dcrat | b0efaa76ce4f31e0ef0309a8cb7bc02b9bc025e26a95649abc9ab6e7cc7a7406

Analysis

max time kernel
145s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b0efaa76ce4f31e0ef0309a8cb7bc02b9bc025e26a95649abc9ab6e7cc7a7406.exe
Size

1.3MB
MD5

955ff33aa9dcacab7e1bb7302beada6a
SHA1

ca3ade10c6ec4194d80a72894deb174158880c24
SHA256

b0efaa76ce4f31e0ef0309a8cb7bc02b9bc025e26a95649abc9ab6e7cc7a7406
SHA512

2400d960673da8f6fe349a5bd7e0e35c7c4c393351190dc8f01c2d4258489b42adcf89cd6c7b4c4640a943d09cccd85cb49977713eb2fa103c4978f9a009f72a
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2476	schtasks.exe	35

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016031-11.dat	dcrat
behavioral1/memory/2880-13-0x0000000000F40000-0x0000000001050000-memory.dmp	dcrat
behavioral1/memory/2416-52-0x0000000000AC0000-0x0000000000BD0000-memory.dmp	dcrat
behavioral1/memory/1476-112-0x0000000000E30000-0x0000000000F40000-memory.dmp	dcrat
behavioral1/memory/1892-172-0x0000000001060000-0x0000000001170000-memory.dmp	dcrat
behavioral1/memory/1484-350-0x0000000001240000-0x0000000001350000-memory.dmp	dcrat
behavioral1/memory/2628-648-0x0000000000260000-0x0000000000370000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
628	powershell.exe
1472	powershell.exe
544	powershell.exe
2388	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2880	DllCommonsvc.exe
2416	dllhost.exe
1476	dllhost.exe
1892	dllhost.exe
1472	dllhost.exe
1612	dllhost.exe
1484	dllhost.exe
704	dllhost.exe
1340	dllhost.exe
2964	dllhost.exe
2816	dllhost.exe
2628	dllhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2312	cmd.exe
2312	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
29	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
32	raw.githubusercontent.com
39	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Mail\es-ES\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\es-ES\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\es-ES\services.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b0efaa76ce4f31e0ef0309a8cb7bc02b9bc025e26a95649abc9ab6e7cc7a7406.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2872	schtasks.exe
2796	schtasks.exe
2676	schtasks.exe
2052	schtasks.exe
1716	schtasks.exe
2352	schtasks.exe
2628	schtasks.exe
2640	schtasks.exe
844	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2880	DllCommonsvc.exe
628	powershell.exe
544	powershell.exe
2388	powershell.exe
1472	powershell.exe
2416	dllhost.exe
1476	dllhost.exe
1892	dllhost.exe
1472	dllhost.exe
1612	dllhost.exe
1484	dllhost.exe
704	dllhost.exe
1340	dllhost.exe
2964	dllhost.exe
2816	dllhost.exe
2628	dllhost.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	DllCommonsvc.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	544	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	2416	dllhost.exe
Token: SeDebugPrivilege	1476	dllhost.exe
Token: SeDebugPrivilege	1892	dllhost.exe
Token: SeDebugPrivilege	1472	dllhost.exe
Token: SeDebugPrivilege	1612	dllhost.exe
Token: SeDebugPrivilege	1484	dllhost.exe
Token: SeDebugPrivilege	704	dllhost.exe
Token: SeDebugPrivilege	1340	dllhost.exe
Token: SeDebugPrivilege	2964	dllhost.exe
Token: SeDebugPrivilege	2816	dllhost.exe
Token: SeDebugPrivilege	2628	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2504	2124	JaffaCakes118_b0efaa76ce4f31e0ef0309a8cb7bc02b9bc025e26a95649abc9ab6e7cc7a7406.exe	30
PID 2124 wrote to memory of 2504	2124	JaffaCakes118_b0efaa76ce4f31e0ef0309a8cb7bc02b9bc025e26a95649abc9ab6e7cc7a7406.exe	30
PID 2124 wrote to memory of 2504	2124	JaffaCakes118_b0efaa76ce4f31e0ef0309a8cb7bc02b9bc025e26a95649abc9ab6e7cc7a7406.exe	30
PID 2124 wrote to memory of 2504	2124	JaffaCakes118_b0efaa76ce4f31e0ef0309a8cb7bc02b9bc025e26a95649abc9ab6e7cc7a7406.exe	30
PID 2504 wrote to memory of 2312	2504	WScript.exe	31
PID 2504 wrote to memory of 2312	2504	WScript.exe	31
PID 2504 wrote to memory of 2312	2504	WScript.exe	31
PID 2504 wrote to memory of 2312	2504	WScript.exe	31
PID 2312 wrote to memory of 2880	2312	cmd.exe	33
PID 2312 wrote to memory of 2880	2312	cmd.exe	33
PID 2312 wrote to memory of 2880	2312	cmd.exe	33
PID 2312 wrote to memory of 2880	2312	cmd.exe	33
PID 2880 wrote to memory of 628	2880	DllCommonsvc.exe	45
PID 2880 wrote to memory of 628	2880	DllCommonsvc.exe	45
PID 2880 wrote to memory of 628	2880	DllCommonsvc.exe	45
PID 2880 wrote to memory of 1472	2880	DllCommonsvc.exe	46
PID 2880 wrote to memory of 1472	2880	DllCommonsvc.exe	46
PID 2880 wrote to memory of 1472	2880	DllCommonsvc.exe	46
PID 2880 wrote to memory of 544	2880	DllCommonsvc.exe	47
PID 2880 wrote to memory of 544	2880	DllCommonsvc.exe	47
PID 2880 wrote to memory of 544	2880	DllCommonsvc.exe	47
PID 2880 wrote to memory of 2388	2880	DllCommonsvc.exe	48
PID 2880 wrote to memory of 2388	2880	DllCommonsvc.exe	48
PID 2880 wrote to memory of 2388	2880	DllCommonsvc.exe	48
PID 2880 wrote to memory of 2700	2880	DllCommonsvc.exe	51
PID 2880 wrote to memory of 2700	2880	DllCommonsvc.exe	51
PID 2880 wrote to memory of 2700	2880	DllCommonsvc.exe	51
PID 2700 wrote to memory of 1988	2700	cmd.exe	55
PID 2700 wrote to memory of 1988	2700	cmd.exe	55
PID 2700 wrote to memory of 1988	2700	cmd.exe	55
PID 2700 wrote to memory of 2416	2700	cmd.exe	56
PID 2700 wrote to memory of 2416	2700	cmd.exe	56
PID 2700 wrote to memory of 2416	2700	cmd.exe	56
PID 2416 wrote to memory of 484	2416	dllhost.exe	57
PID 2416 wrote to memory of 484	2416	dllhost.exe	57
PID 2416 wrote to memory of 484	2416	dllhost.exe	57
PID 484 wrote to memory of 776	484	cmd.exe	59
PID 484 wrote to memory of 776	484	cmd.exe	59
PID 484 wrote to memory of 776	484	cmd.exe	59
PID 484 wrote to memory of 1476	484	cmd.exe	60
PID 484 wrote to memory of 1476	484	cmd.exe	60
PID 484 wrote to memory of 1476	484	cmd.exe	60
PID 1476 wrote to memory of 2808	1476	dllhost.exe	61
PID 1476 wrote to memory of 2808	1476	dllhost.exe	61
PID 1476 wrote to memory of 2808	1476	dllhost.exe	61
PID 2808 wrote to memory of 2344	2808	cmd.exe	63
PID 2808 wrote to memory of 2344	2808	cmd.exe	63
PID 2808 wrote to memory of 2344	2808	cmd.exe	63
PID 2808 wrote to memory of 1892	2808	cmd.exe	64
PID 2808 wrote to memory of 1892	2808	cmd.exe	64
PID 2808 wrote to memory of 1892	2808	cmd.exe	64
PID 1892 wrote to memory of 628	1892	dllhost.exe	65
PID 1892 wrote to memory of 628	1892	dllhost.exe	65
PID 1892 wrote to memory of 628	1892	dllhost.exe	65
PID 628 wrote to memory of 2156	628	cmd.exe	67
PID 628 wrote to memory of 2156	628	cmd.exe	67
PID 628 wrote to memory of 2156	628	cmd.exe	67
PID 628 wrote to memory of 1472	628	cmd.exe	68
PID 628 wrote to memory of 1472	628	cmd.exe	68
PID 628 wrote to memory of 1472	628	cmd.exe	68
PID 1472 wrote to memory of 1728	1472	dllhost.exe	69
PID 1472 wrote to memory of 1728	1472	dllhost.exe	69
PID 1472 wrote to memory of 1728	1472	dllhost.exe	69
PID 1728 wrote to memory of 1540	1728	cmd.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b0efaa76ce4f31e0ef0309a8cb7bc02b9bc025e26a95649abc9ab6e7cc7a7406.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b0efaa76ce4f31e0ef0309a8cb7bc02b9bc025e26a95649abc9ab6e7cc7a7406.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\es-ES\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DjfEt6epAa.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2700
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1988
      - C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:484
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:776
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bYn7JG6kRk.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2344
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2156
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ounU5LkXKE.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1540
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\grdey4A1QM.bat"
        15⤵
        
        PID:2724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2652
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat"
        17⤵
        
        PID:1440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1640
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmZn61weJC.bat"
        19⤵
        
        PID:2432
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1932
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\srJhtCwLGi.bat"
        21⤵
        
        PID:1560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1588
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AXFqcUy7ES.bat"
        23⤵
        
        PID:1256
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2948
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m1XclINWiF.bat"
        25⤵
        
        PID:2900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1480
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tA3KztjMoN.bat"
        27⤵
        
        PID:2132
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
238b123fb96876501d09e4f68436242b

SHA1
7904737838cd78a725660f5e8260a170267b4d9d

SHA256
4f561202c28dc0296c21726920d7644cf6c9dc96bb60ca0c49f0b69f7d673a93

SHA512
a6ef8d13fd58a589fc1247b4234e8779da1d64aa06aa7578ad9c67372dd620825e04fb38c5b6db046cfd335468e67426d130d8a866e99afd331bcb42c16e465a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9647f569bdb64f38b1347246155e3782

SHA1
e19bc745c12f380c179ca95593e073e25083f3a7

SHA256
1cda7a474f3ed3d7fac59b0af58a2070663bcc7dbc027e37012ac5c995053826

SHA512
da3f2a06cd29c5f2678450cc15fd9219da98d833de6ed1dcb7cb5d6d5f38df109bdd13071d242ffd8cbe2cbda72c9a7e5114217b239401867ea413792e6f0b61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
728ea9b3c3f3609711cf5e835e325ce3

SHA1
eb85849a977a0b992bba140001d18c8f4b2fbd11

SHA256
f9bcb046cbd37d6d50f99c6106cb6a1235df91ae6d0c7603ece4b75fb05ff935

SHA512
f3eff9a6444b5d24ad7942dea09f9059c8b5d2d02ab5686d7bcea94be85fd3de6d1d3c556604079fa9356061f14c00c6b30d2d07b985214a472236829ea34e75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49534ea5585b3c0b1f50030db73287ac

SHA1
b67eff0f3501d656253095a3846fd4605bb53711

SHA256
695e9a549938a51d036c9de275d868cdfa2962cea79a6ee7505aee27183e25eb

SHA512
b1b776446438350150df20f6e22b8a881907b8aad941888ef489d4ca1a31e59cf8287de0ac56070d8426cd81b8ecc2e63f82b53e4516a2e91019867ef3e282f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6cf0e5f176700b664fe1cce0f90aae3b

SHA1
a730a1142fd7d7caae2a92730dd6af98346d3d53

SHA256
b982f8ac726343cf58f56d3fd2a59857f4fd272f831b4ccd3ee10119c23a4751

SHA512
718acde2a21118e23c6acf918f6c79bc49c723a845f641bdfda3767d9729fecd9fbc58deffe593a4893c142f51936acdc69557d72f1145efc34df8eaa3fc9e9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
121ce941f6f8db0373a6fe0e7d8e1693

SHA1
84ae880a5cae2ff7837b040e164164566594ef61

SHA256
8aee915b006fb553a7595de53f5a29c00ed0dd6945e9e3873395c6075345c2c0

SHA512
f09411a4df413e6cdafa5c0ad36d5ab3f71cd33751a61d00516063b57d7f739f5c3d5d9f7c4830500e9acea9d12a8db531f12540df22e124246e709a36ba7322

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52a46a882452b9b01e3141ab3813c5a3

SHA1
0c55ab041da2424589fe761494d8dbae2f1cc5ba

SHA256
92e77da6cfc5d0e2bf263a21ae4bacb50cce40a8f263f2e2849a9af2354d42ce

SHA512
ff858c66a2c98caa75bd4277f4fafc1d5a0f02a2e7069cd612b6ecf27f716c3ea0711a5b224eddc7f4dcfb6326588a43833a1c758be9051200b3168396a96457

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed296ac350e40502674cfbb8d885b0e0

SHA1
8cdc55e53e5aad6a5134d3272528c1ef5ea155fa

SHA256
479730d800d631c1d72118ae41ed6e8f2c45217728102506fa8f2b936045d261

SHA512
5b51646c2bef8b16b79d6845019e39dab8b03e50d6afe30d9f7f1e6c561ae12b8f719ca323e848f379f0f6460a391fc70bd9bd997c58386a2e391c8f50665dd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b45460d869d577526eac1a7c9ec3d33d

SHA1
727316c620cd53b5d11c2062412a3d5468da4911

SHA256
0ed35f34e28b25e439a4b5ae9304b86d0d441a750109add4b0e924354dc0f506

SHA512
ab98127c25e3acf6b9752018d8910863a60f14897d3e33ed8dd06f2d94b92b639c44b1d09cd04bde6b1bab814813d7b30415995d8f1bbd096e35552cbb9aa583

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d690e9b2655d8d8e1372a3d986b0438e

SHA1
93cb7a3b4c9bc6ff2cef21b9e101f0c42a9707c1

SHA256
2f7603f142b0e9d16597e34e2c376b3dd6b3eba1bdcd2064cd3691c595ee29f1

SHA512
eafda2f8cc652b83dac527d90a7b51b6ae3da22e265f152419a0a81f625085a79a4a5c6b5e492a6ea2c5c38342c879477edbba615b90d26988a2d1d7ee3b401f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AXFqcUy7ES.bat

Filesize
225B

MD5
5c8500e22a559de3c29354f06de764f9

SHA1
bca00c40b8cd81ae147d79780cacad59e6839d2c

SHA256
c892c070b5a85cda899a2181a319969298072ec580dc95b170f4cc379dd33000

SHA512
05745c2d3f2a675415a7a32833b788b6b5cd831864d469e02433a41de268d5b89136b7497d568d6c17c4f98f47b66b346a7be1fde5e6b16967c7924edd86159c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1A94.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DjfEt6epAa.bat

Filesize
225B

MD5
b127d26aa5c071a8bb20f9889d85d9b1

SHA1
db94481e6ae99c8d82203b1a524857cb84e89dd3

SHA256
3d9ec44fe98d009283d1613b5efde961128091330cfbc08ef66188df912bf359

SHA512
179e696d893446f060b7530423a71bccac7dcae91162826227334b60456ef3b93d2d8d30417c952b3eccd1a8b274a4dfaf85a217a29380a7e201ccb4ed8754b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat

Filesize
225B

MD5
6cdaa2059835509832795c63a514bb6a

SHA1
3cc759b1e0ee8a89c5ddc11210ab4bd7cb73a7d3

SHA256
539f33cf203ca404a5e967321349c82dc6160671fd1c7aa2d80ab9e54beb7fbe

SHA512
219d10e6fc184cb4f3ac71a3ba4ac84a474b307883781f127dd832fc8f59e4f1277d343f4fae885cefc63d3fb4d4ab98d4e0c4e6d02f3344d948a388eb446dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1AB7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bYn7JG6kRk.bat

Filesize
225B

MD5
bca7210a8386d2ac51cfdf070d542e09

SHA1
4c1b4db791058f3d829500f8f86a93bbf1f7977e

SHA256
cf60c544717fa6a2fd71511b3f9be144cda6ec7ed0a26e666f058770ca9d1b44

SHA512
ddcc9ddb3456fe5a89be3c5ddf3787544333dfaa822bdcb2b2a3951ef3adea82d95a0d2ae2e8cd4354a6009a8a1d460b471ff6b11b1bd203bceef5db5b0b7ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat

Filesize
225B

MD5
1f5b54f6604602855a15af2fbef66f37

SHA1
fc533da75841a68c3a17b3744cb1c91abd7d187d

SHA256
1f83a5309096c1b7dc9b6435149c5e864a3512e279d6a54befb0dba86f17d348

SHA512
b98ad22ea24bc0cddab79dfc9deec4038d46b9e47c044555db28862c8306b06c5baa3686ab5e5ee693544fa819d16b5345e2a350ae4dc8998eb95c62f96e7996

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmZn61weJC.bat

Filesize
225B

MD5
9450e4729f613245376a18039bc37ceb

SHA1
905644931da94441518d036310614b26351d4787

SHA256
abf2e7a2789ac1dba3431c754d5cdc57a5b20e0a276400fc74397b13d33ab429

SHA512
cd7685026098dd4ad7522ed05c977cf28f6bcaface8bac1d2bb4d2f9ad8831a0ecc51155ca20a214be491265e407fc4715e2153dc36a465965b4da0bc7bba343

Download Submit
C:\Users\Admin\AppData\Local\Temp\grdey4A1QM.bat

Filesize
225B

MD5
231bb3589afcb5c14ec1865501d38cbe

SHA1
8c6aad10b501ed52d65bda39a67c403f6cd615c2

SHA256
7f9f582c5651a8e7fad65427618842ed14ef4e3214d5fd8f0606b661da0fd779

SHA512
01972396b76fc24ae3cf94e8c0e46b6c375bb66fc29e1df8664b089c561d41db8756e88ac91b24707fa146b229fc7e54a48363be22ce8993a32505e7b4bd7592

Download Submit
C:\Users\Admin\AppData\Local\Temp\m1XclINWiF.bat

Filesize
225B

MD5
84b995847c77627bc4b371841832865c

SHA1
f8b263b3e367402062ca607cff68abefd035ffd0

SHA256
ae4033d107888af4c6791e7e8cea36a433fbe4221f9ae52c290d1e2cc653cf3c

SHA512
570293220a41fa2d78e7ce1ce2e64ff743df977bcc8e3d79a42e21a68adb00f09c0e405d6af12c18eb00bd4559eb4c38df9aeb6f52baef71f0bd3334520cf05f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat

Filesize
225B

MD5
79ccc508323beb377fd20b196e27b175

SHA1
3ebbf8beec32d2d03e9bd80a8abd1a541daf1a90

SHA256
e8087841c02986b68b6a279fd998ebc44079082923108a01b0b2ba0ade743f80

SHA512
e7e5d3f5104cba77e2d56e1a11927bb543dc24b34ab81fc0ab336b7bd02e0e37478d916638afdbe2455aea59c5bb07fe2e60300d293792052a63ce1887b417ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ounU5LkXKE.bat

Filesize
225B

MD5
c6fab401ba34dd28f25bbac81803efe7

SHA1
fdd2b57569dc78b49324ee9ef0309e263d5518ee

SHA256
39a99fb0221c77d3c6760c16c98b08dda68b33131648829d0628d903a399b285

SHA512
b3371529a1a76cfbebe36c19c5c2345b802348adb958163201709b6d090c4fa085ed7ad0834f4dc91bf4bbe11feca6c71385add10f2ced500463acb13415af8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\srJhtCwLGi.bat

Filesize
225B

MD5
c6de3f3ab614c9f5529942e127e7a786

SHA1
88a12b551dfae3cac1d105fa88dcde3e3ca1a049

SHA256
1f25f949343d4936fe15387e63f6e7094e953902ec1393f1d5fba63a56743199

SHA512
69a5c6db0b7975693601463bf00be56ab5293db6218096a24f42e077298d9ef4866149083f03434280cfeea5960085a85374acd3dfa81c0f23ccc777b3bd73ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\tA3KztjMoN.bat

Filesize
225B

MD5
d25b1fd3be5dd4c54449b471b3fe414e

SHA1
94c71c2aadd2b181758e7fa7c27048f3ab8041c8

SHA256
29fd78b60a2389117776427de7f5af0df55da593b1428cb05efdb14d640a1b10

SHA512
fa1b6ac81625b821099921e24781db5fea6796061a385e976621e5ab4c1df444f05aaee546c7493f05d12d4978f5a557865fa5e296cb682e60196ff785247bcc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AG9INJ4PQ2GEQ95D7T56.temp

Filesize
7KB

MD5
88cbaa7f1a64c76ec833cd01e8066c02

SHA1
acc322d9d85d509be1deda69b5efaffe50a9f396

SHA256
091c8adfc7915a85a338aac5ee83d86a59329b0fa0dda6c4dbefebe5ea15ad47

SHA512
1faff47bd4b0afec850c9ed1dddda134e348ad2b9b953322abe2f1f3f0b54398f4a63f2820d7877f9a0c2a80e887389469162f349a4efa16ae6905d5ab9d298c

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/628-38-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/628-39-0x0000000001C70000-0x0000000001C78000-memory.dmp

Filesize
32KB

Download
memory/704-410-0x0000000000160000-0x0000000000172000-memory.dmp

Filesize
72KB

Download
memory/1340-470-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/1476-112-0x0000000000E30000-0x0000000000F40000-memory.dmp

Filesize
1.1MB

Download
memory/1484-350-0x0000000001240000-0x0000000001350000-memory.dmp

Filesize
1.1MB

Download
memory/1892-172-0x0000000001060000-0x0000000001170000-memory.dmp

Filesize
1.1MB

Download
memory/2416-53-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2416-52-0x0000000000AC0000-0x0000000000BD0000-memory.dmp

Filesize
1.1MB

Download
memory/2628-648-0x0000000000260000-0x0000000000370000-memory.dmp

Filesize
1.1MB

Download
memory/2880-17-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2880-16-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2880-15-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/2880-14-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2880-13-0x0000000000F40000-0x0000000001050000-memory.dmp

Filesize
1.1MB

Download