dcrat | 84a1bba8f48830693c4a84544491a1576a74e566968e58f9e92dbe6550bab9fc

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 08:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_84a1bba8f48830693c4a84544491a1576a74e566968e58f9e92dbe6550bab9fc.exe
Size

1.3MB
MD5

74b88371f834ad6f1b47b3085a7d9df1
SHA1

d67e3edbcf330b6543034d138e4945ae6f228e7a
SHA256

84a1bba8f48830693c4a84544491a1576a74e566968e58f9e92dbe6550bab9fc
SHA512

23ad3ef6d330fffe95a1b21dfbd6e2204b2365b98cf4b5e95d5fa293f08578eb2ab0bb26250c983cd9a910051e14049cb54426e0f6cd4b9101f81e008b3f6df4
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2628	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2628	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2628	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2628	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2628	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2628	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2628	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	2628	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2628	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016855-12.dat	dcrat
behavioral1/memory/2732-13-0x00000000003D0000-0x00000000004E0000-memory.dmp	dcrat
behavioral1/memory/1364-49-0x0000000001310000-0x0000000001420000-memory.dmp	dcrat
behavioral1/memory/1040-288-0x00000000003E0000-0x00000000004F0000-memory.dmp	dcrat
behavioral1/memory/2016-348-0x0000000001110000-0x0000000001220000-memory.dmp	dcrat
behavioral1/memory/2928-408-0x0000000000050000-0x0000000000160000-memory.dmp	dcrat
behavioral1/memory/3040-468-0x00000000008A0000-0x00000000009B0000-memory.dmp	dcrat
behavioral1/memory/752-647-0x00000000010D0000-0x00000000011E0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1560	powershell.exe
376	powershell.exe
1092	powershell.exe
2460	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2732	DllCommonsvc.exe
1364	lsm.exe
1724	lsm.exe
2720	lsm.exe
2408	lsm.exe
1040	lsm.exe
2016	lsm.exe
2928	lsm.exe
3040	lsm.exe
276	lsm.exe
1452	lsm.exe
752	lsm.exe

