dcrat | 8caa9c10a98760610cd31750aeb7dbbed055c0a989a26cf7dedf6ed866beef41

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 08:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8caa9c10a98760610cd31750aeb7dbbed055c0a989a26cf7dedf6ed866beef41.exe
Size

1.3MB
MD5

b95408791c68270fd681970b783f232f
SHA1

05ee6e0b7d156df3ffee53cb2fb4ceafa67ea557
SHA256

8caa9c10a98760610cd31750aeb7dbbed055c0a989a26cf7dedf6ed866beef41
SHA512

260045159a0d48f3d0b59de897d5ae6a47a83baa657c52740511238cdb41abf0c18548fc6523a5e8e2cbe12ba835540649f1b5ff02948f20156f70296975560b
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2824	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2824	schtasks.exe	35

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001707c-11.dat	dcrat
behavioral1/memory/2324-13-0x0000000000DA0000-0x0000000000EB0000-memory.dmp	dcrat
behavioral1/memory/2508-52-0x0000000000AB0000-0x0000000000BC0000-memory.dmp	dcrat
behavioral1/memory/2096-111-0x00000000000E0000-0x00000000001F0000-memory.dmp	dcrat
behavioral1/memory/2444-171-0x00000000001F0000-0x0000000000300000-memory.dmp	dcrat
behavioral1/memory/2140-231-0x00000000000C0000-0x00000000001D0000-memory.dmp	dcrat
behavioral1/memory/2556-291-0x0000000000F20000-0x0000000001030000-memory.dmp	dcrat
behavioral1/memory/2580-351-0x0000000001070000-0x0000000001180000-memory.dmp	dcrat
behavioral1/memory/544-589-0x0000000000330000-0x0000000000440000-memory.dmp	dcrat
behavioral1/memory/2220-650-0x0000000000C80000-0x0000000000D90000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
812	powershell.exe
2044	powershell.exe
2144	powershell.exe
2028	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2324	DllCommonsvc.exe
2508	Idle.exe
2096	Idle.exe
2444	Idle.exe
2140	Idle.exe
2556	Idle.exe
2580	Idle.exe
2040	Idle.exe
612	Idle.exe
2720	Idle.exe
544	Idle.exe
2220	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
1164	cmd.exe
1164	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
40	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
19	raw.githubusercontent.com
36	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com
22	raw.githubusercontent.com

