dcrat | 5d6e21ab246405199a5dbf1518bada52dde0e94e1bde5f6645560c4d9e7feb0c

Analysis

max time kernel
147s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5d6e21ab246405199a5dbf1518bada52dde0e94e1bde5f6645560c4d9e7feb0c.exe
Size

1.3MB
MD5

12806113cd34ca75889d31369257c70e
SHA1

290bb3aa2ca337f650dfd8c3888d4ebddf3a7b11
SHA256

5d6e21ab246405199a5dbf1518bada52dde0e94e1bde5f6645560c4d9e7feb0c
SHA512

33cf314850c96dc9efa29973cfe4079c78e15f903b113cac084ba9a799c7c0866257bbf0eb913a42cb01454626237a1bd2691ab01d09075669d3c1b5649ddd48
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2656	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000170b5-12.dat	dcrat
behavioral1/memory/2632-13-0x0000000000150000-0x0000000000260000-memory.dmp	dcrat
behavioral1/memory/1472-52-0x0000000000D50000-0x0000000000E60000-memory.dmp	dcrat
behavioral1/memory/2244-111-0x0000000001380000-0x0000000001490000-memory.dmp	dcrat
behavioral1/memory/2868-348-0x0000000000040000-0x0000000000150000-memory.dmp	dcrat
behavioral1/memory/2928-408-0x00000000010D0000-0x00000000011E0000-memory.dmp	dcrat
behavioral1/memory/3020-437-0x00000000010F0000-0x0000000001200000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2960	powershell.exe
2972	powershell.exe
2992	powershell.exe
2932	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2632	DllCommonsvc.exe
1472	DllCommonsvc.exe
2244	DllCommonsvc.exe
1788	DllCommonsvc.exe
2924	DllCommonsvc.exe
2580	DllCommonsvc.exe
2868	DllCommonsvc.exe
2928	DllCommonsvc.exe
3020	DllCommonsvc.exe
2512	DllCommonsvc.exe
2280	DllCommonsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2908	cmd.exe
2908	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
4	raw.githubusercontent.com
19	raw.githubusercontent.com
34	raw.githubusercontent.com
12	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5d6e21ab246405199a5dbf1518bada52dde0e94e1bde5f6645560c4d9e7feb0c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2640	schtasks.exe
2356	schtasks.exe
2080	schtasks.exe
2856	schtasks.exe
2540	schtasks.exe
1476	schtasks.exe
2404	schtasks.exe
1944	schtasks.exe
264	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2632	DllCommonsvc.exe
2960	powershell.exe
2992	powershell.exe
2932	powershell.exe
2972	powershell.exe
1472	DllCommonsvc.exe
2244	DllCommonsvc.exe
1788	DllCommonsvc.exe
2924	DllCommonsvc.exe
2580	DllCommonsvc.exe
2868	DllCommonsvc.exe
2928	DllCommonsvc.exe
3020	DllCommonsvc.exe
2512	DllCommonsvc.exe
2280	DllCommonsvc.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2632	DllCommonsvc.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	1472	DllCommonsvc.exe
Token: SeDebugPrivilege	2244	DllCommonsvc.exe
Token: SeDebugPrivilege	1788	DllCommonsvc.exe
Token: SeDebugPrivilege	2924	DllCommonsvc.exe
Token: SeDebugPrivilege	2580	DllCommonsvc.exe
Token: SeDebugPrivilege	2868	DllCommonsvc.exe
Token: SeDebugPrivilege	2928	DllCommonsvc.exe
Token: SeDebugPrivilege	3020	DllCommonsvc.exe
Token: SeDebugPrivilege	2512	DllCommonsvc.exe
Token: SeDebugPrivilege	2280	DllCommonsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 3028	2232	JaffaCakes118_5d6e21ab246405199a5dbf1518bada52dde0e94e1bde5f6645560c4d9e7feb0c.exe	30
PID 2232 wrote to memory of 3028	2232	JaffaCakes118_5d6e21ab246405199a5dbf1518bada52dde0e94e1bde5f6645560c4d9e7feb0c.exe	30
PID 2232 wrote to memory of 3028	2232	JaffaCakes118_5d6e21ab246405199a5dbf1518bada52dde0e94e1bde5f6645560c4d9e7feb0c.exe	30
PID 2232 wrote to memory of 3028	2232	JaffaCakes118_5d6e21ab246405199a5dbf1518bada52dde0e94e1bde5f6645560c4d9e7feb0c.exe	30
PID 3028 wrote to memory of 2908	3028	WScript.exe	31
PID 3028 wrote to memory of 2908	3028	WScript.exe	31
PID 3028 wrote to memory of 2908	3028	WScript.exe	31
PID 3028 wrote to memory of 2908	3028	WScript.exe	31
PID 2908 wrote to memory of 2632	2908	cmd.exe	33
PID 2908 wrote to memory of 2632	2908	cmd.exe	33
PID 2908 wrote to memory of 2632	2908	cmd.exe	33
PID 2908 wrote to memory of 2632	2908	cmd.exe	33
PID 2632 wrote to memory of 2932	2632	DllCommonsvc.exe	44
PID 2632 wrote to memory of 2932	2632	DllCommonsvc.exe	44
PID 2632 wrote to memory of 2932	2632	DllCommonsvc.exe	44
PID 2632 wrote to memory of 2960	2632	DllCommonsvc.exe	45
PID 2632 wrote to memory of 2960	2632	DllCommonsvc.exe	45
PID 2632 wrote to memory of 2960	2632	DllCommonsvc.exe	45
PID 2632 wrote to memory of 2972	2632	DllCommonsvc.exe	46
PID 2632 wrote to memory of 2972	2632	DllCommonsvc.exe	46
PID 2632 wrote to memory of 2972	2632	DllCommonsvc.exe	46
PID 2632 wrote to memory of 2992	2632	DllCommonsvc.exe	47
PID 2632 wrote to memory of 2992	2632	DllCommonsvc.exe	47
PID 2632 wrote to memory of 2992	2632	DllCommonsvc.exe	47
PID 2632 wrote to memory of 2324	2632	DllCommonsvc.exe	52
PID 2632 wrote to memory of 2324	2632	DllCommonsvc.exe	52
PID 2632 wrote to memory of 2324	2632	DllCommonsvc.exe	52
PID 2324 wrote to memory of 2480	2324	cmd.exe	54
PID 2324 wrote to memory of 2480	2324	cmd.exe	54
PID 2324 wrote to memory of 2480	2324	cmd.exe	54
PID 2324 wrote to memory of 1472	2324	cmd.exe	55
PID 2324 wrote to memory of 1472	2324	cmd.exe	55
PID 2324 wrote to memory of 1472	2324	cmd.exe	55
PID 1472 wrote to memory of 1796	1472	DllCommonsvc.exe	57
PID 1472 wrote to memory of 1796	1472	DllCommonsvc.exe	57
PID 1472 wrote to memory of 1796	1472	DllCommonsvc.exe	57
PID 1796 wrote to memory of 348	1796	cmd.exe	59
PID 1796 wrote to memory of 348	1796	cmd.exe	59
PID 1796 wrote to memory of 348	1796	cmd.exe	59
PID 1796 wrote to memory of 2244	1796	cmd.exe	60
PID 1796 wrote to memory of 2244	1796	cmd.exe	60
PID 1796 wrote to memory of 2244	1796	cmd.exe	60
PID 2244 wrote to memory of 2212	2244	DllCommonsvc.exe	61
PID 2244 wrote to memory of 2212	2244	DllCommonsvc.exe	61
PID 2244 wrote to memory of 2212	2244	DllCommonsvc.exe	61
PID 2212 wrote to memory of 2964	2212	cmd.exe	63
PID 2212 wrote to memory of 2964	2212	cmd.exe	63
PID 2212 wrote to memory of 2964	2212	cmd.exe	63
PID 2212 wrote to memory of 1788	2212	cmd.exe	64
PID 2212 wrote to memory of 1788	2212	cmd.exe	64
PID 2212 wrote to memory of 1788	2212	cmd.exe	64
PID 1788 wrote to memory of 2696	1788	DllCommonsvc.exe	65
PID 1788 wrote to memory of 2696	1788	DllCommonsvc.exe	65
PID 1788 wrote to memory of 2696	1788	DllCommonsvc.exe	65
PID 2696 wrote to memory of 1152	2696	cmd.exe	67
PID 2696 wrote to memory of 1152	2696	cmd.exe	67
PID 2696 wrote to memory of 1152	2696	cmd.exe	67
PID 2696 wrote to memory of 2924	2696	cmd.exe	68
PID 2696 wrote to memory of 2924	2696	cmd.exe	68
PID 2696 wrote to memory of 2924	2696	cmd.exe	68
PID 2924 wrote to memory of 2392	2924	DllCommonsvc.exe	69
PID 2924 wrote to memory of 2392	2924	DllCommonsvc.exe	69
PID 2924 wrote to memory of 2392	2924	DllCommonsvc.exe	69
PID 2392 wrote to memory of 1940	2392	cmd.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5d6e21ab246405199a5dbf1518bada52dde0e94e1bde5f6645560c4d9e7feb0c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5d6e21ab246405199a5dbf1518bada52dde0e94e1bde5f6645560c4d9e7feb0c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\amHMU2DnZz.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2324
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2480
      - C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WM6x9zCNT5.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:348
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2964
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CZdmQsnKkU.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1152
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AJeLhFiBvb.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1940
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8UyA8TRco5.bat"
        15⤵
        
        PID:2516
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1976
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Fb5uY85DH.bat"
        17⤵
        
        PID:2420
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2200
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\826UXRAQMN.bat"
        19⤵
        
        PID:896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1520
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat"
        21⤵
        
        PID:2712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1776
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat"
        23⤵
        
        PID:2900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2760
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fdf5341e974fe9578381f1e9cad77468

SHA1
ea5cda57d29988c63e20806ff1d0fb11ebece52f

SHA256
0c66ead39d48615edb23f18772b9b0a31507713f743e2a87fe7db26fbe514c6c

SHA512
11ca73d658b5fef158db4aa805cb090c17d734b499dedb679cc932b85b4a3702bb1903b80b2b8286d28c0ab2d24519cd701d7a56101a19d88c88c1c1e20eff3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b446689ec4fbf5c7a5cd502b0b60883

SHA1
c71ab4aca9149883bd230ca0a0e92098c81a7c4f

SHA256
70aaeececb7bcba2ae989abafcb2e0e806e7c47b40c437109919416707045197

SHA512
a24d1987267e5f7f7f30abd6df0f7e13b7b1295b821bb75b2fce0951022ac671cc9ef3b87b0742aef1fbc7db10b8fdd55e8de49720c77fcb5ab58b0fde047f2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
187637a7eeb2553571ea3f1aa3af0d9d

SHA1
149c559172fe91f729b6fab7a9991ad53ba872ba

SHA256
07af5c2fc5f2d61888a9e56d389c449f587168c1f765f34920f0c9b4f9c0e91d

SHA512
d41f0f01461e5d15a19dad4c5428395ee55b8081e1d1be2358de703b010e4c388b37f7c6244c08e96df9bb14a3c2cc0f42e86a01dbe501aea0cfcdc2a9be86e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
50ab5c1c73962bd0cca9da66c844c2ff

SHA1
f4c23247be8700dcc81b9ed69f70a599d3b9464b

SHA256
4f9829de2ab21546c74c2c192322a8a47fd388088b4113ef9a0620cdd0a65a4d

SHA512
4c967e9780f044c06c26aaa06a89e2773bbeb3a774ec937d77e055de60118e95d66eb443f6b5659824c1a2ee0aa94a6efd068cb5ab9fe02dfdd0bd43ded08395

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a017f42eb4af3307708e09b3ff8885a

SHA1
fa7ce0ecf796f5c6d985cd26dbfccba7f1b4a482

SHA256
7507eb3eb41339c0e93f699fc5763b2b3f8393e3c680804477eea0160306e49c

SHA512
9fde4cffdeebfad43a2dd13d263c2d2643230eed49b7f2dd4def4d79b5adae1cb7023d0e40c1006e083987d166d3e4ba34ad20426235d6f3d31b7ac1091c93f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
36a5cde01789e8f22014c095c00043e0

SHA1
e97d5cdaf6861321644a1a96a58a0afcd102f28c

SHA256
bf0139295f2af77748aeac1b9ae0452f71753beb81ef23604cfc4a7790a46365

SHA512
90010f16b663bc8f113af19a6c58f2bde3345dd9368bc01e962dd68eb9a518427be16521b875ed1c092bfad2eafb74769d5450900f16ce98fd3f3a69e40c6ea4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ce7947d7388ab564dae54384e719e1f

SHA1
4b2e24197b217188475a6ae8e77092a469ca899a

SHA256
eaf406b66cbf941fedacbe6abab33e1a3b770613ff4fde8c7d301b55f8a71bc8

SHA512
fa8759c7017dd33eb4f401884215ee39252ad3fefb104da068e255dd27b69bed98341b308a230598e4a4894076cc21083cae6e5943a23d78fc0d49382c3c9fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\3Fb5uY85DH.bat

Filesize
244B

MD5
640e56d97e9ed2001aa6bfb1dcf76ce1

SHA1
873cfd81571fd8bf45eb87e640285562413e6af9

SHA256
6307214f70166ab27409e241792c20e9287bee68db6af4607b9e7d7650aec3fd

SHA512
f499c208943d151d82cb0f85b16e173400ed50edfc1fb8305400df7459fbdfdbc72e3f3a3de8b7545c15e08bdc411fa96dd6c5ee77a54a931c7f24297edd3494

Download Submit
C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat

Filesize
244B

MD5
7a5171ceeb9d63bd8bf0482c74c97139

SHA1
395d3d1578a55548c242a700d4a7e6e09635701b

SHA256
a4d51a16f0ab823a0d34556cd25177c906e2d456a433497af21b743ccb841eaf

SHA512
80d57aebb098d5f39526ff9574b650826b6c0b510b31054272f1c547bc5a7330c266f4b995a8099eba8585567d75d631f7955b6159bf2ab0430a84b61f9f0f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\826UXRAQMN.bat

Filesize
244B

MD5
adb96ca016754c92060a999fadc5a9fa

SHA1
2bc1cd58e9d304ceae14f20213faccbd4845cb3d

SHA256
398d295db04363b3c55c3368d7ba729731e837d582b89f8675f9d7c637e7e324

SHA512
3f07a071188d8d7237804e5857d112ca4dad6feb1e1169c62c05cd2a3c2bcc54ee1b87458b1600b14c4dbe3d9045646492e511e375fdd3b687c28a5cea498ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\8UyA8TRco5.bat

Filesize
244B

MD5
3d9a7860897b0c39f6b3085dc3155224

SHA1
c223758613e3d6ea7d309c25ada83709e8be50b8

SHA256
87eb7815f0cf0e2fadda8f98d0fa534a96852fea78e7a81829f00c19a1ef7bc3

SHA512
07616c78c453fbc81b87b11e4240c5da4ae885de8b0c6301edb9c906d8e45f2f6dde5d50838429be92ea0a7d3fb98a4b90e662a874cadf57b48b7220190fcea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AJeLhFiBvb.bat

Filesize
244B

MD5
1a9c0001702da0fb4af2f626deb0ae1f

SHA1
497a4ecea8f88d3012637d8cdc3523a15b8be60f

SHA256
2ed32edf382b0e66d423742e3804a3adcc3f58dfa119a80a6f73a37f30f8d512

SHA512
34a4a01b7104e4f403abe2b69d1b7563d89fcf1d8067a33549ef13a7bd000f37391cbc3d2314a6302761870d274dcd7a6e1d032f13d91a736025bd964801655e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CZdmQsnKkU.bat

Filesize
244B

MD5
ebf77a1f0990c10529042d7816bd72bd

SHA1
b74cf1c1f034ac7bbe7af52bf01a882d01af3286

SHA256
a8ae6b9b9c94724547818e29bf7ecfe40d7a6f8ae4bd268c9ce78fbd06ba9f01

SHA512
cf84eb02d6cbecaae01dbdfc981ee6130777c2148e59e6133aa28556530b94be32fb0ae7053ab8502c972d3d6c55fd0594353dacc29a348708b2bf779bc947df

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCC65.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat

Filesize
244B

MD5
fc7a308a54ae222a2a747555fae56fee

SHA1
23effceb7fe9ec7044183c7c6fefb325de55c72e

SHA256
4b2eb062b91ab6c4096ce7327e35d9d0264188c14e302c4aeef9adccf37ed134

SHA512
fd14c78f416b9ea479820f842763ea8c766f7a424ecd6ac4cb5cc2d94de8991e9fb9af36940e9d8ed85a598fe16d9d7d490d39938855f5270d506205f3412b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat

Filesize
244B

MD5
28033b55758c59beb54ca119b9d0097d

SHA1
f4db3719e0f74c1921b1d5cb3425492fca890fba

SHA256
376fb0fba837327f06818b5a704bdb1f87dc1c1a9445d243085b72cf15a2fafe

SHA512
2ac0ec2b5a6becb962ffffc242fc5a695d878ce40703e54d18f3998fc9735476ec38f9b59034eede9af542110ffa897944e37236f5ae9ef0fdc672ed4c1b0d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCC68.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WM6x9zCNT5.bat

Filesize
244B

MD5
3fbf86ece49d051806d36df077b378bd

SHA1
8743459f65208033e73c936af06cb950f454e4a1

SHA256
04cdc581d358d11a6ea49b34345e43da105aed5ac11efd3970186f8ac7ef4e36

SHA512
b0656e070a5aed3577999ad9f4cee9c79a7a751da84716ffd56f8bc73e925410d64df1bd6e6fce135ec5455958d59d223eb56a3dd89c321bb094f4d3f4ca85f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\amHMU2DnZz.bat

Filesize
244B

MD5
fea08fb5d4a4f8dbee1dacfa9fe3470e

SHA1
4d1bb43ada3e9f8dbc1267128c23b3c1412812ee

SHA256
b1f28979c16304fe4b0aaddcade79157f2e00cc45d09e78498ada7082b7d1da2

SHA512
3f26924fe19752a7ad802f85d22d37cbeb676104dabe676d5101874d1f3702d8ce69f3f6491630a0a539ae929b0c813577f0c09e0c4a2104fcd0a3e545a5e325

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
eb83d231fc25390cc78c7966cce27bad

SHA1
269c000cd7f3a542f990d0a8db22335e766c769c

SHA256
5b87ce0e869280ab6ddfae527249ff579f759c4f56cf970071b4946d99a2386b

SHA512
378075f3f2c9983c328e170f358e4ce93fa815e920273783d506820db45e1bd5005abaad5590b78ca4263b38a60f0f249ae812787db58876bd3559ef1d0b990a

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1472-52-0x0000000000D50000-0x0000000000E60000-memory.dmp

Filesize
1.1MB

Download
memory/2244-111-0x0000000001380000-0x0000000001490000-memory.dmp

Filesize
1.1MB

Download
memory/2632-15-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2632-17-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/2632-16-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/2632-14-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/2632-13-0x0000000000150000-0x0000000000260000-memory.dmp

Filesize
1.1MB

Download
memory/2868-348-0x0000000000040000-0x0000000000150000-memory.dmp

Filesize
1.1MB

Download
memory/2928-408-0x00000000010D0000-0x00000000011E0000-memory.dmp

Filesize
1.1MB

Download
memory/2960-39-0x0000000001D00000-0x0000000001D08000-memory.dmp

Filesize
32KB

Download
memory/2960-38-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/3020-437-0x00000000010F0000-0x0000000001200000-memory.dmp

Filesize
1.1MB

Download