Loads dropped DLL 2 IoCs

pid	Process
1964	cmd.exe
1964	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
29	raw.githubusercontent.com
36	raw.githubusercontent.com
39	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
32	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_84a1bba8f48830693c4a84544491a1576a74e566968e58f9e92dbe6550bab9fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2832	schtasks.exe
2640	schtasks.exe
524	schtasks.exe
780	schtasks.exe
2268	schtasks.exe
2728	schtasks.exe
2608	schtasks.exe
2664	schtasks.exe
2304	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2732	DllCommonsvc.exe
376	powershell.exe
1560	powershell.exe
1092	powershell.exe
2460	powershell.exe
1364	lsm.exe
1724	lsm.exe
2720	lsm.exe
2408	lsm.exe
1040	lsm.exe
2016	lsm.exe
2928	lsm.exe
3040	lsm.exe
276	lsm.exe
1452	lsm.exe
752	lsm.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	DllCommonsvc.exe
Token: SeDebugPrivilege	376	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	1364	lsm.exe
Token: SeDebugPrivilege	1724	lsm.exe
Token: SeDebugPrivilege	2720	lsm.exe
Token: SeDebugPrivilege	2408	lsm.exe
Token: SeDebugPrivilege	1040	lsm.exe
Token: SeDebugPrivilege	2016	lsm.exe
Token: SeDebugPrivilege	2928	lsm.exe
Token: SeDebugPrivilege	3040	lsm.exe
Token: SeDebugPrivilege	276	lsm.exe
Token: SeDebugPrivilege	1452	lsm.exe
Token: SeDebugPrivilege	752	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2400	2380	JaffaCakes118_84a1bba8f48830693c4a84544491a1576a74e566968e58f9e92dbe6550bab9fc.exe	30
PID 2380 wrote to memory of 2400	2380	JaffaCakes118_84a1bba8f48830693c4a84544491a1576a74e566968e58f9e92dbe6550bab9fc.exe	30
PID 2380 wrote to memory of 2400	2380	JaffaCakes118_84a1bba8f48830693c4a84544491a1576a74e566968e58f9e92dbe6550bab9fc.exe	30
PID 2380 wrote to memory of 2400	2380	JaffaCakes118_84a1bba8f48830693c4a84544491a1576a74e566968e58f9e92dbe6550bab9fc.exe	30
PID 2400 wrote to memory of 1964	2400	WScript.exe	31
PID 2400 wrote to memory of 1964	2400	WScript.exe	31
PID 2400 wrote to memory of 1964	2400	WScript.exe	31
PID 2400 wrote to memory of 1964	2400	WScript.exe	31
PID 1964 wrote to memory of 2732	1964	cmd.exe	33
PID 1964 wrote to memory of 2732	1964	cmd.exe	33
PID 1964 wrote to memory of 2732	1964	cmd.exe	33
PID 1964 wrote to memory of 2732	1964	cmd.exe	33
PID 2732 wrote to memory of 1560	2732	DllCommonsvc.exe	44
PID 2732 wrote to memory of 1560	2732	DllCommonsvc.exe	44
PID 2732 wrote to memory of 1560	2732	DllCommonsvc.exe	44
PID 2732 wrote to memory of 376	2732	DllCommonsvc.exe	45
PID 2732 wrote to memory of 376	2732	DllCommonsvc.exe	45
PID 2732 wrote to memory of 376	2732	DllCommonsvc.exe	45
PID 2732 wrote to memory of 1092	2732	DllCommonsvc.exe	46
PID 2732 wrote to memory of 1092	2732	DllCommonsvc.exe	46
PID 2732 wrote to memory of 1092	2732	DllCommonsvc.exe	46
PID 2732 wrote to memory of 2460	2732	DllCommonsvc.exe	48
PID 2732 wrote to memory of 2460	2732	DllCommonsvc.exe	48
PID 2732 wrote to memory of 2460	2732	DllCommonsvc.exe	48
PID 2732 wrote to memory of 1364	2732	DllCommonsvc.exe	52
PID 2732 wrote to memory of 1364	2732	DllCommonsvc.exe	52
PID 2732 wrote to memory of 1364	2732	DllCommonsvc.exe	52
PID 1364 wrote to memory of 612	1364	lsm.exe	53
PID 1364 wrote to memory of 612	1364	lsm.exe	53
PID 1364 wrote to memory of 612	1364	lsm.exe	53
PID 612 wrote to memory of 2328	612	cmd.exe	55
PID 612 wrote to memory of 2328	612	cmd.exe	55
PID 612 wrote to memory of 2328	612	cmd.exe	55
PID 612 wrote to memory of 1724	612	cmd.exe	57
PID 612 wrote to memory of 1724	612	cmd.exe	57
PID 612 wrote to memory of 1724	612	cmd.exe	57
PID 1724 wrote to memory of 1984	1724	lsm.exe	58
PID 1724 wrote to memory of 1984	1724	lsm.exe	58
PID 1724 wrote to memory of 1984	1724	lsm.exe	58
PID 1984 wrote to memory of 2648	1984	cmd.exe	60
PID 1984 wrote to memory of 2648	1984	cmd.exe	60
PID 1984 wrote to memory of 2648	1984	cmd.exe	60
PID 1984 wrote to memory of 2720	1984	cmd.exe	61
PID 1984 wrote to memory of 2720	1984	cmd.exe	61
PID 1984 wrote to memory of 2720	1984	cmd.exe	61
PID 2720 wrote to memory of 1948	2720	lsm.exe	62
PID 2720 wrote to memory of 1948	2720	lsm.exe	62
PID 2720 wrote to memory of 1948	2720	lsm.exe	62
PID 1948 wrote to memory of 984	1948	cmd.exe	64
PID 1948 wrote to memory of 984	1948	cmd.exe	64
PID 1948 wrote to memory of 984	1948	cmd.exe	64
PID 1948 wrote to memory of 2408	1948	cmd.exe	65
PID 1948 wrote to memory of 2408	1948	cmd.exe	65
PID 1948 wrote to memory of 2408	1948	cmd.exe	65
PID 2408 wrote to memory of 1824	2408	lsm.exe	66
PID 2408 wrote to memory of 1824	2408	lsm.exe	66
PID 2408 wrote to memory of 1824	2408	lsm.exe	66
PID 1824 wrote to memory of 1648	1824	cmd.exe	68
PID 1824 wrote to memory of 1648	1824	cmd.exe	68
PID 1824 wrote to memory of 1648	1824	cmd.exe	68
PID 1824 wrote to memory of 1040	1824	cmd.exe	69
PID 1824 wrote to memory of 1040	1824	cmd.exe	69
PID 1824 wrote to memory of 1040	1824	cmd.exe	69
PID 1040 wrote to memory of 2520	1040	lsm.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_84a1bba8f48830693c4a84544491a1576a74e566968e58f9e92dbe6550bab9fc.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_84a1bba8f48830693c4a84544491a1576a74e566968e58f9e92dbe6550bab9fc.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
    - - C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1364
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M2NHsv551y.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2328
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2648
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lcLsEvVTrf.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:984
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1648
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat"
        14⤵
        
        PID:2520
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2784
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bf2k7CZMYL.bat"
        16⤵
        
        PID:2728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1832
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat"
        18⤵
        
        PID:1612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1380
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yoQf8QHV2Q.bat"
        20⤵
        
        PID:1616
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2056
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eNTIt1NKYH.bat"
        22⤵
        
        PID:1708
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2996
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat"
        24⤵
        
        PID:1676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2460
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat"
        26⤵
        
        PID:2672
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
710759b9bfd4102c5446f9b14a1f5bb5

SHA1
aff06a3b88333df4bc9ac1af9e0efb394681a1e5

SHA256
e5dddb92a9ba7f4c0d11d362e6d1e0d7c758cb53cb5c970f50f13df164c7d152

SHA512
ec8480bc06c6c4eda8420f3cf8e954e8ab6b7b36bf252d227f3221e0cf10b5a85fb2a36741e7692d22172ea41a15354adbd7feaf17aa566473857302a209170e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
474c36533515a33b0cb16bd41e57eeff

SHA1
6711bcbb61051c8385c86a27ac3b2ffa3587bae6

SHA256
962aca07004f153ea796083dc09f39210d8eb88241f23ff3e2884ce763c15f6c

SHA512
d599e94b4eda56c4a56e728c95348ab0dd2c8f9a874f19b440a14bffdaa929a72c448350fff1fdecac6ad43363a3583ccd8377c89af3ea9cb88da36522243a19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a9c454d0d29f711ae26bda8604b6dd8

SHA1
998c6d30c708534228501eed71b31b70cbf8ebff

SHA256
2e66abcf92dfc43ae78e13fd480f375dd23c4cda425ee2b89df1d0dc851be43f

SHA512
c2dd5a9e262cec2a6c634f9753fc252c04c75cde262c59a4356ac3dfc49a604af9ac9a137e23ced58df59ed82fc6ae219cd39d5aed2defb1b8623089dd274c66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ebc7f4030354c12006bec8b6353da23c

SHA1
1aa72fc385108ff69117ab88678987d20876e1ac

SHA256
a3671137e0c5f3914f7e0a0f2b7038bde6bb471bba0f9358189f5f1b90ead21b

SHA512
8bea4f5cad7ad145f08967d653148ce43a02d5ac8bc29f168b5a40041cc61b1768df1f32dab2181ec4bc4ed3f89729c49a91856c81243bf69a483844e90c61c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9252f39e72f3d905635c985a21a4c3f8

SHA1
bbdff04e50a92972ac3b221205e5e39f81061d81

SHA256
4d191e7715c8c19e04cd7baf0369ff2903a2b96c8d0e1fc17c8911e90f879ee1

SHA512
898f755570a6a3922f6d237570f69839f1ff14704675e98c3a526cf5ba730735a91360be43d93d0f79d14ee698be1902908ad2355bbf9dd551d08c6a22cb07fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3cc372d2c227fb20fa7c016eecf71e31

SHA1
65827f3fef5a7ed73fb2bf4c54aeed1af551ca5e

SHA256
f10be8d92a49fedb1e4848d2d9f259c0add01a763767da7ceeb89dc51dad07a4

SHA512
3951b136fb5069c57a7b39d054800a0fe68b2d305468abef8790758ac1959ecb0245ec5cf67ae77e343a9b95fcd2b17fa8c599cb2062c98421ede975c68ee6be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc5c0aa2c123d3bd691e6e6f36e2f82d

SHA1
1e7544962aa718acc387bdcbd8c3f67d0d5b76ea

SHA256
1f6eed38423ba8c0c5a915826ab6b55016f876f1ff1165969a586db54f3448c8

SHA512
e1cabb8eba7b125625c9603398c69bf6bfea28b40792b465e8ab37ba57047969af7a92d441185a78dd8c230e9e1a7274f6e3371f4e3b777f39dd5f7c4c6b3ccc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c30c37cfa696c309190a40e2d8727f0d

SHA1
cd60a1a6c638af323c073f8cb3fb3edac7fdfa91

SHA256
2b259b26b3df874a0e893131b0ba5f36b5bfbb74da3ef998111fb33f69b58b92

SHA512
979cd3e29a03761ed3542d93afa549b859d67a9101eb8a184f92399bc881f33e6970c0c52820fd45bb0a206ae01466de9e758ba7866f02d96bcd7820380d48d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
472c6d5be67ca07e1f0035edeaded4fa

SHA1
8c737b1ba37cd42bc21dc20501fac68046942847

SHA256
0431814e701e07a6d42c836ceaa0f71f27833331d2aeaf0ad7d2a4e03de2aeeb

SHA512
319a17a13b8463ae8f60b6cf92760b3fad488e56e16f52ce22ec32f2596842b10e60db2d33775fc702f74ce06fee0e5ed96b7f7dfdc202e323f283714488c993

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
272f680b0e4592be4f15ab76908e670a

SHA1
066ff1dc50ddbdd2158a0d94f6b7baa96084ff59

SHA256
3f3d49f5802c4c4e3bec12ea63bf1c2396792e1bc25d378a99479a8b1963c82e

SHA512
ef28442566cbbb9e0cacf0a7b8bba999cab13ef65b6fb76c96fa27e20558fb7f5d6a9196ca7e6bec4bb7acf3e7c9e9bc3e0e4df0357ca1f90d47241333634352

Download Submit
C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat

Filesize
235B

MD5
a87a2c93bbd6f80df902257023458080

SHA1
d3e7537c0d0421b3188da122fed97f5c6035ab06

SHA256
e2610caf724ce23146c3bc2b8b30888c91a2263ed0d2d9cd56bc76f5c970fb0a

SHA512
3716ec8560b07c434bae6ad1a25b3cd5792f29f7f9e701c26ff824dd2d11262b27c876419c5265d726c979c00734b323d68ff9d2c7fbe01fe43111c06783279a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat

Filesize
235B

MD5
60fed64317f3bd9b9c27659229a0da8c

SHA1
d06689791272e44ac46ffa27cdf4982d1af2aff4

SHA256
69a420df6ebb4caba40bbe64a6d5b52133c7e043ecc98e2257d06221825e32a0

SHA512
f2575806eff59975f8c441b6d2d6b75bafcddda7c984f5540bc4f884384468f5f6544a2f9e515c734cd60aca72843280080e6f7ac8fc0bec4952bb0c68edb764

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC6DA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat

Filesize
235B

MD5
81d8ea75e05176e7ed2b98e218713fce

SHA1
08131f19be0e447d3ad45b307b32a540e71a71e9

SHA256
ee76449631858c7523a4af8fcd50322c9b18baf891c1534eedcac457040ef553

SHA512
791cba234273456eee71395f8837fe36611d36422fad8959fd38a6bf60823815d1c7ee148bf6a5fa8d2456cf8de543657e1e265d957794cebd49113480c5c382

Download Submit
C:\Users\Admin\AppData\Local\Temp\M2NHsv551y.bat

Filesize
235B

MD5
7dda21c238471c9f8970b70ecf791b21

SHA1
c70c732eb1a957a32c58e66acab526568cdb97ee

SHA256
d5bae39cb9648839483557ad0e6e728018f417ac20afd863473945befb2374bc

SHA512
d671f49cf3c3dbf27f1cbd0eb6bc2f703a8ae0bcc20f930591ce0154cd04fc794cf77cb0b661d49fbfeb5497a18ca287e0b1fb6b3bb87cae1436ba860beaba06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC6EC.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat

Filesize
235B

MD5
c492273bbb440068ab828ef09d85e1d2

SHA1
4e106386831a6c58e8ff83b599042f5d90df9c48

SHA256
dff526f45a5557b07a44f6cbebde36aba3795662fca2b72dfe896e1d89c2cf5a

SHA512
a30c6e5eea5d86c3934da1eedcb8c4a569f39c1ee6863d383f55359cebacbee4812cd6f28dc79d72c32273ed6fba0f9dd946ddccd89f7feff3908eb8b2cf0cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat

Filesize
235B

MD5
d7639b7f7dcfb09bde7a3a255661d46e

SHA1
5a2e07558fd42ab7269ece61a203f69cbb5bae4a

SHA256
a2b07b9f44554fa22e243577ee9b09363b13c7969e32c4c55304ccb949d477f8

SHA512
22feedc24bb23f655a7c8a28160e09523962c1cdf84ec5eb61ea2f472de1880615c0e526e414ed98642bd287de21ea53a2c4bd3193125d9aa029a9a498867e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf2k7CZMYL.bat

Filesize
235B

MD5
e1a60488131caecb9fe1ff144cb26d9d

SHA1
577248d6efebec10b0df05a1bea7210692bfcdac

SHA256
874f025dee1098160f86e1b237e053146ddcfe82e2f1380ef51efc1203571a16

SHA512
491f9509390f3e2844e386ad1fd0e98cfdf352917e4b3d492602ca6dce116d70c19d00f45cefc92175ac474fe14c486a1fe382cd45bf809cd8340822d45a6e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\eNTIt1NKYH.bat

Filesize
235B

MD5
5c0f171a48a43ed0af1006c3397f8322

SHA1
cc207da25a59da767397c67ea4f727fee18edbe7

SHA256
6eba51bcd22cd2a652cb779d5543c100df494a5cf4a7d8519bbbdaeac27890d9

SHA512
2d20785a166d14471d69d94f0a2dd2faf2bd01e984a057b81e00adcc6e5e7470b64cf0dd800cf5c8c5a5a74a1055a7134113ace09f97241d939aae8e6a4d7a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcLsEvVTrf.bat

Filesize
235B

MD5
e8b6aafef1d4915e27dfb8d205487603

SHA1
51d0966ee619bcddb2fcd42be12af6541cbf44fa

SHA256
93d73e79dab740fdac5429f37fcbce07f39611639446e720db12c334970a73c8

SHA512
47fe42bfcd35c97e40c3e345357759851dd0e284936e28e822490f77dbfe879d61cc435ed55a2383bcc03a7aa4f90067058389ecd777d6a8a8c0742f4b767962

Download Submit
C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat

Filesize
235B

MD5
e0bf130c676eb4d5797a8d84fcb9adf1

SHA1
9705abadb18aec2b011efecb224f6ae715536396

SHA256
885690eaf3bfd2d45c76ea1e5109e719f086be8c6938696c1f57f23c5c34581e

SHA512
4feef956fcce1976c86fbbbb8dc0bd026e3af6a255253e725026bd71a12aef7bb36f24d19ec2f83a729fd17d330cceabdd70d7884e4feb2d43c5709d0c0e3936

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoQf8QHV2Q.bat

Filesize
235B

MD5
f3121d9f38fd5baed67b92fd277d9e36

SHA1
5d55257419d66eaf350bf3bc7f763220acb57012

SHA256
26499aaefab977608f9ec366836084f9cf70d8091e35874a2dd680cef4c2a6c9

SHA512
15b10ac3379ad86372a2a0298f608803f606a16186ad6dcd40ff4a4d99e55ddbd23507e0a89072c30dfdfda9238a3b24d43ef5286bf73c6f672b76aef7575a7d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
036dfeb930fc4ddfb62de62f9715d604

SHA1
e57ea65f19ecd67f45dd136d4cd8b88a89f73ba8

SHA256
5e30a2dfddfbbc6790d2721667e7500999161a6b5d1f93adf39a7bfd865b1a57

SHA512
a71cabf203259b23aaea029fd2218cde27b81090c0de77c7a278d27913c7a28689fbaa3f4c1dc38abd6d42759cc7f228e619930db612cad809d9e771ec7e67c1

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/276-528-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/376-51-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/376-50-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/752-647-0x00000000010D0000-0x00000000011E0000-memory.dmp

Filesize
1.1MB

Download
memory/1040-288-0x00000000003E0000-0x00000000004F0000-memory.dmp

Filesize
1.1MB

Download
memory/1364-52-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/1364-49-0x0000000001310000-0x0000000001420000-memory.dmp

Filesize
1.1MB

Download
memory/2016-348-0x0000000001110000-0x0000000001220000-memory.dmp

Filesize
1.1MB

Download
memory/2732-15-0x00000000003A0000-0x00000000003AC000-memory.dmp

Filesize
48KB

Download
memory/2732-14-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/2732-13-0x00000000003D0000-0x00000000004E0000-memory.dmp

Filesize
1.1MB

Download
memory/2732-16-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/2732-17-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/2928-408-0x0000000000050000-0x0000000000160000-memory.dmp

Filesize
1.1MB

Download
memory/3040-468-0x00000000008A0000-0x00000000009B0000-memory.dmp

Filesize
1.1MB

Download