dcrat | a89024bb7857f3a4fab536dba5ab4b156de83cf116051cc9453fd685848b17e4

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 08:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a89024bb7857f3a4fab536dba5ab4b156de83cf116051cc9453fd685848b17e4.exe
Size

1.3MB
MD5

14f5a005958f22affbc64c92ea9a7838
SHA1

3da7cea450587e2220ba551ea2369fd9edcccec5
SHA256

a89024bb7857f3a4fab536dba5ab4b156de83cf116051cc9453fd685848b17e4
SHA512

883ae1e635947ba6f2effdb877a255b3d2fa445dab81dc4169fbb8c5296117c4bbe54289014bd0678944c3bcb61aba489390e77f874d62a9b70abcde2d023462
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2856	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000019465-9.dat	dcrat
behavioral1/memory/2676-13-0x0000000000080000-0x0000000000190000-memory.dmp	dcrat
behavioral1/memory/2672-41-0x0000000000110000-0x0000000000220000-memory.dmp	dcrat
behavioral1/memory/2196-111-0x0000000000C70000-0x0000000000D80000-memory.dmp	dcrat
behavioral1/memory/1872-172-0x00000000003C0000-0x00000000004D0000-memory.dmp	dcrat
behavioral1/memory/640-233-0x0000000000F10000-0x0000000001020000-memory.dmp	dcrat
behavioral1/memory/2216-470-0x00000000000C0000-0x00000000001D0000-memory.dmp	dcrat
behavioral1/memory/2088-531-0x0000000000AC0000-0x0000000000BD0000-memory.dmp	dcrat
behavioral1/memory/1184-650-0x0000000000F40000-0x0000000001050000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2136	powershell.exe
2416	powershell.exe
2348	powershell.exe
2364	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2676	DllCommonsvc.exe
2672	csrss.exe
2196	csrss.exe
1872	csrss.exe
640	csrss.exe
2212	csrss.exe
2580	csrss.exe
1620	csrss.exe
2216	csrss.exe
2088	csrss.exe
2572	csrss.exe
1184	csrss.exe
1596	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
1952	cmd.exe
1952	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
20	raw.githubusercontent.com
34	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
37	raw.githubusercontent.com
41	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\dllhost.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\services.exe	DllCommonsvc.exe
File created	C:\Windows\AppCompat\Programs\c5b4cb5e9653cc	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a89024bb7857f3a4fab536dba5ab4b156de83cf116051cc9453fd685848b17e4.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2644	schtasks.exe
2888	schtasks.exe
2700	schtasks.exe
2620	schtasks.exe
1872	schtasks.exe
2188	schtasks.exe
2796	schtasks.exe
2696	schtasks.exe
2600	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2676	DllCommonsvc.exe
2676	DllCommonsvc.exe
2676	DllCommonsvc.exe
2348	powershell.exe
2136	powershell.exe
2416	powershell.exe
2672	csrss.exe
2364	powershell.exe
2196	csrss.exe
1872	csrss.exe
640	csrss.exe
2212	csrss.exe
2580	csrss.exe
1620	csrss.exe
2216	csrss.exe
2088	csrss.exe
2572	csrss.exe
1184	csrss.exe
1596	csrss.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	DllCommonsvc.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	2672	csrss.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	2196	csrss.exe
Token: SeDebugPrivilege	1872	csrss.exe
Token: SeDebugPrivilege	640	csrss.exe
Token: SeDebugPrivilege	2212	csrss.exe
Token: SeDebugPrivilege	2580	csrss.exe
Token: SeDebugPrivilege	1620	csrss.exe
Token: SeDebugPrivilege	2216	csrss.exe
Token: SeDebugPrivilege	2088	csrss.exe
Token: SeDebugPrivilege	2572	csrss.exe
Token: SeDebugPrivilege	1184	csrss.exe
Token: SeDebugPrivilege	1596	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2668	2500	JaffaCakes118_a89024bb7857f3a4fab536dba5ab4b156de83cf116051cc9453fd685848b17e4.exe	30
PID 2500 wrote to memory of 2668	2500	JaffaCakes118_a89024bb7857f3a4fab536dba5ab4b156de83cf116051cc9453fd685848b17e4.exe	30
PID 2500 wrote to memory of 2668	2500	JaffaCakes118_a89024bb7857f3a4fab536dba5ab4b156de83cf116051cc9453fd685848b17e4.exe	30
PID 2500 wrote to memory of 2668	2500	JaffaCakes118_a89024bb7857f3a4fab536dba5ab4b156de83cf116051cc9453fd685848b17e4.exe	30
PID 2668 wrote to memory of 1952	2668	WScript.exe	31
PID 2668 wrote to memory of 1952	2668	WScript.exe	31
PID 2668 wrote to memory of 1952	2668	WScript.exe	31
PID 2668 wrote to memory of 1952	2668	WScript.exe	31
PID 1952 wrote to memory of 2676	1952	cmd.exe	33
PID 1952 wrote to memory of 2676	1952	cmd.exe	33
PID 1952 wrote to memory of 2676	1952	cmd.exe	33
PID 1952 wrote to memory of 2676	1952	cmd.exe	33
PID 2676 wrote to memory of 2136	2676	DllCommonsvc.exe	45
PID 2676 wrote to memory of 2136	2676	DllCommonsvc.exe	45
PID 2676 wrote to memory of 2136	2676	DllCommonsvc.exe	45
PID 2676 wrote to memory of 2416	2676	DllCommonsvc.exe	46
PID 2676 wrote to memory of 2416	2676	DllCommonsvc.exe	46
PID 2676 wrote to memory of 2416	2676	DllCommonsvc.exe	46
PID 2676 wrote to memory of 2348	2676	DllCommonsvc.exe	47
PID 2676 wrote to memory of 2348	2676	DllCommonsvc.exe	47
PID 2676 wrote to memory of 2348	2676	DllCommonsvc.exe	47
PID 2676 wrote to memory of 2364	2676	DllCommonsvc.exe	48
PID 2676 wrote to memory of 2364	2676	DllCommonsvc.exe	48
PID 2676 wrote to memory of 2364	2676	DllCommonsvc.exe	48
PID 2676 wrote to memory of 2672	2676	DllCommonsvc.exe	53
PID 2676 wrote to memory of 2672	2676	DllCommonsvc.exe	53
PID 2676 wrote to memory of 2672	2676	DllCommonsvc.exe	53
PID 2672 wrote to memory of 2156	2672	csrss.exe	54
PID 2672 wrote to memory of 2156	2672	csrss.exe	54
PID 2672 wrote to memory of 2156	2672	csrss.exe	54
PID 2156 wrote to memory of 2436	2156	cmd.exe	56
PID 2156 wrote to memory of 2436	2156	cmd.exe	56
PID 2156 wrote to memory of 2436	2156	cmd.exe	56
PID 2156 wrote to memory of 2196	2156	cmd.exe	57
PID 2156 wrote to memory of 2196	2156	cmd.exe	57
PID 2156 wrote to memory of 2196	2156	cmd.exe	57
PID 2196 wrote to memory of 2208	2196	csrss.exe	58
PID 2196 wrote to memory of 2208	2196	csrss.exe	58
PID 2196 wrote to memory of 2208	2196	csrss.exe	58
PID 2208 wrote to memory of 2752	2208	cmd.exe	60
PID 2208 wrote to memory of 2752	2208	cmd.exe	60
PID 2208 wrote to memory of 2752	2208	cmd.exe	60
PID 2208 wrote to memory of 1872	2208	cmd.exe	61
PID 2208 wrote to memory of 1872	2208	cmd.exe	61
PID 2208 wrote to memory of 1872	2208	cmd.exe	61
PID 1872 wrote to memory of 1156	1872	csrss.exe	62
PID 1872 wrote to memory of 1156	1872	csrss.exe	62
PID 1872 wrote to memory of 1156	1872	csrss.exe	62
PID 1156 wrote to memory of 744	1156	cmd.exe	64
PID 1156 wrote to memory of 744	1156	cmd.exe	64
PID 1156 wrote to memory of 744	1156	cmd.exe	64
PID 1156 wrote to memory of 640	1156	cmd.exe	65
PID 1156 wrote to memory of 640	1156	cmd.exe	65
PID 1156 wrote to memory of 640	1156	cmd.exe	65
PID 640 wrote to memory of 2284	640	csrss.exe	66
PID 640 wrote to memory of 2284	640	csrss.exe	66
PID 640 wrote to memory of 2284	640	csrss.exe	66
PID 2284 wrote to memory of 2204	2284	cmd.exe	68
PID 2284 wrote to memory of 2204	2284	cmd.exe	68
PID 2284 wrote to memory of 2204	2284	cmd.exe	68
PID 2284 wrote to memory of 2212	2284	cmd.exe	69
PID 2284 wrote to memory of 2212	2284	cmd.exe	69
PID 2284 wrote to memory of 2212	2284	cmd.exe	69
PID 2212 wrote to memory of 2232	2212	csrss.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a89024bb7857f3a4fab536dba5ab4b156de83cf116051cc9453fd685848b17e4.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a89024bb7857f3a4fab536dba5ab4b156de83cf116051cc9453fd685848b17e4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppCompat\Programs\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
    - - C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2672
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GN7B3lpeta.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2436
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lZfwAG7KGX.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2752
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Lxx1rvPQX.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:744
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AMKHlt6LWj.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2204
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W0gPze1DKI.bat"
        14⤵
        
        PID:2232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2712
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat"
        16⤵
        
        PID:1652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2956
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z7DRyUOV59.bat"
        18⤵
        
        PID:1556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1852
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat"
        20⤵
        
        PID:2852
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1052
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat"
        22⤵
        
        PID:2988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1580
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M53DwaTFc6.bat"
        24⤵
        
        PID:1288
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2460
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\S2GQUB77UU.bat"
        26⤵
        
        PID:872
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:840
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\AppCompat\Programs\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\AppCompat\Programs\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
09e51d08902b6b774785b85a187ed440

SHA1
4ea03205dfdbde6d2202a2040afbd0bb724b9094

SHA256
d7d29524bb543fb8c74b4d1095f63bb68a7329d1345c6a7d6e04c13cff0eb7cc

SHA512
d9a79783ad432fd43584e8204fcc226bbf37133893050074d6a83989c6003ad5661bd368de3e8c3cbd4651429addaf60391f9a77c179ca857ddc06aa22382438

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad9c34cf67b159ba821d6275cb55d58c

SHA1
c204522d4cc4063f2267128c3471557b4be78766

SHA256
e9b1b6d1c1eac345e2925a341fd8018aa4de40712cf732a87f2c5e53c740b99d

SHA512
0d3f3a36277cb376690227179990a6b09078679d2553db54ced3ed3dddacaddcb26d0efdf3884ebf3decf24eb3049111a756d212720fd5c03650dc85dbb9d2bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
054ecb64fbb1aa815c2c916bc42a69f0

SHA1
33229a1c2747cc59af9f2917f4e1814b6a14b7fb

SHA256
58bb57cf7748a890d45264b97b9248a33a8e815cc7b5de000be7544b93293c08

SHA512
9ffc234170d6d02b1b9c7c18ce83f6f04df247d97b6954f6de934d6c051a29180313597c983140d1b2282e655c20cbf089abef663c6bbd6ce750449140eec43a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b1ba2b9f226837220c14f55a68334538

SHA1
1e52ae4b585c05e21a9cedac6669fb093432bedc

SHA256
f04ebdd441a1bf74efdeeb83242a823fcf67388cb83ed0b6b1bf6accad4038fd

SHA512
388e4e55ee055a030385d802eabfe4458deb9b8900e2bc814db80596ddc9412b4985f517b347702b493e613c53dcf8d4af4ab6d7d869d676183e2839e46fce9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8db57dbcf490dff892a501c982d91e56

SHA1
f8eb5131a06e60205d3548dc05b312e84f1fbdbd

SHA256
3cf83bc53e9931afe91bbd053384b74922870c3f631859bd15374205e7458781

SHA512
76716f6edd964d14bd3bfbb575ea31037e8d0a10556eb756de74878127b3f08398838260e1413e40c488b9146c0094b43c2c6d6cb030f3d497da25a462e18a26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9de4d85454f4cb7692b6e6803ee619e

SHA1
d5335a0bd997b92dd71d5f9a43e1c166daa97633

SHA256
cdab7a1755d8b0a8e8a304cb33ff8be16760400fa449835d7d499b7a3bd028ea

SHA512
84e0b69acd3c47d71bb330a49d6197d64e3e1c593b98e740e66303c663d3c221255b0db014454d7856664b574f84db6f09aa4575e8d0fd16bba5e6d4db4fe864

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5787f95b0ec69b783a4710a0cd4e17d7

SHA1
b68743a9b07207a4a2fbc5552fbf56412c0c12c5

SHA256
a9a7317e4bd5117ea92bb36aa58a805b87455b35a22218e336085608a45b3d6f

SHA512
266a465e9bc4acf59d18f51c2125e9b4dea106643495999b039e664d778731ce9d2f6e518f73652c611c07a15229012379e65b5f013570469fab6e490a12b6b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
999a40e275c80f89af2995ddcff7170f

SHA1
c8ab68bb31c5155af9c0968fab7d8d09742dd016

SHA256
65b16e4f5a907857c7f184b5a23402032f86ecb15a18457f7fd184ca284f7ffd

SHA512
68c92e6342adaf56827ec7c88ed2d21749db54b38e861d630903ff62457a4af2976a5170a9ecea4c099cdce37560ff3737c0065a16e2e7419fcbc97108fb80b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43ad3c5fe296c70fb931efaa26d8c4ac

SHA1
4517dab5696ec247e1177ff0c5b0ef05e41a54f0

SHA256
b47b111f7e9fa4d80919cf462db255f7d2c362f568550f85cfcf10de135af27e

SHA512
a9eb9377d589ea397137b15ad092f0892921e2e80c0e413d4eda4e00cadbce5b4a57eabc6b05b5b79903172718cdc1d3e3d2b7986f3763d286cf5d82213c7b29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
89f19d3512a2e3b987b5c7f40811dd19

SHA1
d4a68c106e3486864db45e8062b8e5990dd27815

SHA256
8a90bbccde4098aa7a4cd6e59c1d5152cf8d4e0fdb9bb9fd1d4c20cc720dc663

SHA512
4935cab6da6a53f27c7eb754a0a1d0b4a4d0c33b017508618479414ab822c368d0340b9c5ee338431b653dd97deb44fc27eebb97c02d88965694cd53443af32c

Download Submit
C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat

Filesize
223B

MD5
abfbcab0bf0d040a26398d4533397843

SHA1
3bfbfe1ed42457a55606a2944462554a69eb1368

SHA256
f9881c71f59d974c707e5b88568bfaefddb0ecb30372cfd02add1b049b146238

SHA512
cf3f5b2be839c5b5bfaa39e21b26de8dc3954ed1ba842860b615cc3cd3f7da88c1fd8ab44e978a82981db9905f638aaf9ac09ce5063bdba59826ea18114cd8bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat

Filesize
223B

MD5
1968bc9c48d344c9a36394b4f1de7d92

SHA1
68f42860c9b4f0bcc1bcefadc0f7f2500efc316c

SHA256
0ebdb3976536a7a2167a230a0dec5e42123d0d9452de06f55e6e8875d5e9bfa9

SHA512
9fb12764b0d96f5c135f33265802cf84e0634e7d1abb1e2880a2d488221937cc31103715a8d639991030944da5ca919a8120357ccbe778844247a1d9860661b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3Lxx1rvPQX.bat

Filesize
223B

MD5
bedc718984f36570f5d9eeeb05af160e

SHA1
147005b3fa4e4aea7f0070cdb231543e08bbd35a

SHA256
42dc41f614795ddd615e6a88e742b1f1a96a82de380817ac49a364fe66342dde

SHA512
bf1b78a1f7221c41756e6cf83fbc160981158e7672d3321c133472b87dde3d497dabaf096c6cc4eeb54b7cf0d112d9425a08dd05890f77c22cee6ec43f95ac4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMKHlt6LWj.bat

Filesize
223B

MD5
9afa474554cc7048c087f270985ff099

SHA1
42934bbbb7da0a77fe1b482e4051a584f9f1098e

SHA256
024627cf16f26ba2182075356f6302c4b8f080fa11b6201b9f5df6bd2df86612

SHA512
667ce200cb1d6f01550a5009d7ea71a6334cd91435d7f4f8973e518b37897e1a69d3c67cf940db24f576b4e36c06f566308aeb36b43017468c09c34fe10a5d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab11C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GN7B3lpeta.bat

Filesize
223B

MD5
70186d3a81cd2fd2f35fb7f0805c926e

SHA1
ebb1eb420985757fcb6bcd97c1b12f575044faf2

SHA256
49641bf9411aeb7fc0ee5882626d24149288caf7248cee1242f37ddf0595a436

SHA512
a62639bfe8a6cbc5e2fd7de73ce2a8df6332e9623c3eb1942e3d9cffcf3a9d16264294482c6dfd8149c321456679850f0bea5b6c0607f22afb517129c31949c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\M53DwaTFc6.bat

Filesize
223B

MD5
ddd300fb57660787986bb1a521fea8a2

SHA1
021d9b042e94d2fb702c5da63780bc8ca44ec3ab

SHA256
1323686269b33d83d192fd7572e33a31317ec3344cae876b8e63b168a8cff518

SHA512
94c66b6cc4a4840adf939c0359a81fbfea745e8068cc7d7546f8aabc38c36b1aade8b5db98f28f01bbd65bb6b8b09368d52dab1ea706691cd92531aae7a30cb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\S2GQUB77UU.bat

