dcrat | 696223a14acff7b4532c1b22191ae0403feef3d5e13b1d68b4b8dc6a80867e44

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_696223a14acff7b4532c1b22191ae0403feef3d5e13b1d68b4b8dc6a80867e44.exe
Size

1.3MB
MD5

f9645dfe7ffbebdb967ab819c9a67ff2
SHA1

05d7545b61059b738e87cc905fce6aa51941d18e
SHA256

696223a14acff7b4532c1b22191ae0403feef3d5e13b1d68b4b8dc6a80867e44
SHA512

00b627b7b4e128d7f6bc8e73bf12a9f52a14621a43b3e742f64d9f0610034c3013b89e5f0b1e10c857a30afd94256bac0a14a4d11f40ecd2a2d331bfc8958ea9
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2776	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	2776	schtasks.exe	34

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000186fd-9.dat	dcrat
behavioral1/memory/2808-13-0x0000000000A10000-0x0000000000B20000-memory.dmp	dcrat
behavioral1/memory/1300-56-0x0000000000A70000-0x0000000000B80000-memory.dmp	dcrat
behavioral1/memory/1720-115-0x0000000000E80000-0x0000000000F90000-memory.dmp	dcrat
behavioral1/memory/836-295-0x0000000001340000-0x0000000001450000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1484	powershell.exe
2972	powershell.exe
2992	powershell.exe
1640	powershell.exe
2352	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2808	DllCommonsvc.exe
1300	sppsvc.exe
1720	sppsvc.exe
1148	sppsvc.exe
1068	sppsvc.exe
836	sppsvc.exe
2292	sppsvc.exe
2344	sppsvc.exe
2856	sppsvc.exe
2404	sppsvc.exe
2868	sppsvc.exe
3060	sppsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
1812	cmd.exe
1812	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
37	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\images\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\images\audiodg.exe	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PLA\winlogon.exe	DllCommonsvc.exe
File created	C:\Windows\PLA\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Windows\PLA\winlogon.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_696223a14acff7b4532c1b22191ae0403feef3d5e13b1d68b4b8dc6a80867e44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2876	schtasks.exe
2732	schtasks.exe
2052	schtasks.exe
1716	schtasks.exe
2976	schtasks.exe
2736	schtasks.exe
2672	schtasks.exe
980	schtasks.exe
2940	schtasks.exe
1180	schtasks.exe
1048	schtasks.exe
2636	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 11 IoCs

pid	Process
1300	sppsvc.exe
1720	sppsvc.exe
1148	sppsvc.exe
1068	sppsvc.exe
836	sppsvc.exe
2292	sppsvc.exe
2344	sppsvc.exe
2856	sppsvc.exe
2404	sppsvc.exe
2868	sppsvc.exe
3060	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2808	DllCommonsvc.exe
2972	powershell.exe
1640	powershell.exe
2992	powershell.exe
1484	powershell.exe
2352	powershell.exe
1300	sppsvc.exe
1720	sppsvc.exe
1148	sppsvc.exe
1068	sppsvc.exe
836	sppsvc.exe
2292	sppsvc.exe
2344	sppsvc.exe
2856	sppsvc.exe
2404	sppsvc.exe
2868	sppsvc.exe
3060	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	DllCommonsvc.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	1300	sppsvc.exe
Token: SeDebugPrivilege	1720	sppsvc.exe
Token: SeDebugPrivilege	1148	sppsvc.exe
Token: SeDebugPrivilege	1068	sppsvc.exe
Token: SeDebugPrivilege	836	sppsvc.exe
Token: SeDebugPrivilege	2292	sppsvc.exe
Token: SeDebugPrivilege	2344	sppsvc.exe
Token: SeDebugPrivilege	2856	sppsvc.exe
Token: SeDebugPrivilege	2404	sppsvc.exe
Token: SeDebugPrivilege	2868	sppsvc.exe
Token: SeDebugPrivilege	3060	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 1124	2444	JaffaCakes118_696223a14acff7b4532c1b22191ae0403feef3d5e13b1d68b4b8dc6a80867e44.exe	30
PID 2444 wrote to memory of 1124	2444	JaffaCakes118_696223a14acff7b4532c1b22191ae0403feef3d5e13b1d68b4b8dc6a80867e44.exe	30
PID 2444 wrote to memory of 1124	2444	JaffaCakes118_696223a14acff7b4532c1b22191ae0403feef3d5e13b1d68b4b8dc6a80867e44.exe	30
PID 2444 wrote to memory of 1124	2444	JaffaCakes118_696223a14acff7b4532c1b22191ae0403feef3d5e13b1d68b4b8dc6a80867e44.exe	30
PID 1124 wrote to memory of 1812	1124	WScript.exe	31
PID 1124 wrote to memory of 1812	1124	WScript.exe	31
PID 1124 wrote to memory of 1812	1124	WScript.exe	31
PID 1124 wrote to memory of 1812	1124	WScript.exe	31
PID 1812 wrote to memory of 2808	1812	cmd.exe	33
PID 1812 wrote to memory of 2808	1812	cmd.exe	33
PID 1812 wrote to memory of 2808	1812	cmd.exe	33
PID 1812 wrote to memory of 2808	1812	cmd.exe	33
PID 2808 wrote to memory of 1484	2808	DllCommonsvc.exe	48
PID 2808 wrote to memory of 1484	2808	DllCommonsvc.exe	48
PID 2808 wrote to memory of 1484	2808	DllCommonsvc.exe	48
PID 2808 wrote to memory of 2972	2808	DllCommonsvc.exe	49
PID 2808 wrote to memory of 2972	2808	DllCommonsvc.exe	49
PID 2808 wrote to memory of 2972	2808	DllCommonsvc.exe	49
PID 2808 wrote to memory of 2992	2808	DllCommonsvc.exe	50
PID 2808 wrote to memory of 2992	2808	DllCommonsvc.exe	50
PID 2808 wrote to memory of 2992	2808	DllCommonsvc.exe	50
PID 2808 wrote to memory of 1640	2808	DllCommonsvc.exe	51
PID 2808 wrote to memory of 1640	2808	DllCommonsvc.exe	51
PID 2808 wrote to memory of 1640	2808	DllCommonsvc.exe	51
PID 2808 wrote to memory of 2352	2808	DllCommonsvc.exe	52
PID 2808 wrote to memory of 2352	2808	DllCommonsvc.exe	52
PID 2808 wrote to memory of 2352	2808	DllCommonsvc.exe	52
PID 2808 wrote to memory of 2844	2808	DllCommonsvc.exe	57
PID 2808 wrote to memory of 2844	2808	DllCommonsvc.exe	57
PID 2808 wrote to memory of 2844	2808	DllCommonsvc.exe	57
PID 2844 wrote to memory of 2104	2844	cmd.exe	60
PID 2844 wrote to memory of 2104	2844	cmd.exe	60
PID 2844 wrote to memory of 2104	2844	cmd.exe	60
PID 2844 wrote to memory of 1300	2844	cmd.exe	61
PID 2844 wrote to memory of 1300	2844	cmd.exe	61
PID 2844 wrote to memory of 1300	2844	cmd.exe	61
PID 2844 wrote to memory of 1300	2844	cmd.exe	61
PID 2844 wrote to memory of 1300	2844	cmd.exe	61
PID 1300 wrote to memory of 1688	1300	sppsvc.exe	62
PID 1300 wrote to memory of 1688	1300	sppsvc.exe	62
PID 1300 wrote to memory of 1688	1300	sppsvc.exe	62
PID 1688 wrote to memory of 2388	1688	cmd.exe	64
PID 1688 wrote to memory of 2388	1688	cmd.exe	64
PID 1688 wrote to memory of 2388	1688	cmd.exe	64
PID 1688 wrote to memory of 1720	1688	cmd.exe	65
PID 1688 wrote to memory of 1720	1688	cmd.exe	65
PID 1688 wrote to memory of 1720	1688	cmd.exe	65
PID 1688 wrote to memory of 1720	1688	cmd.exe	65
PID 1688 wrote to memory of 1720	1688	cmd.exe	65
PID 1720 wrote to memory of 2860	1720	sppsvc.exe	66
PID 1720 wrote to memory of 2860	1720	sppsvc.exe	66
PID 1720 wrote to memory of 2860	1720	sppsvc.exe	66
PID 2860 wrote to memory of 2832	2860	cmd.exe	68
PID 2860 wrote to memory of 2832	2860	cmd.exe	68
PID 2860 wrote to memory of 2832	2860	cmd.exe	68
PID 2860 wrote to memory of 1148	2860	cmd.exe	69
PID 2860 wrote to memory of 1148	2860	cmd.exe	69
PID 2860 wrote to memory of 1148	2860	cmd.exe	69
PID 2860 wrote to memory of 1148	2860	cmd.exe	69
PID 2860 wrote to memory of 1148	2860	cmd.exe	69
PID 1148 wrote to memory of 768	1148	sppsvc.exe	70
PID 1148 wrote to memory of 768	1148	sppsvc.exe	70
PID 1148 wrote to memory of 768	1148	sppsvc.exe	70
PID 768 wrote to memory of 2008	768	cmd.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_696223a14acff7b4532c1b22191ae0403feef3d5e13b1d68b4b8dc6a80867e44.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_696223a14acff7b4532c1b22191ae0403feef3d5e13b1d68b4b8dc6a80867e44.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\images\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Links\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fvEHEwzTUV.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2844
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2104
      - C:\Users\Default\Links\sppsvc.exe
        
        "C:\Users\Default\Links\sppsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oLfAgN0jmw.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2388
        
        C:\Users\Default\Links\sppsvc.exe
        
        "C:\Users\Default\Links\sppsvc.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\evbbIz777a.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2832
        
        C:\Users\Default\Links\sppsvc.exe
        
        "C:\Users\Default\Links\sppsvc.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\syea0WjfTx.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2008
        
        C:\Users\Default\Links\sppsvc.exe
        
        "C:\Users\Default\Links\sppsvc.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat"
        13⤵
        
        PID:592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2412
        
        C:\Users\Default\Links\sppsvc.exe
        
        "C:\Users\Default\Links\sppsvc.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qX4ufk0Q6M.bat"
        15⤵
        
        PID:1108
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1988
        
        C:\Users\Default\Links\sppsvc.exe
        
        "C:\Users\Default\Links\sppsvc.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat"
        17⤵
        
        PID:2972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2212
        
        C:\Users\Default\Links\sppsvc.exe
        
        "C:\Users\Default\Links\sppsvc.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat"
        19⤵
        
        PID:284
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2960
        
        C:\Users\Default\Links\sppsvc.exe
        
        "C:\Users\Default\Links\sppsvc.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z4XVup0LT1.bat"
        21⤵
        
        PID:2936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2664
        
        C:\Users\Default\Links\sppsvc.exe
        
        "C:\Users\Default\Links\sppsvc.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7hZg3igX7v.bat"
        23⤵
        
        PID:3008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1464
        
        C:\Users\Default\Links\sppsvc.exe
        
        "C:\Users\Default\Links\sppsvc.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\goxiuQmrpE.bat"
        25⤵
        
        PID:912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1644
        
        C:\Users\Default\Links\sppsvc.exe
        
        "C:\Users\Default\Links\sppsvc.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\PLA\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\PLA\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\images\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\images\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Links\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Links\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Links\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c40daccb0e6a6d014e9f64e0969aa3a3

SHA1
98fca483c235eb63ee840161b7d57dea26774131

SHA256
28f5bc9e94ed13727cf05b0c839d616f34538634c880a50695300a2f20cbe1d4

SHA512
938b8fc487239891d4eff0ed9474d01e316aa9e0adb3e3fa513cbba00bfe4a48d57e2a02490c2d5046085eaa462d9f5a95986e3932d2468dcb55920a41758149

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
163d49a11549ad9b89be3f9e1fe3cef8

SHA1
85cbc3145e1a715da3997b437ea21fc295325786

SHA256
1d5eceabe41329df3bc384270d06ed5ac8dde8a3c0e37c76fcc03253b733b05b

SHA512
d7aace7ce798b531da697d586c0b5a09ef1422db65983c0dc733266aa0482171a8b140fd19feecf2b8e3457fa1acebf496b08598b14c2530e9f7df5b1b9a48e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bbb892842597300038da0164b3168ef0

SHA1
1df3730c4a03ca07b2c1f895bc997eb087b55f68

SHA256
45d04165ab372b18de025199d9aab49316b42228506d1c02a9019972b2560aa8

SHA512
1fe212821f97f3e4d8c1400d78176cfca02ab5f739426771ff86748919d3414979918a51ace0ee6e2f3298f42faac6a710aec69ff0edc044051588ec1c28cd31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3db5d208b150d94db5f715b85e361100

SHA1
4ec19d9781da424bb1a9bf6d5e3bc33e7b690f05

SHA256
d6b92ebf8fce123c8bd665d2edf0d4e4f9ba1deae2d5dc8060e6760d681f4a22

SHA512
415fa985cf78508edd82b35560f61e24fd7bbbab862947c255b8089a224dee21ae00d2e9de45b31d898ddbe4f67b0421e6a5a05128110ac838b858352adfe737

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ba94e366aa43094bd541619e34de949

SHA1
498b6633ef4463af0e81104dab7d854f1c43ea9e

SHA256
63d3a61a5d03c6c9dc88fddcf4d1aa5bcc84ce8ceb41409445781e729f1bf4e3

SHA512
2b6e0f240bce964b89bf645f218180d3f966e3f4db4c859820464af1e76f0e4924f6abe7c635a33cecca32db5e6cbb864c812b5721fc821aaf68b159eee5c5b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57bb6119ec95cec37b998c14d4d0ffae

SHA1
bd10bbfb7f05fc010c848d66e7c02f5024180023

SHA256
b51f7cfefce820e12372d534f043758d31ed43869cf23919a5fa5e8ea472f7ff

SHA512
6b67d60dc94ce2eeba52610f93085fc2895651c5b420241942742904cd48caed3450804ee384c5626f73c5e688cb38068b745600ddcda5905bf444eaf4e07d0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13be3efe11d05c5c2b5fd2c2f6e1a874

SHA1
ef22cae6688ed86f27b235a6e30b688a2f9c4ae6

SHA256
0b90952c99502c934c8387b40f155c221107b919c431f49f882f06e43d935b7f

SHA512
8bfebeea3385755f43397da7d43171196a2173dae23d1a2c1f69ab259a64f1e8bfc6475ba0adcbd33a8b461e10b4d061042ec03a1a0bd02b95030875a0dac915

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b1877c8cca531378d4a4dfdeecee6a3

SHA1
34fe4557287258895be4acad607e4fabf91ad40e

SHA256
f7e52bfcc866d14f693c2215cb58c8a57297ebf3193028f03e496933cba2327c

SHA512
794389f0e063a200ce7edd52836c3570c462f2e3b2677217553b089d399b27cf01be91353016627713be15c938cba29478bb3456e57ac42ee5fefefbf09bfb02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e891ed6027e5f55e0d3ec5105296685a

SHA1
e2720e9c8425e80d8fae005142ef49127872869d

SHA256
dcffa8fe71369bd1590a106d94bc7347f3202c888c0c71b93aa17833802182c2

SHA512
b48252e850447841eb5db5a101f0127fa325be060a428bd136d594bf857253da6121def4771db51d2933bd895aae06b5c72c5a0cf002ca2604c82a3a2350b058

Download Submit
C:\Users\Admin\AppData\Local\Temp\7hZg3igX7v.bat

Filesize
198B

MD5
78efb0b2921d1bcf0d00ac4755e7f2c6

SHA1
8b06e6b7a1aa5adbb7bd567e1892d5d64b7f75c5

SHA256
c3bd59d95e3b7f894662d2764c7f81e1adecfb3be30e4c1a5ac0139711de9a6b

SHA512
d70be897d92292ad659a74a7393a1953bdb3e052566002752bc6d6b9e716ec40ae8897de7a8ca1cca143517a9f0f161147e7992f89656deda1aca3cb266e5e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF3B4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat

Filesize
198B

MD5
a24aecb0696a1e01ece5ab7aea81b12a

SHA1
7e8150d37f6e6f9fa985e7369e8b2bad8f40e6b9

SHA256
f5d5ccf680fa966df07057c849c3ccbee0a9e950185e469b4263ea7d3e4cff07

SHA512
ee2cbaa40de28b97e67e096c1a3df491e9cce3a93f2df74dc7f354837e8557229c0eff8d0038cc9e2896ee86a2e3130529419f02e42e2aef783e9540f79c52c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF3D6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z4XVup0LT1.bat

Filesize
198B

MD5
bfceb2e9519946b22d6d785096529d92

SHA1
26b50d8b47d02561172bde81b3e551606b9e145a

SHA256
33cde249e9883314e2861777ebef1132b825f26483459372989de60891894407

SHA512
605b2e08a50a7ee00287b3564933f96213d403c52288d1b9237d97ecc5329f8b386fcc5404ffb435ccb6bf1235c59d04ea6fedce2dec43d6ba3ffd078e313693

Download Submit
C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat

Filesize
198B

MD5
0d915039e39175e0a8b79280e64798fc

SHA1
1775224ae7b45a5478b147a6fb51ef07f07089b2

SHA256
377659dff85c32fb1c54ed27dbcd6e7be1af5d0de7b79eb39d7fa44cdf15b64c

SHA512
39417dcd708f81e1e702d20dfae7f58c93fa2604e376a97265d05575bb6739db12a6fb3574c7ed72208c33caea07bc6af2544f897caec17bae001ec1a8852532

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbbIz777a.bat

Filesize
198B

MD5
1fe5af2766fa8ff75f8f58ac4b4c47b2

SHA1
a49da200668332723cac45d41a2f83488b722283

SHA256
cab79599a32cbb4e754357929a8c87943c2e194445ba4b9ef2b16b90b8acd1b4

SHA512
d6ba85fe5c93b48fbf9fc1f5298ba7da1c31fb57b95e87f84a77d67bb4b66536ad93416bc3482c26180b37c89cb022eeb9d7dd0845213cef23776ecc9cb0112e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fvEHEwzTUV.bat

Filesize
198B

MD5
5fefc56a4796b3bb1f76626e3e30b34f

SHA1
744b8ee05588a4ffb35853b4eca1399b7e7f8d03

SHA256
3f12d989dee1d3ed47c992b05d85aa68b2c1c898e8edb9029c83a10356a4f788

SHA512
150860e46a92c0082a9d2d50fa9592095f81dfb898968740ddd5e730cb986c3ad52a227ae5e4ea8b60f108abfd54a28ba01fd6ddbe34bbcd95e9d0a164fec75b

Download Submit
C:\Users\Admin\AppData\Local\Temp\goxiuQmrpE.bat

Filesize
198B

MD5
8ff413c2dcaa01297e8d2563c259a27e

SHA1
ace32ff5c51b8477e63019d8984a76550d8b7cad

SHA256
f5833c64fd1d09eabd6e6cd25cd02d448c995e49158029bbe164c9f9bb4308c7

SHA512
80d1e0105e45a13d7095fcf43d000d3e620e762673aca07d4e1f6dc4ea290c8f7116ee9dd80424df387191a2e6a1f46d20136ca8bc0c4a45f84e4334f3d3eecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\oLfAgN0jmw.bat

Filesize
198B

MD5
f20ee259edffef22912d426aa8518b1c

SHA1
63a3d2d9a466440c451fe0623f32915f8b7631a1

SHA256
a20c4fd02c65eea0c82626749b92603f155824548055d9858a90a4456492059d

SHA512
ba791ddc859a815101140d0542df3484879cf2d3e0bfe4848c0385b8049552833918a56327965a35e2f5e14f06f9e486b340ce732f0d3c95442b6254923ac8a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qX4ufk0Q6M.bat

Filesize
198B

MD5
fd8c6fa0f63b05a6758e5b100c5079d1

SHA1
3ff01a79fd920cf4dd1abf365cdd9b8b357b160e

SHA256
103f5c41646ca8cf40c93f4ec0bae9e77ad149e1291b8bb46146c3ec2dd40c18

SHA512
fd956ed012c9b96ab4e69c8c318d8de3851384b7bbce7aba6cab53606846dcf8e01c9762305afac8382c071324b83d76212163dcf76949e832a8e3743765abd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\syea0WjfTx.bat

Filesize
198B

MD5
608b82a25f40fc7f8604d3021f92a5a6

SHA1
1ad3fdd4135c677cb7279c568e4b56129ca81392

SHA256
b09a48cdce13cc3552c72dbb90c7b3449cef10eab9be8d30662e7b22b39e6ae3

SHA512
7cb66eb9caa97660544556bf3419873afcf9332c4bea10aca994e4f35bb0c8d9b20eb83b9a9d1971eb80f904dbef5a158d570e5ea5bf52e88cccd7d50173c4c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat

Filesize
198B

MD5
a7855e80123d9852baacd348d75f54c4

SHA1
32672c1b86299e93b306ac8e6c5e17c7a05596f5

SHA256
c7ea5ead7c05523c02c1e7d82dc8274629fe6524eb9aefa9706927693acfa187

SHA512
49b562f69f95b0bb831120e9d9c01bf3681b412ad84d4f2bcc611e678a74dbbcf183229ce8207f62cc5ebef43fd21b4ec135e4b9050d5cc3e6005660e58bba0c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b20e44a8e64764fe10988563ab075467

SHA1
4a6619b7f8b05269084d868c274a56c27881d49f

SHA256
a966b807e5c0cb11e555f9f352163c285f7827186e137443a09a917931053cf0

SHA512
4cd2b69758197f81ca414f4e0111263ce81cfa0c4d302622b80eecf539d1ccf7707051f8ab93cf630b842aa19a60c2033416e0bbb06f334a11023f943355b47b

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/836-295-0x0000000001340000-0x0000000001450000-memory.dmp

Filesize
1.1MB

Download
memory/1148-176-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/1300-56-0x0000000000A70000-0x0000000000B80000-memory.dmp

Filesize
1.1MB

Download
memory/1720-116-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1720-115-0x0000000000E80000-0x0000000000F90000-memory.dmp

Filesize
1.1MB

Download
memory/2808-16-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2808-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2808-15-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2808-14-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2808-13-0x0000000000A10000-0x0000000000B20000-memory.dmp

Filesize
1.1MB

Download
memory/2868-591-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/2972-37-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2972-38-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download