d7fcc2ef38

SHA1
4055c85919dd63c5cb959b198fd661c156be1aea

SHA256
afdf7bf831335159430c307915d9b040e3fbc8e3dac5363650b1fff259265096

SHA512
1deb80be5f2d4037a28b3593b634d88024003b61db580344662b858d2153aa2bce9f62d5b5b4726783a6c7e43e2a6233ba92f155c7f9d276d1bb914ea3c17467

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsbi9TUILn.bat

Filesize
191B

MD5
26ab1fe61e87b50008e0516766f17744

SHA1
743ce1c9ae6abdd2e10a1a8bda46bf4a6c7b3c7b

SHA256
6c5888f24324d6eefc1244d2615b9969fd433c6f8ef735bcb6c0035362b934bf

SHA512
5930aa93f7d16b294d0466e9c86ec9cffe37c00fab52693ccfdb789513109e4a2d822383bdc0b79b88ea112ef4afc9fc7f0195047750352a14857a57c0f967a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat

Filesize
191B

MD5
202b4a8f7a4d96f6922ed846c870d407

SHA1
0bf55e247d6c8d9a4bd122d059954946cecad805

SHA256
84e4e80a64ad2330d659bf324ebe9b49914cb62c42520cf0e20a93e77a6a1090

SHA512
9a50025cf01f23f61b55658fadbb1f6082cd522f860839f2cc11a5eb4a142e8ac05f3ffd93b1761914aaeca95c48f0952e508a3322bdb7fe313849d6e8f09a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xm2kK1SIVO.bat

Filesize
191B

MD5
6789b9ff1d11f3f909d6092fb88268f0

SHA1
8c4f117bea7dcdac61198ef3ec5326fa0bb4ada2

SHA256
b08a2f76c3eb1c142d70cd2c4a02071f388a5780a8bbd49e3c9d6c16a52dec54

SHA512
d2b9345bd06ff58ce0855c24015d33cdd57bbc1ee023efa4052d62efa25015454cd31cc8c55e40592c5048970c3c6319afbce27baa49d67f4a8697c845f95fb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e11e094b5d7edc51786290cc28f35ba4

SHA1
c280be161c3424aceefa945118f175e0d3ad087a

SHA256
f1bd5971a6f5730a9b9880cb7f99accc58e7d063da9566df47c47aab3dccb498

SHA512
8b3c39818198744f685dea4e4e18c4598df8166c14871354435a8d1e46e5954fb8064cfb22937225e42aec82631452f1e243b19ebf6338929d4601db3e36c620

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1036-185-0x0000000000AD0000-0x0000000000BE0000-memory.dmp

Filesize
1.1MB

Download
memory/1844-426-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/1844-425-0x00000000013E0000-0x00000000014F0000-memory.dmp

Filesize
1.1MB

Download
memory/1848-245-0x0000000001230000-0x0000000001340000-memory.dmp

Filesize
1.1MB

Download
memory/1916-44-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/1916-46-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

Filesize
32KB

Download
memory/1940-56-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/1940-34-0x0000000000220000-0x0000000000330000-memory.dmp

Filesize
1.1MB

Download
memory/2080-365-0x0000000000CE0000-0x0000000000DF0000-memory.dmp

Filesize
1.1MB

Download
memory/2108-13-0x0000000000EA0000-0x0000000000FB0000-memory.dmp

Filesize
1.1MB

Download
memory/2108-17-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/2108-16-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2108-15-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2108-14-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2368-125-0x0000000000970000-0x0000000000A80000-memory.dmp

Filesize
1.1MB

Download
memory/2396-608-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2396-607-0x0000000001260000-0x0000000001370000-memory.dmp

Filesize
1.1MB

Download
memory/2852-305-0x00000000003B0000-0x00000000004C0000-memory.dmp

Filesize
1.1MB

Download
memory/2908-547-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2908-546-0x0000000001100000-0x0000000001210000-memory.dmp

Filesize
1.1MB

Download
memory/3020-486-0x00000000003A0000-0x00000000004B0000-memory.dmp

Filesize
1.1MB

Download