Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 30/12/2024, 17:45

Behavioral task behavioral1
Sample: JaffaCakes118_9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb.exe
Resource: win7-20240729-en

Behavioral task behavioral2
Sample: JaffaCakes118_9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb.exe
Resource: win10v2004-20241007-en

The signatures, process tree and dropped files below come from behavioral2, the Windows 10 2004 run (the yara hits reference behavioral2/); the Windows 7 task is reported separately.

General
Target: JaffaCakes118_9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb.exe
Size: 1.3MB
MD5: c9c1a928abbc7ce1398f28a970c84933
SHA1: 5f92b79f4d085a5840b8612f7886c86dc7dff018
SHA256: 9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb
SHA512: c37881d9428b64f97e24e808c394f05f29e19334b1ad25c2ea0eb32a507a9a08791d6d8192bc951865d9247c8ae975418165932e9ceb4a0ab7638a8792f4b8e7
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description                                                                          pid   pid_target  Process       procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   2028  1224        schtasks.exe  88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   1436  1224        schtasks.exe  88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   3644  1224        schtasks.exe  88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   3836  1224        schtasks.exe  88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   3556  1224        schtasks.exe  88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   2960  1224        schtasks.exe  88
In this run the parent is WmiPrvSE.exe (PID 1224, procid 88) for all six rows, and the six children are the schtasks /create invocations listed at the end of Processes. A schtasks.exe child under the WMI provider host is what a process launching a command through WMI (Win32_Process Create) looks like, so the generic "compromised parent" wording above should be read as the dropper's persistence step, not as an exploited WMI host.
resource                                                                       yara_rule
behavioral2/files/0x000a000000023b89-10.dat                                    dcrat
behavioral2/memory/4384-13-0x00000000005B0000-0x00000000006C0000-memory.dmp    dcrat
Both the dropped file and the memory region of PID 4384 (DllCommonsvc.exe, the dropped second stage) match the dcrat rule.
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. In this run all three invocations use Add-MpPreference -ExclusionPath, one for each dropped binary (C:\providercommon\DllCommonsvc.exe, C:\providercommon\winlogon.exe and C:\Recovery\WindowsRE\cmd.exe); the full command lines are under Processes. Add-MpPreference needs administrative rights to take effect; on a suspected host the current exclusion list can be read with Get-MpPreference (ExclusionPath) and entries removed with Remove-MpPreference.
pid   Process
3272  powershell.exe
4296  powershell.exe
4400  powershell.exe
Checks computer location settings 2 TTPs 16 IoCs
Looks up the country code configured in the registry, likely for geofencing.
All 16 rows are the same operation, "Key value queried" on \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation, by:
Process                                                                                    rows
cmd.exe (the dropped C:\Recovery\WindowsRE\cmd.exe, one row per instance)                  13
WScript.exe                                                                                1
JaffaCakes118_9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb.exe       1
DllCommonsvc.exe                                                                           1
Executes dropped EXE 14 IoCs
pid   Process
4384  DllCommonsvc.exe (C:\providercommon\DllCommonsvc.exe)
2328  cmd.exe (C:\Recovery\WindowsRE\cmd.exe; same for every cmd.exe row below)
2356  cmd.exe
2976  cmd.exe
4196  cmd.exe
4960  cmd.exe
3224  cmd.exe
1944  cmd.exe
1192  cmd.exe
4460  cmd.exe
2212  cmd.exe
2472  cmd.exe
2800  cmd.exe
5072  cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs
flow                                                        ioc
14, 15, 20, 26, 40, 41, 45, 46, 47, 53, 54, 55, 56, 57      raw.githubusercontent.com
The report shows only the host, not the requested paths or the responses, so what was fetched from GitHub cannot be determined from this page alone.
Drops file in System32 directory 1 IoCs
description   ioc                                                   Process
File created  C:\Windows\System32\AdvancedInstallers\spoolsv.exe    DllCommonsvc.exe
The dropped file borrows the print spooler's name but sits in a subdirectory of System32; nothing in this run executes it and none of the scheduled tasks point at it.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   JaffaCakes118_9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   WScript.exe
Modifies registry class 14 IoCs
All 14 rows are the same operation, "Key created" on \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings, by:
Process                                                                                    rows
cmd.exe (the dropped C:\Recovery\WindowsRE\cmd.exe, one row per instance)                  13
JaffaCakes118_9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb.exe       1
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2028  schtasks.exe
1436  schtasks.exe
3644  schtasks.exe
3836  schtasks.exe
3556  schtasks.exe
2960  schtasks.exe
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid                                                                             Process
4384                                                                            DllCommonsvc.exe
4296, 3272, 4400 (two rows each)                                                powershell.exe
2328, 2356, 2976, 4196, 4960, 3224, 1944, 1192, 4460, 2212, 2472, 2800, 5072    cmd.exe (the dropped C:\Recovery\WindowsRE\cmd.exe, one row each)
Suspicious use of AdjustPrivilegeToken 17 IoCs
All 17 rows enable the same privilege, SeDebugPrivilege:
pid                                                                             Process
4384                                                                            DllCommonsvc.exe
4296, 3272, 4400                                                                powershell.exe
2328, 2356, 2976, 4196, 4960, 3224, 1944, 1192, 4460, 2212, 2472, 2800, 5072    cmd.exe (the dropped C:\Recovery\WindowsRE\cmd.exe)
powershell.exe enabling SeDebugPrivilege is routine in sandbox reports; the rows that carry weight here are DllCommonsvc.exe and the thirteen dropped cmd.exe instances.
Suspicious use of WriteProcessMemory 64 IoCs
The report emits one row per write call, so most parent/child pairs appear two or three times; duplicates are collapsed below and the last column gives the row count (64 in total).
pid   wrote to  Process (writer)                                                                           procid_target  rows
2364  1888      JaffaCakes118_9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb.exe       83             3
1888  3456      WScript.exe                                                                                85             3
3456  4384      cmd.exe                                                                                    87             2
4384  4400      DllCommonsvc.exe                                                                           96             2
4384  4296      DllCommonsvc.exe                                                                           97             2
4384  3272      DllCommonsvc.exe                                                                           98             2
4384  2328      DllCommonsvc.exe                                                                           101            2
2328  2092      cmd.exe                                                                                    104            2
2092  2192      cmd.exe                                                                                    106            2
2092  2356      cmd.exe                                                                                    113            2
2356  1752      cmd.exe                                                                                    117            2
1752  4040      cmd.exe                                                                                    119            2
1752  2976      cmd.exe                                                                                    125            2
2976  1012      cmd.exe                                                                                    127            2
1012  4824      cmd.exe                                                                                    129            2
1012  4196      cmd.exe                                                                                    133            2
4196  3220      cmd.exe                                                                                    136            2
3220  2128      cmd.exe                                                                                    138            2
3220  4960      cmd.exe                                                                                    140            2
4960  4052      cmd.exe                                                                                    142            2
4052  3560      cmd.exe                                                                                    144            2
4052  3224      cmd.exe                                                                                    146            2
3224  4384      cmd.exe                                                                                    149            2
4384  4604      cmd.exe                                                                                    151            2
4384  1944      cmd.exe                                                                                    153            2
1944  4896      cmd.exe                                                                                    155            2
4896  872       cmd.exe                                                                                    157            2
4896  1192      cmd.exe                                                                                    159            2
1192  3968      cmd.exe                                                                                    161            2
3968  4296      cmd.exe                                                                                    163            2
3968  4460      cmd.exe                                                                                    165            2
Two things to keep in mind when reading this table. First, it is capped at 64 rows and stops at procid_target 165; the rest of the chain is visible only in the process tree under Processes. Second, PIDs are reused within the run: 4384 is DllCommonsvc.exe at procid 87 and a different cmd.exe at procid 149, 4296 is powershell.exe at procid 97 and w32tm.exe at procid 163, and the tree shows 2364 (the sample) reassigned to a w32tm.exe further down. Rows therefore have to be read together with the writer's process name and the procid, not by PID alone.
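Because the table above is keyed by PID while PIDs are recycled during the run, rebuilding the process tree from it needs the report's per-process id rather than the PID. The following Python is an added example for this page, not anything from the sandbox: it parses rows in the page's own `PID A wrote to memory of B A <process> <procid_target>` layout, keys every process by procid, and resolves each writer to whichever process most recently took ownership of its PID. The sample rows are copied from the table above with the w32tm.exe leaves omitted and the sample's file name shortened to JaffaCakes118_sample.exe; the root gets the synthetic procid 0 because it never appears as a target.

```python
"""Rebuild a process tree from sandbox "wrote to memory" rows, resolving PID
reuse by creation order.  Added example for this page; not sandbox tooling."""
import re

ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")

# Constructed from a subset of the rows in the report's WriteProcessMemory table
# (w32tm leaves omitted, sample name shortened).  Duplicate rows are kept on
# purpose: the report emits one row per write call, not one per child.
SAMPLE = """
PID 2364 wrote to memory of 1888 2364 JaffaCakes118_sample.exe 83
PID 2364 wrote to memory of 1888 2364 JaffaCakes118_sample.exe 83
PID 1888 wrote to memory of 3456 1888 WScript.exe 85
PID 3456 wrote to memory of 4384 3456 cmd.exe 87
PID 4384 wrote to memory of 4400 4384 DllCommonsvc.exe 96
PID 4384 wrote to memory of 4296 4384 DllCommonsvc.exe 97
PID 4384 wrote to memory of 3272 4384 DllCommonsvc.exe 98
PID 4384 wrote to memory of 2328 4384 DllCommonsvc.exe 101
PID 2328 wrote to memory of 2092 2328 cmd.exe 104
PID 2092 wrote to memory of 2356 2092 cmd.exe 113
PID 2356 wrote to memory of 1752 2356 cmd.exe 117
PID 1752 wrote to memory of 2976 1752 cmd.exe 125
PID 2976 wrote to memory of 1012 2976 cmd.exe 127
PID 1012 wrote to memory of 4196 1012 cmd.exe 133
PID 4196 wrote to memory of 3220 4196 cmd.exe 136
PID 3220 wrote to memory of 4960 3220 cmd.exe 140
PID 4960 wrote to memory of 4052 4960 cmd.exe 142
PID 4052 wrote to memory of 3224 4052 cmd.exe 146
PID 3224 wrote to memory of 4384 3224 cmd.exe 149
PID 4384 wrote to memory of 4604 4384 cmd.exe 151
"""


def parse_rows(text):
    """Return chronological (src_pid, dst_pid, src_name, dst_procid) tuples."""
    return [(int(s), int(d), n, int(p)) for s, d, n, p in ROW.findall(text)]


def build_tree(rows, root_pid, root_name):
    """Key every process by the report's procid, which is unique for the run.

    A PID only identifies a process while it is alive, so a writer is resolved
    to the procid that most recently took ownership of its PID.  That is what
    separates DllCommonsvc.exe (pid 4384, procid 87) from the later cmd.exe
    (pid 4384, procid 149).  The root never appears as a target and gets procid 0.
    """
    nodes = {0: {"pid": root_pid, "name": root_name, "parent": None, "children": []}}
    latest = {root_pid: 0}                      # pid -> procid currently owning it
    for src_pid, dst_pid, src_name, dst_procid in rows:
        src = latest.get(src_pid)
        if src is None:
            raise ValueError(f"writer pid {src_pid} was never created in this trace")
        nodes[src]["name"] = nodes[src]["name"] or src_name   # a target's name is
        if dst_procid not in nodes:                             # learned once it writes
            nodes[dst_procid] = {"pid": dst_pid, "name": None, "parent": src, "children": []}
            nodes[src]["children"].append(dst_procid)
            latest[dst_pid] = dst_procid
    return nodes


def reused_pids(nodes):
    """Map each PID handed out more than once to its procids, in creation order."""
    seen = {}
    for procid in sorted(nodes):
        seen.setdefault(nodes[procid]["pid"], []).append(procid)
    return {pid: ids for pid, ids in seen.items() if len(ids) > 1}


def depth(nodes, procid):
    """Number of parent hops from procid up to the root."""
    hops = 0
    while nodes[procid]["parent"] is not None:
        procid = nodes[procid]["parent"]
        hops += 1
    return hops


def render(nodes, procid=0, indent=0):
    """Indented one-line-per-process view; '?' marks a leaf whose name never appeared."""
    n = nodes[procid]
    lines = [f"{'  ' * indent}{n['name'] or '?'} pid={n['pid']} procid={procid}"]
    for child in n["children"]:
        lines.extend(render(nodes, child, indent + 1))
    return lines


if __name__ == "__main__":
    tree = build_tree(parse_rows(SAMPLE), 2364, "JaffaCakes118_sample.exe")
    print("\n".join(render(tree)))
    print("reused PIDs:", reused_pids(tree))
```

Leaf names stay unknown here because the table only names the writer; joining on procid against the process tree fills them in, which is exactly why the procid column is worth keeping when exporting such reports.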
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
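The signatures above reduce to a handful of checks on process-creation events: schtasks.exe parented by WmiPrvSE.exe, a Defender exclusion added from the command line, a scheduled task whose action lives outside trusted directories or asks for the highest run level, w32tm /stripchart against localhost used as a delay, and a system binary name running from a non-system path. The following Python is an added example for this page, not the sandbox's signature code; it runs those checks over constructed events whose command lines are copied from the Processes section, plus one benign control. The event layout (image, parent_image, command_line) is an assumed Sysmon-style shape, not a real schema.

```python
"""Process-creation checks for the behaviours this report records, run over
constructed events.  Added example for this page, not the sandbox's own
signature code.  The event layout (image, parent_image, command_line) is an
assumed Sysmon-style shape, not a real schema."""
import re

# Directories in which a scheduled-task action is expected to live.  The tasks in
# this report point at C:\providercommon and C:\Recovery\WindowsRE, neither of
# which is listed.
TRUSTED_ACTION_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Windows binary names that this report shows running from non-system paths.
SYSTEM_BINARY_NAMES = {"cmd.exe", "winlogon.exe", "spoolsv.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}

TR_ARG = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def task_action(command_line):
    """Return the path named by /tr in a schtasks /create command line, or None.

    The tasks in this report wrap the action in two layers of quotes
    ("'C:\\path\\x.exe'"); both layers are stripped."""
    m = TR_ARG.search(command_line)
    if not m:
        return None
    action = m.group(1) if m.group(1) is not None else m.group(2)
    return action.strip("'\"")


def check_event(ev):
    """Return the names of every rule the event matches, in rule order."""
    hits = []
    image = ev["image"].lower()
    parent = ev.get("parent_image", "").lower()
    cmd = ev["command_line"]
    low = cmd.lower()
    directory, _, exe = image.rpartition("\\")

    # 1. schtasks.exe under the WMI provider host: launched through WMI,
    #    not by a shell or an installer.
    if exe == "schtasks.exe" and parent.endswith("\\wmiprvse.exe"):
        hits.append("schtasks_from_wmiprvse")

    # 2. Defender exclusion added from a one-liner.
    if exe == "powershell.exe" and "add-mppreference" in low and "-exclusion" in low:
        hits.append("defender_exclusion_added")

    # 3. Task creation whose action lives outside trusted directories, and
    #    tasks that request the highest run level.
    if exe == "schtasks.exe" and "/create" in low:
        action = task_action(cmd)
        if action and not action.lower().startswith(TRUSTED_ACTION_DIRS):
            hits.append("schtasks_untrusted_action")
        if "/rl highest" in low:
            hits.append("schtasks_highest_runlevel")

    # 4. w32tm /stripchart against localhost, used as a delay between relaunches.
    if exe == "w32tm.exe" and "/stripchart" in low and "/computer:localhost" in low:
        hits.append("w32tm_sleep")

    # 5. A system binary name executing from a directory that is not System32
    #    or SysWOW64 (C:\Recovery\WindowsRE\cmd.exe in this report).
    if exe in SYSTEM_BINARY_NAMES and directory not in SYSTEM_DIRS:
        hits.append("masquerading_system_binary")

    return hits


def scan(events):
    """Return [(index, hits)] for every event that matched at least one rule."""
    out = []
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            out.append((i, hits))
    return out


# Constructed events; command lines copied from the Processes section of this
# report.  The last event is a benign control and matches nothing.
EVENTS = [
    {"image": r"C:\Windows\system32\schtasks.exe",
     "parent_image": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "command_line": r"""schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f"""},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\providercommon\DllCommonsvc.exe",
     "command_line": r"""powershell -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\cmd.exe'"""},
    {"image": r"C:\Windows\system32\w32tm.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"},
    {"image": r"C:\Recovery\WindowsRE\cmd.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'"C:\Recovery\WindowsRE\cmd.exe"'},
    {"image": r"C:\Windows\system32\schtasks.exe",
     "parent_image": r"C:\Windows\system32\cmd.exe",
     "command_line": r'schtasks /create /tn "Backup" /sc DAILY /tr "C:\Windows\System32\robocopy.exe" /f'},
]

if __name__ == "__main__":
    for i, hits in scan(EVENTS):
        print(i, EVENTS[i]["image"], hits)
```

Rule 1 is the noisiest of the five on real fleets (management agents create tasks through WMI too), so in practice it is combined with rule 3 rather than alerted on alone; rules 2 and 5 stand on their own.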
Processes
Process tree, with the depth the sandbox rendered in brackets. The sample runs a .vbe through WScript.exe, which runs a .bat through cmd.exe, which starts the dropped C:\providercommon\DllCommonsvc.exe. DllCommonsvc.exe adds three Defender exclusions and starts the dropped C:\Recovery\WindowsRE\cmd.exe; every instance of that binary runs a .bat from %TEMP% through the real cmd.exe, and each batch calls w32tm /stripchart against localhost (used as a short delay) before starting the dropped cmd.exe again, which is why the chain reaches depth 31. The six schtasks.exe entries at the end are children of WmiPrvSE.exe (PID 1224), not of any process in the chain. PIDs are reused within the run: 4384 is DllCommonsvc.exe and later a cmd.exe at depth 16, 4296 is powershell.exe and later w32tm.exe at depth 21, and 2364 is the sample and later w32tm.exe at depth 23.

[depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb.exe  PID 2364
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a1271b3592e05b264b394a87091f79bb7597d0a18f011be21833c662044ecbb.exe"
  flags: Checks computer location settings; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory

[depth 2] C:\Windows\SysWOW64\WScript.exe  PID 1888
  command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  flags: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

[depth 3] C:\Windows\SysWOW64\cmd.exe  PID 3456
  command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
  flags: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

[depth 4] C:\providercommon\DllCommonsvc.exe  PID 4384
  command line: "C:\providercommon\DllCommonsvc.exe"
  flags: Checks computer location settings; Executes dropped EXE; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID 4400
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  flags: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID 4296
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
  flags: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PID 3272
  command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\cmd.exe'
  flags: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

[depth 5] C:\Recovery\WindowsRE\cmd.exe  PID 2328
  command line: "C:\Recovery\WindowsRE\cmd.exe"
  flags: Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

[depth 6] C:\Windows\System32\cmd.exe  PID 2092
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat"
  flags: Suspicious use of WriteProcessMemory

[depth 7] C:\Windows\system32\w32tm.exe  PID 2192
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

[depth 7] C:\Recovery\WindowsRE\cmd.exe  PID 2356
  command line: "C:\Recovery\WindowsRE\cmd.exe"
  flags: Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

[depth 8] C:\Windows\System32\cmd.exe  PID 1752
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat"
  flags: Suspicious use of WriteProcessMemory

[depth 9] C:\Windows\system32\w32tm.exe  PID 4040
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

[depth 9] C:\Recovery\WindowsRE\cmd.exe  PID 2976
  command line: "C:\Recovery\WindowsRE\cmd.exe"
  flags: Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

[depth 10] C:\Windows\System32\cmd.exe  PID 1012
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\574RqM7W2b.bat"
  flags: Suspicious use of WriteProcessMemory

[depth 11] C:\Windows\system32\w32tm.exe  PID 4824
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

[depth 11] C:\Recovery\WindowsRE\cmd.exe  PID 4196
  command line: "C:\Recovery\WindowsRE\cmd.exe"
  flags: Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

[depth 12] C:\Windows\System32\cmd.exe  PID 3220
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDq7RH5Uwz.bat"
  flags: Suspicious use of WriteProcessMemory

[depth 13] C:\Windows\system32\w32tm.exe  PID 2128
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

[depth 13] C:\Recovery\WindowsRE\cmd.exe  PID 4960
  command line: "C:\Recovery\WindowsRE\cmd.exe"
  flags: Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

[depth 14] C:\Windows\System32\cmd.exe  PID 4052
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eON2Ze4cSc.bat"
  flags: Suspicious use of WriteProcessMemory

[depth 15] C:\Windows\system32\w32tm.exe  PID 3560
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

[depth 15] C:\Recovery\WindowsRE\cmd.exe  PID 3224
  command line: "C:\Recovery\WindowsRE\cmd.exe"
  flags: Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

[depth 16] C:\Windows\System32\cmd.exe  PID 4384 (PID reused; DllCommonsvc.exe at depth 4 had the same PID)
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fZs2sOO0th.bat"
  flags: Suspicious use of WriteProcessMemory

[depth 17] C:\Windows\system32\w32tm.exe  PID 4604
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

[depth 17] C:\Recovery\WindowsRE\cmd.exe  PID 1944
  command line: "C:\Recovery\WindowsRE\cmd.exe"
  flags: Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

[depth 18] C:\Windows\System32\cmd.exe  PID 4896
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat"
  flags: Suspicious use of WriteProcessMemory

[depth 19] C:\Windows\system32\w32tm.exe  PID 872
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

[depth 19] C:\Recovery\WindowsRE\cmd.exe  PID 1192
  command line: "C:\Recovery\WindowsRE\cmd.exe"
  flags: Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

[depth 20] C:\Windows\System32\cmd.exe  PID 3968
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MpmmxgpAh8.bat"
  flags: Suspicious use of WriteProcessMemory

[depth 21] C:\Windows\system32\w32tm.exe  PID 4296 (PID reused; powershell.exe at depth 5 had the same PID)
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

[depth 21] C:\Recovery\WindowsRE\cmd.exe  PID 4460
  command line: "C:\Recovery\WindowsRE\cmd.exe"
  flags: Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

[depth 22] C:\Windows\System32\cmd.exe  PID 1164
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fZs2sOO0th.bat"

[depth 23] C:\Windows\system32\w32tm.exe  PID 2364 (PID reused; the sample at depth 1 had the same PID)
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

[depth 23] C:\Recovery\WindowsRE\cmd.exe  PID 2212
  command line: "C:\Recovery\WindowsRE\cmd.exe"
  flags: Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

[depth 24] C:\Windows\System32\cmd.exe  PID 3660
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat"

[depth 25] C:\Windows\system32\w32tm.exe  PID 4048
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

[depth 25] C:\Recovery\WindowsRE\cmd.exe  PID 2472
  command line: "C:\Recovery\WindowsRE\cmd.exe"
  flags: Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

[depth 26] C:\Windows\System32\cmd.exe  PID 3244
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat"

[depth 27] C:\Windows\system32\w32tm.exe  PID 2152
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

[depth 27] C:\Recovery\WindowsRE\cmd.exe  PID 2800
  command line: "C:\Recovery\WindowsRE\cmd.exe"
  flags: Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

[depth 28] C:\Windows\System32\cmd.exe  PID 4904
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat"

[depth 29] C:\Windows\system32\w32tm.exe  PID 2660
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

[depth 29] C:\Recovery\WindowsRE\cmd.exe  PID 5072
  command line: "C:\Recovery\WindowsRE\cmd.exe"
  flags: Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

[depth 30] C:\Windows\System32\cmd.exe  PID 4304
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KtkjGbmHOL.bat"

[depth 31] C:\Windows\system32\w32tm.exe  PID 5044
  command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Scheduled tasks created through WmiPrvSE.exe (PID 1224):

[depth 1] C:\Windows\system32\schtasks.exe  PID 2028
  command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\providercommon\winlogon.exe'" /f
  flags: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe  PID 1436
  command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
  flags: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe  PID 3644
  command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
  flags: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe  PID 3836
  command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
  flags: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe  PID 3556
  command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
  flags: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task

[depth 1] C:\Windows\system32\schtasks.exe  PID 2960
  command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
  flags: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task

Net persistence: C:\providercommon\winlogon.exe runs at logon with the highest run level and on a minute-based repeat, and C:\Recovery\WindowsRE\cmd.exe likewise. The task names copy the binary names ("winlogon", "cmd") with a one-letter variant for the repeating task. Each pair of same-named creations ("winlogonw" twice, "cmdc" twice) uses /f, which overwrites an existing task of that name, so only one definition of each survives; if the tasks ran in the order shown, the surviving winlogonw task is the 14-minute one and the surviving cmdc task is the 13-minute one, both with /rl HIGHEST. Cleanup therefore needs the four task names, the three Defender exclusions and the dropped binaries in C:\providercommon, C:\Recovery\WindowsRE and C:\Windows\System32\AdvancedInstallers.
Network
MITRE ATT&CK Enterprise v15
Downloads
19 files extracted from the run, listed by size and hash only; the report gives no file names.

Filesize 1KB
MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Filesize 2KB
MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize 944B
MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Filesize 944B
MD5 6d42b6da621e8df5674e26b799c8e2aa
SHA1 ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA256 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA512 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Filesize 194B
MD5 73e5aed612c68b10bd61bb825e518294
SHA1 5cea2b99c811d8f7ba692df081296b1f3a8cc10f
SHA256 c4b83e1c10ed0e474e9a33c2dc9420c3db5d20ad2af230ffbe4e6833ba094ea5
SHA512 5a03a205125c72d174c248d2147220480bc66dfca98e287b635e733f0d12747826b50fd16cefc740fd15e15a3e464f51d9a70c3439cce009e7ef5268b49357c3

Filesize 194B
MD5 31463eb341eccf99b0c483e81309daab
SHA1 dacdb7a91d4e4e688d9c9aa43482cc53f3f8db3f
SHA256 43270e83d0ef877c44f8c003ae7beefc907e1101610a1c0e7877bae343ad6ba8
SHA512 57b1ef9705cc374e0b59a3d6da40add278e0d2c4da30249418f185821ede010e8e88be6f11c7864f38a5c9fad0fd59605bcfcd638a935a4d7c5a900bd2671a29

Filesize 194B
MD5 d3f03040e80d0a602d04849ad0565ca2
SHA1 ee87b71f45c9ae090b103ee307c2e11b3e170ac0
SHA256 6b7dd84566ce0d104a3a8326ee9615b6138a0370995ed4f07b539fe49c153d99
SHA512 1f3fb2d0e4137f047d8a821f1bae0b6c0276e2f3fe5425a0d82572ed85209c9fffdbf62668d7ed9cea424775157fb254af2312e656ba39d5884aa92a3bee2a21

Filesize 194B
MD5 dd3e892c715dcd7c55e2a3537bc91d58
SHA1 a716f1c4d8e8fd2d92c7b83c6c53fc255dcaf4f1
SHA256 501f93c9e9ee1b7dda6b21166e1b41bbde447be9f578fe0fa1cd7a857fb5b6c6
SHA512 406774779d19c84048fb26cc86cf84f4783c7f10c6ebf972220ffd7949f59aa57d6a500a50737bac7ff975ae0e6d810046b243b4ac1829d068c69bc4d7fcfeb4

Filesize 194B
MD5 8dad39976d9bd80d3bdc7696db0db76e
SHA1 2fc38e2a66b526ab9671fa3aaa643da289d547df
SHA256 b3eccf6c21497e0633795b9d9d62dc526bea4cb8554edc9e71cc2384be34ae9a
SHA512 21e7bec3ca8cbca2858c45f0e52b0ef429778c0b4ce411cf0c30c62e153fb14d2b8238ddd1a2ff8ecfd304071c287412ddcf7d8e1942944c4169e4fc2b1c1ea3

Filesize 194B
MD5 9e6fa2b8100f574d1d7e7fb7f9b7660f
SHA1 1cc4053483621a3656918bcbdf2c6052e6f00345
SHA256 c2333573fc49042d1af06ad0ba402b1f8f7361da6aa6716e12c9d52df60175ed
SHA512 aebb52a2105748cb6c4be4fa749e63d6e56c02a76f8a19a67905ea2c6bab2093e54a1a1b2b3ffddd7a229e707e6c0194514ee52fe71995b03b89f15647fe061d

Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize 194B
MD5 a17a7958f19a5a99aec8ae79f3eaece5
SHA1 3d5f30e453a7ced9973cdd96b9d8de6aa2923ddd
SHA256 6175238254afedf51eaef997c89884c514ee2a8765ed2f6f158106ec07cd1d53
SHA512 4874b85cdbfbbcc293051ecfd130627a2684eec78c3b8998776cc3bde3d715e60037c541467223531c387ca9ac8cb1f7d2d30504f0531e2099e934f67fcb2f14

Filesize 194B
MD5 40e99bddaff6c7a5c940942f17aaf827
SHA1 8c20e3541387696bebd2cddc1febc6bbaa63a977
SHA256 13e4f72f9500d768777f3c95479da5890a78e5e6bb38c12eabfe049ad66c94bc
SHA512 34ef69beb6474d46be34256ad90c86d67c8748505dfa7a6db6f8766e6da265447c6efb00656db68cff67bc17376a3d5beb61efbb6865ded29f7b0c976f52fdb8

Filesize 194B
MD5 2bae0e8a40ddd09553961d0c4d47f41d
SHA1 42fe270452869c4f5717e6ca9b99bd23c9e6ec21
SHA256 f2bd20482842eff5fffdf9dac2ff8deb419c7aa250cd4e89c732d1e621a71fea
SHA512 b3945ff9c64b88ed8202314917df43833e5b6e17f3358eb8857c06e208555d34a85c6cc525451795ec0af43c110b7ed874c5c8166a6d49cec88f10998475c132

Filesize 194B
MD5 d98ae6ae7a73f96bfc03c3eefef0242d
SHA1 bf7f1f77ffe782b22a128474e2c4e1e321ad9712
SHA256 402d0342c6c38bf373c26d785890fb36dfd1ea5dad3875ef06196d2a19fb0d91
SHA512 901e94ab7af3569e77e265b4415d23e3cecffcd0d4de4193d97ecddbdfbc77be9e8c454f1a8a309f452329300ec8511d027b77c46f4c7021f05434bcfdb0b1df

Filesize 194B
MD5 22a27ce474186d6c25a073ca620eda70
SHA1 dca0773ddf02e17be580759af3e26ba88fccb03a
SHA256 6b1402f3d621aaf88e72f7b617c28a9d30121d752b0b92727e9a8a28d5cfe326
SHA512 813df3da18a801e80352f68fd458acb1b17ecb8b0d958977f47133954fbd91c08892d0a474ab50578c2b84a9dd040450615a38a5388adce32f6cda2583a8ad27

Filesize 36B
MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Filesize 1.0MB
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Filesize 197B
MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478