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\es-ES\lsass.exe	DllCommonsvc.exe
File created	C:\Windows\es-ES\6203df4a6bafc7	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8caa9c10a98760610cd31750aeb7dbbed055c0a989a26cf7dedf6ed866beef41.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2680	schtasks.exe
668	schtasks.exe
1612	schtasks.exe
2616	schtasks.exe
2940	schtasks.exe
2820	schtasks.exe
2736	schtasks.exe
2228	schtasks.exe
2644	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2324	DllCommonsvc.exe
2044	powershell.exe
2144	powershell.exe
2028	powershell.exe
812	powershell.exe
2508	Idle.exe
2096	Idle.exe
2444	Idle.exe
2140	Idle.exe
2556	Idle.exe
2580	Idle.exe
2040	Idle.exe
612	Idle.exe
2720	Idle.exe
544	Idle.exe
2220	Idle.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	DllCommonsvc.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeDebugPrivilege	2508	Idle.exe
Token: SeDebugPrivilege	2096	Idle.exe
Token: SeDebugPrivilege	2444	Idle.exe
Token: SeDebugPrivilege	2140	Idle.exe
Token: SeDebugPrivilege	2556	Idle.exe
Token: SeDebugPrivilege	2580	Idle.exe
Token: SeDebugPrivilege	2040	Idle.exe
Token: SeDebugPrivilege	612	Idle.exe
Token: SeDebugPrivilege	2720	Idle.exe
Token: SeDebugPrivilege	544	Idle.exe
Token: SeDebugPrivilege	2220	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2964	2908	JaffaCakes118_8caa9c10a98760610cd31750aeb7dbbed055c0a989a26cf7dedf6ed866beef41.exe	30
PID 2908 wrote to memory of 2964	2908	JaffaCakes118_8caa9c10a98760610cd31750aeb7dbbed055c0a989a26cf7dedf6ed866beef41.exe	30
PID 2908 wrote to memory of 2964	2908	JaffaCakes118_8caa9c10a98760610cd31750aeb7dbbed055c0a989a26cf7dedf6ed866beef41.exe	30
PID 2908 wrote to memory of 2964	2908	JaffaCakes118_8caa9c10a98760610cd31750aeb7dbbed055c0a989a26cf7dedf6ed866beef41.exe	30
PID 2964 wrote to memory of 1164	2964	WScript.exe	31
PID 2964 wrote to memory of 1164	2964	WScript.exe	31
PID 2964 wrote to memory of 1164	2964	WScript.exe	31
PID 2964 wrote to memory of 1164	2964	WScript.exe	31
PID 1164 wrote to memory of 2324	1164	cmd.exe	33
PID 1164 wrote to memory of 2324	1164	cmd.exe	33
PID 1164 wrote to memory of 2324	1164	cmd.exe	33
PID 1164 wrote to memory of 2324	1164	cmd.exe	33
PID 2324 wrote to memory of 2028	2324	DllCommonsvc.exe	45
PID 2324 wrote to memory of 2028	2324	DllCommonsvc.exe	45
PID 2324 wrote to memory of 2028	2324	DllCommonsvc.exe	45
PID 2324 wrote to memory of 812	2324	DllCommonsvc.exe	46
PID 2324 wrote to memory of 812	2324	DllCommonsvc.exe	46
PID 2324 wrote to memory of 812	2324	DllCommonsvc.exe	46
PID 2324 wrote to memory of 2044	2324	DllCommonsvc.exe	47
PID 2324 wrote to memory of 2044	2324	DllCommonsvc.exe	47
PID 2324 wrote to memory of 2044	2324	DllCommonsvc.exe	47
PID 2324 wrote to memory of 2144	2324	DllCommonsvc.exe	48
PID 2324 wrote to memory of 2144	2324	DllCommonsvc.exe	48
PID 2324 wrote to memory of 2144	2324	DllCommonsvc.exe	48
PID 2324 wrote to memory of 2164	2324	DllCommonsvc.exe	53
PID 2324 wrote to memory of 2164	2324	DllCommonsvc.exe	53
PID 2324 wrote to memory of 2164	2324	DllCommonsvc.exe	53
PID 2164 wrote to memory of 2704	2164	cmd.exe	55
PID 2164 wrote to memory of 2704	2164	cmd.exe	55
PID 2164 wrote to memory of 2704	2164	cmd.exe	55
PID 2164 wrote to memory of 2508	2164	cmd.exe	56
PID 2164 wrote to memory of 2508	2164	cmd.exe	56
PID 2164 wrote to memory of 2508	2164	cmd.exe	56
PID 2508 wrote to memory of 2424	2508	Idle.exe	57
PID 2508 wrote to memory of 2424	2508	Idle.exe	57
PID 2508 wrote to memory of 2424	2508	Idle.exe	57
PID 2424 wrote to memory of 1644	2424	cmd.exe	59
PID 2424 wrote to memory of 1644	2424	cmd.exe	59
PID 2424 wrote to memory of 1644	2424	cmd.exe	59
PID 2424 wrote to memory of 2096	2424	cmd.exe	60
PID 2424 wrote to memory of 2096	2424	cmd.exe	60
PID 2424 wrote to memory of 2096	2424	cmd.exe	60
PID 2096 wrote to memory of 2784	2096	Idle.exe	61
PID 2096 wrote to memory of 2784	2096	Idle.exe	61
PID 2096 wrote to memory of 2784	2096	Idle.exe	61
PID 2784 wrote to memory of 2872	2784	cmd.exe	63
PID 2784 wrote to memory of 2872	2784	cmd.exe	63
PID 2784 wrote to memory of 2872	2784	cmd.exe	63
PID 2784 wrote to memory of 2444	2784	cmd.exe	64
PID 2784 wrote to memory of 2444	2784	cmd.exe	64
PID 2784 wrote to memory of 2444	2784	cmd.exe	64
PID 2444 wrote to memory of 2068	2444	Idle.exe	65
PID 2444 wrote to memory of 2068	2444	Idle.exe	65
PID 2444 wrote to memory of 2068	2444	Idle.exe	65
PID 2068 wrote to memory of 2296	2068	cmd.exe	67
PID 2068 wrote to memory of 2296	2068	cmd.exe	67
PID 2068 wrote to memory of 2296	2068	cmd.exe	67
PID 2068 wrote to memory of 2140	2068	cmd.exe	68
PID 2068 wrote to memory of 2140	2068	cmd.exe	68
PID 2068 wrote to memory of 2140	2068	cmd.exe	68
PID 2140 wrote to memory of 1376	2140	Idle.exe	69
PID 2140 wrote to memory of 1376	2140	Idle.exe	69
PID 2140 wrote to memory of 1376	2140	Idle.exe	69
PID 1376 wrote to memory of 1304	1376	cmd.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8caa9c10a98760610cd31750aeb7dbbed055c0a989a26cf7dedf6ed866beef41.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8caa9c10a98760610cd31750aeb7dbbed055c0a989a26cf7dedf6ed866beef41.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1164
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2324
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y2BBUhSYHq.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2164
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2704
      - C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1644
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PX74P8KQcP.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2872
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Lg3y2yDdyq.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2296
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\12JaEZR6zX.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1304
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mWzz7cjAeP.bat"
        15⤵
        
        PID:2488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2672
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat"
        17⤵
        
        PID:2956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:3056
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat"
        19⤵
        
        PID:1932
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1664
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat"
        21⤵
        
        PID:2128
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1080
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat"
        23⤵
        
        PID:668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2772
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat"
        25⤵
        
        PID:3068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1608
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6Po3x2tXZG.bat"
        27⤵
        
        PID:2196
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\es-ES\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\es-ES\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d540557cf2add412ff23eafea84d28e2

SHA1
a0744895fb7b967d4b8b0cfb6a530fedbd4da000

SHA256
3e94b21a1348157a171729ae5a71343a926ec265b31b3b4e8734c11c34c3ea78

SHA512
6bc541011b1a30ad0be9693664bd1cb92816ea955e1677f83800e63cfeb8f1d7f5c955ac0f716a106261ba0a772c6ff09f517b548364a6d51b8e3bfa20ca4606

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
145004e683a818ffe298f8d05bb8d80e

SHA1
632c588bc8a455a70e1433ed88f24e282a5f8f59

SHA256
17a31268ba5575ba8a1cb9fb72fc3416aee1d34155e69245272a514c7789b177

SHA512
790c6c132969185ad359b40cb3ca4122142e060056cb48217a6a2daa588ec858a79332aa1026132fb87fac1d52915cbc2c9eecce15540cfc080becf6e5b8f666

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2dbe4bcdb81d73ea865268821b4ebe4e

SHA1
83a71ed195e533043557e08098d72c25a5d22ef5

SHA256
fd3a1143f1a56f8c68c21f54fa12ca820e1663df6deda224392f8f8d41deebb5

SHA512
6b631e78c9c23189eb42ed3b2b829f56d562d02123b14cf2e29bb176b983e663ddaba83793f08cafb60ad9f29c6e4990be9194befa39d3f3ffee64b175c92efe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1dbbef55c8b74140dfbc9d5a4614f1bb

SHA1
feb6bae80b8c43bcbf4857ebd7fd760c6e1251cd

SHA256
a3f3bf128c655242507d74ed487e040fc95c103e7539155cd2c80b8a14d05c82

SHA512
82ddebacec6eda596edc69eb03b05df5afaf35bb68929fce03137a0f9b3e47fcd785595898b3c745648148138edda34cb8723ade1909a249896f8ef56f536fe4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4dfd43b5e77c2bee2c37c955b9eb0f09

SHA1
7c8b19f58bd6e5db70e035788ffe6f3b84a8f61e

SHA256
066c184ad215b2960822417314c497d1f841e134d33e5c56eeb6e80f16c524e2

SHA512
d9504cc97854b9d7371394095d0a10e77cf51dd4542be2f318c9350cb529d36eb5d56d48e63a5fab05c13c65e37282450169f1d3c2be7b31d5cda050c68f0440

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b611ceaa14edb45aaf69b28ea7daf15

SHA1
f1ca7ad6486318f405600136a5891ddb76e54e34

SHA256
53957504187237e006af8fb02cefd00fc42dc5a8cdf85170678e05a8fc5014b0

SHA512
95a1ea2e74a90286552b4b6c182b4a7343f6d08df1f373cca621ae9c1028745df0fd898732ee92f83c5ab1dccca9f03371f375fb3475df9a33e345cdfde42993

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e2ef9a233fc629ba5ed03e97876277b

SHA1
0244daaef346cacf3b53a59eeeefe85d56df3eb9

SHA256
c382713190109531837b08da039288602db3f8d522096f19a308b482b632f217

SHA512
7b2bd282acce386ba794d3e9ab0c434c2e682d41949bc40220c3906a18e3ee54d1067e581c33efb411a03b3320e0b71fdf19c5c57519a35632dbc3c54a153ebd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ce7bfb8d6c9a87e464860e2b1aa0035

SHA1
0023af2adf4b46020597762f1d2dec7c572d7252

SHA256
a1c6659c3a8beaa585ac3371b7622fd3d9a54593342a71f960bde983a389eaf4

SHA512
95a774db556aeffe0f1706414378c0fc095cd1f8961f7ea867279a35a3c8195b9d54ecc23acc80bcd40bf322243cf72665f77069eccd86e7e75f50834bbc8d6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
feea0ef8e3ad4e8e149e604a47529504

SHA1
cc91a3ad3159a88e92556efaed6bb5f97e55e383

SHA256
a8fee38eae5aafc02d8279c032c6a884b74fafbb4af733d4a4bad8aff1b5552f

SHA512
0dafcf4bccdf376675fcbbe873c7cb5b521ca37590c76f1fb45c043172443947005859ff0933af2a3ad3cffd4db01baa92177f38b73ac9ec9746cc2ef365736c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d72f6c881c2e413283c7e7d33c7cbf6

SHA1
79a3b78ce7ad7f0d57973a08a814f17cae0bdfcc

SHA256
aefabf9a1fcedaee000d472ee6bdf273c7e57986eba918316b3b2137ebb2d8a8

SHA512
b8b2d4c6dfa9825fcc6efc3006bfb875b61d9347180337c8388419c5dadf939faffaedaf7e967cb1954745c7f85799bb9690caae80e6ea688347687da98cd213

Download Submit
C:\Users\Admin\AppData\Local\Temp\12JaEZR6zX.bat

Filesize
222B

MD5
b217b14f4e0e748a43d44e710001f931

SHA1
dbe9d085f3819d7c25f85ffb4d251ddcb6ce7d5a

SHA256
12c0a0fa762260e3974278d43c37ed3fc5a5d8dbbf23ed36a1bd7bcc032f924d

SHA512
4411a6ced037659587c0aef132ab45a25739d5b2ff63737329d88e195e1a36a449613aeec992387d668956f2e5beb88a79f753641310937a540f83d0dff569bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6Po3x2tXZG.bat

Filesize
222B

MD5
f0e028b82432db86d5abb004d2630d98

SHA1
4f59925e9970a7b2689f1dc4d9937646884cf9e4

SHA256
46faa6e8fad69c048113e369cc9ab9961d92f6b7ce85f16e01b9c09e2e7edef8

SHA512
390de6ff150ce906e98c1ab1d1d450d0e55cf7a82ae9b4dbcba0c939ef9a8fe928d21afe26378f4eb9c5be3ab4deb5b82734bff69531318e1c89d5fc346d2e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab12B8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat

Filesize
222B

MD5
109e8fcf863df0bf3844b553c559d4ba

SHA1
3e68640a8414357376a75364869136ddbeddf5ab

SHA256
fbbedd656234dfba076346712de827d45a4aedaf4abcda099e0c7485a0e2ed97

SHA512
3c5affca71388cf2e2292d052ccc23caaf7f9f8e7cdd817bb3d638d32844ce43def61509469318ba734561fcb682c96024c40ce2b4a2946b8031f49cb673a3fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lg3y2yDdyq.bat

Filesize
222B

MD5
07735e8fa1d30de7e5c660447407ec76

SHA1
f095c7721381a2085a400766bec052ac8fcc2e0e

SHA256
a2dad6d94574f380c0f48bbf6c5cab46ca8a79f8d4c394b524b241bb876f5d92

SHA512
0c30b2dbd19bf7d4bc65ce61480b7d34279915a00a55d1cdffc21a7bf4f6d3a3bcd74ac851df342f44aa4cf998b82c0122bb848785a2f1d748bb9f2e3912a847

Download Submit
C:\Users\Admin\AppData\Local\Temp\PX74P8KQcP.bat

Filesize
222B

MD5
99d76bc7dd766f51a131aa83e17adf97

SHA1
a76f2da0fdcbce6e2a4b76e47b555c7949009dff

SHA256
c892c998e6657a3bca9f91598afac83d7b0ace29dc0bd38f0d7c4fdd1ee6d5a4

SHA512
40721b7719280e38ebca45ddee6b9028b25da7bd85df44639d44df1088637df34910b04f553ea98fa41f2fae28634ca2f6181616a12495cc027ac9cd2e9c6fd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar12DA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y2BBUhSYHq.bat

Filesize
222B

MD5
54d228d2939aa34d06169b0c363b52e9

SHA1
e84d02687dd2e1bebc844520a060a996aaf84f96

SHA256
1ace3b664b2b5180cec53c0ae47acc9c5051f2c34da0a2f5dbc11db496e0a9dc

SHA512
d8aeedd0f6492c6f7d93d678ff4685b2e5131a796e578cdbfb2100bf3902f4308641b43033febe71debcfbde82b4878199df44063b28bf39cd0628b67921569c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat

Filesize
222B

MD5
3c241a3a4e378dec0093e31cf34e145b

SHA1
352295c185a88f9698bbdffb9ae9e34aee30d267

SHA256
d13fc28c53339e567ec65fdc2a208e56edd59541d25e45f3bf8e9f46725dda2d

SHA512
cd3e7783894fb9455c7f3c2d2445ff6d93d98d10e769dd9f2424e956a28dbdaba406d64bbbe5dd0633e80e9b1e7fe2ad23e3ed863d1b0ebb01893a41b2846dee

Download Submit
C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat

Filesize
222B

MD5
3cfaf6570b03ccde95a486b3b5b27b47

SHA1
b7c8e83769450669b1bf0196f0625af17f073238

SHA256
fb807bdd0cf0790c380e645d3981f2e79a4e500d2cabc4215263bd7daf46e164

SHA512
87b89876a32b480e8b85e6f6ad1313083553cb9eec41b22ecdc3ee6fae3b87648a6720f5ef4c543a42e53b8e2df5cf31fc98e4974b24a7612ca7c6615322c457

