dcrat | 95c6777202c918304a78d0d16ecfe1d8969c6c89c920a969bb7e27f34e8c78b6

General

Target

156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
Size

774KB
MD5

156e3d59adc4d47edf5b12f8e10e4f9d
SHA1

a26ea9dc199039acb998a79ae4350e944d674bf9
SHA256

95c6777202c918304a78d0d16ecfe1d8969c6c89c920a969bb7e27f34e8c78b6
SHA512

b5ab8953fccf9af7c54a2b5963aaab69303c8a6342f3f0856249c535a003e33025dcc08bc662ad57a4bc49f5afa1f96e3eace1bf94817625d36717dc461d7a16
SSDEEP

24576:kNSDqhcQfj7xDq2N+4uF6I8QsaOXA/n3z:ocg92R9F92XA/z

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost\\StartMenuExperienceHost.exe\", \"C:\\Windows\\System32\\Windows.Internal.Shell.Broker\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\accountaccessor\\fontdrvhost.exe\", \"C:\\Windows\\System32\\baaupdate\\taskhostw.exe\", \"C:\\Windows\\System32\\cscdll\\dwm.exe\", \"C:\\Windows\\System32\\wbiosrvc\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\gpupdate\\taskhostw.exe\""	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost\\StartMenuExperienceHost.exe\""	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost\\StartMenuExperienceHost.exe\", \"C:\\Windows\\System32\\Windows.Internal.Shell.Broker\\RuntimeBroker.exe\""	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost\\StartMenuExperienceHost.exe\", \"C:\\Windows\\System32\\Windows.Internal.Shell.Broker\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\accountaccessor\\fontdrvhost.exe\""	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost\\StartMenuExperienceHost.exe\", \"C:\\Windows\\System32\\Windows.Internal.Shell.Broker\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\accountaccessor\\fontdrvhost.exe\", \"C:\\Windows\\System32\\baaupdate\\taskhostw.exe\""	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost\\StartMenuExperienceHost.exe\", \"C:\\Windows\\System32\\Windows.Internal.Shell.Broker\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\accountaccessor\\fontdrvhost.exe\", \"C:\\Windows\\System32\\baaupdate\\taskhostw.exe\", \"C:\\Windows\\System32\\cscdll\\dwm.exe\""	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost\\StartMenuExperienceHost.exe\", \"C:\\Windows\\System32\\Windows.Internal.Shell.Broker\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\accountaccessor\\fontdrvhost.exe\", \"C:\\Windows\\System32\\baaupdate\\taskhostw.exe\", \"C:\\Windows\\System32\\cscdll\\dwm.exe\", \"C:\\Windows\\System32\\wbiosrvc\\RuntimeBroker.exe\""	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe

Process spawned unexpected child process 7 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	2448	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	2448	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4348	2448	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2448	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	2448	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	2448	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	2448	schtasks.exe	89

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2728-0-0x0000000000040000-0x0000000000108000-memory.dmp	dcrat
behavioral2/files/0x000700000002323c-11.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1660	dwm.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost\\StartMenuExperienceHost.exe\""	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost\\StartMenuExperienceHost.exe\""	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\accountaccessor\\fontdrvhost.exe\""	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\wbiosrvc\\RuntimeBroker.exe\""	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\gpupdate\\taskhostw.exe\""	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\Windows.Internal.Shell.Broker\\RuntimeBroker.exe\""	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\accountaccessor\\fontdrvhost.exe\""	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\baaupdate\\taskhostw.exe\""	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\baaupdate\\taskhostw.exe\""	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\wbiosrvc\\RuntimeBroker.exe\""	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\Windows.Internal.Shell.Broker\\RuntimeBroker.exe\""	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\cscdll\\dwm.exe\""	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\cscdll\\dwm.exe\""	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\gpupdate\\taskhostw.exe\""	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\accountaccessor\fontdrvhost.exe	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
File created	C:\Windows\System32\accountaccessor\5b884080fd4f94e2695da25c503f9e33b9605b83	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
File created	C:\Windows\System32\wbiosrvc\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
File created	C:\Windows\System32\gpupdate\ea9f0e6c9e2dcd4dfacdaf29ba21541fb815a988	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
File created	C:\Windows\System32\Windows.Internal.Shell.Broker\RuntimeBroker.exe	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
File created	C:\Windows\System32\baaupdate\taskhostw.exe	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
File created	C:\Windows\System32\baaupdate\ea9f0e6c9e2dcd4dfacdaf29ba21541fb815a988	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
File created	C:\Windows\System32\cscdll\dwm.exe	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
File created	C:\Windows\System32\cscdll\6cb0b6c459d5d3455a3da700e713f2e2529862ff	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
File created	C:\Windows\System32\wbiosrvc\RuntimeBroker.exe	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
File created	C:\Windows\System32\gpupdate\taskhostw.exe	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
File created	C:\Windows\System32\Windows.Internal.Shell.Broker\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost\StartMenuExperienceHost.exe	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost\StartMenuExperienceHost.exe	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost\55b276f4edf653fe07efe8f1ecc32d3d195abd16	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1172	schtasks.exe
4404	schtasks.exe
4140	schtasks.exe
1220	schtasks.exe
4348	schtasks.exe
2648	schtasks.exe
4400	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
2728	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
2728	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
2728	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
2728	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
2728	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
2728	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
1660	dwm.exe
1660	dwm.exe
1660	dwm.exe
1660	dwm.exe
1660	dwm.exe
1660	dwm.exe
1660	dwm.exe
1660	dwm.exe
1660	dwm.exe
1660	dwm.exe
1660	dwm.exe
1660	dwm.exe
1660	dwm.exe
1660	dwm.exe
1660	dwm.exe
1660	dwm.exe
1660	dwm.exe
1660	dwm.exe
1660	dwm.exe
1660	dwm.exe
1660	dwm.exe
1660	dwm.exe
1660	dwm.exe
1660	dwm.exe
1660	dwm.exe
1660	dwm.exe
1660	dwm.exe
1660	dwm.exe
1660	dwm.exe
1660	dwm.exe
1660	dwm.exe
1660	dwm.exe
1660	dwm.exe
1660	dwm.exe
1660	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
Token: 33	2728	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2728	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
Token: SeDebugPrivilege	1660	dwm.exe
Token: 33	1660	dwm.exe
Token: SeIncBasePriorityPrivilege	1660	dwm.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 1932	2728	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe	97
PID 2728 wrote to memory of 1932	2728	156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe	97
PID 1932 wrote to memory of 4336	1932	cmd.exe	99
PID 1932 wrote to memory of 4336	1932	cmd.exe	99
PID 1932 wrote to memory of 2492	1932	cmd.exe	100
PID 1932 wrote to memory of 2492	1932	cmd.exe	100
PID 1932 wrote to memory of 1660	1932	cmd.exe	105
PID 1932 wrote to memory of 1660	1932	cmd.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\156e3d59adc4d47edf5b12f8e10e4f9d_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wJA1ZfeT28.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4336
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2492
- - C:\Windows\System32\cscdll\dwm.exe
    "C:\Windows\System32\cscdll\dwm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\Windows.Internal.Shell.Broker\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\accountaccessor\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\baaupdate\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\cscdll\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\wbiosrvc\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\gpupdate\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wJA1ZfeT28.bat

Filesize
210B

MD5
fd84263e6776d56140846fb4cedd31dd

SHA1
f5db1d2f119105ecea15904ef2e972a180fdfae2

SHA256
da9ae164477c3d4631c22e084df18a2802c80b90e4df76abbf67f2b6af96baa3

SHA512
61a2174e1a7d8e8b2b92dfa22f8728d843c040c25262a3878f81a50c1f919c3665b0f640e142043807823fab251c18256adfe6ca9caa03f8a718d23b2492d21e

Download Submit
C:\Windows\System32\cscdll\dwm.exe

Filesize
774KB

MD5
156e3d59adc4d47edf5b12f8e10e4f9d

SHA1
a26ea9dc199039acb998a79ae4350e944d674bf9

SHA256
95c6777202c918304a78d0d16ecfe1d8969c6c89c920a969bb7e27f34e8c78b6

SHA512
b5ab8953fccf9af7c54a2b5963aaab69303c8a6342f3f0856249c535a003e33025dcc08bc662ad57a4bc49f5afa1f96e3eace1bf94817625d36717dc461d7a16

Download Submit
memory/1660-39-0x000000001CEF0000-0x000000001CFF0000-memory.dmp

Filesize
1024KB

Download
memory/1660-48-0x000000001B2F0000-0x000000001B300000-memory.dmp

Filesize
64KB

Download
memory/1660-58-0x00007FF9B5CD0000-0x00007FF9B6791000-memory.dmp

Filesize
10.8MB

Download
memory/1660-57-0x000000001CEF0000-0x000000001CFF0000-memory.dmp

Filesize
1024KB

Download
memory/1660-27-0x00007FF9B5CD0000-0x00007FF9B6791000-memory.dmp

Filesize
10.8MB

Download
memory/1660-28-0x000000001B2F0000-0x000000001B300000-memory.dmp

Filesize
64KB

Download
memory/1660-29-0x0000000000C00000-0x0000000000C0C000-memory.dmp

Filesize
48KB

Download
memory/1660-30-0x0000000000C50000-0x0000000000C5C000-memory.dmp

Filesize
48KB

Download
memory/1660-31-0x0000000000C40000-0x0000000000C4C000-memory.dmp

Filesize
48KB

Download
memory/1660-32-0x0000000000C30000-0x0000000000C38000-memory.dmp

Filesize
32KB

Download
memory/1660-33-0x0000000000C20000-0x0000000000C28000-memory.dmp

Filesize
32KB

Download
memory/1660-34-0x0000000000C60000-0x0000000000C68000-memory.dmp

Filesize
32KB

Download
memory/1660-35-0x000000001B2F0000-0x000000001B300000-memory.dmp

Filesize
64KB

Download
memory/1660-36-0x000000001B2F0000-0x000000001B300000-memory.dmp

Filesize
64KB

Download
memory/1660-37-0x000000001B2F0000-0x000000001B300000-memory.dmp

Filesize
64KB

Download
memory/1660-38-0x000000001B2F0000-0x000000001B300000-memory.dmp

Filesize
64KB

Download
memory/1660-40-0x000000001CEF0000-0x000000001CFF0000-memory.dmp

Filesize
1024KB

Download
memory/1660-56-0x000000001CEF0000-0x000000001CFF0000-memory.dmp

Filesize
1024KB

Download
memory/1660-51-0x000000001CEF0000-0x000000001CFF0000-memory.dmp

Filesize
1024KB

Download
memory/1660-42-0x000000001CEF0000-0x000000001CFF0000-memory.dmp

Filesize
1024KB

Download
memory/1660-43-0x00007FF9B5CD0000-0x00007FF9B6791000-memory.dmp

Filesize
10.8MB

Download
memory/1660-44-0x000000001CEF0000-0x000000001CFF0000-memory.dmp

Filesize
1024KB

Download
memory/1660-45-0x000000001B2F0000-0x000000001B300000-memory.dmp

Filesize
64KB

Download
memory/1660-46-0x000000001B2F0000-0x000000001B300000-memory.dmp

Filesize
64KB

Download
memory/1660-47-0x000000001B2F0000-0x000000001B300000-memory.dmp

Filesize
64KB

Download
memory/1660-55-0x000000001CEF0000-0x000000001CFF0000-memory.dmp

Filesize
1024KB

Download
memory/1660-49-0x000000001B2F0000-0x000000001B300000-memory.dmp

Filesize
64KB

Download
memory/1660-50-0x000000001B2F0000-0x000000001B300000-memory.dmp

Filesize
64KB

Download
memory/1660-41-0x000000001CEF0000-0x000000001CFF0000-memory.dmp

Filesize
1024KB

Download
memory/1660-52-0x000000001B2F0000-0x000000001B300000-memory.dmp

Filesize
64KB

Download
memory/1660-53-0x000000001CEF0000-0x000000001CFF0000-memory.dmp

Filesize
1024KB

Download
memory/1660-54-0x000000001CEF0000-0x000000001CFF0000-memory.dmp

Filesize
1024KB

Download
memory/2728-0-0x0000000000040000-0x0000000000108000-memory.dmp

Filesize
800KB

Download
memory/2728-2-0x0000000002200000-0x0000000002210000-memory.dmp

Filesize
64KB

Download
memory/2728-23-0x00007FF9B6020000-0x00007FF9B6AE1000-memory.dmp

Filesize
10.8MB

Download
memory/2728-1-0x00007FF9B6020000-0x00007FF9B6AE1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads