dcrat | 0d468074bb16f7dd2f914129bf9e973caebd7c5b15322707cea423c7529873d1

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 11:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0d468074bb16f7dd2f914129bf9e973caebd7c5b15322707cea423c7529873d1.exe
Size

1.3MB
MD5

3fd1d1295ac4f34eb69b174fd7da4b02
SHA1

e9ac3085fc46603d0f624bf73a960d58ed1e5476
SHA256

0d468074bb16f7dd2f914129bf9e973caebd7c5b15322707cea423c7529873d1
SHA512

97fec0ec525de5575683c6e044982d8da6345a3c16dc2235c7dc1f3aab7ec2bd09c35817412412c8f8a27f8f22787905a21f0699c5af81114db03642f803ba0a
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2724	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	2724	schtasks.exe	33

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016d1c-11.dat	dcrat
behavioral1/memory/2896-13-0x00000000012A0000-0x00000000013B0000-memory.dmp	dcrat
behavioral1/memory/2388-71-0x0000000000920000-0x0000000000A30000-memory.dmp	dcrat
behavioral1/memory/544-130-0x00000000002D0000-0x00000000003E0000-memory.dmp	dcrat
behavioral1/memory/2200-190-0x0000000001000000-0x0000000001110000-memory.dmp	dcrat
behavioral1/memory/2152-250-0x00000000002A0000-0x00000000003B0000-memory.dmp	dcrat
behavioral1/memory/852-311-0x0000000000260000-0x0000000000370000-memory.dmp	dcrat
behavioral1/memory/2212-371-0x00000000013B0000-0x00000000014C0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1908	powershell.exe
1976	powershell.exe
1988	powershell.exe
1920	powershell.exe
1632	powershell.exe
1824	powershell.exe
1740	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2896	DllCommonsvc.exe
2388	System.exe
544	System.exe
2200	System.exe
2152	System.exe
852	System.exe
2212	System.exe
1596	System.exe
1208	System.exe
2492	System.exe

Loads dropped DLL 2 IoCs

pid	Process
2156	cmd.exe
2156	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
4	raw.githubusercontent.com
13	raw.githubusercontent.com
20	raw.githubusercontent.com
26	raw.githubusercontent.com
33	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\ja-JP\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Common Files\System\ja-JP\cmd.exe	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ServiceProfiles\System.exe	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\System.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0d468074bb16f7dd2f914129bf9e973caebd7c5b15322707cea423c7529873d1.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2732	schtasks.exe
908	schtasks.exe
1464	schtasks.exe
1424	schtasks.exe
2944	schtasks.exe
1072	schtasks.exe
2428	schtasks.exe
2672	schtasks.exe
552	schtasks.exe
2740	schtasks.exe
1712	schtasks.exe
2692	schtasks.exe
2752	schtasks.exe
1636	schtasks.exe
3016	schtasks.exe
3032	schtasks.exe
2320	schtasks.exe
3040	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2896	DllCommonsvc.exe
1632	powershell.exe
1988	powershell.exe
1824	powershell.exe
1740	powershell.exe
1908	powershell.exe
1976	powershell.exe
1920	powershell.exe
2388	System.exe
544	System.exe
2200	System.exe
2152	System.exe
852	System.exe
2212	System.exe
1596	System.exe
1208	System.exe
2492	System.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	DllCommonsvc.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	2388	System.exe
Token: SeDebugPrivilege	544	System.exe
Token: SeDebugPrivilege	2200	System.exe
Token: SeDebugPrivilege	2152	System.exe
Token: SeDebugPrivilege	852	System.exe
Token: SeDebugPrivilege	2212	System.exe
Token: SeDebugPrivilege	1596	System.exe
Token: SeDebugPrivilege	1208	System.exe
Token: SeDebugPrivilege	2492	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 3068	2104	JaffaCakes118_0d468074bb16f7dd2f914129bf9e973caebd7c5b15322707cea423c7529873d1.exe	29
PID 2104 wrote to memory of 3068	2104	JaffaCakes118_0d468074bb16f7dd2f914129bf9e973caebd7c5b15322707cea423c7529873d1.exe	29
PID 2104 wrote to memory of 3068	2104	JaffaCakes118_0d468074bb16f7dd2f914129bf9e973caebd7c5b15322707cea423c7529873d1.exe	29
PID 2104 wrote to memory of 3068	2104	JaffaCakes118_0d468074bb16f7dd2f914129bf9e973caebd7c5b15322707cea423c7529873d1.exe	29
PID 3068 wrote to memory of 2156	3068	WScript.exe	30
PID 3068 wrote to memory of 2156	3068	WScript.exe	30
PID 3068 wrote to memory of 2156	3068	WScript.exe	30
PID 3068 wrote to memory of 2156	3068	WScript.exe	30
PID 2156 wrote to memory of 2896	2156	cmd.exe	32
PID 2156 wrote to memory of 2896	2156	cmd.exe	32
PID 2156 wrote to memory of 2896	2156	cmd.exe	32
PID 2156 wrote to memory of 2896	2156	cmd.exe	32
PID 2896 wrote to memory of 1976	2896	DllCommonsvc.exe	52
PID 2896 wrote to memory of 1976	2896	DllCommonsvc.exe	52
PID 2896 wrote to memory of 1976	2896	DllCommonsvc.exe	52
PID 2896 wrote to memory of 1988	2896	DllCommonsvc.exe	53
PID 2896 wrote to memory of 1988	2896	DllCommonsvc.exe	53
PID 2896 wrote to memory of 1988	2896	DllCommonsvc.exe	53
PID 2896 wrote to memory of 1920	2896	DllCommonsvc.exe	54
PID 2896 wrote to memory of 1920	2896	DllCommonsvc.exe	54
PID 2896 wrote to memory of 1920	2896	DllCommonsvc.exe	54
PID 2896 wrote to memory of 1632	2896	DllCommonsvc.exe	55
PID 2896 wrote to memory of 1632	2896	DllCommonsvc.exe	55
PID 2896 wrote to memory of 1632	2896	DllCommonsvc.exe	55
PID 2896 wrote to memory of 1824	2896	DllCommonsvc.exe	56
PID 2896 wrote to memory of 1824	2896	DllCommonsvc.exe	56
PID 2896 wrote to memory of 1824	2896	DllCommonsvc.exe	56
PID 2896 wrote to memory of 1740	2896	DllCommonsvc.exe	57
PID 2896 wrote to memory of 1740	2896	DllCommonsvc.exe	57
PID 2896 wrote to memory of 1740	2896	DllCommonsvc.exe	57
PID 2896 wrote to memory of 1908	2896	DllCommonsvc.exe	58
PID 2896 wrote to memory of 1908	2896	DllCommonsvc.exe	58
PID 2896 wrote to memory of 1908	2896	DllCommonsvc.exe	58
PID 2896 wrote to memory of 1224	2896	DllCommonsvc.exe	66
PID 2896 wrote to memory of 1224	2896	DllCommonsvc.exe	66
PID 2896 wrote to memory of 1224	2896	DllCommonsvc.exe	66
PID 1224 wrote to memory of 2496	1224	cmd.exe	68
PID 1224 wrote to memory of 2496	1224	cmd.exe	68
PID 1224 wrote to memory of 2496	1224	cmd.exe	68
PID 1224 wrote to memory of 2388	1224	cmd.exe	69
PID 1224 wrote to memory of 2388	1224	cmd.exe	69
PID 1224 wrote to memory of 2388	1224	cmd.exe	69
PID 2388 wrote to memory of 2504	2388	System.exe	70
PID 2388 wrote to memory of 2504	2388	System.exe	70
PID 2388 wrote to memory of 2504	2388	System.exe	70
PID 2504 wrote to memory of 3044	2504	cmd.exe	72
PID 2504 wrote to memory of 3044	2504	cmd.exe	72
PID 2504 wrote to memory of 3044	2504	cmd.exe	72
PID 2504 wrote to memory of 544	2504	cmd.exe	73
PID 2504 wrote to memory of 544	2504	cmd.exe	73
PID 2504 wrote to memory of 544	2504	cmd.exe	73
PID 544 wrote to memory of 2220	544	System.exe	74
PID 544 wrote to memory of 2220	544	System.exe	74
PID 544 wrote to memory of 2220	544	System.exe	74
PID 2220 wrote to memory of 1948	2220	cmd.exe	76
PID 2220 wrote to memory of 1948	2220	cmd.exe	76
PID 2220 wrote to memory of 1948	2220	cmd.exe	76
PID 2220 wrote to memory of 2200	2220	cmd.exe	77
PID 2220 wrote to memory of 2200	2220	cmd.exe	77
PID 2220 wrote to memory of 2200	2220	cmd.exe	77
PID 2200 wrote to memory of 2216	2200	System.exe	78
PID 2200 wrote to memory of 2216	2200	System.exe	78
PID 2200 wrote to memory of 2216	2200	System.exe	78
PID 2216 wrote to memory of 2984	2216	cmd.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d468074bb16f7dd2f914129bf9e973caebd7c5b15322707cea423c7529873d1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0d468074bb16f7dd2f914129bf9e973caebd7c5b15322707cea423c7529873d1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ja-JP\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sdnzbYHJb4.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1224
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2496
      - C:\Windows\ServiceProfiles\System.exe
        
        "C:\Windows\ServiceProfiles\System.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\veDg5wW3gS.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3044
        
        C:\Windows\ServiceProfiles\System.exe
        
        "C:\Windows\ServiceProfiles\System.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7bDnwPuEug.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1948
        
        C:\Windows\ServiceProfiles\System.exe
        
        "C:\Windows\ServiceProfiles\System.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SXo39smTXJ.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2984
        
        C:\Windows\ServiceProfiles\System.exe
        
        "C:\Windows\ServiceProfiles\System.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat"
        13⤵
        
        PID:2356
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1712
        
        C:\Windows\ServiceProfiles\System.exe
        
        "C:\Windows\ServiceProfiles\System.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\S2GQUB77UU.bat"
        15⤵
        
        PID:1788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2960
        
        C:\Windows\ServiceProfiles\System.exe
        
        "C:\Windows\ServiceProfiles\System.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RBOUzXbIOW.bat"
        17⤵
        
        PID:2204
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2944
        
        C:\Windows\ServiceProfiles\System.exe
        
        "C:\Windows\ServiceProfiles\System.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eQ9EwglUAP.bat"
        19⤵
        
        PID:2652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2864
        
        C:\Windows\ServiceProfiles\System.exe
        
        "C:\Windows\ServiceProfiles\System.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9KWG0zl28.bat"
        21⤵
        
        PID:1472
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:964
        
        C:\Windows\ServiceProfiles\System.exe
        
        "C:\Windows\ServiceProfiles\System.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\ServiceProfiles\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\ServiceProfiles\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\System\ja-JP\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\ja-JP\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\System\ja-JP\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
28928dc1ef7c2c094636f764d345b9ae

SHA1
b69bfd61552679084ca1bcb131404d60f008a537

SHA256
b7b30fa40c8cc09557b0b5bbf68ce19e9867b08b5f70ffc0cdaf97d4ff688d41

SHA512
c3d965fd96974912464ecf32ba79f92552f13d8bae49b6263b16ffa04b88eda0b3b339b3dc5842ed02c4b05f166edbca5ab9449718d1e0f7ed763e4ebdbb6a70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
684ea416fb73b687edd2b131e593dd49

SHA1
80d56ae35d1cfdd1da5e5e215d7623686972713f

SHA256
1741976e265ec3ec5c864b64c7e5aaaf98ac7580d401fa69bfcf82b589d2bfe1

SHA512
6a6c420105b2d41e063816e834643c975ea4e52ca2df759c710d97e4b7ffcfe9d2ed0442a38e22b0978633d9da7492fae264cc3ca29d99a3ff01d99dba7be058

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
525d2e565bd2468fa121f7696ef1dac5

SHA1
9f496f0e7e19388d205fefb942c7462dd40287dc

SHA256
c3de1df2b3468d32a305858e458ed6a25768e5fd43ba7f9060490c0a51301703

SHA512
82d83b034cf24a117ded22f23a2d8495c6ad32094f87f57019fac33bf938e0d936c190acdff28dc00fbed345b0f0ea281c6716c37a4f3fc5c5a321119ffc52bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a143f70084dc4eeafc7328ad8b90e357

SHA1
2a0a8ee937c3876709216f9ce1171b3fffb45afe

SHA256
95ec2dcf693e0ab6563b4daf561b30247490cc1876b3be7d653ca5caf3585364

SHA512
b6ae94e6434786f825843fdec2db79131a3df3f9ca26c6989ed5acf8631323ab89573aa114de42b736073db43700469cc283950d3f21440eb0e0e5037bdf47fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08ecc149bbdc7b87baaa1c8ea305dc5e

SHA1
863a5f1e8fe929124e76a48ebceb93a5492a5858

SHA256
9890f0fc68ac126c30d643ff64dc0abe4c946a20b09ae52714094027cfb630ec

SHA512
c1b7582ca3c6c53e3debd3ea32fa20bbfa25b7922f8c0751994373f7471fcd2ef123235939c27b0cf85f727fc25e57f242d6d17bb1fe39524203576dcddc51a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
857efb15efb314530fbdc96f953b28d8

SHA1
003042df7436b57cd7bed63db97154ec4c9b088a

SHA256
f964439c9f9c16c0439a716e4b24f0327be75e17d215e496c1bf138694d74598

SHA512
1325354e3eabbb60ffdd0719fb30642dee63d363267874b877284aee4fe327b52b59e8d64731add4ec34dc167fe6ffeb7ae65f22d43cbfe6884f86ff8ea31b9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c43b3697f3c6c28f4986c1025b2b9873

SHA1
481f39ce5130b7779d4162e55cc5229ddf7c7c47

SHA256
a374b596a403cb7e4b4807554fe7692b72283104bd708e92d47a3972de2a2e04

SHA512
5ddcbd6df3246c20bbcfda4f72cc1da278e61e3cdc08b45a9fac717658c4187f5e045b7fca3ebba4779bbc648e9a44347df94b8c467d5a76bbe36c897d3c48d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
62de4a920635360ebc47f92f21ddac84

SHA1
180f735e8d594bba98bef099e6d1cc715e2e9690

SHA256
1186ee973591a175201c2465610d654ab4447c80a0e93f4c420fe43cf2be57ca

SHA512
901d9cb3aaac5bb06b79678a8ff9ed181de633dd756fdc91cacbb4c7e76931eebfecb62833150142236bda85a10850f6dabe5239f53a811a992af78069c96958

Download Submit
C:\Users\Admin\AppData\Local\Temp\7bDnwPuEug.bat

Filesize
202B

MD5
710cc3cfb1ccf8803003b22b20e6ac53

SHA1
9dde58cc60a2242c681e4699c09c6d8bc7e5b48d

SHA256
f9d4e007b54136195f18e11562b861393e685b2782088f7e8c8a4c9afdfd193c

SHA512
ff651573f99f9f11485efd2db3c26a6ba8775dd91373a8592cfd6943334082f7e21f0998dde4024a406262b2d23bee0b680409954381094b5f0c76f0c7ea9121

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7496.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D9KWG0zl28.bat

Filesize
202B

MD5
1bfcb76907359c6a1f17de0b4828607b

SHA1
dc299ecb0decd3a49dbf7f5540ae3671260d557a

SHA256
2b429db75940519a6491abeb86c5ba7f8d8a6da72c9a1f715a86cebeb07a1218

SHA512
37b13c3cc068dfaacf75740c4d47c58708c561cb56c3ffda30a5876cd46a69b9ecbe4194c1214a9e8fb9b680df4442ce2d40868b296d2cd2186d1ceab8c4c911

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBOUzXbIOW.bat

Filesize
202B

MD5
49ac37b7a8871ad13c44ce59ade92e73

SHA1
023253fec079654860a9426208705b867fe8cd35

SHA256
232308afa22898243f81b5f932a7f98215cfc472074c2685e1c328896bd01414

SHA512
bf2d679cc9e37a17dcd12f1e582ca4879f82417149f84bc09799e0b070cfa162c2d6291f076670bef178a9b12f926f4df49074369ccdc82faed695176c8ce412

Download Submit
C:\Users\Admin\AppData\Local\Temp\S2GQUB77UU.bat

Filesize
202B

MD5
c50da96c352375e2e6c85e8fc391866e

SHA1
6382b5e87fc66ea95ce6709f80e41eeed98178df

SHA256
afc63ad624b6113efb4903b658b2c60cd2a341cc23f0df556327986eceb94f39

SHA512
7a7d0f4a959f8e4cca127140c7acc6e1054dbdd70ef8dfc2b396ff0b7d1152170b1bb259a1b4999a38c4562ca2071c146a15107610792ace07d48f33d6e22b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SXo39smTXJ.bat

Filesize
202B

MD5
f6ec7fd6f7d753473ebb2f0ca6e555c0

SHA1
a930f846d08f5620fe1f34d62b8e8bc9f2c3a7d4

SHA256
eadbb6b5f9a817ec366c9c23c6c272e02ea70ce02feeeb575ba0df010cf766f6

SHA512
73ef0a527d507f1568dc1a2a246b9a5e7d9653fd4f9268323edf03ad68f4f6bbe1aaad0e8117a2c3b030b5ebe3bdf6d483666803212c64a6479a8809164063ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7583.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQ9EwglUAP.bat

Filesize
202B

MD5
3ca7897f9632ec3a393cc133ffea8901

SHA1
964ccf14b24b9ac2b3966eaee217621e8c0d3370

SHA256
1fe0d24361d681d9f3716b59c3d7fcac96360c1e7a7d5ff3a4aba09aeceb5df1

SHA512
49d7e17e5d66fbc83f115f7d4d83ef0eb8c672964308f5e3dacd71ac2251695f72333d72ae03bca65df15389b8af74529931fd6f82563098d1fb96d27c2e5fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdnzbYHJb4.bat

Filesize
202B

MD5
36277f8913831ae74b72ce48cef20a45

SHA1
9f201c71147a33b3dc95e80b00c5917a6a557d78

SHA256
bd726e62f929f416b2d055dd741148779ea144059ee34cc88e78616d296b603a

SHA512
ac73903f111ec870224553deb3eccde3cf298e9e6b6e7e2058285a9383f2a83636c8b99be51335880a52ec7c28add29efb84a3d10e5b556f8c455a3f4bda3bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat

Filesize
202B

MD5
86a1132b19d0e7d5757289dcff774b65

SHA1
f5afc8f1091f7e01ecbbc5b25133e9f902fa7c02

SHA256
b9cc2a12cff54168fd9863e2c1a6db6430738566ab897b3745ad90258ef84438

SHA512
3a32ebbd18e10061350fcb58c7dd924ea06860fb58985f119636cfa901472fe95c549d0787d8e882c932d4fb243221fb29767c4c7db3eff7a0f8428c4265ebbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\veDg5wW3gS.bat

Filesize
202B

MD5
cdc73373782b0c4bafdf2c58bb017087

SHA1
578084da9fb58f521f18fab6ff578778f40c898c

SHA256
f63467177d959717baef6a1dd6b0aad3775d312c2b580a84ad80762cc00f9d11

SHA512
0e7c15e2fb57aa0b38d345c097fe92520ae1521838b980e51be0ff0eea2ac9841cde480e90f07b4003a3947494c231b1ca2da20dba560b7f1bd1691bfc722abb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
396117872751a3fa4b00b28659ccdf3b

SHA1
d225f3e620696dab55bc670cad04125875f8d1b6

SHA256
7f1579d07ab1fae817198892b3756acc664dabf90dfac4a980daf0fddff01b4a

SHA512
34286a98b82cfb70f854c6a22c65ca441d1d2a238f95d46bfddca4ffa153130fed3d48154d7008a45cec037110775497df1b9df1e201860cd2aa1961cc58c174

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/544-130-0x00000000002D0000-0x00000000003E0000-memory.dmp

Filesize
1.1MB

Download
memory/852-311-0x0000000000260000-0x0000000000370000-memory.dmp

Filesize
1.1MB

Download
memory/1988-68-0x0000000001D70000-0x0000000001D78000-memory.dmp

Filesize
32KB

Download
memory/1988-45-0x000000001B390000-0x000000001B672000-memory.dmp

Filesize
2.9MB

Download
memory/2152-251-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2152-250-0x00000000002A0000-0x00000000003B0000-memory.dmp

Filesize
1.1MB

Download
memory/2200-190-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/2212-371-0x00000000013B0000-0x00000000014C0000-memory.dmp

Filesize
1.1MB

Download
memory/2212-372-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2388-71-0x0000000000920000-0x0000000000A30000-memory.dmp

Filesize
1.1MB

Download
memory/2492-550-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/2896-15-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2896-14-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2896-16-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2896-13-0x00000000012A0000-0x00000000013B0000-memory.dmp

Filesize
1.1MB

Download
memory/2896-17-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download