dcrat | fc03d35f9944714a7c87d3cc040298e1a1d6e5af857c457590f973db6048e11b

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_fc03d35f9944714a7c87d3cc040298e1a1d6e5af857c457590f973db6048e11b.exe
Size

1.3MB
MD5

1a035e9d86d9142c505bc8ed6523dd23
SHA1

7e0d941c85a9ba8f3aeaa97ea806d5473071e549
SHA256

fc03d35f9944714a7c87d3cc040298e1a1d6e5af857c457590f973db6048e11b
SHA512

30a51160e602c7c2e5c745d55d3655f13cf78e2a4baf45b3bfb9f316b3df7586af976a545efcadfa5ed88685bd6bca64755220c591f8a44e83f3db5da685d49b
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2140	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2140	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2140	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2140	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2140	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2140	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2140	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2140	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2140	schtasks.exe	32

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001567f-12.dat	dcrat
behavioral1/memory/1884-13-0x0000000000A90000-0x0000000000BA0000-memory.dmp	dcrat
behavioral1/memory/1780-52-0x00000000010B0000-0x00000000011C0000-memory.dmp	dcrat
behavioral1/memory/1748-111-0x00000000010F0000-0x0000000001200000-memory.dmp	dcrat
behavioral1/memory/2100-349-0x0000000000140000-0x0000000000250000-memory.dmp	dcrat
behavioral1/memory/996-409-0x0000000000D20000-0x0000000000E30000-memory.dmp	dcrat
behavioral1/memory/1800-469-0x0000000000360000-0x0000000000470000-memory.dmp	dcrat
behavioral1/memory/1584-530-0x0000000000B10000-0x0000000000C20000-memory.dmp	dcrat
behavioral1/memory/2496-649-0x0000000000350000-0x0000000000460000-memory.dmp	dcrat
behavioral1/memory/1744-709-0x0000000000300000-0x0000000000410000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2664	powershell.exe
2544	powershell.exe
2756	powershell.exe
2496	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
1884	DllCommonsvc.exe
1780	sppsvc.exe
1748	sppsvc.exe
1172	sppsvc.exe
2808	sppsvc.exe
2172	sppsvc.exe
2100	sppsvc.exe
996	sppsvc.exe
1800	sppsvc.exe
1584	sppsvc.exe
2516	sppsvc.exe
2496	sppsvc.exe
1744	sppsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
3060	cmd.exe
3060	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
19	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
28	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
32	raw.githubusercontent.com
35	raw.githubusercontent.com
9	raw.githubusercontent.com
38	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_fc03d35f9944714a7c87d3cc040298e1a1d6e5af857c457590f973db6048e11b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2720	schtasks.exe
1624	schtasks.exe
2240	schtasks.exe
2696	schtasks.exe
2604	schtasks.exe
2652	schtasks.exe
2736	schtasks.exe
2616	schtasks.exe
2672	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 12 IoCs