Filesize
223B

MD5
cec73beb45181c5493f150b809325865

SHA1
db16e43d9762ec677cd7c77e7c3838cecb795eb3

SHA256
233f67bec704c20332d82e4e957b2bda43282f1a5c868e541ce40597f694beb9

SHA512
c54bda30cba1fb57cfd65e9e04f07ee0ef29f92d27293cca0c5237040601160f28e007395445e628c8c004bada80e1f0e6fdb06ff12e8ca17fa4432968afbcb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar13E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\W0gPze1DKI.bat

Filesize
223B

MD5
1bbf2efe6e5ee4e22cfe89a6a3b1a9d9

SHA1
56fc85cff1ea677714bb82827a41bbe918272a09

SHA256
81fce11d7331f13cccad9bf24ccaaf909ca1c0eaa0335eacb7347a40173c6a01

SHA512
d0b7eee98df086f0c20ec4f58743e0df7b5ba77a798385c96a31d370ceeecfcc6dbeb5059f92509d86e2e2d777b5bd74e94f50da7d03bbe7f4f872c0ecdbf8d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z7DRyUOV59.bat

Filesize
223B

MD5
e4de106eda1b2b81f1212b28b6e1da5f

SHA1
47caf4b6a5a19e98d36b86c3ad6f1428343b87f3

SHA256
062bfe77edf852723ce2842afeb1a5ff89aad7b1880530da958aaf6021073f1b

SHA512
b4989b27e4f3fcc9e41eccbdbf4d1df76908ff73d2d2a22afb21eb6b658186ca80b49d949358638d8557258d67487cd20afa6c2236a04e8e941150f470049fea

Download Submit
C:\Users\Admin\AppData\Local\Temp\lZfwAG7KGX.bat

Filesize
223B

MD5
5f5923f5e9ed60b79b17b1cc14281c88

SHA1
593b119021da4eb399ae498bf89a052bec19d914

SHA256
e6ba2e08bfc3b2e1ba753652318fbf6e694fb5c21dc401059febbea86f7da8cf

SHA512
36801469a1239fc0578c1c468df5da36048fec429175546fd9798238983cd6a38107f452c9afe62cae120696bb5bc2f126e512c98aac0b6ded0c5018a2763f8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat

Filesize
223B

MD5
259fabcbe8c542d63d041b2320e7b646

SHA1
b4dd001e4e517ccce00973012dade0d0c900299d

SHA256
bdacd076cf836c1313e94d24c764f6a24058b09e1fcf281c1cf3273573bf8626

SHA512
b1168768f347fd6d53df2f4122be5acd70d15c1bd2fc56d02276e605369cde9eb001e655445f657f2fba79542ba3e0e8cbffd256f0589d0d47a7bb4e69800a91

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ae4a7a325ea232d749ab1c0ed99a5caa

SHA1
71a37cdb233c0e25e71f0658633993d45a74df7b

SHA256
17faad5290d34af98d063536c0be64f76b5585473889ace0f65ad8420b48d360

SHA512
d88b22ac5c995f87a5aafe14d15040488c84a7c013112dfc223bb24d6b63fb24a7fad707a260dc4f3dfebb46fc0ca3ad605cf8aba851ae02433a974fca18564e

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/640-233-0x0000000000F10000-0x0000000001020000-memory.dmp

Filesize
1.1MB

Download
memory/1184-650-0x0000000000F40000-0x0000000001050000-memory.dmp

Filesize
1.1MB

Download
memory/1872-173-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/1872-172-0x00000000003C0000-0x00000000004D0000-memory.dmp

Filesize
1.1MB

Download
memory/2088-531-0x0000000000AC0000-0x0000000000BD0000-memory.dmp

Filesize
1.1MB

Download
memory/2136-40-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2196-112-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/2196-111-0x0000000000C70000-0x0000000000D80000-memory.dmp

Filesize
1.1MB

Download
memory/2216-470-0x00000000000C0000-0x00000000001D0000-memory.dmp

Filesize
1.1MB

Download
memory/2216-471-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/2348-42-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/2672-47-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/2672-41-0x0000000000110000-0x0000000000220000-memory.dmp

Filesize
1.1MB

Download
memory/2676-17-0x00000000007E0000-0x00000000007EC000-memory.dmp

Filesize
48KB

Download
memory/2676-16-0x0000000000640000-0x000000000064C000-memory.dmp

Filesize
48KB

Download
memory/2676-15-0x00000000007D0000-0x00000000007DC000-memory.dmp

Filesize
48KB

Download
memory/2676-14-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/2676-13-0x0000000000080000-0x0000000000190000-memory.dmp

Filesize
1.1MB

Download