dcrat | 069818f3ba3127037ffe26196a6fb9f63471492e0c2ec5553ec160a192d812a2

General

Target

HEUR-Trojan-Spy.MSIL.Stealer.gen-069818f3ba31.exe
Size

1.4MB
MD5

713e9e1e0c47b99a953ae2b751faf8d0
SHA1

37f1f0e9fa5698d1daea2a94533d92ea020b154d
SHA256

069818f3ba3127037ffe26196a6fb9f63471492e0c2ec5553ec160a192d812a2
SHA512

c665be420e7a745b916c895751d0cd923b67dff5bb06eea96ac367b3176829b8e217c344c12276bc206abc2fd384bbe1b74d7df0fee287146d68771422c3be64
SSDEEP

24576:u2G/nvxW3WieCY6dk2xGFNPYJCNAUuF23Gyxibkbl+4J:ubA3jYwVGP3yU62nsq

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 7 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeRefSessiondlldhcprefbroker.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1952	schtasks.exe
1684	schtasks.exe
File created	C:\Windows\System32\MUILanguageCleanup\dwm.exe	RefSessiondlldhcprefbroker.exe
1108	schtasks.exe
1040	schtasks.exe
2020	schtasks.exe
1908	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

RefSessiondlldhcprefbroker.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\MUILanguageCleanup\\dwm.exe\", \"C:\\RefSessiondlldhcp\\RefSessiondlldhcprefbroker\\RefSessiondlldhcprefbroker.exe\", \"C:\\Windows\\System32\\azroles\\spoolsv.exe\", \"C:\\Windows\\Panther\\UnattendGC\\csrss.exe\""	RefSessiondlldhcprefbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\MUILanguageCleanup\\dwm.exe\", \"C:\\RefSessiondlldhcp\\RefSessiondlldhcprefbroker\\RefSessiondlldhcprefbroker.exe\", \"C:\\Windows\\System32\\azroles\\spoolsv.exe\", \"C:\\Windows\\Panther\\UnattendGC\\csrss.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\RefSessiondlldhcprefbroker.exe\""	RefSessiondlldhcprefbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\MUILanguageCleanup\\dwm.exe\", \"C:\\RefSessiondlldhcp\\RefSessiondlldhcprefbroker\\RefSessiondlldhcprefbroker.exe\", \"C:\\Windows\\System32\\azroles\\spoolsv.exe\", \"C:\\Windows\\Panther\\UnattendGC\\csrss.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\RefSessiondlldhcprefbroker.exe\", \"C:\\Windows\\System32\\rdpcore\\taskhost.exe\""	RefSessiondlldhcprefbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\MUILanguageCleanup\\dwm.exe\""	RefSessiondlldhcprefbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\MUILanguageCleanup\\dwm.exe\", \"C:\\RefSessiondlldhcp\\RefSessiondlldhcprefbroker\\RefSessiondlldhcprefbroker.exe\""	RefSessiondlldhcprefbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\MUILanguageCleanup\\dwm.exe\", \"C:\\RefSessiondlldhcp\\RefSessiondlldhcprefbroker\\RefSessiondlldhcprefbroker.exe\", \"C:\\Windows\\System32\\azroles\\spoolsv.exe\""	RefSessiondlldhcprefbroker.exe

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\RefSessiondlldhcp\RefSessiondlldhcprefbroker.exe	dcrat
C:\RefSessiondlldhcp\RefSessiondlldhcprefbroker.exe	dcrat
\RefSessiondlldhcp\RefSessiondlldhcprefbroker.exe	dcrat
C:\RefSessiondlldhcp\RefSessiondlldhcprefbroker.exe	dcrat
behavioral1/memory/704-65-0x00000000009B0000-0x0000000000ADC000-memory.dmp	dcrat
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RefSessiondlldhcprefbroker.exe	dcrat
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RefSessiondlldhcprefbroker.exe	dcrat
behavioral1/memory/1804-75-0x00000000012C0000-0x00000000013EC000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

RefSessiondlldhcprefbroker.exeRefSessiondlldhcprefbroker.exe

pid process

704 RefSessiondlldhcprefbroker.exe
1804 RefSessiondlldhcprefbroker.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

940 cmd.exe
940 cmd.exe

pid	process
704	RefSessiondlldhcprefbroker.exe
1804	RefSessiondlldhcprefbroker.exe

pid	process
940	cmd.exe
940	cmd.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RefSessiondlldhcprefbroker.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\RefSessiondlldhcprefbroker = "\"C:\\RefSessiondlldhcp\\RefSessiondlldhcprefbroker\\RefSessiondlldhcprefbroker.exe\""	RefSessiondlldhcprefbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RefSessiondlldhcprefbroker = "\"C:\\RefSessiondlldhcp\\RefSessiondlldhcprefbroker\\RefSessiondlldhcprefbroker.exe\""	RefSessiondlldhcprefbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Panther\\UnattendGC\\csrss.exe\""	RefSessiondlldhcprefbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RefSessiondlldhcprefbroker = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\RefSessiondlldhcprefbroker.exe\""	RefSessiondlldhcprefbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\RefSessiondlldhcprefbroker = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\RefSessiondlldhcprefbroker.exe\""	RefSessiondlldhcprefbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\rdpcore\\taskhost.exe\""	RefSessiondlldhcprefbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\rdpcore\\taskhost.exe\""	RefSessiondlldhcprefbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\MUILanguageCleanup\\dwm.exe\""	RefSessiondlldhcprefbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\MUILanguageCleanup\\dwm.exe\""	RefSessiondlldhcprefbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\azroles\\spoolsv.exe\""	RefSessiondlldhcprefbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\azroles\\spoolsv.exe\""	RefSessiondlldhcprefbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Panther\\UnattendGC\\csrss.exe\""	RefSessiondlldhcprefbroker.exe

Drops file in System32 directory 7 IoCs

Processes:

RefSessiondlldhcprefbroker.exe

description	ioc	process
File created	C:\Windows\System32\MUILanguageCleanup\dwm.exe	RefSessiondlldhcprefbroker.exe
File opened for modification	C:\Windows\System32\MUILanguageCleanup\dwm.exe	RefSessiondlldhcprefbroker.exe
File created	C:\Windows\System32\MUILanguageCleanup\6cb0b6c459d5d3455a3da700e713f2e2529862ff	RefSessiondlldhcprefbroker.exe
File created	C:\Windows\System32\azroles\spoolsv.exe	RefSessiondlldhcprefbroker.exe
File created	C:\Windows\System32\azroles\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4	RefSessiondlldhcprefbroker.exe
File created	C:\Windows\System32\rdpcore\taskhost.exe	RefSessiondlldhcprefbroker.exe
File created	C:\Windows\System32\rdpcore\b75386f1303e64d8139363b71e44ac16341adf4e	RefSessiondlldhcprefbroker.exe

Drops file in Program Files directory 2 IoCs

Processes:

RefSessiondlldhcprefbroker.exe

description	ioc	process
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RefSessiondlldhcprefbroker.exe	RefSessiondlldhcprefbroker.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\a8a1b0e5b8e1134d3321e8ce46ab68c9c5f3c555	RefSessiondlldhcprefbroker.exe

Drops file in Windows directory 2 IoCs

Processes:

RefSessiondlldhcprefbroker.exe

description	ioc	process
File created	C:\Windows\Panther\UnattendGC\csrss.exe	RefSessiondlldhcprefbroker.exe
File created	C:\Windows\Panther\UnattendGC\886983d96e3d3e31032c679b2d4ea91b6c05afef	RefSessiondlldhcprefbroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1684 schtasks.exe
1108 schtasks.exe
1040 schtasks.exe
2020 schtasks.exe
1908 schtasks.exe
1952 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RefSessiondlldhcprefbroker.exeRefSessiondlldhcprefbroker.exe

pid process

704 RefSessiondlldhcprefbroker.exe
1804 RefSessiondlldhcprefbroker.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RefSessiondlldhcprefbroker.exeRefSessiondlldhcprefbroker.exe

description pid process

Token: SeDebugPrivilege 704 RefSessiondlldhcprefbroker.exe
Token: SeDebugPrivilege 1804 RefSessiondlldhcprefbroker.exe

pid	process
1684	schtasks.exe
1108	schtasks.exe
1040	schtasks.exe
2020	schtasks.exe
1908	schtasks.exe
1952	schtasks.exe

pid	process
704	RefSessiondlldhcprefbroker.exe
1804	RefSessiondlldhcprefbroker.exe

description	pid	process
Token: SeDebugPrivilege	704	RefSessiondlldhcprefbroker.exe
Token: SeDebugPrivilege	1804	RefSessiondlldhcprefbroker.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

HEUR-Trojan-Spy.MSIL.Stealer.gen-069818f3ba31.exeWScript.execmd.exeRefSessiondlldhcprefbroker.exe

description	pid	process	target process
PID 1348 wrote to memory of 1008	1348	HEUR-Trojan-Spy.MSIL.Stealer.gen-069818f3ba31.exe	WScript.exe
PID 1348 wrote to memory of 1008	1348	HEUR-Trojan-Spy.MSIL.Stealer.gen-069818f3ba31.exe	WScript.exe
PID 1348 wrote to memory of 1008	1348	HEUR-Trojan-Spy.MSIL.Stealer.gen-069818f3ba31.exe	WScript.exe
PID 1348 wrote to memory of 1008	1348	HEUR-Trojan-Spy.MSIL.Stealer.gen-069818f3ba31.exe	WScript.exe
PID 1008 wrote to memory of 940	1008	WScript.exe	cmd.exe
PID 1008 wrote to memory of 940	1008	WScript.exe	cmd.exe
PID 1008 wrote to memory of 940	1008	WScript.exe	cmd.exe
PID 1008 wrote to memory of 940	1008	WScript.exe	cmd.exe
PID 940 wrote to memory of 704	940	cmd.exe	RefSessiondlldhcprefbroker.exe
PID 940 wrote to memory of 704	940	cmd.exe	RefSessiondlldhcprefbroker.exe
PID 940 wrote to memory of 704	940	cmd.exe	RefSessiondlldhcprefbroker.exe
PID 940 wrote to memory of 704	940	cmd.exe	RefSessiondlldhcprefbroker.exe
PID 704 wrote to memory of 1108	704	RefSessiondlldhcprefbroker.exe	schtasks.exe
PID 704 wrote to memory of 1108	704	RefSessiondlldhcprefbroker.exe	schtasks.exe
PID 704 wrote to memory of 1108	704	RefSessiondlldhcprefbroker.exe	schtasks.exe
PID 704 wrote to memory of 1040	704	RefSessiondlldhcprefbroker.exe	schtasks.exe
PID 704 wrote to memory of 1040	704	RefSessiondlldhcprefbroker.exe	schtasks.exe
PID 704 wrote to memory of 1040	704	RefSessiondlldhcprefbroker.exe	schtasks.exe
PID 704 wrote to memory of 2020	704	RefSessiondlldhcprefbroker.exe	schtasks.exe
PID 704 wrote to memory of 2020	704	RefSessiondlldhcprefbroker.exe	schtasks.exe
PID 704 wrote to memory of 2020	704	RefSessiondlldhcprefbroker.exe	schtasks.exe
PID 704 wrote to memory of 1908	704	RefSessiondlldhcprefbroker.exe	schtasks.exe
PID 704 wrote to memory of 1908	704	RefSessiondlldhcprefbroker.exe	schtasks.exe
PID 704 wrote to memory of 1908	704	RefSessiondlldhcprefbroker.exe	schtasks.exe
PID 704 wrote to memory of 1952	704	RefSessiondlldhcprefbroker.exe	schtasks.exe
PID 704 wrote to memory of 1952	704	RefSessiondlldhcprefbroker.exe	schtasks.exe
PID 704 wrote to memory of 1952	704	RefSessiondlldhcprefbroker.exe	schtasks.exe
PID 704 wrote to memory of 1684	704	RefSessiondlldhcprefbroker.exe	schtasks.exe
PID 704 wrote to memory of 1684	704	RefSessiondlldhcprefbroker.exe	schtasks.exe
PID 704 wrote to memory of 1684	704	RefSessiondlldhcprefbroker.exe	schtasks.exe
PID 704 wrote to memory of 1804	704	RefSessiondlldhcprefbroker.exe	RefSessiondlldhcprefbroker.exe
PID 704 wrote to memory of 1804	704	RefSessiondlldhcprefbroker.exe	RefSessiondlldhcprefbroker.exe
PID 704 wrote to memory of 1804	704	RefSessiondlldhcprefbroker.exe	RefSessiondlldhcprefbroker.exe

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-069818f3ba31.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Spy.MSIL.Stealer.gen-069818f3ba31.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\RefSessiondlldhcp\5ZImq5G8bisUIgF42b3VyU.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\RefSessiondlldhcp\HXUaQ2po3YKM.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:940

C:\RefSessiondlldhcp\RefSessiondlldhcprefbroker.exe
"C:\RefSessiondlldhcp\RefSessiondlldhcprefbroker.exe"
4⤵
- DcRat
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:704

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\MUILanguageCleanup\dwm.exe'" /rl HIGHEST /f
5⤵
- DcRat
- Creates scheduled task(s)
PID:1108

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RefSessiondlldhcprefbroker" /sc ONLOGON /tr "'C:\RefSessiondlldhcp\RefSessiondlldhcprefbroker\RefSessiondlldhcprefbroker.exe'" /rl HIGHEST /f
5⤵
- DcRat
- Creates scheduled task(s)
PID:1040

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\azroles\spoolsv.exe'" /rl HIGHEST /f
5⤵
- DcRat
- Creates scheduled task(s)
PID:2020

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Panther\UnattendGC\csrss.exe'" /rl HIGHEST /f
5⤵
- DcRat
- Creates scheduled task(s)
PID:1908

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RefSessiondlldhcprefbroker" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RefSessiondlldhcprefbroker.exe'" /rl HIGHEST /f
5⤵
- DcRat
- Creates scheduled task(s)
PID:1952

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\rdpcore\taskhost.exe'" /rl HIGHEST /f
5⤵
- DcRat
- Creates scheduled task(s)
PID:1684

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RefSessiondlldhcprefbroker.exe
"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RefSessiondlldhcprefbroker.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Winlogon Helper DLL

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RefSessiondlldhcprefbroker.exe
Filesize
1.1MB

MD5
361e744e57efd4bc271823b42f432e89

SHA1
9a2a63b5b045b184508c0044c5dcbe90a6f5d6ff

SHA256
a53b9fdd58d83816a7c3f5295cc2d22eed54e100db8bc4da5f4f26a1b055f12e

SHA512
3968ee19077e882e14e9b3d955c37c90d7475b45a7230ed746eb2f4f2e07b6143e008bc46a23485540642548b0d90d4dd0ac2c73eeb3c7588cf8b43ad969cfad

Download Submit
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RefSessiondlldhcprefbroker.exe
Filesize
1.1MB

MD5
361e744e57efd4bc271823b42f432e89

SHA1
9a2a63b5b045b184508c0044c5dcbe90a6f5d6ff

SHA256
a53b9fdd58d83816a7c3f5295cc2d22eed54e100db8bc4da5f4f26a1b055f12e

SHA512
3968ee19077e882e14e9b3d955c37c90d7475b45a7230ed746eb2f4f2e07b6143e008bc46a23485540642548b0d90d4dd0ac2c73eeb3c7588cf8b43ad969cfad

Download Submit
C:\RefSessiondlldhcp\5ZImq5G8bisUIgF42b3VyU.vbe
Filesize
206B

MD5
ef4a52530ae724af1560718fac8ea4ce

SHA1
84c27d9b7cefa0dcd5437e3e1f3b114343a023fc

SHA256
3fb1c367a9e58fcb8ac9f2f6cf47a7f60371af030aaf3b71be6d28a555104e65

SHA512
8d90088149b01722d07177f12625906094d9603c21ad852798efe15ad9d2484ccd22ac541fea9b206ed09835fee0a716f7e23a8bcadceb400bb94a428a3b9d95

Download Submit
C:\RefSessiondlldhcp\HXUaQ2po3YKM.bat
Filesize
53B

MD5
3b039ddcba9d27b07e169b03c380332e

SHA1
e8208c0ee97a06708c3f7367f16510fa4a3449ed

SHA256
67154ac651824da0d440b8b9843393559dbc3b285d702c4f492be15859196e47

SHA512
f2d2e068b9298f205d559bb4e812bb5479fa1e4dac06780555d87ef60a931ce65e92730548d700855997c3735cbc7df02bbe41891ae0a2cad01ad10cfdd5a4a0

Download Submit
C:\RefSessiondlldhcp\RefSessiondlldhcprefbroker.exe
Filesize
1.1MB

MD5
361e744e57efd4bc271823b42f432e89

SHA1
9a2a63b5b045b184508c0044c5dcbe90a6f5d6ff

SHA256
a53b9fdd58d83816a7c3f5295cc2d22eed54e100db8bc4da5f4f26a1b055f12e

SHA512
3968ee19077e882e14e9b3d955c37c90d7475b45a7230ed746eb2f4f2e07b6143e008bc46a23485540642548b0d90d4dd0ac2c73eeb3c7588cf8b43ad969cfad

Download Submit
C:\RefSessiondlldhcp\RefSessiondlldhcprefbroker.exe
Filesize
1.1MB

MD5
361e744e57efd4bc271823b42f432e89

SHA1
9a2a63b5b045b184508c0044c5dcbe90a6f5d6ff

SHA256
a53b9fdd58d83816a7c3f5295cc2d22eed54e100db8bc4da5f4f26a1b055f12e

SHA512
3968ee19077e882e14e9b3d955c37c90d7475b45a7230ed746eb2f4f2e07b6143e008bc46a23485540642548b0d90d4dd0ac2c73eeb3c7588cf8b43ad969cfad

Download Submit
\RefSessiondlldhcp\RefSessiondlldhcprefbroker.exe
Filesize
1.1MB

MD5
361e744e57efd4bc271823b42f432e89

SHA1
9a2a63b5b045b184508c0044c5dcbe90a6f5d6ff

SHA256
a53b9fdd58d83816a7c3f5295cc2d22eed54e100db8bc4da5f4f26a1b055f12e

SHA512
3968ee19077e882e14e9b3d955c37c90d7475b45a7230ed746eb2f4f2e07b6143e008bc46a23485540642548b0d90d4dd0ac2c73eeb3c7588cf8b43ad969cfad

Download Submit
\RefSessiondlldhcp\RefSessiondlldhcprefbroker.exe
Filesize
1.1MB

MD5
361e744e57efd4bc271823b42f432e89

SHA1
9a2a63b5b045b184508c0044c5dcbe90a6f5d6ff

SHA256
a53b9fdd58d83816a7c3f5295cc2d22eed54e100db8bc4da5f4f26a1b055f12e

SHA512
3968ee19077e882e14e9b3d955c37c90d7475b45a7230ed746eb2f4f2e07b6143e008bc46a23485540642548b0d90d4dd0ac2c73eeb3c7588cf8b43ad969cfad

Download Submit
memory/704-65-0x00000000009B0000-0x0000000000ADC000-memory.dmp

Filesize
1.2MB

Download
memory/704-63-0x0000000000000000-mapping.dmp

Download
memory/940-59-0x0000000000000000-mapping.dmp

Download
memory/1008-55-0x0000000000000000-mapping.dmp

Download
memory/1040-67-0x0000000000000000-mapping.dmp

Download
memory/1108-66-0x0000000000000000-mapping.dmp

Download
memory/1348-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1684-71-0x0000000000000000-mapping.dmp

Download
memory/1804-72-0x0000000000000000-mapping.dmp

Download
memory/1804-75-0x00000000012C0000-0x00000000013EC000-memory.dmp

Filesize
1.2MB

Download
memory/1908-69-0x0000000000000000-mapping.dmp

Download
memory/1952-70-0x0000000000000000-mapping.dmp

Download
memory/2020-68-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads