dcrat | e8be04bd1ae1b0c37648c2f5604f4ab0b30fdd0630d6cae277ed93890896cde3

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_e8be04bd1ae1b0c37648c2f5604f4ab0b30fdd0630d6cae277ed93890896cde3.exe
Size

1.3MB
MD5

12450a138853cadda2fd3368191ccf65
SHA1

072d84099dcb70f6a253812db1a8e6c2a9f33698
SHA256

e8be04bd1ae1b0c37648c2f5604f4ab0b30fdd0630d6cae277ed93890896cde3
SHA512

849bd227d7631eaefa9d505d27ce425c924791552aec7749e206cb69aa29997c4cadf72a7767e1b8d8c79309baa9d237946e60bb594b501b20154f645c4e6365
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2572	schtasks.exe	35

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000018636-12.dat	dcrat
behavioral1/memory/2852-13-0x0000000000FA0000-0x00000000010B0000-memory.dmp	dcrat
behavioral1/memory/1856-66-0x0000000000380000-0x0000000000490000-memory.dmp	dcrat
behavioral1/memory/1692-125-0x0000000000A60000-0x0000000000B70000-memory.dmp	dcrat
behavioral1/memory/296-185-0x00000000013D0000-0x00000000014E0000-memory.dmp	dcrat
behavioral1/memory/908-245-0x0000000000350000-0x0000000000460000-memory.dmp	dcrat
behavioral1/memory/880-305-0x00000000008F0000-0x0000000000A00000-memory.dmp	dcrat
behavioral1/memory/2672-365-0x0000000001260000-0x0000000001370000-memory.dmp	dcrat
behavioral1/memory/2868-425-0x0000000000030000-0x0000000000140000-memory.dmp	dcrat
behavioral1/memory/1660-485-0x0000000000180000-0x0000000000290000-memory.dmp	dcrat
behavioral1/memory/2944-545-0x0000000000C40000-0x0000000000D50000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2936	powershell.exe
2392	powershell.exe
1848	powershell.exe
1928	powershell.exe
1944	powershell.exe
1736	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2852	DllCommonsvc.exe
1856	WmiPrvSE.exe
1692	WmiPrvSE.exe
296	WmiPrvSE.exe
908	WmiPrvSE.exe
880	WmiPrvSE.exe
2672	WmiPrvSE.exe
2868	WmiPrvSE.exe
1660	WmiPrvSE.exe
2944	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
2704	cmd.exe
2704	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
27	raw.githubusercontent.com
34	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\csrss.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e8be04bd1ae1b0c37648c2f5604f4ab0b30fdd0630d6cae277ed93890896cde3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2424	schtasks.exe
2984	schtasks.exe
1308	schtasks.exe
2188	schtasks.exe
2872	schtasks.exe
2888	schtasks.exe
2740	schtasks.exe
1776	schtasks.exe
1628	schtasks.exe
1728	schtasks.exe
868	schtasks.exe
2920	schtasks.exe
2836	schtasks.exe
1832	schtasks.exe
1584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2852	DllCommonsvc.exe
1928	powershell.exe
1944	powershell.exe
1848	powershell.exe
2392	powershell.exe
1736	powershell.exe
2936	powershell.exe
1856	WmiPrvSE.exe
1692	WmiPrvSE.exe
296	WmiPrvSE.exe
908	WmiPrvSE.exe
880	WmiPrvSE.exe
2672	WmiPrvSE.exe
2868	WmiPrvSE.exe
1660	WmiPrvSE.exe
2944	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2852	DllCommonsvc.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	1856	WmiPrvSE.exe
Token: SeDebugPrivilege	1692	WmiPrvSE.exe
Token: SeDebugPrivilege	296	WmiPrvSE.exe
Token: SeDebugPrivilege	908	WmiPrvSE.exe
Token: SeDebugPrivilege	880	WmiPrvSE.exe
Token: SeDebugPrivilege	2672	WmiPrvSE.exe
Token: SeDebugPrivilege	2868	WmiPrvSE.exe
Token: SeDebugPrivilege	1660	WmiPrvSE.exe
Token: SeDebugPrivilege	2944	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 1096	2112	JaffaCakes118_e8be04bd1ae1b0c37648c2f5604f4ab0b30fdd0630d6cae277ed93890896cde3.exe	31
PID 2112 wrote to memory of 1096	2112	JaffaCakes118_e8be04bd1ae1b0c37648c2f5604f4ab0b30fdd0630d6cae277ed93890896cde3.exe	31
PID 2112 wrote to memory of 1096	2112	JaffaCakes118_e8be04bd1ae1b0c37648c2f5604f4ab0b30fdd0630d6cae277ed93890896cde3.exe	31
PID 2112 wrote to memory of 1096	2112	JaffaCakes118_e8be04bd1ae1b0c37648c2f5604f4ab0b30fdd0630d6cae277ed93890896cde3.exe	31
PID 1096 wrote to memory of 2704	1096	WScript.exe	32
PID 1096 wrote to memory of 2704	1096	WScript.exe	32
PID 1096 wrote to memory of 2704	1096	WScript.exe	32
PID 1096 wrote to memory of 2704	1096	WScript.exe	32
PID 2704 wrote to memory of 2852	2704	cmd.exe	34
PID 2704 wrote to memory of 2852	2704	cmd.exe	34
PID 2704 wrote to memory of 2852	2704	cmd.exe	34
PID 2704 wrote to memory of 2852	2704	cmd.exe	34
PID 2852 wrote to memory of 2936	2852	DllCommonsvc.exe	51
PID 2852 wrote to memory of 2936	2852	DllCommonsvc.exe	51
PID 2852 wrote to memory of 2936	2852	DllCommonsvc.exe	51
PID 2852 wrote to memory of 2392	2852	DllCommonsvc.exe	52
PID 2852 wrote to memory of 2392	2852	DllCommonsvc.exe	52
PID 2852 wrote to memory of 2392	2852	DllCommonsvc.exe	52
PID 2852 wrote to memory of 1848	2852	DllCommonsvc.exe	53
PID 2852 wrote to memory of 1848	2852	DllCommonsvc.exe	53
PID 2852 wrote to memory of 1848	2852	DllCommonsvc.exe	53
PID 2852 wrote to memory of 1928	2852	DllCommonsvc.exe	54
PID 2852 wrote to memory of 1928	2852	DllCommonsvc.exe	54
PID 2852 wrote to memory of 1928	2852	DllCommonsvc.exe	54
PID 2852 wrote to memory of 1944	2852	DllCommonsvc.exe	55
PID 2852 wrote to memory of 1944	2852	DllCommonsvc.exe	55
PID 2852 wrote to memory of 1944	2852	DllCommonsvc.exe	55
PID 2852 wrote to memory of 1736	2852	DllCommonsvc.exe	56
PID 2852 wrote to memory of 1736	2852	DllCommonsvc.exe	56
PID 2852 wrote to memory of 1736	2852	DllCommonsvc.exe	56
PID 2852 wrote to memory of 1788	2852	DllCommonsvc.exe	63
PID 2852 wrote to memory of 1788	2852	DllCommonsvc.exe	63
PID 2852 wrote to memory of 1788	2852	DllCommonsvc.exe	63
PID 1788 wrote to memory of 2488	1788	cmd.exe	65
PID 1788 wrote to memory of 2488	1788	cmd.exe	65
PID 1788 wrote to memory of 2488	1788	cmd.exe	65
PID 1788 wrote to memory of 1856	1788	cmd.exe	66
PID 1788 wrote to memory of 1856	1788	cmd.exe	66
PID 1788 wrote to memory of 1856	1788	cmd.exe	66
PID 1856 wrote to memory of 3012	1856	WmiPrvSE.exe	67
PID 1856 wrote to memory of 3012	1856	WmiPrvSE.exe	67
PID 1856 wrote to memory of 3012	1856	WmiPrvSE.exe	67
PID 3012 wrote to memory of 2684	3012	cmd.exe	69
PID 3012 wrote to memory of 2684	3012	cmd.exe	69
PID 3012 wrote to memory of 2684	3012	cmd.exe	69
PID 3012 wrote to memory of 1692	3012	cmd.exe	70
PID 3012 wrote to memory of 1692	3012	cmd.exe	70
PID 3012 wrote to memory of 1692	3012	cmd.exe	70
PID 1692 wrote to memory of 1696	1692	WmiPrvSE.exe	71
PID 1692 wrote to memory of 1696	1692	WmiPrvSE.exe	71
PID 1692 wrote to memory of 1696	1692	WmiPrvSE.exe	71
PID 1696 wrote to memory of 1552	1696	cmd.exe	73
PID 1696 wrote to memory of 1552	1696	cmd.exe	73
PID 1696 wrote to memory of 1552	1696	cmd.exe	73
PID 1696 wrote to memory of 296	1696	cmd.exe	74
PID 1696 wrote to memory of 296	1696	cmd.exe	74
PID 1696 wrote to memory of 296	1696	cmd.exe	74
PID 296 wrote to memory of 2392	296	WmiPrvSE.exe	75
PID 296 wrote to memory of 2392	296	WmiPrvSE.exe	75
PID 296 wrote to memory of 2392	296	WmiPrvSE.exe	75
PID 2392 wrote to memory of 2524	2392	cmd.exe	77
PID 2392 wrote to memory of 2524	2392	cmd.exe	77
PID 2392 wrote to memory of 2524	2392	cmd.exe	77
PID 2392 wrote to memory of 908	2392	cmd.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e8be04bd1ae1b0c37648c2f5604f4ab0b30fdd0630d6cae277ed93890896cde3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e8be04bd1ae1b0c37648c2f5604f4ab0b30fdd0630d6cae277ed93890896cde3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Templates\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WWb6AaO82t.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1788
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2488
      - C:\Users\Default\Desktop\WmiPrvSE.exe
        
        "C:\Users\Default\Desktop\WmiPrvSE.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CMv1BFFgLz.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2684
        
        C:\Users\Default\Desktop\WmiPrvSE.exe
        
        "C:\Users\Default\Desktop\WmiPrvSE.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zj0hR7WTEZ.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1552
        
        C:\Users\Default\Desktop\WmiPrvSE.exe
        
        "C:\Users\Default\Desktop\WmiPrvSE.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\da4noHdFs8.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2524
        
        C:\Users\Default\Desktop\WmiPrvSE.exe
        
        "C:\Users\Default\Desktop\WmiPrvSE.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OPH1A2PBmS.bat"
        13⤵
        
        PID:2716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1508
        
        C:\Users\Default\Desktop\WmiPrvSE.exe
        
        "C:\Users\Default\Desktop\WmiPrvSE.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRWwqJyPGw.bat"
        15⤵
        
        PID:2704
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2312
        
        C:\Users\Default\Desktop\WmiPrvSE.exe
        
        "C:\Users\Default\Desktop\WmiPrvSE.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VAhDAdBh8f.bat"
        17⤵
        
        PID:2236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1936
        
        C:\Users\Default\Desktop\WmiPrvSE.exe
        
        "C:\Users\Default\Desktop\WmiPrvSE.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat"
        19⤵
        
        PID:3068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2936
        
        C:\Users\Default\Desktop\WmiPrvSE.exe
        
        "C:\Users\Default\Desktop\WmiPrvSE.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\A1nTHBcTHH.bat"
        21⤵
        
        PID:1892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2604
        
        C:\Users\Default\Desktop\WmiPrvSE.exe
        
        "C:\Users\Default\Desktop\WmiPrvSE.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V61H6ynXXY.bat"
        23⤵
        
        PID:1928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Templates\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Admin\Templates\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Templates\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Desktop\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7e4d8372451b0a1732e7b3031c4d292

SHA1
d8cd71f64cea586faac59dc3e66ddf090d8a8472

SHA256
35bf66c87a2cb8b9ab0b8b679df60f4323fecf6c4093f650b58825c1d89e20a8

SHA512
7e0d11c1c218d8fb63c77aee4915cb10c816ca1db6673ef233e47e30c7b446cd814048a6dd257ff43ce4f98fbaa5bf45d258541e5a69d1fa19efe9ac3d2a10bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb18a8af1f0d6c4bae44f9d2e2f7957b

SHA1
14e6db00785e7c5250b3e1663540f4acf8e16f26

SHA256
10230ff46dad4e34fb98b62e119575f8cf7e86403e44e582362fd58e4081a134

SHA512
29c8ec790129eff9e2d81d87f37a4c596bf4bd2c0d2f34d6757feced8fb53437a927c1e87e1b7536fc9f155fffde5ba57b6d8c37a3b646dd2f3f59e2e03c2817

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c2c97aae0087379bcddcb0425ce1c99

SHA1
af3b72050afbb9f3ab8023dc849954b2abf54137

SHA256
3c374ccf3a6e73fee99017200b0d12ead4abf6f3be72415219025587878ae8c6

SHA512
2db7ec0ce198bcb1d22ccd8f2d851d2ec77e08d0fe305f3fbd1ed6110ce4b70c34ab2a9a79d8fbb56646a6b24a6e41fd5e2c9aabd745054848dd4b0afb204308

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bdaee877167e726c6aca2f934b1b7b55

SHA1
13882c9fa03297f780d0611250eef328d237a08c

SHA256
0287f0f78fa25b2adca058449f92af29a588dcd32681818a6554663c907d9747

SHA512
00d0d1a9c218ccea7e2489b957684ff2b07d7f5bc0ef65e527584ce62b3a05ffadda19d9d7a271daf7684fa4561f90918bcd56a6403489355d248697ea6aad4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15a35e838e411d5f548703840711bf96

SHA1
305b519105dd6cda85ab81994c8cf24aadf8355d

SHA256
1be5cd3ae8e1b1b7ffef79087a158e891a118f760ab0b45c88e749f203c36daf

SHA512
af8969474ceaf7bb3c4dd76a15809b9aba1e698cf93bfe13c87f20e9c0ae894e7a50cf1af8b6d7246e74331875e0965f1c47074bb104133f62ad2d57a12db2ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fc3470fb3d0679d782f0f4cc9dc5ab7

SHA1
7afd81493f1135c5a41a80a1817d735ad960fa48

SHA256
c980700873cc1198eeae133ad6d6fc5c2ffac695af160327cfadee461d567cae

SHA512
77571a9ff88b9988bb5ae91934a935b3e6b62d74dbcdbc6ab176aa956bbdeefa020af9572ba84803c0ea5f97315507bc75909f64e2683767403c4bd2d281d418

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9648b5e5e8ee8612a0d2580b8a39d98

SHA1
c1ad4d8ef249952a5b6b3ce6f803278299d3c22d

SHA256
71e3da781f9ed2a417295dfb2281125bf6ceb4d8c0ed747c3c3c034415ab3743

SHA512
dde2688923dbb1bb9e026a0f512b251b8850fb467fdccccd55c2d2d606be13fbe74aa8a6a067f46351e7ee4b5328bb1ee8bf9998b03f717fe1031b2008db72ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6240dbc1907412dcac725f0960901b2e

SHA1
174845e3220db81c0a716c41b31285266370a270

SHA256
0999a0dd7ff4d8ed5795132c664e454dd40ebe963b5ff4ed898f47830d844454

SHA512
f6a8b76d0430e2298dc6671f2f0bbd539092c3b3914b053bf16780153fb56fbf905c740b989138ee53966991a9cf0ae0ecc8f5ca5cd9a99bc013e53a7a16e822

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1nTHBcTHH.bat

Filesize
202B

MD5
41d508e90ac29e81e1c30b956b04347f

SHA1
7155c245e821ed391e509752785e87a9887a0946

SHA256
ff9d2d5e5faf733387aac1c62cd7009f0f3efab68df5602d98b386c378c53747

SHA512
88fd48cc62c509f5e1e9d26fa7cbd7fc91f034a8b4c383935e48de80393df9136721027e56a94cc32870762d016acd16cd480d59f4c69e1ba7c5719758572fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMv1BFFgLz.bat

Filesize
202B

MD5
f867291638f23336857608690a82bb84

SHA1
9f73bd6ddbc62db9237f6210b4ef2f1a037d6e8a

SHA256
dcf6421ad22665c31d118041652efb0033aaa2bac9f96333f5a28b5625bdbd67

SHA512
0c5845c233df5b302caa2fbe6e139501f326470f6642ea404808d858795b942a9078ff26956a035a7c8e6c1d915c0432f4e3d8346314985d2ae171010e471315

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3842.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPH1A2PBmS.bat

Filesize
202B

MD5
53853df8232f6e6553ee911d8c713aeb

SHA1
b75bfb517b32db7382fe88c294ffb1671b266566

SHA256
fde06df6828e8314b10de6e72be6cc005cff2dbdbc7618e6014040ae77124228

SHA512
f4a36e6c17c50e804193d69713a13a8ca80c984ad661d00279e5d20788865ba3586867bcf2df516f0c5e1b2a3ee0dad4d2f2c051c135b85b1715e37dd11bf6f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3854.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\V61H6ynXXY.bat

Filesize
202B

MD5
c7e69756caeef4d2408a8a5d54d1d30d

SHA1
c75a47faf67891230b39002c048765e509213e03

SHA256
d43b8aecb05e02b1d1f6d12a8383a845f2092d0cf9f6d042b23adab98ec855af

SHA512
c83fb1a390ebb72a6c48103727ec26d1c0b20f9c3594e7fa7855e60e5c0b0eafaf3c7d035fc2373bfc37ce46c60c62cb587e607a1ccee4c68b7628a2f900e192

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAhDAdBh8f.bat

Filesize
202B

MD5
62206e3fc31fab7ffd81866025de4fbf

SHA1
144caab0f96ffeef15faec18370f34f106d47b67

SHA256
f6550bcb35783bf8cea56daaee82bb2a59895cf8fa7e13621677a159ecf02bf7

SHA512
71e888a80165d5e643be2480845a5bd788e275b10184709231fd3a4b81ddf49d638128eabfd1376cc26f6526e36bf4728f0b345da21ca5236139d1341982fcc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WWb6AaO82t.bat

Filesize
202B

MD5
01c263a946f8670f98259022c00dbdb1

SHA1
f9dbb1862712863210307b3450a47b957cc4a2d9

SHA256
e4ea935528ffb31fe9bba0a206509a490ad82dae2df5bbe920e60b17223adbb0

SHA512
b7bc53d4868230c2cb8867209f86ca3c73cd0588f1463cc2f9cd8a75df2f024e22808d39f9b84bac67d05d2b7fa45d69cf307e30923772bc64c01c087dd2eca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zj0hR7WTEZ.bat

Filesize
202B

MD5
577582b89337c305638a28cb29005d10

SHA1
42236fd3c1040a460879bca74b98b9f24cd83c4f

SHA256
f3dd28260e7ede5a6d10d63315570b30d5ef5edfa7b57f29c01c3b5188c39c23

SHA512
c407d24dba80d319865d9a096bc8b7f6b0937eff662683f3ff897370975dce0230514d9e88350a91faf7b060b8ca2d8448c7b9e3a7ebfb793762aa6f0b21b996

Download Submit
C:\Users\Admin\AppData\Local\Temp\da4noHdFs8.bat

Filesize
202B

MD5
eb6c27667bae405392a5230b9e2c9bb2

SHA1
07a78eb7ce917cc8e4a88d6b3772cdcaf356135a

SHA256
510d30a85b743a41f7e34c292cd6df6637b5d80ea433be39e0832b1bdc8a9813

SHA512
8dd50e29e816b2f79d15040103819400c8fbbea10d669e7260f78c61fea71bee3fcff922fc28572f25b8ec4c26c75a1963970a407cd3aedd46bfb54b244dd32c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wRWwqJyPGw.bat

Filesize
202B

MD5
0acf372481ef8eb22bb2f7efeab76425

SHA1
c33919a0e41623c26fdba93fe42be003929919f4

SHA256
8244da5540ddcc0c57b6ca5db901581cab7714fa0a1d7bcad2231a9c95a2c6a7

SHA512
6213db671b379d09fffc53ae973a724f80c90e52e6706096e0c44d8e52dd60d5234a1a43df5510dc4d133474a4f3b137f405fb4e3c6abe828f0d9adbd4f1451c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat

Filesize
202B

MD5
d7cc6a071be2629a510ed3af335dd4d3

SHA1
1f5a7ad8d6913d29ed56b938e600e254c074468f

SHA256
2c408e515707392b5c52f54ab861552f402e31d21fc3265e083860203a397c49

SHA512
285a43e3789002d39e863800548a6c43117a49272522f0258a72a666bba5140320b6c1b84e3acbac146e1261e2f7a65f4d0bbca9bd28200ec007d8361fec4568

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6b0ec5e1b904c2464e50899415626b89

SHA1
d57122f946b3a2c68a89b4bece5974fbd177143d

SHA256
49ffcd3a0e9e04fbe6a3cd714e4a9c88577f8f221addcce02bb7520eae38459d

SHA512
ed150fdcacb87a9a8d41c93c6581f6a659bb2cc68ff8a1230388eea50147756909d56ac9b9a088f405c50bcc44387190c41f8da5298b15826c69f40f3ee81fce

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/296-185-0x00000000013D0000-0x00000000014E0000-memory.dmp

Filesize
1.1MB

Download
memory/880-305-0x00000000008F0000-0x0000000000A00000-memory.dmp

Filesize
1.1MB

Download
memory/908-245-0x0000000000350000-0x0000000000460000-memory.dmp

Filesize
1.1MB

Download
memory/1660-485-0x0000000000180000-0x0000000000290000-memory.dmp

Filesize
1.1MB

Download
memory/1692-125-0x0000000000A60000-0x0000000000B70000-memory.dmp

Filesize
1.1MB

Download
memory/1856-66-0x0000000000380000-0x0000000000490000-memory.dmp

Filesize
1.1MB

Download
memory/1928-57-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/1928-56-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/2672-365-0x0000000001260000-0x0000000001370000-memory.dmp

Filesize
1.1MB

Download
memory/2852-16-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2852-15-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2852-17-0x0000000000590000-0x000000000059C000-memory.dmp

Filesize
48KB

Download
memory/2852-14-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2852-13-0x0000000000FA0000-0x00000000010B0000-memory.dmp

Filesize
1.1MB

Download
memory/2868-425-0x0000000000030000-0x0000000000140000-memory.dmp

Filesize
1.1MB

Download
memory/2944-546-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/2944-545-0x0000000000C40000-0x0000000000D50000-memory.dmp

Filesize
1.1MB

Download