dcrat | 0a391e004942f1c430354872ee059c7691476e07a27ff017aecadc2e1f639ac2

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0a391e004942f1c430354872ee059c7691476e07a27ff017aecadc2e1f639ac2.exe
Size

1.3MB
MD5

b372992b3eb60f47235583e06889bb24
SHA1

e0fd86a13d82337cf3f6f3da1c7dba54367c395c
SHA256

0a391e004942f1c430354872ee059c7691476e07a27ff017aecadc2e1f639ac2
SHA512

51fa6d56412735148348c358eceedba2cf5e013468d5e35f09cc1fa0680482655ddfeeef0659a52dd1d157f81f4729047cbeebf390ea27d2ebf352988b9b3bf1
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2820	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016d49-11.dat	dcrat
behavioral1/memory/2344-13-0x0000000000110000-0x0000000000220000-memory.dmp	dcrat
behavioral1/memory/1764-45-0x0000000000D40000-0x0000000000E50000-memory.dmp	dcrat
behavioral1/memory/2792-164-0x00000000012C0000-0x00000000013D0000-memory.dmp	dcrat
behavioral1/memory/3028-401-0x0000000000040000-0x0000000000150000-memory.dmp	dcrat
behavioral1/memory/1340-461-0x0000000000B50000-0x0000000000C60000-memory.dmp	dcrat
behavioral1/memory/2900-521-0x0000000000D30000-0x0000000000E40000-memory.dmp	dcrat
behavioral1/memory/684-581-0x0000000000310000-0x0000000000420000-memory.dmp	dcrat
behavioral1/memory/1688-642-0x0000000000EC0000-0x0000000000FD0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2564	powershell.exe
2572	powershell.exe
2580	powershell.exe

Executes dropped EXE 14 IoCs

pid	Process
2344	DllCommonsvc.exe
1764	Idle.exe
1676	Idle.exe
2792	Idle.exe
752	Idle.exe
1324	Idle.exe
2376	Idle.exe
3028	Idle.exe
1340	Idle.exe
2900	Idle.exe
684	Idle.exe
1688	Idle.exe
908	Idle.exe
2468	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
1712	cmd.exe
1712	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
15	raw.githubusercontent.com
43	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
26	raw.githubusercontent.com
39	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0a391e004942f1c430354872ee059c7691476e07a27ff017aecadc2e1f639ac2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2684	schtasks.exe
2428	schtasks.exe
2676	schtasks.exe
3040	schtasks.exe
1916	schtasks.exe
2604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2344	DllCommonsvc.exe
2564	powershell.exe
2580	powershell.exe
2572	powershell.exe
1764	Idle.exe
1676	Idle.exe
2792	Idle.exe
752	Idle.exe
1324	Idle.exe
2376	Idle.exe
3028	Idle.exe
1340	Idle.exe
2900	Idle.exe
684	Idle.exe
1688	Idle.exe
908	Idle.exe
2468	Idle.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2344	DllCommonsvc.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	1764	Idle.exe
Token: SeDebugPrivilege	1676	Idle.exe
Token: SeDebugPrivilege	2792	Idle.exe
Token: SeDebugPrivilege	752	Idle.exe
Token: SeDebugPrivilege	1324	Idle.exe
Token: SeDebugPrivilege	2376	Idle.exe
Token: SeDebugPrivilege	3028	Idle.exe
Token: SeDebugPrivilege	1340	Idle.exe
Token: SeDebugPrivilege	2900	Idle.exe
Token: SeDebugPrivilege	684	Idle.exe
Token: SeDebugPrivilege	1688	Idle.exe
Token: SeDebugPrivilege	908	Idle.exe
Token: SeDebugPrivilege	2468	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2308	2368	JaffaCakes118_0a391e004942f1c430354872ee059c7691476e07a27ff017aecadc2e1f639ac2.exe	30
PID 2368 wrote to memory of 2308	2368	JaffaCakes118_0a391e004942f1c430354872ee059c7691476e07a27ff017aecadc2e1f639ac2.exe	30
PID 2368 wrote to memory of 2308	2368	JaffaCakes118_0a391e004942f1c430354872ee059c7691476e07a27ff017aecadc2e1f639ac2.exe	30
PID 2368 wrote to memory of 2308	2368	JaffaCakes118_0a391e004942f1c430354872ee059c7691476e07a27ff017aecadc2e1f639ac2.exe	30
PID 2308 wrote to memory of 1712	2308	WScript.exe	31
PID 2308 wrote to memory of 1712	2308	WScript.exe	31
PID 2308 wrote to memory of 1712	2308	WScript.exe	31
PID 2308 wrote to memory of 1712	2308	WScript.exe	31
PID 1712 wrote to memory of 2344	1712	cmd.exe	33
PID 1712 wrote to memory of 2344	1712	cmd.exe	33
PID 1712 wrote to memory of 2344	1712	cmd.exe	33
PID 1712 wrote to memory of 2344	1712	cmd.exe	33
PID 2344 wrote to memory of 2564	2344	DllCommonsvc.exe	41
PID 2344 wrote to memory of 2564	2344	DllCommonsvc.exe	41
PID 2344 wrote to memory of 2564	2344	DllCommonsvc.exe	41
PID 2344 wrote to memory of 2572	2344	DllCommonsvc.exe	42
PID 2344 wrote to memory of 2572	2344	DllCommonsvc.exe	42
PID 2344 wrote to memory of 2572	2344	DllCommonsvc.exe	42
PID 2344 wrote to memory of 2580	2344	DllCommonsvc.exe	43
PID 2344 wrote to memory of 2580	2344	DllCommonsvc.exe	43
PID 2344 wrote to memory of 2580	2344	DllCommonsvc.exe	43
PID 2344 wrote to memory of 2232	2344	DllCommonsvc.exe	47
PID 2344 wrote to memory of 2232	2344	DllCommonsvc.exe	47
PID 2344 wrote to memory of 2232	2344	DllCommonsvc.exe	47
PID 2232 wrote to memory of 1236	2232	cmd.exe	49
PID 2232 wrote to memory of 1236	2232	cmd.exe	49
PID 2232 wrote to memory of 1236	2232	cmd.exe	49
PID 2232 wrote to memory of 1764	2232	cmd.exe	51
PID 2232 wrote to memory of 1764	2232	cmd.exe	51
PID 2232 wrote to memory of 1764	2232	cmd.exe	51
PID 1764 wrote to memory of 1204	1764	Idle.exe	52
PID 1764 wrote to memory of 1204	1764	Idle.exe	52
PID 1764 wrote to memory of 1204	1764	Idle.exe	52
PID 1204 wrote to memory of 1564	1204	cmd.exe	54
PID 1204 wrote to memory of 1564	1204	cmd.exe	54
PID 1204 wrote to memory of 1564	1204	cmd.exe	54
PID 1204 wrote to memory of 1676	1204	cmd.exe	55
PID 1204 wrote to memory of 1676	1204	cmd.exe	55
PID 1204 wrote to memory of 1676	1204	cmd.exe	55
PID 1676 wrote to memory of 2516	1676	Idle.exe	56
PID 1676 wrote to memory of 2516	1676	Idle.exe	56
PID 1676 wrote to memory of 2516	1676	Idle.exe	56
PID 2516 wrote to memory of 2928	2516	cmd.exe	58
PID 2516 wrote to memory of 2928	2516	cmd.exe	58
PID 2516 wrote to memory of 2928	2516	cmd.exe	58
PID 2516 wrote to memory of 2792	2516	cmd.exe	59
PID 2516 wrote to memory of 2792	2516	cmd.exe	59
PID 2516 wrote to memory of 2792	2516	cmd.exe	59
PID 2792 wrote to memory of 1316	2792	Idle.exe	60
PID 2792 wrote to memory of 1316	2792	Idle.exe	60
PID 2792 wrote to memory of 1316	2792	Idle.exe	60
PID 1316 wrote to memory of 1700	1316	cmd.exe	62
PID 1316 wrote to memory of 1700	1316	cmd.exe	62
PID 1316 wrote to memory of 1700	1316	cmd.exe	62
PID 1316 wrote to memory of 752	1316	cmd.exe	63
PID 1316 wrote to memory of 752	1316	cmd.exe	63
PID 1316 wrote to memory of 752	1316	cmd.exe	63
PID 752 wrote to memory of 1928	752	Idle.exe	64
PID 752 wrote to memory of 1928	752	Idle.exe	64
PID 752 wrote to memory of 1928	752	Idle.exe	64
PID 1928 wrote to memory of 1860	1928	cmd.exe	66
PID 1928 wrote to memory of 1860	1928	cmd.exe	66
PID 1928 wrote to memory of 1860	1928	cmd.exe	66
PID 1928 wrote to memory of 1324	1928	cmd.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0a391e004942f1c430354872ee059c7691476e07a27ff017aecadc2e1f639ac2.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0a391e004942f1c430354872ee059c7691476e07a27ff017aecadc2e1f639ac2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\42CEn0iP2b.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2232
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1236
      - C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cV1vwDPsky.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1564
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ww4YVzclJm.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2928
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbn0SniZDX.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1700
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F8wGhM86rN.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1860
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KteTxDTZHh.bat"
        15⤵
        
        PID:1576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2528
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I1IMKnnpZ2.bat"
        17⤵
        
        PID:2940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1744
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CPhDZIwY3l.bat"
        19⤵
        
        PID:2364
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1136
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YpMZYQImRp.bat"
        21⤵
        
        PID:1864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:540
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UxOjVeUiuv.bat"
        23⤵
        
        PID:2248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2616
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kRqsvBC5Qb.bat"
        25⤵
        
        PID:2736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1456
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bf5uratM3O.bat"
        27⤵
        
        PID:956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:828
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe"
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9BpIS9nw5f.bat"
        29⤵
        
        PID:2492
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:2976
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe"
        30⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
789c9c718343002078b5e106ee09a32e

SHA1
e27b515f1e914fd12b8f4a053cee27ff658a36ca

SHA256
c4eaa52ab71c8233cec4545753fd30b85d25afdc494c4e7677e401234f31b07c

SHA512
d30a918ddeb734583e2d10b8b9017ea408524fadc2ca4cab2d7c072581ea591258343f53781de7db3b3562a3f17d96ec307326297147484fc8621b832b98c0a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee573eaa4dab0cc1aeabe98ae6de98d0

SHA1
45124e7b43150dc6b7748ac8b1441d85037aa53c

SHA256
906e54877cd36904f820c613eb11a002a5fb9a1e4fbb100d2a2517731c44450d

SHA512
eccb401648e378348f08f9558337ebf05c408a39b1041f85d0bb89c9bd3c4665e7d30109295e7e72c9dcc82efac92b2e6c5e0725d5893b74869b25eaa2443929

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99aae4ec4ea14f9c9c8add982823cafe

SHA1
28d49c12fd6a9e9044034fc793f741b213aa7832

SHA256
d4d33a596ec06256242f6f358d1268d21acf43ac342c265810b20cbc7bfb53ac

SHA512
628b8e67447e7f6a0abaec5e2d4d34d6e4c287c792e06c193df8849566fc89f1043039f4a59e1ec57efcf64f31dd4cd4aed23229a4a19e55bc4a14f0a7cb318d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f706e94208b00e8db8bdb284d612fa5

SHA1
b7659636b18f9f0a08e8c733f7f8d7f182fd73d5

SHA256
2fad21aedb5c2b2e5074eb069a84e3993f01da95a2e621f6315a1f035feba7eb

SHA512
a7c53ce9a5812bd548d1eefe5a3adc1b00c40f59c13929d58563530da1b58d93cba42e537d006baeb6b64de4044a67f68c15ac68a615d76497744dc246f8c040

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
841efc070cdeb858d1ed86a032b6b1fc

SHA1
f2ff07563752f4c4c079a813f455cc2df6e1004d

SHA256
a44abf33cda264e29b853838abea41f9e3507353a1b2ea3235c228d02fd4eec0

SHA512
24eef42ba409ddddae3c5c73447e0005e59e7077b6eda987ce4f39f8491dcc5eeb8e6707e3102eaef768fba4be93ab4e2bef9000828ea33566a09eda753182e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e11a1f10b0bbcb178a30e84b84b0d338

SHA1
4598513235afea8d7a5b0dadabf1b44cdd545e0e

SHA256
eacaffb13711fe142ad8f2a7533528572184a983622d0667750297333ec832f2

SHA512
d988d150a08c6df1ff9d5bf3a1dd598495e686a5cc0e1995411674bbca9935808dabf8e38e86a133eee642b85b4fceae97f7f25e35cf477576e24967e43833a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8abb9459ae283cee92765b532e1caff3

SHA1
18f5441447dd1284197b999d1fd3969f86d6ba08

SHA256
08f4511e43a71522d97db882ecf0c6aadfb72849b72e3016af276432f38409e7

SHA512
a36b1f5594fe903edde364df6050836996118bc8bbf3801f2c9cfce3899130f63a73fb4988c96d21b6929954b9d7778ec918d899465500aa03ebfa8b37614316

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33f0b0c9cd16717dc3fdfeff7e8df366

SHA1
29b1faa3a6cfc77abbdc6b4613d8e630d892384d

SHA256
788f126f97fc7f0c3d448af92f5f76e38603ff115d36a298d06cba96771ebc11

SHA512
3aa64bd07feb7506a99abe2864d194a6c0e55f8bf8d120077e5f11c53135b7cde412be6ac33d4ac096fce8cb45ec48215fdca9b8b9b1aae426c29e55eb58d190

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4fa25041891209ae55be35ffc98621ee

SHA1
b6d9c70be36b142435b3adf262451802417c5ad8

SHA256
fc5dcc6183dac9a712406080d6f3e18d5f636764429fd6243e3415b8500b15c6

SHA512
c16713213f8375a9b23b882a77f973d7179dc12a7122b8d02594269c9e80f9e6d72248bae10c3d58c27c566b7089ee466631d5b678ec03273514533a4f8a8867

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d5a34915535f45fdc7cb6b64d57b0cd

SHA1
f9c142d5e4bae8b8f8cec9e322c06d87b2dbb28b

SHA256
74b2a4f83c6d6489be2cf444bc14754b49cd187a81b426e8ea4b034c4d9c184e

SHA512
15bb63525740a2d7dfedb0d83e4207ee0ada6334a1f7b966a2e2b4f5258505635d66f93748e398d5da27478e4633b9add1cd1ec3c243e15829555307a5990ac2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c079c1ab6ff2520d620195707c75c55e

SHA1
5cd315e6eff60f4f9a9d87748444259d72762cb2

SHA256
d6b531f906f9a61616ca639e9012ed6ba37216e6f35bf67e94216ce21ceb7ef9

SHA512
9fd71a9ea067c81513a7f4f04b7c5bed2a25297c352774101a8cca99cbdace2d1f79562952616bedb257c04024b6b17e746b14f17020713b594e6cd4c40be2e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\42CEn0iP2b.bat

Filesize
222B

MD5
826a0d307173da31e9da90b5980ba459

SHA1
ee16e6e1973a48b59d346d7ea9c3a54ea6f92fea

SHA256
f7f9cf4120befbf04116fe7bbc1d7c1094b6d29c081140d3c8e1a482d122140e

SHA512
d3d50739dee8a8ad2a5ea68897a5759b541d6044afe8cf6d04210b6b39f55af74c46e1a2220b4be23b068ae0403b7fe5ccce2919affb96870538a62b270bfb32

Download Submit
C:\Users\Admin\AppData\Local\Temp\9BpIS9nw5f.bat

Filesize
222B

MD5
46f42915bb634ecacbfb764182ffce50

SHA1
bc42d6dd4a396f0c40153923bb3db518f421c102

SHA256
47999d0fe30c22866c58fff1f2563e7b6365f6e202f56a174f0a728ef69b8cc9

SHA512
068ad3a2a9c5b733e688b3758c3925d015d0af54cd4f193ccf9b7527c85884775a63e90e46634d267b0733a9b51097ea57ba23a87f32aa8735d784801b8d4464

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bf5uratM3O.bat

Filesize
222B

MD5
a8179d6bda253e2b98bdf57fa586b675

SHA1
9c1961e64755cbe282c3546e34502e80925b9eec

SHA256
364b0bd935ec8d1d509c14abc935a096f00b17895bcb2308c62d78fe0df74e1d

SHA512
552ec3d6dd21e3303b494b5128f64c78b33594e27c5944aae79c6e8e57ea13a8d8a33c035e5075d34a5939d882bb9f3ea33bd383c3d6581a6b7a0803d477f003

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPhDZIwY3l.bat

Filesize
222B

MD5
1354ca715a780516a810a6371402e269

SHA1
9bedbf713cd9cff6b42c7c7b7315b90deaf96de9

SHA256
722653c93b8cf4fc2d2b8da0e3322f3ee3827caf1b5b6953c50627efd181ee4c

SHA512
a13db941764d89b339a6af1c149a1b5da0638f39d1a808b51ad9a658412819f990fed0113af3de16cae204adf0e25fb7ea64d5d076e89284e3c34420ec2af3ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab724.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8wGhM86rN.bat

Filesize
222B

MD5
92c251197074cd20b764235b81e6aedd

SHA1
65b7431df3bae191da55e3a5cb571d3524a3d0f8

SHA256
bf7fe3e905d03aeaf744c81f5ac30fcd62224361b07185338e0bdb4d2eb2cbb4

SHA512
7a67083641e47a1e89c6027cb28ef41b01590dd8914caad31add7f0b5af10605a0545b67cc053086a2c01a201af5a42c14d06c9d49def33a29f3440a1d05cc3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1IMKnnpZ2.bat

Filesize
222B

MD5
016af17d8cb89da8378266ac59f5ec2a

SHA1
e16491627b27bef876e4d9e87e134d5370ed4973

SHA256
8e466fc8aa7c39af1c3a05101d2c17f54c2e4b061614ea1d9203043f723c73e7

SHA512
7bd3e6022cb517b44ab867e7a6ffb9a895d9dc268e1a762a907e947e551f396ee87d85b8785a4c796ce6314e0af87ddac07a99f456304dbe8043189e9279d1e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\KteTxDTZHh.bat

Filesize
222B

MD5
f8362d695d10890bba66e7a3f99b1372

SHA1
669671744c72497b69e05b0426f30199fc7f859f

SHA256
18e9ad98f73cd25943036e2728e5358e4b4064058b75dfe7d0eccfdfa919c76c

SHA512
138ed6e553043703c16dfbdd297f05a0ce324403b349243dc9cb4fb820d0a02bf83ea65533f9e85551af89b775fba781e7891b6a2b35ccfad67100d242fcbfaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pbn0SniZDX.bat

Filesize
222B

MD5
a5cfbeca8967f55d5cbe7ae007b6ef6d

SHA1
92100b517688202434407bcc393c1f23c4ea588f

SHA256
27c101b5363d8e6993255f603d8dc44625382b30f1dda30bd1acf47e4915fbbd

SHA512
c62edb2dc04ee262b112e20bf57a0d94449c0b22ca425ca7e82a65bbb95122d6754d1201c7ebcbdca3e3f20ce6be413b081af6736bb60beadb4f46cf7944ae63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar746.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UxOjVeUiuv.bat

Filesize
222B

MD5
dc4f582085222f4632321e2d2dc7e067

SHA1
62cef2bd7c525ec096b2e77d034bcd2e1d07c1e6

SHA256
20c58b3232cf555b837da161431948bad3e851793b2890b4b1c041ea6cfb4212

SHA512
2cd78bdfb6c5c282d404722906c81430ee10ff7cf112c34a26de3ab3b5e7c6ceeff68efbf85c7776459b2bbccee5404da094236dad02ac9bb29d784031be4682

Download Submit
C:\Users\Admin\AppData\Local\Temp\YpMZYQImRp.bat

Filesize
222B

MD5
fe0c9a8ba9a247fa532f0c187bea0980

SHA1
d62bde6b26369a48282a1425bad50211e21b89a5

SHA256
242cef7e63b136021123b5dd880395627073f7b5cd97357f171bdc3b32dc5f26

SHA512
c3d2d7283a6cc6a5e768e8e625d31e30f8ca9ba37c87e62063c61f0967f3993727a3d16023f88f33c6b0182254f024d4e2929721a12efc2402974dc9abe30204

Download Submit
C:\Users\Admin\AppData\Local\Temp\cV1vwDPsky.bat

Filesize
222B

MD5
dbb0b7c79bf60fecd082e1ef25b85fb7

SHA1
fcba3f892a12f981ff58c6200da15981d9af0426

SHA256
5afa9172e8ab1915ae45ca1d014558ef85d6e6ae505a14a629d2c003fc0c3f21

SHA512
c7a0177aea415173ada34b3c6ce0515c73c9131b8a4b718a8da1b64eb403195f00f5b368ada681c8a3d0516aa8e44846ba834691ca4a4a9ccf35b6df8f500852

Download Submit
C:\Users\Admin\AppData\Local\Temp\kRqsvBC5Qb.bat

Filesize
222B

MD5
d3e7ca7a9c300a4f9353d808bd60f8b0

SHA1
0ea5edb9fb384586d404e54f7d1414de0b7ca484

SHA256
56a42d46473670eece772f82988cad2351309aa6b57a80ebb75dbe7921fdc370

SHA512
54333eebb21017e46a726941cb0ed31c79d412464c563fcd95d20024a745a650042b52e49e0d6eb9d3d0951f30e200318f4eb50f2768eaf7d7ec84f2934eebfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ww4YVzclJm.bat

Filesize
222B

MD5
14e40c2903ef97aecfbe0f997da388f9

SHA1
11972cd1cd466dff7890fc5d0a57b302a1054e92

SHA256
67e67d93094ddc909a0b0fe7b3443be33358b1888db42b9a965719a0f244fe05

SHA512
91fb50294dcc315ef4da8d7034a62964b35959aac0eeffae9dbb7681ec70e19be49dab06158b171bb5a49fb552b4174c0c7f3324fdeee62e7ece57546392552b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
484cf45e60961750bc2c4bd16e2c7a76

SHA1
1785826abaafa1b45345f33f48194e1e105e53a6

SHA256
7407079d63afced91ad931d6ae8ebd7fbd162aff1c9b3a56f79bce181d402206

SHA512
87ed1804ce0766b50ab3d2e5377007ac2b39d6d2a2236249b9c73f44c24f9a327be969a93b6b010d58cd92f77fd2708a06fa1e7064aeaaa6f54cc2850431da3c

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/684-582-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/684-581-0x0000000000310000-0x0000000000420000-memory.dmp

Filesize
1.1MB

Download
memory/908-702-0x00000000009F0000-0x0000000000A02000-memory.dmp

Filesize
72KB

Download
memory/1340-461-0x0000000000B50000-0x0000000000C60000-memory.dmp

Filesize
1.1MB

Download
memory/1676-104-0x0000000000380000-0x0000000000392000-memory.dmp

Filesize
72KB

Download
memory/1688-642-0x0000000000EC0000-0x0000000000FD0000-memory.dmp

Filesize
1.1MB

Download
memory/1764-45-0x0000000000D40000-0x0000000000E50000-memory.dmp

Filesize
1.1MB

Download
memory/2344-14-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2344-15-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/2344-16-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2344-17-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/2344-13-0x0000000000110000-0x0000000000220000-memory.dmp

Filesize
1.1MB

Download
memory/2564-35-0x000000001B520000-0x000000001B802000-memory.dmp

Filesize
2.9MB

Download
memory/2564-37-0x0000000002720000-0x0000000002728000-memory.dmp

Filesize
32KB

Download
memory/2792-164-0x00000000012C0000-0x00000000013D0000-memory.dmp

Filesize
1.1MB

Download
memory/2900-521-0x0000000000D30000-0x0000000000E40000-memory.dmp

Filesize
1.1MB

Download
memory/3028-401-0x0000000000040000-0x0000000000150000-memory.dmp

Filesize
1.1MB

Download