Download Submit
C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat

Filesize
222B

MD5
580c36862f4535bad9c98ebfa5d3d677

SHA1
1a6541660affd1d45a1ae0c10eb59685efb23e5b

SHA256
e026b16dca4f00a6b5e00c5db32b348d1219ab23da840d2a74c2dd743687ba68

SHA512
83c5889b5064cfb0ad9d0acdb29b71000feb8972777bb7b8ab95abf3d867ecc9f135b0bee60aca0dc03a96d6de4c6064f95b6eb541c8209174500486d6bbe883

Download Submit
C:\Users\Admin\AppData\Local\Temp\mWzz7cjAeP.bat

Filesize
222B

MD5
396cf83d76ae0d375c0a6ecbccbf5049

SHA1
ff22bace7ebee77acab335fdc1e6bf9c5d46188c

SHA256
44f61789dfa2299c3cb7f19bce94bacf4e7c6f113a3adda3dace3f2e144d0231

SHA512
1a13edd7a7bc680dbf2c2faa71708d804e176b70ba9ef45924d07e38ef15dd00838f11324b09d6f589108036412a98da8b9a9761fc74f703a8496b9325222ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat

Filesize
222B

MD5
c2eaa851bde407d5f9c4ef756efbeefc

SHA1
a5a56cf5f4ec9009ad390cc9a1adefa21d093678

SHA256
f37760cb8d9b8389ed9b2590c9f79d0b6d39bea9d23d4504e339acc84c121429

SHA512
fa49921b80b8eb9687eb279d308909182515aabb832c7fd1d0098b0577cce60fee72c99b3d69bd2b0dda629cef149cb6721356f4d0fc6c897b10151eea7eddaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat

Filesize
222B

MD5
e811b87f4fde02ae3ca9abca7b70b208

SHA1
28d3558b047863b71a2eba36761f851fb256787e

SHA256
95b0f0b26f53a528e0f059cfea327c37bfcf41b9ddf94cd15e767c714eb6d634

SHA512
e0b9a935880babc3f3e3fa4222ba957d6031a4329060b9939d79b9ff0a0f43e0c5353f05a6c5782db729adb093a8da21b62083042a7cc515cbf86fe868f8999e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5d156cf3cfed19e4ac3d37392ee2259e

SHA1
0c8ca7f6ea7b9425eb2f574017f2adb709b201fc

SHA256
2d6f08ffe7ba95f342b2c8bc6128f8dbf29d859b862907a11d0aa4e75efb0043

SHA512
4b2e7ca636d72e21d33b8afc93ef340a3d5dc4e286a02e393f60f05a89fde1604490e76cce1a2291ab78c8f50bd9f3314aaa1ec047bac9b1d0b56040ae471b77

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/544-590-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/544-589-0x0000000000330000-0x0000000000440000-memory.dmp

Filesize
1.1MB

Download
memory/2044-33-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2044-38-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download
memory/2096-111-0x00000000000E0000-0x00000000001F0000-memory.dmp

Filesize
1.1MB

Download
memory/2140-231-0x00000000000C0000-0x00000000001D0000-memory.dmp

Filesize
1.1MB

Download
memory/2220-650-0x0000000000C80000-0x0000000000D90000-memory.dmp

Filesize
1.1MB

Download
memory/2324-14-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2324-15-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2324-16-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2324-17-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2324-13-0x0000000000DA0000-0x0000000000EB0000-memory.dmp

Filesize
1.1MB

Download
memory/2444-171-0x00000000001F0000-0x0000000000300000-memory.dmp

Filesize
1.1MB

Download
memory/2508-52-0x0000000000AB0000-0x0000000000BC0000-memory.dmp

Filesize
1.1MB

Download
memory/2556-291-0x0000000000F20000-0x0000000001030000-memory.dmp

Filesize
1.1MB

Download
memory/2580-351-0x0000000001070000-0x0000000001180000-memory.dmp

Filesize
1.1MB

Download
memory/2720-529-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download