pid	Process
1780	sppsvc.exe
1748	sppsvc.exe
1172	sppsvc.exe
2808	sppsvc.exe
2172	sppsvc.exe
2100	sppsvc.exe
996	sppsvc.exe
1800	sppsvc.exe
1584	sppsvc.exe
2516	sppsvc.exe
2496	sppsvc.exe
1744	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1884	DllCommonsvc.exe
2544	powershell.exe
2756	powershell.exe
2664	powershell.exe
2496	powershell.exe
1780	sppsvc.exe
1748	sppsvc.exe
1172	sppsvc.exe
2808	sppsvc.exe
2172	sppsvc.exe
2100	sppsvc.exe
996	sppsvc.exe
1800	sppsvc.exe
1584	sppsvc.exe
2516	sppsvc.exe
2496	sppsvc.exe
1744	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	1884	DllCommonsvc.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	1780	sppsvc.exe
Token: SeDebugPrivilege	1748	sppsvc.exe
Token: SeDebugPrivilege	1172	sppsvc.exe
Token: SeDebugPrivilege	2808	sppsvc.exe
Token: SeDebugPrivilege	2172	sppsvc.exe
Token: SeDebugPrivilege	2100	sppsvc.exe
Token: SeDebugPrivilege	996	sppsvc.exe
Token: SeDebugPrivilege	1800	sppsvc.exe
Token: SeDebugPrivilege	1584	sppsvc.exe
Token: SeDebugPrivilege	2516	sppsvc.exe
Token: SeDebugPrivilege	2496	sppsvc.exe
Token: SeDebugPrivilege	1744	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2236	2288	JaffaCakes118_fc03d35f9944714a7c87d3cc040298e1a1d6e5af857c457590f973db6048e11b.exe	28
PID 2288 wrote to memory of 2236	2288	JaffaCakes118_fc03d35f9944714a7c87d3cc040298e1a1d6e5af857c457590f973db6048e11b.exe	28
PID 2288 wrote to memory of 2236	2288	JaffaCakes118_fc03d35f9944714a7c87d3cc040298e1a1d6e5af857c457590f973db6048e11b.exe	28
PID 2288 wrote to memory of 2236	2288	JaffaCakes118_fc03d35f9944714a7c87d3cc040298e1a1d6e5af857c457590f973db6048e11b.exe	28
PID 2236 wrote to memory of 3060	2236	WScript.exe	29
PID 2236 wrote to memory of 3060	2236	WScript.exe	29
PID 2236 wrote to memory of 3060	2236	WScript.exe	29
PID 2236 wrote to memory of 3060	2236	WScript.exe	29
PID 3060 wrote to memory of 1884	3060	cmd.exe	31
PID 3060 wrote to memory of 1884	3060	cmd.exe	31
PID 3060 wrote to memory of 1884	3060	cmd.exe	31
PID 3060 wrote to memory of 1884	3060	cmd.exe	31
PID 1884 wrote to memory of 2664	1884	DllCommonsvc.exe	42
PID 1884 wrote to memory of 2664	1884	DllCommonsvc.exe	42
PID 1884 wrote to memory of 2664	1884	DllCommonsvc.exe	42
PID 1884 wrote to memory of 2544	1884	DllCommonsvc.exe	43
PID 1884 wrote to memory of 2544	1884	DllCommonsvc.exe	43
PID 1884 wrote to memory of 2544	1884	DllCommonsvc.exe	43
PID 1884 wrote to memory of 2756	1884	DllCommonsvc.exe	44
PID 1884 wrote to memory of 2756	1884	DllCommonsvc.exe	44
PID 1884 wrote to memory of 2756	1884	DllCommonsvc.exe	44
PID 1884 wrote to memory of 2496	1884	DllCommonsvc.exe	45
PID 1884 wrote to memory of 2496	1884	DllCommonsvc.exe	45
PID 1884 wrote to memory of 2496	1884	DllCommonsvc.exe	45
PID 1884 wrote to memory of 2548	1884	DllCommonsvc.exe	50
PID 1884 wrote to memory of 2548	1884	DllCommonsvc.exe	50
PID 1884 wrote to memory of 2548	1884	DllCommonsvc.exe	50
PID 2548 wrote to memory of 1284	2548	cmd.exe	52
PID 2548 wrote to memory of 1284	2548	cmd.exe	52
PID 2548 wrote to memory of 1284	2548	cmd.exe	52
PID 2548 wrote to memory of 1780	2548	cmd.exe	53
PID 2548 wrote to memory of 1780	2548	cmd.exe	53
PID 2548 wrote to memory of 1780	2548	cmd.exe	53
PID 2548 wrote to memory of 1780	2548	cmd.exe	53
PID 2548 wrote to memory of 1780	2548	cmd.exe	53
PID 1780 wrote to memory of 696	1780	sppsvc.exe	56
PID 1780 wrote to memory of 696	1780	sppsvc.exe	56
PID 1780 wrote to memory of 696	1780	sppsvc.exe	56
PID 696 wrote to memory of 1656	696	cmd.exe	58
PID 696 wrote to memory of 1656	696	cmd.exe	58
PID 696 wrote to memory of 1656	696	cmd.exe	58
PID 696 wrote to memory of 1748	696	cmd.exe	59
PID 696 wrote to memory of 1748	696	cmd.exe	59
PID 696 wrote to memory of 1748	696	cmd.exe	59
PID 696 wrote to memory of 1748	696	cmd.exe	59
PID 696 wrote to memory of 1748	696	cmd.exe	59
PID 1748 wrote to memory of 2784	1748	sppsvc.exe	60
PID 1748 wrote to memory of 2784	1748	sppsvc.exe	60
PID 1748 wrote to memory of 2784	1748	sppsvc.exe	60
PID 2784 wrote to memory of 3000	2784	cmd.exe	62
PID 2784 wrote to memory of 3000	2784	cmd.exe	62
PID 2784 wrote to memory of 3000	2784	cmd.exe	62
PID 2784 wrote to memory of 1172	2784	cmd.exe	63
PID 2784 wrote to memory of 1172	2784	cmd.exe	63
PID 2784 wrote to memory of 1172	2784	cmd.exe	63
PID 2784 wrote to memory of 1172	2784	cmd.exe	63
PID 2784 wrote to memory of 1172	2784	cmd.exe	63
PID 1172 wrote to memory of 2496	1172	sppsvc.exe	64
PID 1172 wrote to memory of 2496	1172	sppsvc.exe	64
PID 1172 wrote to memory of 2496	1172	sppsvc.exe	64
PID 2496 wrote to memory of 1440	2496	cmd.exe	66
PID 2496 wrote to memory of 1440	2496	cmd.exe	66
PID 2496 wrote to memory of 1440	2496	cmd.exe	66
PID 2496 wrote to memory of 2808	2496	cmd.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fc03d35f9944714a7c87d3cc040298e1a1d6e5af857c457590f973db6048e11b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fc03d35f9944714a7c87d3cc040298e1a1d6e5af857c457590f973db6048e11b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\NetHood\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QazrxQR9tJ.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2548
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1284
      - C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JCnMdX7E06.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1656
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tYG4XGbOex.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:3000
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLJ4q7S46F.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1440
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ottjOj3FQt.bat"
        13⤵
        
        PID:2256
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:112
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat"
        15⤵
        
        PID:2208
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2776
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FdUsM3mSuD.bat"
        17⤵
        
        PID:1728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2744
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat"
        19⤵
        
        PID:1068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1952
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vdJwOJplm6.bat"
        21⤵
        
        PID:2180
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:892
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aoAocY3YSO.bat"
        23⤵
        
        PID:988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2996
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat"
        25⤵
        
        PID:2212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2552
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\23CLvB8Ots.bat"
        27⤵
        
        PID:2588
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:1692
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        28⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Favorites\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Favorites\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\NetHood\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\NetHood\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17f93ed00a047e95354e3c2739b45ebc

SHA1
977a2c156e5442b5c795ee51c74b4f6543cf3f9c

SHA256
5973d960696d2bd981a3d22a9b57e0a87832f5bb2622bafdea9ed87ddbd813af

SHA512
3a024ee3c9ad384dca382143d19806b3f049d719eaf364d3ce3b5870d32b259c93c5cca7559391c6ac3716d781fa242ee86cb2bf18120076e331d01186b858f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e259f10ddc47c736e69c327b1b91a6a

SHA1
eb034513f83167cb28caf389369629e9b7aecfb9

SHA256
b6da3a741d8f66dae6a830d2b678267f3a1645b044080c3a843a4fd2f0cde505

SHA512
d335aaecbf84b08ed3568edd57e5cb996432ee5f649a17a56e03f19b04744126a2815d0c2208b41f1b05fa6316e015b4a8d17c78f10c54c435e7c30f4f53adc7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
097f6d6312c649ac786b704686eb178c

SHA1
3550ca57b40b54156716d0c8ec4df512cfb1f20c

SHA256
36a4fc341c1a5e6ced5e4c79ff6ded2c85a5259b890dd3948d4ab6da1acf46a2

SHA512
9711e6419e7a41ce2c872cfa78e51472416230abca69cad4bb3e3ea7baf8313567b0ccf4144337d5fcb7ab94b2739359313694edb801504cb6afde502ea93f79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3642e52ca0806d38b666d36fde61f261

SHA1
173a2cb5312069c0d45e02d85db32520ddc2e5d6

SHA256
8ba88d96c1ceae094ca19007e349f8a98f64ee5b108b3fa968092191d6613dad

SHA512
fb34ce0e9aa69f340cb327f2d5ccc245ea28b3da46edf8f60a338bd3dbc6bd1335798035dd16ce3df4dbdb121bb5419d6f17f68ca215719a33fd2ca7adc13f76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf24e44bb0e54430e459f7bbff5a737b

SHA1
02466c27b2ed2ad9c8a1d8c484695154db1314de

SHA256
11d2726be19ada93678a08dad2c4881a8c67c939275c96419a3ef1b9ec1aef4e

SHA512
0750fd406a2de4aa68b16c1a52931a1abd2405f069654d305e93bed236f4c1c4a8d95b6b36de8217b4ad9e8da93b793ac789a4b5fe1c2d35b2a703c902444829

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d0c80b8b22b862359619a4a72ee5240

SHA1
2d0012124b439c69f2a68ba1693608a05e4e20ac

SHA256
b11299ecea8e831325245622f2ef683eaa1fb26e93e178146bbcf780f121a585

SHA512
2da3966cc9757aa390cd46d830d47cf967840fde106130bfb402a8991e125213bb8af49a3103c1ac6ff60ef671b0ed728bc0287c166317a12773fdde55614f33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e40ac9f87d0efba95a2671918cdba4a

SHA1
dc0c4a224ad34b89737a90fb65e0e78928780091

SHA256
e66cbe27674354e48545b05827526b7cbaad2cac251480231227a99003c99054

SHA512
e48f379c502cb708f75031785baf679d56f3bb103dc2b2398434288ddaf6325fc0c65cbeddd621fe04e634ec19af1be41107953fb55a16527a71386ea82c7f2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
143a30fea8daeacfd30b4bdbb1967032

SHA1
5d816d02fa4018cb4b201433fc813522a8821cd2

SHA256
76776884204be6ddd7d546aa240bbea934f0245b285b060f2b38086b02dbe58a

SHA512
49911dcd8e2faef90415b798892ff12c5ebbd002fb30fecaf5ad540d384f5e5ec22e7c8f11d7be965f4a84872c0b102b3b4272d6bdb6e231d5821782c254e9a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0da2877a4f5ee62efc333a7fd08f7beb

SHA1
b3398e1eb659dbeed2698e8e7134db3f8c3a6aed

SHA256
df90904fa015912893b2987899b388c74e0c5892b32a7acb473dd9b444b0ea5a

SHA512
bc7e682f8a18a48187551d5c7e8766d23dfd562a89eb867ed676681fa8fb4c80bd349f690893f34172316333d806c2bfd6d48c38db08b29a7373badb659c4fbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
030fa7b50f9b6073eae3cf0c98fe4f13

SHA1
e8ced9b61cf3868feed33cfd6b1344db3aba7f06

SHA256
d1b32f7d1972e8ab3e6ba8cf33559cb8aac9294a479da03d7decc2d59e85e6f0

SHA512
52ac6fe5b7d480b04a832f1676b579b3e35a0676f4da5a0a2cb917a96cdfebe42e1978eb3cddbf4c67ab6557a69c2b215fbd89fe77461ff90d1c6e3c00842b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\23CLvB8Ots.bat

Filesize
193B

MD5
dbbb8856a1175f38b191589f48c3f208

SHA1
f3ffea468a39f268b025e416267ac1c03958a03e

SHA256
1cfd5c2bddce094947339585fe5b7cbc0aca82fe44aa2ec5c2ddb72b1fdaba31

SHA512
e235863a5ae957199161bb80e9d9e78b4cc7ce83b47074cbe60531973ca68524d0600119322e02132a507a78871d6066ae0125c6adfb9f386ddf9f81336ab847

Download Submit
C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat

Filesize
193B

MD5
1d33dd9645fd1b8227629538f6be7533

SHA1
ac5e5b0c26a3d98eac9b9d5155a4cd178ac5d5e9

SHA256
2b71ece0b2f48fb9f70af93940392f760567abce4c2b4b0a55a3bfecaa68150d

SHA512
5ebcde9b07853220551a38e707b547ad9812ad46d76e1cf3f603ca58e0a3fc91252d207902f902927395ed4a961d1a6705726e3144959368fce3fcb69e5bcff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat

Filesize
193B

MD5
1401dad77f6205e9c6b3417bf6c1c983

SHA1
933c8ad9b62073ef846073680209ef0bff9ad7ac

SHA256
e73f8350ebbc8172e70900c9fd3543cbc7ca041215cfa15112b2a913eab927e0

SHA512
26426e406094752817896f24a25703b3e552c48ab43ce632f5927714745fb453df9177822181183ed397c983684c295bb2f94837b4c9a41f4e33913a66b79729

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFBA0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FdUsM3mSuD.bat

Filesize
193B

MD5
c91b13887d4f95668887bbe0d1880b11

SHA1
ebee240840f87a87059d4405717e0e112e23afef

SHA256
db4f6b731d0522f44b9f4a9fc16dc85b82cf65a0ee290d877f3259238f89787b

SHA512
e392766616c96e14bcd2ee69c83583be1f243a6bea463a3052cb764955df3303faecbf705ed59ddf387e5641ea0c547324ca23d77f31321f252772eeee58d349

Download Submit
C:\Users\Admin\AppData\Local\Temp\JCnMdX7E06.bat

Filesize
193B

MD5
4d5507b80809785c48143dc37584a138

SHA1
96890b8cea1466ffc69aae3a446ea13140640efe

SHA256
4b78060cb45636ab210f602a46002f898cfece709bfecd814d7a7f30062e20e7

SHA512
8620973335973d215e6f82263cbdd4f9bb8be98c74cb9a9a683ab7c80d71da9424b1d04a36ef690504f3076406e3d639a4f66373fc4e0b61826cfaed6f41b81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QLJ4q7S46F.bat

Filesize
193B

MD5
cc5f9e1273c138480e2a366c4fd28489

SHA1
1f18d6be904c4747ba4bbc4b2a454efff617fc23

SHA256
a376e6b3c55a74c239b621c5780640b78ab2f80cff9e3faac1ec787bcd14cb7a

SHA512
bbd6201d595793adca3433b45d6a197e9e845706d272e72c022d3300fc56bf2175e163f80df657258d01c8b837bd126bc88646f60653056b51d11db776006252

Download Submit
C:\Users\Admin\AppData\Local\Temp\QazrxQR9tJ.bat

Filesize
193B

MD5
329e74e7efe77b7f9cf1fadd7de9f7dc

SHA1
3efbe7ac0b7d5cbe2bca6ea5ca91a56bf93fd34a

SHA256
0afcbdc1b1cd1ec7bac9968f784c14deb6b00d2628ba7b39b204f0c2809856db

SHA512
8d1d2ba05b2751f89e9c4b646ffc43c1862deaadf95bc75eb0c5e47d1692d9a741827ac4217c87068ce99cd6e503b839ac5e4204959f08f91a99ee2eef834c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFBB2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat

Filesize
193B

MD5
bfd40bda527760d256250b2792a82df8

SHA1
823e346049b213fac6e8bee9cb66ae47d225c115

SHA256
a14d564fc515338f8583978b7d0de1c1c8a9c5372076b38b846abd9d377c3950

SHA512
569de2e0408dfe646f4562247be6d88333b634bf876b0510754574dd9ff931b44b11d61add4ce274c9f20fc8d92256db8f6b635a3a75358cf875b08e4f0b5774

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoAocY3YSO.bat

Filesize
193B

MD5
85345f686ace37b64b969d48d9068a37

SHA1
ac937d0599671b435c1b3f69f21477e2474b51bb

SHA256
a4601b08d8877c89b6c83a858add10218e5396ffab6e10ece65a7857ed6ef076

SHA512
75d1909be069bf195d0d7744848d436ca96629292dc9b4511563e3781347dc548862addb88ec948bf0765159f44df1e0bba5ad09021862fcbcb0121c64717c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\ottjOj3FQt.bat

Filesize
193B

MD5
4b80e605d79a6011362355fa21fac6a9

SHA1
875608434345c7e910134f44642b54ad10268f6e

SHA256
edfb61ab8d50977756654fb1245492cec9752a7c2cc0f7a91aee553aab2b12d8

SHA512
4d78fc89442a96fb32661e5c9af04ebe0dfe3ad1d7491f954c0815efba869adecc68e9b0787321c64f4b85b517bd84b4ad59bb0100f1bd3ca54964d15d79ed8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tYG4XGbOex.bat

Filesize
193B

MD5
ff853073bbb3a82c7fcf8065fe3fc59a

SHA1
e163db853aa7309a596e2170f2889a0a7334cea5

SHA256
8fb0a4e657c918c532c81bfac08f8104c012bf663790f6d698e46181461a57d6

SHA512
8408e808986596e1a8f80beb429ea0ee96ce0b0f821f1fcea662ace8ca2fbbedb95b03a7ef8c1cdb9df682565007c36e7d8243bc9047c5444d2a06faa4d06233

Download Submit
C:\Users\Admin\AppData\Local\Temp\vdJwOJplm6.bat

Filesize
193B

MD5
81b023b1ca5aa9907f823205133d3415

SHA1
d97f9afaa59d6663d8da06376419877daaf62c1d

SHA256
0cd117d80746a9dc5af0bbaeb8b459fc416051e907b2b582673a348b06bd729d

SHA512
f5aafd68b73d8a2653e92fc8d6a2ba1ca1efa42818459097aa4d99fb126e4e7d3de5481ecef79dc21461b2199fecf0820fba92255ec130932290655eb7a75b4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8687a3bbfe5500cb412d0369824588a8

SHA1
88b735431efd675718a0e50c663502f974aff950

SHA256
c412cd50a4f8d102a57b55488e0fe1db445f9ee6793ae585180903eafa149da2

SHA512
a89277db9bbce76f5280b224e7cf99f27faf588b6acc33a1be9fd95625af37f5bba3372c131376f9dcaa46baf61b65f313d62ff00234d0948d711562bb5fa7de

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/996-409-0x0000000000D20000-0x0000000000E30000-memory.dmp

Filesize
1.1MB

Download
memory/1584-530-0x0000000000B10000-0x0000000000C20000-memory.dmp

Filesize
1.1MB

Download
memory/1744-709-0x0000000000300000-0x0000000000410000-memory.dmp

Filesize
1.1MB

Download
memory/1748-111-0x00000000010F0000-0x0000000001200000-memory.dmp

Filesize
1.1MB

Download
memory/1780-52-0x00000000010B0000-0x00000000011C0000-memory.dmp

Filesize
1.1MB

Download
memory/1800-469-0x0000000000360000-0x0000000000470000-memory.dmp

Filesize
1.1MB

Download
memory/1800-470-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1884-17-0x0000000000200000-0x000000000020C000-memory.dmp

Filesize
48KB

Download
memory/1884-16-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/1884-15-0x00000000001F0000-0x00000000001FC000-memory.dmp

Filesize
48KB

Download
memory/1884-14-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/1884-13-0x0000000000A90000-0x0000000000BA0000-memory.dmp

Filesize
1.1MB

Download
memory/2100-349-0x0000000000140000-0x0000000000250000-memory.dmp

Filesize
1.1MB

Download
memory/2172-289-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2496-649-0x0000000000350000-0x0000000000460000-memory.dmp

Filesize
1.1MB

Download
memory/2544-43-0x00000000027D0000-0x00000000027D8000-memory.dmp

Filesize
32KB

Download
memory/2544-42-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download