dcrat | d2ac899a907641ad38d3d535723be9fd3f581590bb461c93f30d1d2dc5706087

General

Target

bbd5709ac40896d243f619941d4789c3.exe
Size

1.4MB
MD5

bbd5709ac40896d243f619941d4789c3
SHA1

d6e45ca38ffcb71b1df4fdd51c628ffdc58ab7b0
SHA256

d2ac899a907641ad38d3d535723be9fd3f581590bb461c93f30d1d2dc5706087
SHA512

61d76a75f6143acf0e15b6b6f2b9d810e71b96a32c25f3083476b1cf23bc4d0a04c609115b7def17a91872134f17aa068a484d97306eb2fdd046d97df297eb92
SSDEEP

24576:sWcUeg8DqSBzKMC5n9yjh7VU6KSQBVh5iIq0YLCTayC7NR:PNepqeGMCG9nKLPhIIqjGWyC5

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	520	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	276	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	1740	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	1740	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1884-54-0x0000000000190000-0x00000000002F2000-memory.dmp	dcrat
C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\smss.exe	dcrat
C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\smss.exe	dcrat
behavioral1/memory/1908-66-0x0000000000880000-0x00000000009E2000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

smss.exe

pid process

1908 smss.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1908	smss.exe

Drops file in Program Files directory 4 IoCs

Processes:

bbd5709ac40896d243f619941d4789c3.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Idle.exe	bbd5709ac40896d243f619941d4789c3.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\6ccacd8608530f	bbd5709ac40896d243f619941d4789c3.exe
File created	C:\Program Files\Common Files\SpeechEngines\dwm.exe	bbd5709ac40896d243f619941d4789c3.exe
File created	C:\Program Files\Common Files\SpeechEngines\6cb0b6c459d5d3	bbd5709ac40896d243f619941d4789c3.exe

Drops file in Windows directory 15 IoCs

Processes:

bbd5709ac40896d243f619941d4789c3.exe

description	ioc	process
File created	C:\Windows\Cursors\f3b6ecef712a24	bbd5709ac40896d243f619941d4789c3.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\6203df4a6bafc7	bbd5709ac40896d243f619941d4789c3.exe
File created	C:\Windows\inf\smss.exe	bbd5709ac40896d243f619941d4789c3.exe
File created	C:\Windows\addins\c5b4cb5e9653cc	bbd5709ac40896d243f619941d4789c3.exe
File created	C:\Windows\AppCompat\Programs\smss.exe	bbd5709ac40896d243f619941d4789c3.exe
File created	C:\Windows\Cursors\spoolsv.exe	bbd5709ac40896d243f619941d4789c3.exe
File opened for modification	C:\Windows\Cursors\spoolsv.exe	bbd5709ac40896d243f619941d4789c3.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\lsass.exe	bbd5709ac40896d243f619941d4789c3.exe
File created	C:\Windows\addins\services.exe	bbd5709ac40896d243f619941d4789c3.exe
File created	C:\Windows\AppCompat\winlogon.exe	bbd5709ac40896d243f619941d4789c3.exe
File created	C:\Windows\AppCompat\cc11b995f2a76d	bbd5709ac40896d243f619941d4789c3.exe
File created	C:\Windows\inf\69ddcba757bf72	bbd5709ac40896d243f619941d4789c3.exe
File created	C:\Windows\es-ES\services.exe	bbd5709ac40896d243f619941d4789c3.exe
File created	C:\Windows\es-ES\c5b4cb5e9653cc	bbd5709ac40896d243f619941d4789c3.exe
File created	C:\Windows\AppCompat\Programs\69ddcba757bf72	bbd5709ac40896d243f619941d4789c3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2016	schtasks.exe
760	schtasks.exe
1872	schtasks.exe
1792	schtasks.exe
1548	schtasks.exe
1768	schtasks.exe
1772	schtasks.exe
1812	schtasks.exe
688	schtasks.exe
2036	schtasks.exe
564	schtasks.exe
568	schtasks.exe
1308	schtasks.exe
392	schtasks.exe
2028	schtasks.exe
920	schtasks.exe
276	schtasks.exe
1580	schtasks.exe
668	schtasks.exe
112	schtasks.exe
1488	schtasks.exe
1040	schtasks.exe
1472	schtasks.exe
280	schtasks.exe
520	schtasks.exe
844	schtasks.exe
1376	schtasks.exe
1344	schtasks.exe
684	schtasks.exe
1664	schtasks.exe
764	schtasks.exe
1716	schtasks.exe
1324	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

bbd5709ac40896d243f619941d4789c3.exesmss.exe

pid	process
1884	bbd5709ac40896d243f619941d4789c3.exe
1884	bbd5709ac40896d243f619941d4789c3.exe
1884	bbd5709ac40896d243f619941d4789c3.exe
1908	smss.exe
1908	smss.exe
1908	smss.exe
1908	smss.exe
1908	smss.exe
1908	smss.exe
1908	smss.exe
1908	smss.exe
1908	smss.exe
1908	smss.exe
1908	smss.exe
1908	smss.exe
1908	smss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bbd5709ac40896d243f619941d4789c3.exesmss.exe

description pid process

Token: SeDebugPrivilege 1884 bbd5709ac40896d243f619941d4789c3.exe
Token: SeDebugPrivilege 1908 smss.exe

description	pid	process
Token: SeDebugPrivilege	1884	bbd5709ac40896d243f619941d4789c3.exe
Token: SeDebugPrivilege	1908	smss.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

bbd5709ac40896d243f619941d4789c3.execmd.exe

description	pid	process	target process
PID 1884 wrote to memory of 764	1884	bbd5709ac40896d243f619941d4789c3.exe	cmd.exe
PID 1884 wrote to memory of 764	1884	bbd5709ac40896d243f619941d4789c3.exe	cmd.exe
PID 1884 wrote to memory of 764	1884	bbd5709ac40896d243f619941d4789c3.exe	cmd.exe
PID 764 wrote to memory of 1676	764	cmd.exe	w32tm.exe
PID 764 wrote to memory of 1676	764	cmd.exe	w32tm.exe
PID 764 wrote to memory of 1676	764	cmd.exe	w32tm.exe
PID 764 wrote to memory of 1908	764	cmd.exe	smss.exe
PID 764 wrote to memory of 1908	764	cmd.exe	smss.exe
PID 764 wrote to memory of 1908	764	cmd.exe	smss.exe

C:\Users\Admin\AppData\Local\Temp\bbd5709ac40896d243f619941d4789c3.exe
"C:\Users\Admin\AppData\Local\Temp\bbd5709ac40896d243f619941d4789c3.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mjkIL98Z5f.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:1676

C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\smss.exe
"C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\smss.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\Cursors\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Cursors\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\Cursors\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\RemotePackages\RemoteDesktops\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\RemotePackages\RemoteDesktops\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\inf\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\inf\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\inf\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\SpeechEngines\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Common Files\SpeechEngines\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\SpeechEngines\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\addins\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\addins\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\addins\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\es-ES\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\AppCompat\Programs\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\AppCompat\Programs\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\AppCompat\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\AppCompat\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\AppCompat\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\smss.exe
Filesize
1.4MB

MD5
bbd5709ac40896d243f619941d4789c3

SHA1
d6e45ca38ffcb71b1df4fdd51c628ffdc58ab7b0

SHA256
d2ac899a907641ad38d3d535723be9fd3f581590bb461c93f30d1d2dc5706087

SHA512
61d76a75f6143acf0e15b6b6f2b9d810e71b96a32c25f3083476b1cf23bc4d0a04c609115b7def17a91872134f17aa068a484d97306eb2fdd046d97df297eb92

Download Submit
C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\smss.exe
Filesize
1.4MB

MD5
bbd5709ac40896d243f619941d4789c3

SHA1
d6e45ca38ffcb71b1df4fdd51c628ffdc58ab7b0

SHA256
d2ac899a907641ad38d3d535723be9fd3f581590bb461c93f30d1d2dc5706087

SHA512
61d76a75f6143acf0e15b6b6f2b9d810e71b96a32c25f3083476b1cf23bc4d0a04c609115b7def17a91872134f17aa068a484d97306eb2fdd046d97df297eb92

Download Submit
C:\Users\Admin\AppData\Local\Temp\mjkIL98Z5f.bat
Filesize
222B

MD5
8a34ab17dac1b8e37cd91ad03f4754d8

SHA1
3c83a266fb8c1ead7abf5d06ca9f068a18d2783b

SHA256
82917e70fbca7cf99b91a81fa616fce9c4192d8e745dcfe58b701212d9783f08

SHA512
edfdbb50b4043061a0f14dfb058158cbfaa8445c25e882baabae7a69833094344a40d64d8fb9d62444d40dfbf15f7b5f8576cd27f950ff12cf4c1496d838debb

Download Submit
memory/764-60-0x0000000000000000-mapping.dmp

Download
memory/1676-62-0x0000000000000000-mapping.dmp

Download
memory/1884-58-0x0000000000910000-0x000000000091C000-memory.dmp

Filesize
48KB

Download
memory/1884-59-0x0000000000920000-0x0000000000932000-memory.dmp

Filesize
72KB

Download
memory/1884-54-0x0000000000190000-0x00000000002F2000-memory.dmp

Filesize
1.4MB

Download
memory/1884-57-0x00000000006F0000-0x0000000000700000-memory.dmp

Filesize
64KB

Download
memory/1884-56-0x0000000000450000-0x0000000000466000-memory.dmp

Filesize
88KB

Download
memory/1884-55-0x0000000000430000-0x000000000044C000-memory.dmp

Filesize
112KB

Download
memory/1908-64-0x0000000000000000-mapping.dmp

Download
memory/1908-66-0x0000000000880000-0x00000000009E2000-memory.dmp

Filesize
1.4MB

Download
memory/1908-67-0x0000000000750000-0x0000000000762000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads