dcrat | d0778fe0a64f40e1d7a820f5ba4c637083082657bfb51fa04de3548cd5f32671

Analysis

max time kernel
145s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 10:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_d0778fe0a64f40e1d7a820f5ba4c637083082657bfb51fa04de3548cd5f32671.exe
Size

1.3MB
MD5

34c735dba48810f26ae411f201d29703
SHA1

5a79a830aea354f9006a0688c7ea9099e79776db
SHA256

d0778fe0a64f40e1d7a820f5ba4c637083082657bfb51fa04de3548cd5f32671
SHA512

c554222b3e8f60780a0cf1e92bb8a6cac7f02454e7a2d931d1015a3d7fda508106bd3bf049f899115073dd71a0cb7b4e3ef07aa7741fbbf52104593536b1621c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2184	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2184	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2184	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2184	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2184	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2184	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2184	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2184	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2184	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2184	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2184	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2184	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2184	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2184	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	2184	schtasks.exe	34

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001920f-9.dat	dcrat
behavioral1/memory/3060-13-0x0000000000B30000-0x0000000000C40000-memory.dmp	dcrat
behavioral1/memory/588-66-0x00000000003B0000-0x00000000004C0000-memory.dmp	dcrat
behavioral1/memory/2984-126-0x00000000010E0000-0x00000000011F0000-memory.dmp	dcrat
behavioral1/memory/2160-541-0x00000000013E0000-0x00000000014F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2444	powershell.exe
1540	powershell.exe
2312	powershell.exe
2300	powershell.exe
848	powershell.exe
1316	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
3060	DllCommonsvc.exe
588	csrss.exe
2984	csrss.exe
3012	csrss.exe
1932	csrss.exe
2932	csrss.exe
1664	csrss.exe
1892	csrss.exe
596	csrss.exe
2160	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2868	cmd.exe
2868	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
19	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
12	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
26	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Office14\1033\csrss.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d0778fe0a64f40e1d7a820f5ba4c637083082657bfb51fa04de3548cd5f32671.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2564	schtasks.exe
1616	schtasks.exe
2584	schtasks.exe
2624	schtasks.exe
1356	schtasks.exe
1956	schtasks.exe
2656	schtasks.exe
2536	schtasks.exe
2324	schtasks.exe
308	schtasks.exe
2540	schtasks.exe
2732	schtasks.exe
1260	schtasks.exe
1208	schtasks.exe
2524	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3060	DllCommonsvc.exe
3060	DllCommonsvc.exe
3060	DllCommonsvc.exe
2444	powershell.exe
2300	powershell.exe
848	powershell.exe
1540	powershell.exe
2312	powershell.exe
1316	powershell.exe
588	csrss.exe
2984	csrss.exe
3012	csrss.exe
1932	csrss.exe
2932	csrss.exe
1664	csrss.exe
1892	csrss.exe
596	csrss.exe
2160	csrss.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	DllCommonsvc.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	588	csrss.exe
Token: SeDebugPrivilege	2984	csrss.exe
Token: SeDebugPrivilege	3012	csrss.exe
Token: SeDebugPrivilege	1932	csrss.exe
Token: SeDebugPrivilege	2932	csrss.exe
Token: SeDebugPrivilege	1664	csrss.exe
Token: SeDebugPrivilege	1892	csrss.exe
Token: SeDebugPrivilege	596	csrss.exe
Token: SeDebugPrivilege	2160	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2116	2484	JaffaCakes118_d0778fe0a64f40e1d7a820f5ba4c637083082657bfb51fa04de3548cd5f32671.exe	30
PID 2484 wrote to memory of 2116	2484	JaffaCakes118_d0778fe0a64f40e1d7a820f5ba4c637083082657bfb51fa04de3548cd5f32671.exe	30
PID 2484 wrote to memory of 2116	2484	JaffaCakes118_d0778fe0a64f40e1d7a820f5ba4c637083082657bfb51fa04de3548cd5f32671.exe	30
PID 2484 wrote to memory of 2116	2484	JaffaCakes118_d0778fe0a64f40e1d7a820f5ba4c637083082657bfb51fa04de3548cd5f32671.exe	30
PID 2116 wrote to memory of 2868	2116	WScript.exe	31
PID 2116 wrote to memory of 2868	2116	WScript.exe	31
PID 2116 wrote to memory of 2868	2116	WScript.exe	31
PID 2116 wrote to memory of 2868	2116	WScript.exe	31
PID 2868 wrote to memory of 3060	2868	cmd.exe	33
PID 2868 wrote to memory of 3060	2868	cmd.exe	33
PID 2868 wrote to memory of 3060	2868	cmd.exe	33
PID 2868 wrote to memory of 3060	2868	cmd.exe	33
PID 3060 wrote to memory of 2444	3060	DllCommonsvc.exe	50
PID 3060 wrote to memory of 2444	3060	DllCommonsvc.exe	50
PID 3060 wrote to memory of 2444	3060	DllCommonsvc.exe	50
PID 3060 wrote to memory of 1540	3060	DllCommonsvc.exe	51
PID 3060 wrote to memory of 1540	3060	DllCommonsvc.exe	51
PID 3060 wrote to memory of 1540	3060	DllCommonsvc.exe	51
PID 3060 wrote to memory of 1316	3060	DllCommonsvc.exe	52
PID 3060 wrote to memory of 1316	3060	DllCommonsvc.exe	52
PID 3060 wrote to memory of 1316	3060	DllCommonsvc.exe	52
PID 3060 wrote to memory of 848	3060	DllCommonsvc.exe	54
PID 3060 wrote to memory of 848	3060	DllCommonsvc.exe	54
PID 3060 wrote to memory of 848	3060	DllCommonsvc.exe	54
PID 3060 wrote to memory of 2312	3060	DllCommonsvc.exe	56
PID 3060 wrote to memory of 2312	3060	DllCommonsvc.exe	56
PID 3060 wrote to memory of 2312	3060	DllCommonsvc.exe	56
PID 3060 wrote to memory of 2300	3060	DllCommonsvc.exe	57
PID 3060 wrote to memory of 2300	3060	DllCommonsvc.exe	57
PID 3060 wrote to memory of 2300	3060	DllCommonsvc.exe	57
PID 3060 wrote to memory of 2012	3060	DllCommonsvc.exe	62
PID 3060 wrote to memory of 2012	3060	DllCommonsvc.exe	62
PID 3060 wrote to memory of 2012	3060	DllCommonsvc.exe	62
PID 2012 wrote to memory of 1932	2012	cmd.exe	64
PID 2012 wrote to memory of 1932	2012	cmd.exe	64
PID 2012 wrote to memory of 1932	2012	cmd.exe	64
PID 2012 wrote to memory of 588	2012	cmd.exe	66
PID 2012 wrote to memory of 588	2012	cmd.exe	66
PID 2012 wrote to memory of 588	2012	cmd.exe	66
PID 588 wrote to memory of 2664	588	csrss.exe	67
PID 588 wrote to memory of 2664	588	csrss.exe	67
PID 588 wrote to memory of 2664	588	csrss.exe	67
PID 2664 wrote to memory of 2424	2664	cmd.exe	69
PID 2664 wrote to memory of 2424	2664	cmd.exe	69
PID 2664 wrote to memory of 2424	2664	cmd.exe	69
PID 2664 wrote to memory of 2984	2664	cmd.exe	70
PID 2664 wrote to memory of 2984	2664	cmd.exe	70
PID 2664 wrote to memory of 2984	2664	cmd.exe	70
PID 2984 wrote to memory of 2068	2984	csrss.exe	71
PID 2984 wrote to memory of 2068	2984	csrss.exe	71
PID 2984 wrote to memory of 2068	2984	csrss.exe	71
PID 2068 wrote to memory of 2640	2068	cmd.exe	73
PID 2068 wrote to memory of 2640	2068	cmd.exe	73
PID 2068 wrote to memory of 2640	2068	cmd.exe	73
PID 2068 wrote to memory of 3012	2068	cmd.exe	74
PID 2068 wrote to memory of 3012	2068	cmd.exe	74
PID 2068 wrote to memory of 3012	2068	cmd.exe	74
PID 3012 wrote to memory of 1732	3012	csrss.exe	75
PID 3012 wrote to memory of 1732	3012	csrss.exe	75
PID 3012 wrote to memory of 1732	3012	csrss.exe	75
PID 1732 wrote to memory of 848	1732	cmd.exe	77
PID 1732 wrote to memory of 848	1732	cmd.exe	77
PID 1732 wrote to memory of 848	1732	cmd.exe	77
PID 1732 wrote to memory of 1932	1732	cmd.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0778fe0a64f40e1d7a820f5ba4c637083082657bfb51fa04de3548cd5f32671.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0778fe0a64f40e1d7a820f5ba4c637083082657bfb51fa04de3548cd5f32671.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\06MMF2II12.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2012
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1932
      - C:\Program Files\Microsoft Office\Office14\1033\csrss.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ouYA2TrKB.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2424
        
        C:\Program Files\Microsoft Office\Office14\1033\csrss.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\csrss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbn0SniZDX.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2640
        
        C:\Program Files\Microsoft Office\Office14\1033\csrss.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\csrss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zj0hR7WTEZ.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:848
        
        C:\Program Files\Microsoft Office\Office14\1033\csrss.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\csrss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAQQp9H1T4.bat"
        13⤵
        
        PID:2740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2280
        
        C:\Program Files\Microsoft Office\Office14\1033\csrss.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\csrss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uSow6ZWML2.bat"
        15⤵
        
        PID:1992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2348
        
        C:\Program Files\Microsoft Office\Office14\1033\csrss.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\csrss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8xeM6k5O3T.bat"
        17⤵
        
        PID:2580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1532
        
        C:\Program Files\Microsoft Office\Office14\1033\csrss.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\csrss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4JlC5zfAS6.bat"
        19⤵
        
        PID:2120
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2620
        
        C:\Program Files\Microsoft Office\Office14\1033\csrss.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\csrss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ezzJRb6cS.bat"
        21⤵
        
        PID:2852
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1432
        
        C:\Program Files\Microsoft Office\Office14\1033\csrss.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\csrss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat"
        23⤵
        
        PID:2960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae8f81817aa6a2679530ad36006b08af

SHA1
9426b4824ea29c24541ca318827a8f7ff7d71278

SHA256
d39c4de2006895eb6ab411b5efcb94239d1125f87441d70f4ce343b1694f5212

SHA512
23e1ab37392681547fb7c2cec00ab3b520f193daf41d17e1cda71d9c06af37474381f319e100ae7a472c61db001151b0de124ea58a0f2821be3a89a336517c0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f7a8cf17760dac5bc2338e77692ddaa

SHA1
c321893a52343468a0b9d436d3005c5ebc55790d

SHA256
d983c7e0a4fc37d9e22e21c3bf2b1338d1dd78cfcb2144145e3d1cc1922fd749

SHA512
d43914d36051aa53b94c714e6e8fbf8428c8e3491eacd0883bdad6f8bad517d743991e12e02cd213737ab02e5e07bd1fb17ae303613d9e78ea699fe91a7ac6e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f1ebf25871e6b2d9c15bae287bea6cb

SHA1
77f612cd44e9fccedfcd398c1ac8d19fb43ad875

SHA256
231ae064e44a2270d561233f02282fa10c4b28ecfb6b1e3786f5d4c0220ef08b

SHA512
5023761b3a50254c9db9b41d1566eb1cccdf4312e9d142d6d007329e432a9ad704e5030ca1c057a0974916215e4da7980eb143b26c7b2bd7c54bdb4ede8b3f3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7013194e1e69cb42c14239f775bf4cf1

SHA1
9612d273f3ac35791e876e0700dc13a91c68deda

SHA256
658415b33bf98206dfc63198711c0d7adffb1082b0cf7d8b08f78dfda8b28f5d

SHA512
c5a0101b37e52a33161c51a5eaa77c83c223fc5a9876d2f1d081641b8feeb61e7b50516fdfd6a3ed40260b639fdf17e155ba69d87a837708295362d881dffc38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d7d8c7fc2dd481a7a19802abe6f76c1d

SHA1
4ce98ef0eb609fc97de19217845d9819e2bd0e74

SHA256
28fafbdb2837f27a83efb572fd1db7f3f2b3a17f5cb89b75763247288366787c

SHA512
0fd1169179d50454e76f5cb76d77bb937994bc2d8e68c929ede13ef757f4576dcb21235f52fedfedddb61d3ecef352653456dd423961cec5defc468f5e930641

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22f27c02eb783f2a07c5ab1e0b1b7d52

SHA1
e66adcd8b612efadf2212f96c37627a0ee400ba1

SHA256
50003cfebabc62cd3fba75e234948856d818f0521ecc9ac527be147b35172ccb

SHA512
8070c2433a5664f6ae1d89e245d0bcc529e64056e115b7073df7ae56f143bf0cc918a363fccc5cc5f9cad82893458068f176a488e080143a1aa43b680a1bd3df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb0f20a0d550f4029b1c19da4d24eb3b

SHA1
7f3fd28680377de88e0d57884860e375acef6551

SHA256
531c26eb929edc3e6f64473161e49f9c8ec1b5367d716e27b0be0c501bd5cd8e

SHA512
64fc59b5bfde8f6aecb839830c6105ec1eb9f28c0d9545cc4f1173ba432abacc851dd4e62c006a85c664380f1909e5b569724445819ef381eb8660b7a57f0408

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d86cb6e19329576593baeefb7dde13e6

SHA1
aca709c022edad8ff427091efe7acba1a3513924

SHA256
427d7541af2015105c88a93fb0b9735c9648025c641d3b9a9b5421f07072fc0b

SHA512
00c361249e773660f41cebd268e3b5bd1b0303f5619c52523c335860ec59a493d81c325210ea9e5e845d84515ab23337029879fe025553d3a8c5084b5d814387

Download Submit
C:\Users\Admin\AppData\Local\Temp\06MMF2II12.bat

Filesize
222B

MD5
c9d06fc54ecb7cbab5c4033d4b50c892

SHA1
3169708511e0c7694e0e0b60c6b6ab98b0103ab4

SHA256
b70032256888705847ac475d6cb5b0f72d276bc04b65236164155e0d51c2e056

SHA512
a02099dc906f08a3bdd4412089b77e6e970774b5d3c169644355a0a4beaf70a915d95e4fff97368bf6a6bd5c88c8ec88e349c5ef88cbd6dd47d0d7c16fa417a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4JlC5zfAS6.bat

Filesize
222B

MD5
29db2e4327d58689378d990f74848122

SHA1
0f88be83bd973d5264d3901f9c7b610b4606a0cf

SHA256
e3f4aa8cf26e6285d60e7c0bd6d35d525e44d024210565355d4e44a022217dc4

SHA512
207636c1fb5a69040e039a94d8b784180ac14e948603b7f265212c90fd50fb21db00e464242c07221a1ca072fc4e525ef860ec286436f47f305366f9d0b55ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ezzJRb6cS.bat

Filesize
222B

MD5
70925616001f8c3f941f4217ba7c632e

SHA1
c35a27419cad4674dd05bf3e6241bbbc4fdacce7

SHA256
b9ddde5cd535ca34775c8b39c1080ad4a95cf1621127f0c51bae6208a9d1a351

SHA512
eccf581dee78aa5fe072835fd586b2bd456dee11496f07f8f4ba8a9adea417d9c236a58622c6c771e1fa91c8594007ce011ba84b3ac8b90c09a9ab8f31863565

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ouYA2TrKB.bat

Filesize
222B

MD5
115542ab63dbb65c1c6981b6de42336c

SHA1
4ab3fe0ac8eae1c9511c6f918664891dc5e9394f

SHA256
5b79931694014f2a40ec9ee154c24c85f098e7a2a1b5bbd7bac6acfc18d52ae1

SHA512
662147bd7637ad100d1a172b2c322d65ef196f555f1ab2f53b7dd1cc9cf6f3d71e842f07ccc286c07b0639b89c0b807663ee5ed7ad0469c52e94bbc03ff1e191

Download Submit
C:\Users\Admin\AppData\Local\Temp\8xeM6k5O3T.bat

Filesize
222B

MD5
d43a68c560632aaa536c694ef32754f9

SHA1
654ff03e9c648188ad838355938c6473284688f7

SHA256
d5c9da28583a7010f79e603dbb344772b191af94c91bbb4a059c9ae62b4457a6

SHA512
a95b1861babebf42d55bdfc105914226426abccb0e00e90df6fb3f4e8d1bb7e252754aaf98dc1f5c6ffc82d8b0d52d54a9195acde4d4e48da52d03490a4e471c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE93.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAQQp9H1T4.bat

Filesize
222B

MD5
f8708c0ce242c50e98b4392a472c4331

SHA1
79f8942fd08581e4cccd1a5ef4b993ec33ec2e97

SHA256
ef0e0b2422afa287f69a137db3e569569336fdab740e0fae1d7ae80645ce7ed6

SHA512
0153ed22d8cb39e0aee11e3a171dc99df066079c55a71585d5e0f84a71309ad07bff56dfe7ca646d141297a1eb0ebbbed7fcf3566014fbac804eb94de1a84ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pbn0SniZDX.bat

Filesize
222B

MD5
7db16a51aa0905b4ad038350685414a9

SHA1
9e9f3ccb9cf75f8746197ae392ab1e3746cdf76f

SHA256
4fe839f5e2f495c79535ba4abdcfcdd3598816b5a9503263a338d4832fd31faf

SHA512
0ff5ff31f1750dce747486fc8c5f8f124edef204525b909ad3fbb47c426eef381805f9816ae287066484880ce723218ca68d07ea726aaa494316e4b9d17d7906

Download Submit
C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat

Filesize
222B

MD5
2be669114334f45a1b25774190934520

SHA1
7dfcc6039ab3624c75da01f8fb7e0940cadb3e21

SHA256
309a373e210e7c8467c56b86611ad14558af8d5dd5b3012d0de86276f72c50ba

SHA512
955a2969470a0699b612eeecf2f88a752c42bebec31d2b2821f93af418fa52aef6214c885ee4e5f9fffbdb7cb84e0e3505eb8b3de2c35834c6cc696ae678fe97

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEB5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zj0hR7WTEZ.bat

Filesize
222B

MD5
2dc18ec29d99cef54e852d1a7649a4bd

SHA1
a1dec21adacd55e98cfae628fae13bdacb89880d

SHA256
077a5ddb04c95fa66e01e5d0530c449ab4c58549cc64c5c59cd3867288ed4670

SHA512
67f24c7901fe04d2d84382da855bcc9ead007daf392f1d8adbf12f01b4d57451fa47339289b229959d8fbb33d9f7ddfcb095e4a322bce3614deb2bcdd0dcddc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\uSow6ZWML2.bat

Filesize
222B

MD5
0bb2a789561a41472c52c88f9872f96a

SHA1
117a1a3ef2eac1b0eec00d492553bb278d17aa6a

SHA256
addca293fb6790f59bae79a93f622b5d652375f7ceef991388c44c7c7ad9d1da

SHA512
e69793ac7c5ab49d774329ff4e510651dfdec51150d01c32b78c1010e6c1d4c919b932c9678470cbe5c5c603a622caa056276c39004874539207c3a81b3ed8c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ffa7605be6a377993efa5bed46b5b0bb

SHA1
833b824ba11cf770432969065b120aeb27afb45e

SHA256
06140391f105327f598d8f9ec791791dc51f4f8b05525ea290c9a9c1943c8b4b

SHA512
a59b96de775f6d7a14d8578ec2d531b3313b6f5a951aaf59cf05e276720f01235f1d2a6d248d0c4abbcaa8c562adc192cdbc24d3581df48fb8ae0b37a6b6e117

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/588-66-0x00000000003B0000-0x00000000004C0000-memory.dmp

Filesize
1.1MB

Download
memory/588-67-0x0000000000650000-0x0000000000662000-memory.dmp

Filesize
72KB

Download
memory/1664-363-0x0000000000490000-0x00000000004A2000-memory.dmp

Filesize
72KB

Download
memory/2160-541-0x00000000013E0000-0x00000000014F0000-memory.dmp

Filesize
1.1MB

Download
memory/2300-62-0x0000000002910000-0x0000000002918000-memory.dmp

Filesize
32KB

Download
memory/2300-61-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2984-126-0x00000000010E0000-0x00000000011F0000-memory.dmp

Filesize
1.1MB

Download
memory/3060-13-0x0000000000B30000-0x0000000000C40000-memory.dmp

Filesize
1.1MB

Download
memory/3060-14-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/3060-15-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/3060-17-0x0000000000510000-0x000000000051C000-memory.dmp

Filesize
48KB

Download
memory/3060-16-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download