dcrat | 23dc27ef79dad5c0a32209b93cfd9f27cb2c39e7656d173d61e495b9d544e541

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_23dc27ef79dad5c0a32209b93cfd9f27cb2c39e7656d173d61e495b9d544e541.exe
Size

1.3MB
MD5

3bd0ef823aff9feca85d68237c27d41e
SHA1

4d842ed2787c4b9c226a1b6af14aedb40a51477d
SHA256

23dc27ef79dad5c0a32209b93cfd9f27cb2c39e7656d173d61e495b9d544e541
SHA512

b9076c1d3484059c63b6319d63c15cd0e552023a20799337d087fd709a051e998bc43038c94405c2481e3cfb539abdea569a2de2f5667e026be306c290991261
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2884	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0006000000018731-10.dat	dcrat
behavioral1/memory/2356-13-0x0000000000910000-0x0000000000A20000-memory.dmp	dcrat
behavioral1/memory/1160-48-0x0000000000330000-0x0000000000440000-memory.dmp	dcrat
behavioral1/memory/2904-119-0x0000000000380000-0x0000000000490000-memory.dmp	dcrat
behavioral1/memory/1940-180-0x00000000001D0000-0x00000000002E0000-memory.dmp	dcrat
behavioral1/memory/848-240-0x0000000000F20000-0x0000000001030000-memory.dmp	dcrat
behavioral1/memory/1848-360-0x0000000000FA0000-0x00000000010B0000-memory.dmp	dcrat
behavioral1/memory/1312-420-0x00000000003E0000-0x00000000004F0000-memory.dmp	dcrat
behavioral1/memory/2324-539-0x0000000000320000-0x0000000000430000-memory.dmp	dcrat
behavioral1/memory/1096-599-0x0000000000F60000-0x0000000001070000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
636	powershell.exe
576	powershell.exe
2928	powershell.exe
568	powershell.exe
756	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2356	DllCommonsvc.exe
1160	winlogon.exe
2208	winlogon.exe
2904	winlogon.exe
1940	winlogon.exe
848	winlogon.exe
1932	winlogon.exe
1848	winlogon.exe
1312	winlogon.exe
1044	winlogon.exe
2324	winlogon.exe
1096	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
2332	cmd.exe
2332	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
13	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
35	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com
39	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\audiodg.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows NT\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\42af1c969fbb7b	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Downloaded Program Files\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Windows\Downloaded Program Files\Idle.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_23dc27ef79dad5c0a32209b93cfd9f27cb2c39e7656d173d61e495b9d544e541.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2924	schtasks.exe
1096	schtasks.exe
2812	schtasks.exe
2908	schtasks.exe
2652	schtasks.exe
2144	schtasks.exe
2456	schtasks.exe
3016	schtasks.exe
2624	schtasks.exe
2724	schtasks.exe
2752	schtasks.exe
1640	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2356	DllCommonsvc.exe
2356	DllCommonsvc.exe
2356	DllCommonsvc.exe
568	powershell.exe
2928	powershell.exe
756	powershell.exe
576	powershell.exe
636	powershell.exe
1160	winlogon.exe
2904	winlogon.exe
1940	winlogon.exe
848	winlogon.exe
1932	winlogon.exe
1848	winlogon.exe
1312	winlogon.exe
1044	winlogon.exe
2324	winlogon.exe
1096	winlogon.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2356	DllCommonsvc.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	1160	winlogon.exe
Token: SeDebugPrivilege	636	powershell.exe
Token: SeDebugPrivilege	2904	winlogon.exe
Token: SeDebugPrivilege	1940	winlogon.exe
Token: SeDebugPrivilege	848	winlogon.exe
Token: SeDebugPrivilege	1932	winlogon.exe
Token: SeDebugPrivilege	1848	winlogon.exe
Token: SeDebugPrivilege	1312	winlogon.exe
Token: SeDebugPrivilege	1044	winlogon.exe
Token: SeDebugPrivilege	2324	winlogon.exe
Token: SeDebugPrivilege	1096	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 1764	2672	JaffaCakes118_23dc27ef79dad5c0a32209b93cfd9f27cb2c39e7656d173d61e495b9d544e541.exe	30
PID 2672 wrote to memory of 1764	2672	JaffaCakes118_23dc27ef79dad5c0a32209b93cfd9f27cb2c39e7656d173d61e495b9d544e541.exe	30
PID 2672 wrote to memory of 1764	2672	JaffaCakes118_23dc27ef79dad5c0a32209b93cfd9f27cb2c39e7656d173d61e495b9d544e541.exe	30
PID 2672 wrote to memory of 1764	2672	JaffaCakes118_23dc27ef79dad5c0a32209b93cfd9f27cb2c39e7656d173d61e495b9d544e541.exe	30
PID 1764 wrote to memory of 2332	1764	WScript.exe	31
PID 1764 wrote to memory of 2332	1764	WScript.exe	31
PID 1764 wrote to memory of 2332	1764	WScript.exe	31
PID 1764 wrote to memory of 2332	1764	WScript.exe	31
PID 2332 wrote to memory of 2356	2332	cmd.exe	33
PID 2332 wrote to memory of 2356	2332	cmd.exe	33
PID 2332 wrote to memory of 2356	2332	cmd.exe	33
PID 2332 wrote to memory of 2356	2332	cmd.exe	33
PID 2356 wrote to memory of 2928	2356	DllCommonsvc.exe	47
PID 2356 wrote to memory of 2928	2356	DllCommonsvc.exe	47
PID 2356 wrote to memory of 2928	2356	DllCommonsvc.exe	47
PID 2356 wrote to memory of 568	2356	DllCommonsvc.exe	48
PID 2356 wrote to memory of 568	2356	DllCommonsvc.exe	48
PID 2356 wrote to memory of 568	2356	DllCommonsvc.exe	48
PID 2356 wrote to memory of 756	2356	DllCommonsvc.exe	49
PID 2356 wrote to memory of 756	2356	DllCommonsvc.exe	49
PID 2356 wrote to memory of 756	2356	DllCommonsvc.exe	49
PID 2356 wrote to memory of 636	2356	DllCommonsvc.exe	50
PID 2356 wrote to memory of 636	2356	DllCommonsvc.exe	50
PID 2356 wrote to memory of 636	2356	DllCommonsvc.exe	50
PID 2356 wrote to memory of 576	2356	DllCommonsvc.exe	51
PID 2356 wrote to memory of 576	2356	DllCommonsvc.exe	51
PID 2356 wrote to memory of 576	2356	DllCommonsvc.exe	51
PID 2356 wrote to memory of 1160	2356	DllCommonsvc.exe	57
PID 2356 wrote to memory of 1160	2356	DllCommonsvc.exe	57
PID 2356 wrote to memory of 1160	2356	DllCommonsvc.exe	57
PID 1160 wrote to memory of 2236	1160	winlogon.exe	58
PID 1160 wrote to memory of 2236	1160	winlogon.exe	58
PID 1160 wrote to memory of 2236	1160	winlogon.exe	58
PID 2236 wrote to memory of 2388	2236	cmd.exe	60
PID 2236 wrote to memory of 2388	2236	cmd.exe	60
PID 2236 wrote to memory of 2388	2236	cmd.exe	60
PID 2236 wrote to memory of 2208	2236	cmd.exe	62
PID 2236 wrote to memory of 2208	2236	cmd.exe	62
PID 2236 wrote to memory of 2208	2236	cmd.exe	62
PID 2316 wrote to memory of 2852	2316	cmd.exe	65
PID 2316 wrote to memory of 2852	2316	cmd.exe	65
PID 2316 wrote to memory of 2852	2316	cmd.exe	65
PID 2316 wrote to memory of 2904	2316	cmd.exe	66
PID 2316 wrote to memory of 2904	2316	cmd.exe	66
PID 2316 wrote to memory of 2904	2316	cmd.exe	66
PID 2904 wrote to memory of 2136	2904	winlogon.exe	67
PID 2904 wrote to memory of 2136	2904	winlogon.exe	67
PID 2904 wrote to memory of 2136	2904	winlogon.exe	67
PID 2136 wrote to memory of 676	2136	cmd.exe	69
PID 2136 wrote to memory of 676	2136	cmd.exe	69
PID 2136 wrote to memory of 676	2136	cmd.exe	69
PID 2136 wrote to memory of 1940	2136	cmd.exe	70
PID 2136 wrote to memory of 1940	2136	cmd.exe	70
PID 2136 wrote to memory of 1940	2136	cmd.exe	70
PID 1940 wrote to memory of 2084	1940	winlogon.exe	71
PID 1940 wrote to memory of 2084	1940	winlogon.exe	71
PID 1940 wrote to memory of 2084	1940	winlogon.exe	71
PID 2084 wrote to memory of 1756	2084	cmd.exe	73
PID 2084 wrote to memory of 1756	2084	cmd.exe	73
PID 2084 wrote to memory of 1756	2084	cmd.exe	73
PID 2084 wrote to memory of 848	2084	cmd.exe	74
PID 2084 wrote to memory of 848	2084	cmd.exe	74
PID 2084 wrote to memory of 848	2084	cmd.exe	74
PID 848 wrote to memory of 2516	848	winlogon.exe	75

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_23dc27ef79dad5c0a32209b93cfd9f27cb2c39e7656d173d61e495b9d544e541.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_23dc27ef79dad5c0a32209b93cfd9f27cb2c39e7656d173d61e495b9d544e541.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Recorded TV\Sample Media\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
    - - C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1160
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2388
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe"
        7⤵
        Executes dropped EXE
        
        PID:2208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n7UEJyIAjk.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2852
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHuJ4aKJis.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:676
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1756
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RdAvGBYmjZ.bat"
        14⤵
        
        PID:2516
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1812
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LkcfmFI5TJ.bat"
        16⤵
        
        PID:2412
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:912
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Q74CISUeM.bat"
        18⤵
        
        PID:808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2876
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat"
        20⤵
        
        PID:2276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2236
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yaFjl1awzE.bat"
        22⤵
        
        PID:2432
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1372
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KOC6cu7vKW.bat"
        24⤵
        
        PID:776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2688
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gJVLZ7RDs3.bat"
        26⤵
        
        PID:1920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Recorded TV\Sample Media\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Recorded TV\Sample Media\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\Downloaded Program Files\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
449279988e9ebfc5dabb41948f33b000

SHA1
7224bd150437f65191a6609df54ea0bc92148d2e

SHA256
af4e508f298e508059600f66bfec7aac977f6972e65af3add9b9ca7a89c37b60

SHA512
388ac6e8641d654f509177d59c75237673fc8891d3b8985e825fec8fc0667b8c577b0e00599a89efbbd093cdb749e3d62ea8e05870314bdc81ad760960103f3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a43fc220ac6e2365e7eadb6544a37a2

SHA1
f144ff310b8a934e05ed9bd2678a8dd27df6b155

SHA256
f3e54c52d611d295e3256269ad14db5f003f17dac711c8974e1e23a615cb67cc

SHA512
c8e06fae56a08db3c50581fa6b3d8d1f0b0d488b654549f65a104005d54359bac4358fd7fa2291a61e5c716676bda2e82ad997da6069b1724ad22ddf98ceacb4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4a164ad957681b4f7b751a0096f24b1

SHA1
7f8b4d44e942b12ecb4fc61861e68139ca843f34

SHA256
eb7a8fb066cd94f8471e34895c269cfbc044fbfd6b03811b1758fc81ca9045d6

SHA512
8a5e1fbcd99620c79f1c3e733773e0549b993f1f2b0ed757bfafe3af31c160f721625d382d7ae98254ee40bbfdb92cfc145f9061fb99ce3c41a70825559e8817

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71bd9146d3b97855132cef6d0c7e7766

SHA1
d0f661d901afa02dc9b4bce80541bc688ad348fe

SHA256
e854c6fa4d7ef34690ca219c9610e49528021159986a51bb2b87bc21283d090a

SHA512
0a74725f0457dcb97dd4fb0a666ca6b8439fdd93bf29076c1df32cb112903f45e150bff5d06cbe30f3233aacce21270b9f0cc4f07b7c8edaa011dacffe5bcbc9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0fec8906913e1507d4fad1774bbb0f7e

SHA1
73610c74424d2c04e3679188a911c1e8c04cfa96

SHA256
8daef27b8f0549ac8225cf8efb279d5137635a475c02d25d2129715d8feb1335

SHA512
512cd91dee31d824323a7b2f91148391e6a068c12ae5bd597a8f42be40595f8d5ebf43e2ff42394eeb492da3aa43b949895e1ba14740bd32ab501cfe962ca64b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
25050df6570244f769632c2f36d2e54d

SHA1
8e72834b46861debb932b85b742232d5113fdca6

SHA256
ec974674bb3672ca49b6c1b4e290d23bb3b77289c081cd500e4bf6ad4b4c9d8d

SHA512
834fdafcd46aaff0b73c5b361b1e5a234e6d7703523b859618d9497108484ad25191edd9d31369e5d86f949272605cd8b3766fb215be147fb938731caf393841

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2b06c470a3101d4fde5ff55be2ffb27

SHA1
44b08388a4abe6e53fecb19c130d469dd18f8624

SHA256
02bb866faabde02bcec92578178a2d2ee1c9ba126f9913569ecbeefbd3468b9a

SHA512
e81ebbc15dae445b6a6671f9c96a2c33c8a910eafe008420a561636c3cdaa1f12d89d021681a6e0dc8da008d8e79a3e7b56d7d9c8f63250e651fd7effeb3d14c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f61a62924a3062a3ef497a9079f93b2d

SHA1
4258fdb0d585e394cbb896c44870fb87d4c30d5c

SHA256
4420c25580844bc4e5804aec972df4279d042546dd94fe60a3657488dec09486

SHA512
11dc0cf446531afae16cf8c8d6be045c6b113c50fc46dd7170ceaf85c8aca62c32811b4c3e13c09835342258f6eaf6010daf94ba5756615a967fb1e6648c6a6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3282d18b5493f8c2e72593a172aee10

SHA1
1263f50da88134c7169ae93054cb584dadf66bae

SHA256
79088d6e488b19543b88be4bdc2c54e4ea16f5e392eb5a587bf72fdbf01967f3

SHA512
c29d372c3a7ec5267100f1fe36cbfcc8571f2a7c98b3baf03bd4c080339e4ea03351b2b259adf8782dd42e560e9093f0e98af9d51962d5f3e709c2e824bb36f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4Q74CISUeM.bat

Filesize
226B

MD5
a4c4e4b3d120c89017789b9d1c95e2fd

SHA1
d84fe17b5e3126f61d7d0ab1b4100ab1924bec46

SHA256
61c8cae05280903fd9ace56a5708e4e5cdd4b1e2eaa127daf02ba3d6545fdcda

SHA512
407b78dbd41ec7dd67f67a40fd0007ba79cf6ed0537e7b76437cad0aece9aa5488e833ec62b58087dd309e46ead57b436ebfae001e57b479fda32d6c801ebde8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat

Filesize
226B

MD5
5ac3f1ed1803e7206d799a0de97ca1d0

SHA1
4c52375dbf713fb6a07c7188194536f0372beb09

SHA256
67caaaa3342bc614fd73473a1f5e73c4e47f7db6c7edd5d731aa2a9615cdd6bd

SHA512
c9fc32a1207f736441c0c60dec3a5680cac4151525074b2cf94b18ff8826d745bf3e31d458930bea94e0f9fcf7e03719a9337aea01f21ba6f771891d7c56b221

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC90B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KOC6cu7vKW.bat

Filesize
226B

MD5
c17ebf1d2e4567f31ca20759d7f35f42

SHA1
ab724bbe0c01acd68a27f42eb03c3aaa902c0455

SHA256
76993f751e87f23965123ea00930de2899675243c29148ecaafd76ddb7b5068d

SHA512
39944a79de53e0b6aa8b748828278699de58a58244f3f0357e06cd817b39d80fa20953b6bcd7471b221274af3a2e89cd4c8a600a358516119fba03ed28666548

Download Submit
C:\Users\Admin\AppData\Local\Temp\LkcfmFI5TJ.bat

Filesize
226B

MD5
043a74ce30c0fc6119d847cd3bff3a14

SHA1
3dcc4c72ae3ab5772adcb0030f0c0d853338139d

SHA256
b34b08d8f93ce6bb0f22130fb9b8f0dbd91a8826189d54e524ed403e6d4379c4

SHA512
e732b10ebda8e8bfe857d762df85a6bc9558db7bb901428fd300176fc82489b2d8687f88581edef08123a7f530448d4867cbc3e1bbeb50ba0030a0a10454a2c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RdAvGBYmjZ.bat

Filesize
226B

MD5
439fd2df7e38c4a957f0996b61014e61

SHA1
5f9ca3bb4fed3117b868eefd8c86edb192a74437

SHA256
ccb1bc2b4a54c8cfe4aa208bd4c7bc48e9f9f858a0b65905df7438f9b411fa8e

SHA512
b8eebdfe594c6139748933885b17a7838d9d855c6a755786a41246ac48da7c424ff90c1004eb1fc4fec2831e15a21e97122f55b82b9474363b2701bd527134ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC91E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gJVLZ7RDs3.bat

Filesize
226B

MD5
63eb485808ee42beab1f2ba4f5394a12

SHA1
e76c5ce3498147dba779cd19d8cc650b4bb4b911

SHA256
02df4ae23bcd00d05033a024e310867799ed834644bdbcebb76593faa91f0150

SHA512
1582b1fa0f213fff0b9839b0a0ea140c6efc2cb2ae4d27f01b0fa07844b64e0ad2450c32c9c5065608f5b0fca2ffc53b0b058b9ae7e811dbaaec5948df877ac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\lHuJ4aKJis.bat

Filesize
226B

MD5
f7c2b970d88b87d0a9e6228c55070eb9

SHA1
385cf6b4d28875c7ed325bc7beb3a0aefda1712a

SHA256
4582bacd66ff3913a27962be70339a3acadf69ddd1b7c7c0c64795e9d8e656ec

SHA512
e11999c72bf0f3c1f746a2cb9af03476e2c52c099568fa66e4ec11f3c86717a056e43e09b59683e8e4403d818e78da434159a2ae378da7501fcfe369365397b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat

Filesize
226B

MD5
4b9583fb49d39835f84d2e695794cc01

SHA1
57b2ef283eec94108bf9a46d781a614af8c71d43

SHA256
8c82d0ef486f5f11e8736c22ae019647390a00223122b04a22fa5a5d33f6cb76

SHA512
e84d0faa41bc956a7730b77d9cc9c3cca2b1545c688a67c7aea3987e8198e11b3146927d9c2b2512b47f578274ee6ece83fd815db8538ff8d1ff8722fd79801b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yaFjl1awzE.bat

Filesize
226B

MD5
5f8ed0ef4d3c0a73e6dece338a12cec0

SHA1
3de9facc1cb78e5855928ee067f628fb8cbc282a

SHA256
fd82ddfa8a47b6f5c575cfbeb99c8caaf75661ac03487b4dc2a6804c5e62d7b9

SHA512
26e3ee058882d69216941775808bef32ce571a2cff5e111190347f18c096e62228db532931445898ec9233826028533ae4d2ffbe4e080fd7fbf02f06348d4333

Download Submit
C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat

Filesize
226B

MD5
8f20df9542bfb48dc9111ae1a73fb106

SHA1
bd12f79b8e047e35bc67f64a3c2aefc7c1d0df34

SHA256
df69df721c1a1bc3b7fcd5cf4ed20a2ae68c25109bf2afda6580ff5ea6966bb2

SHA512
41e91e19ddc6cc6d84fd4e6136cfcf6aabcd7ecf76211d317f70420e2c4e9e0fabce154a12b0917b2cb54aa1aa9e4e1d3c883a225f9da7f64176af88990ca0c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
77742b00683836e5f64cc6bb3127ffe5

SHA1
0150e5efb66d84cb803ec9cb83a0ead0521ee6de

SHA256
98d5ee26e149608c883018f6683a9d8bf44c68e7e6a0d941a19f68141f0daa5e

SHA512
3bf07fe37912b8d8a8eb7ad6d719366cd77303ce203677bcaab1d59efbe0ee666cd4e975c93e372dfd7c366a1dc00fb29348a67c117d88b0f1aa982027863a6f

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/568-46-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/568-39-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/848-240-0x0000000000F20000-0x0000000001030000-memory.dmp

Filesize
1.1MB

Download
memory/848-241-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/1096-599-0x0000000000F60000-0x0000000001070000-memory.dmp

Filesize
1.1MB

Download
memory/1160-59-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/1160-48-0x0000000000330000-0x0000000000440000-memory.dmp

Filesize
1.1MB

Download
memory/1312-420-0x00000000003E0000-0x00000000004F0000-memory.dmp

Filesize
1.1MB

Download
memory/1848-360-0x0000000000FA0000-0x00000000010B0000-memory.dmp

Filesize
1.1MB

Download
memory/1940-180-0x00000000001D0000-0x00000000002E0000-memory.dmp

Filesize
1.1MB

Download
memory/2324-539-0x0000000000320000-0x0000000000430000-memory.dmp

Filesize
1.1MB

Download
memory/2356-16-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download
memory/2356-17-0x000000001AD00000-0x000000001AD0C000-memory.dmp

Filesize
48KB

Download
memory/2356-15-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/2356-14-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2356-13-0x0000000000910000-0x0000000000A20000-memory.dmp

Filesize
1.1MB

Download
memory/2904-119-0x0000000000380000-0x0000000000490000-memory.dmp

Filesize
1.1MB

Download
memory/2904-120-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download