dcrat | 1f223271e0797d707f249e064949dbac5e232a03a0fdfdecf770a671612ea0b7

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 10:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_1f223271e0797d707f249e064949dbac5e232a03a0fdfdecf770a671612ea0b7.exe
Size

1.3MB
MD5

30e701cc8cd27ab94e77ea8d5622bd11
SHA1

43f3304833a89cea9c06cefae2c762b52d2b6303
SHA256

1f223271e0797d707f249e064949dbac5e232a03a0fdfdecf770a671612ea0b7
SHA512

2eb54d0b1336860f04b58c7c6eff22990c017a1dee1baa508dba049ba6c7dd02733f0cc2aa58fcf2e0aaae78f358ab814ca2335a667db7eef9d8ae3b0b023a87
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2716	schtasks.exe	35

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001955c-9.dat	dcrat
behavioral1/memory/2788-13-0x0000000000DF0000-0x0000000000F00000-memory.dmp	dcrat
behavioral1/memory/2612-52-0x0000000000E40000-0x0000000000F50000-memory.dmp	dcrat
behavioral1/memory/1640-111-0x0000000001300000-0x0000000001410000-memory.dmp	dcrat
behavioral1/memory/1700-408-0x00000000001A0000-0x00000000002B0000-memory.dmp	dcrat
behavioral1/memory/976-468-0x0000000000CF0000-0x0000000000E00000-memory.dmp	dcrat
behavioral1/memory/624-528-0x0000000000F50000-0x0000000001060000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2956	powershell.exe
2784	powershell.exe
1844	powershell.exe
1828	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2788	DllCommonsvc.exe
2612	WmiPrvSE.exe
1640	WmiPrvSE.exe
2076	WmiPrvSE.exe
2832	WmiPrvSE.exe
848	WmiPrvSE.exe
2388	WmiPrvSE.exe
1700	WmiPrvSE.exe
976	WmiPrvSE.exe
624	WmiPrvSE.exe
660	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
484	cmd.exe
484	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
27	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
20	raw.githubusercontent.com
24	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\es-ES\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\dwm.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1f223271e0797d707f249e064949dbac5e232a03a0fdfdecf770a671612ea0b7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2724	schtasks.exe
2732	schtasks.exe
2804	schtasks.exe
2520	schtasks.exe
1484	schtasks.exe
2988	schtasks.exe
1292	schtasks.exe
2692	schtasks.exe
1036	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2788	DllCommonsvc.exe
2784	powershell.exe
1828	powershell.exe
2956	powershell.exe
1844	powershell.exe
2612	WmiPrvSE.exe
1640	WmiPrvSE.exe
2076	WmiPrvSE.exe
2832	WmiPrvSE.exe
848	WmiPrvSE.exe
2388	WmiPrvSE.exe
1700	WmiPrvSE.exe
976	WmiPrvSE.exe
624	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2788	DllCommonsvc.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	2612	WmiPrvSE.exe
Token: SeDebugPrivilege	1640	WmiPrvSE.exe
Token: SeDebugPrivilege	2076	WmiPrvSE.exe
Token: SeDebugPrivilege	2832	WmiPrvSE.exe
Token: SeDebugPrivilege	848	WmiPrvSE.exe
Token: SeDebugPrivilege	2388	WmiPrvSE.exe
Token: SeDebugPrivilege	1700	WmiPrvSE.exe
Token: SeDebugPrivilege	976	WmiPrvSE.exe
Token: SeDebugPrivilege	624	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 1268	2620	JaffaCakes118_1f223271e0797d707f249e064949dbac5e232a03a0fdfdecf770a671612ea0b7.exe	30
PID 2620 wrote to memory of 1268	2620	JaffaCakes118_1f223271e0797d707f249e064949dbac5e232a03a0fdfdecf770a671612ea0b7.exe	30
PID 2620 wrote to memory of 1268	2620	JaffaCakes118_1f223271e0797d707f249e064949dbac5e232a03a0fdfdecf770a671612ea0b7.exe	30
PID 2620 wrote to memory of 1268	2620	JaffaCakes118_1f223271e0797d707f249e064949dbac5e232a03a0fdfdecf770a671612ea0b7.exe	30
PID 1268 wrote to memory of 484	1268	WScript.exe	32
PID 1268 wrote to memory of 484	1268	WScript.exe	32
PID 1268 wrote to memory of 484	1268	WScript.exe	32
PID 1268 wrote to memory of 484	1268	WScript.exe	32
PID 484 wrote to memory of 2788	484	cmd.exe	34
PID 484 wrote to memory of 2788	484	cmd.exe	34
PID 484 wrote to memory of 2788	484	cmd.exe	34
PID 484 wrote to memory of 2788	484	cmd.exe	34
PID 2788 wrote to memory of 1828	2788	DllCommonsvc.exe	45
PID 2788 wrote to memory of 1828	2788	DllCommonsvc.exe	45
PID 2788 wrote to memory of 1828	2788	DllCommonsvc.exe	45
PID 2788 wrote to memory of 1844	2788	DllCommonsvc.exe	46
PID 2788 wrote to memory of 1844	2788	DllCommonsvc.exe	46
PID 2788 wrote to memory of 1844	2788	DllCommonsvc.exe	46
PID 2788 wrote to memory of 2784	2788	DllCommonsvc.exe	47
PID 2788 wrote to memory of 2784	2788	DllCommonsvc.exe	47
PID 2788 wrote to memory of 2784	2788	DllCommonsvc.exe	47
PID 2788 wrote to memory of 2956	2788	DllCommonsvc.exe	48
PID 2788 wrote to memory of 2956	2788	DllCommonsvc.exe	48
PID 2788 wrote to memory of 2956	2788	DllCommonsvc.exe	48
PID 2788 wrote to memory of 2488	2788	DllCommonsvc.exe	53
PID 2788 wrote to memory of 2488	2788	DllCommonsvc.exe	53
PID 2788 wrote to memory of 2488	2788	DllCommonsvc.exe	53
PID 2488 wrote to memory of 2616	2488	cmd.exe	55
PID 2488 wrote to memory of 2616	2488	cmd.exe	55
PID 2488 wrote to memory of 2616	2488	cmd.exe	55
PID 2488 wrote to memory of 2612	2488	cmd.exe	56
PID 2488 wrote to memory of 2612	2488	cmd.exe	56
PID 2488 wrote to memory of 2612	2488	cmd.exe	56
PID 2612 wrote to memory of 1780	2612	WmiPrvSE.exe	57
PID 2612 wrote to memory of 1780	2612	WmiPrvSE.exe	57
PID 2612 wrote to memory of 1780	2612	WmiPrvSE.exe	57
PID 1780 wrote to memory of 2208	1780	cmd.exe	59
PID 1780 wrote to memory of 2208	1780	cmd.exe	59
PID 1780 wrote to memory of 2208	1780	cmd.exe	59
PID 1780 wrote to memory of 1640	1780	cmd.exe	60
PID 1780 wrote to memory of 1640	1780	cmd.exe	60
PID 1780 wrote to memory of 1640	1780	cmd.exe	60
PID 1640 wrote to memory of 2820	1640	WmiPrvSE.exe	61
PID 1640 wrote to memory of 2820	1640	WmiPrvSE.exe	61
PID 1640 wrote to memory of 2820	1640	WmiPrvSE.exe	61
PID 2820 wrote to memory of 1504	2820	cmd.exe	63
PID 2820 wrote to memory of 1504	2820	cmd.exe	63
PID 2820 wrote to memory of 1504	2820	cmd.exe	63
PID 2820 wrote to memory of 2076	2820	cmd.exe	64
PID 2820 wrote to memory of 2076	2820	cmd.exe	64
PID 2820 wrote to memory of 2076	2820	cmd.exe	64
PID 2076 wrote to memory of 1320	2076	WmiPrvSE.exe	65
PID 2076 wrote to memory of 1320	2076	WmiPrvSE.exe	65
PID 2076 wrote to memory of 1320	2076	WmiPrvSE.exe	65
PID 1320 wrote to memory of 2732	1320	cmd.exe	67
PID 1320 wrote to memory of 2732	1320	cmd.exe	67
PID 1320 wrote to memory of 2732	1320	cmd.exe	67
PID 1320 wrote to memory of 2832	1320	cmd.exe	68
PID 1320 wrote to memory of 2832	1320	cmd.exe	68
PID 1320 wrote to memory of 2832	1320	cmd.exe	68
PID 2832 wrote to memory of 1648	2832	WmiPrvSE.exe	69
PID 2832 wrote to memory of 1648	2832	WmiPrvSE.exe	69
PID 2832 wrote to memory of 1648	2832	WmiPrvSE.exe	69
PID 1648 wrote to memory of 2376	1648	cmd.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1f223271e0797d707f249e064949dbac5e232a03a0fdfdecf770a671612ea0b7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1f223271e0797d707f249e064949dbac5e232a03a0fdfdecf770a671612ea0b7.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:484
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\es-ES\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bWVTs9gqPV.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2488
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2616
      - C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0WHmS6dpJ0.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2208
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5VZ5DKdOS.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1504
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\or7X1gMNi7.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2732
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2376
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ay5NT8uJA6.bat"
        15⤵
        
        PID:2296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1244
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F5GJdikwFG.bat"
        17⤵
        
        PID:2928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1540
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fZs2sOO0th.bat"
        19⤵
        
        PID:2492
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:3064
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L9j9zErPDE.bat"
        21⤵
        
        PID:2240
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2676
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o0FbW2pZd9.bat"
        23⤵
        
        PID:2784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2996
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe"
        24⤵
        Executes dropped EXE
        
        PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\Microsoft Shared\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Microsoft Shared\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96be588dc3fe3618402a1af491c51e84

SHA1
d69daafaf4b5271a17315b9a58fa093d1258accc

SHA256
49254b2898738a96dbedc8f5d472662cd44b43ea8aac49aa930c8691c8355393

SHA512
f740d0eebc43678a3709fa96bd03116a4a37a387d6a2c92aff9d1b0510dea95b450b18e09277ed5e4b26ed7f4dfd1305f34ffc43855b62eb6f58749606eafa0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db17286b412efe3ff137c76e80727dcf

SHA1
f8dd30c721136ce9cc5e3c23b240e8f277d7690e

SHA256
6bf0149424a1ac8745b1b23debce3355988f42a3425ce58a339f28439b142676

SHA512
8e55f20d688aafd67fed3bebe6380022633cabd767764b4c3d9f61e5b8449c18ffcf9c5753f34d6413e12d38808bdfb5292799fa2f589b4948bafafa766c8e6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b445fb6a9ef8e364cf388e41226d04c

SHA1
e066b2fe58b6c27b1aba936c0ea4f12a69aba4a5

SHA256
9f14873dc007e9a32f300373cd82668b14556e9474123b300203d099f8c4a51d

SHA512
1f0770adf96999fad44f304d7e0f9b22e7ef119cf91e285b9c1386e3a1ac309e73c5ef6f9debbf3fb9b79c9a9e9631bc923f05b2926f93ba62077815eb6edc22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b1896faac30d037146cd404f2e829dc3

SHA1
ff70f806982d83f4d8d188a1fbda62709524eb45

SHA256
ec5f71b8fd16095d10202eefb031a7e9fc97535d89e2ae51e7bf7e02fa849f18

SHA512
84157a31923dcc1029bb993ffc633c7dc997f74e44e2f229515042be27988d78cf8d266a9d86648212c448d6a2a053de708ae19e8c80fd911e21e13a3098813a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3135944e41fd10846a6a5dae020ff85b

SHA1
18702c4d2dceb4ac41ec8350d31224d08752f629

SHA256
8183b4bc228d6d315f946c5ab148e05282298284ce9a736b04d1f07a78daf764

SHA512
eac7a0cf055a2da696845de2ca9909c8dcbce769e435e9ea1fc9671be337bfd3eafafdfe38fd2a1cc3476613a8ef6dbe27d6727fb385576e27b0fc34ec23414c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68ee25c852ccb9e61a5c5f7f8419ffcd

SHA1
7341002822405491299cbd31e2ef3623a5f75b83

SHA256
eb167a89524e2c0c71fc4a3dd0cfcfc92dc630d81a72af03a2be77ee0771eb78

SHA512
0d600b1e36231d9d601a360bc0881c3c232e0e034686b393150bcb9982c1c24384681846ab1423a7c61d397ef9bd39ecaf53585b68e1db21c6d605f0eca4a35b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f44376c34350c7683ae3edcb80021dd2

SHA1
3321e33dd5d4b30dad07c194c110b2d7dabaf526

SHA256
00e96c9a5c2910ae46b9800df2bc7fb7dba9f5700d7ec25b3b250bc73c1e9b86

SHA512
6ad3406da7f6bb17e3c8947cabf2066037f5ca31e28891250eb821bab11f11746023bbb678505c382c6e1b6e5e51ff894cc2395349df0635a1b165773616bb78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3eb92dc0eee41ed3966a4571787bb3c8

SHA1
b955791fa28a1039f21f5c30351c09ec07c2d4e4

SHA256
d95465dfb15c9ee28443cdd06c6f9668acc539bb55b00fee6ade82e2f4c48431

SHA512
3505f28ea9ac4b209b15175eee1835b02107ff90fe4b891926e34c603e85bd0b5ab4c5f2747de823aa882a499d94ae8a7544cd7eae79938084fc02c0528a6b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\0WHmS6dpJ0.bat

Filesize
226B

MD5
d8294274f48bee45b9282b987a98b6fb

SHA1
30f534ec765dd561233b4b9967a36d95740b17cd

SHA256
42722bf7f8b36063751906c2cf53de82745f8ccdb5c6348a0893406adeb06854

SHA512
b0782e8c4efbfce75a4412854408d6b43e975133574c4746da4d8525450ddfecd4788e21fb602026f670958e4dc5984509b38ad14bd11c4d6d5d5656adb655fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA8E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5GJdikwFG.bat

Filesize
226B

MD5
e1c14f286fe8bd4bffc1baa83cdce089

SHA1
5cf4cd277065d3fae017a3d9074e62d8d4d769d8

SHA256
55678fcf43e8244022ed4f2846871d061ad36011ca6bed5a75ab5df6506e9320

SHA512
7dd3d9ddce9126ff1ccd9cdf4332a923c5b3ed49ed05daa69ec29308629e33ec6b291ce5bae8dfcabf77f50165eb6e343b669a36fc1cf7eb8b01f93daa41d63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\L9j9zErPDE.bat

Filesize
226B

MD5
b93d3fcc8a93480d66cfa99e0de1ef47

SHA1
ec9249ce4c73f126f420e1d07e2d4ea24d7d8e93

SHA256
19b71ed04b81ba8e6caf4f428ce6814a72bf3d92093c04c27d098ad4a3e6d9e9

SHA512
2ffb543428010675665e385253c04b0ad3e1f02746ec2d2a4ec130f3bbf99ea93c6a4c3fb577553558c2538b6973cb88fe1d5ed1fecafba24ebe486abadbe63d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat

Filesize
226B

MD5
af0b445c6be2f3257d9560d8448df619

SHA1
f86f23d4d0616e5a40d5f57c3f22292916d596ec

SHA256
0227083a0da9b99495aeceb32127adb54d76fd35052bec2a0a9aac8d823c64fb

SHA512
a7bb9bf255fc4201b7f333829977cf2fb9a95c5d9efaaa0d8de9d71d57e8fc4dd476a42466d29bd26ba9b2ed817128d8d4b2b67a809fe115a1aa6ae7145a6281

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAB0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ay5NT8uJA6.bat

Filesize
226B

MD5
fd794faaf1014de8163cf74987e48a5d

SHA1
8dd6dd02238046b065acefce8505ddb0f16a7ee6

SHA256
e0bfe664d05bf6a706bb270b84f9ffd03850deaae821f0a2c932adbae8767d03

SHA512
158999a57fea7fcce81fc1655efa7cfecf94961bf6e12cb696d9760889d89b42a660b1667d849a9bcab4642b39c67adf6cac651b785d0720977a20033d23a61d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bWVTs9gqPV.bat

Filesize
226B

MD5
8868ae8c7240e20a5ee3779a86131221

SHA1
d481fa5351bfe191df5627c0d32296bb5febac22

SHA256
a8617c622d7849dd91c1583f09d141f21075b3c33cf5afdc2bbddba8adbc44a9

SHA512
81f53b6e0c879aaaa3561683066600ea8d795d4b7725fef35bd1f070897c6746ad988155e8c554da55c1f79ae36c7159c6678119e764ff83afaa241d23460cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\fZs2sOO0th.bat

Filesize
226B

MD5
384fa1c9790273f67aa0f80a910aae04

SHA1
83943c66d812915ad0cc1495b0e5189123231065

SHA256
6837ae21ccbc7d84e4285fad364d98194d686e9afa4d4811099693ea96226d4e

SHA512
4bad149bf8e4abd1e6a525ecdad808c498085449ac54cd0f0720943af62d80d21513dcb96ad7004ec2b360458361bef29be1a7fb448abdbb6fd05d842f578d6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\j5VZ5DKdOS.bat

Filesize
226B

MD5
7d5d220d9a55bf61ba210c2316fbcc40

SHA1
888704c34fff8408a9c5c423c7f605efc235629b

SHA256
abd3640762710798692bae0df2d12a8699b3f3ccb2cf79989a415cd685dfbc6b

SHA512
c00aa14557c2c041959102b5e9e0f95e144c1f2d2eed59b3a01c9505fe790c5e69a1b2c120eb975d15d4595c1da9120401c55c779680c00ce0d9e50a3baed808

Download Submit
C:\Users\Admin\AppData\Local\Temp\o0FbW2pZd9.bat

Filesize
226B

MD5
a2aaa4d1ba204fcd000104cfae87545e

SHA1
9fa3e1445a1236113ada5688c6601866ab6282c6

SHA256
d9bbc34dbbe8d89daabd555bc51f3edf30a3a26057fd57617b09e79ca1da85de

SHA512
45f3f142a31d747bb5cdfbd638c7173be9f0658a0a13daf439da91ec5e540dd6f590b35670004d16443e82b2946db840b665fde6b739277e1f68766e03eaa90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\or7X1gMNi7.bat

Filesize
226B

MD5
3a1338e9e40b65fa7e5406cccd6b27fd

SHA1
9f412f4f147d00c9eba6c841203869e4f59c47d9

SHA256
3b17c5a4f48b79d626f89518a8ebb4ce06904dddffb10babea9a17a8d00ee14e

SHA512
80f2b1015f87ceaa9c66471cd0f3fd5854456eb116d0d7e6ad10bdae1fa040de0068e9f5703c463e05e2d076e3f90e5b76376e86f136f840cc00f33e7c55b2c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
00207a68b6f6b91a52fcf35f0a16d36d

SHA1
3f7be1d6cd6da96dc28028b6ea79fda3c0b12d72

SHA256
a94833d05922b6700ca20f987f93d0711569be4e8657d4b387d3e80543992bf1

SHA512
6731afb45d5a6a612315f390ebdacfe374e84e85f1f5b3b31a4c2b132a30e6dc310bf6d446f021e8046806debcdc0fd4c34797ed826cc4b9641e124a3eddfbd0

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/624-528-0x0000000000F50000-0x0000000001060000-memory.dmp

Filesize
1.1MB

Download
memory/976-468-0x0000000000CF0000-0x0000000000E00000-memory.dmp

Filesize
1.1MB

Download
memory/1640-111-0x0000000001300000-0x0000000001410000-memory.dmp

Filesize
1.1MB

Download
memory/1700-408-0x00000000001A0000-0x00000000002B0000-memory.dmp

Filesize
1.1MB

Download
memory/2612-52-0x0000000000E40000-0x0000000000F50000-memory.dmp

Filesize
1.1MB

Download
memory/2784-42-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2784-43-0x0000000000360000-0x0000000000368000-memory.dmp

Filesize
32KB

Download
memory/2788-17-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download
memory/2788-13-0x0000000000DF0000-0x0000000000F00000-memory.dmp

Filesize
1.1MB

Download
memory/2788-14-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2788-15-0x0000000000170000-0x000000000017C000-memory.dmp

Filesize
48KB

Download
memory/2788-16-0x0000000000150000-0x000000000015C000-memory.dmp

Filesize
48KB

Download
memory/2832-230-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download