Analysis
- max time kernel: 50s
- max time network: 72s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 21-06-2024 17:16
Static task: static1
General
- Target: дсрат.exe
- Size: 1.8MB
- MD5: 545889c3d894821e69924ca2a1acf5eb
- SHA1: 34c7bec63e692b96d793a8047275be6af779c021
- SHA256: 0f6b00ebfc4324cf4feb87bad29724c3f2c9723c84af4bf4d086352925bf06b7
- SHA512: 6e28f070734ac8d44e917e86394c991e6db5a6389195b5204ccea47a95eb946b505f696f0f8c68b62dddd883f3dbe4ced2bd8a7d152bdc91a5132f686a633618
- SSDEEP: 49152:1Djlabwz9fig9rohmN0qEKX8uSgRHqNGiS:ZqwdRV0fgEiKYiS
Malware Config
Extracted
lumma
Signatures
-
DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Processes:
resource | yara_rule
C:\ProgramData\SoftwareDistribution\Bypass.exe | dcrat
behavioral1/memory/5080-33-0x0000000000F80000-0x0000000001136000-memory.dmp | dcrat
Deletes itself 1 IoCs
Processes:
pid | process
5080 | Bypass.exe
Executes dropped EXE 3 IoCs
Processes:
pid | process
3604 | Bypass.exe
2412 | Loader.exe
5080 | Bypass.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
description | ioc | process
File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | Bypass.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 2412 set thread context of 3580 | 2412 | Loader.exe | RegAsm.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | дсрат.exe
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
pid | process
5080 | Bypass.exe (13 repeated entries)
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 5080 | Bypass.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
1884 | дсрат.exe
1392 | WScript.exe
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
description | pid | process | target process
PID 1884 wrote to memory of 1392 | 1884 | дсрат.exe | WScript.exe (2 entries)
PID 1884 wrote to memory of 4264 | 1884 | дсрат.exe | cmd.exe (2 entries)
PID 1884 wrote to memory of 3604 | 1884 | дсрат.exe | Bypass.exe (2 entries)
PID 4264 wrote to memory of 2412 | 4264 | cmd.exe | Loader.exe (3 entries)
PID 4264 wrote to memory of 1952 | 4264 | cmd.exe | reg.exe (2 entries)
PID 4264 wrote to memory of 3596 | 4264 | cmd.exe | reg.exe (2 entries)
PID 3604 wrote to memory of 5080 | 3604 | Bypass.exe | Bypass.exe (2 entries)
PID 2412 wrote to memory of 4452 | 2412 | Loader.exe | RegAsm.exe (3 entries)
PID 2412 wrote to memory of 5044 | 2412 | Loader.exe | RegAsm.exe (3 entries)
PID 2412 wrote to memory of 3580 | 2412 | Loader.exe | RegAsm.exe (9 entries)
PID 4264 wrote to memory of 5068 | 4264 | cmd.exe | reg.exe (2 entries)
Processes (indented by depth in the process tree)
- C:\Users\Admin\AppData\Local\Temp\дсрат.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\дсрат.exe"
  Signatures: Modifies registry class; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  PID: 1884
  - C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Loader\error.vbs"
    Signatures: Suspicious use of FindShellTrayWindow
    PID: 1392
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Loader\KHRnsPaHq6wt4rRYII1q2.bat" "
    Signatures: Suspicious use of WriteProcessMemory
    PID: 4264
    - C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe
      Command line: Loader.exe
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      PID: 2412
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID: 4452
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID: 5044
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID: 3580
    - C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v С:/Users /t REG_DWORD /d 0
      Signatures: Windows security bypass
      PID: 1952
    - C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d C:\WINDOWS\system32\userinit.exe, C:\Users\Admin\AppData\Local\Temp/Loader/Bypass.exe
      PID: 3596
    - C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d C:\WINDOWS\system32\explorer.exe, C:\ProgramData\SoftwareDistribution\Bypass.exe
      PID: 5068
  - C:\Users\Admin\AppData\Local\Temp\Loader\Bypass.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Loader\Bypass.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    PID: 3604
    - C:\ProgramData\SoftwareDistribution\Bypass.exe
      Command line: "C:\ProgramData\SoftwareDistribution\Bypass.exe"
      Signatures: Deletes itself; Executes dropped EXE; Drops autorun.inf file; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      PID: 5080
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3aed855 /state1:0x41c64e6d
  PID: 4564
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\ProgramData\SoftwareDistribution\Bypass.exe
  Filesize: 1.7MB
  MD5: d5089008582efc34df9cfe5e48550d21
  SHA1: 4105575343659919dff89cc18d1d8fbc7bd60289
  SHA256: c3a15ab0b9e3ebf966ff7fae15c9309c5a739ab755aa706c14c437ed01e3b13c
  SHA512: 7ab28e1e9150f2585c0e20ddc3260aed9b3d8922eabaf05a7bfd88c1c2fe1c4f586cac368a4bae9fdce9093ded2ef6ead9505d28779bcf448e196e29b5a5050b
- C:\Users\Admin\AppData\Local\Temp\Loader\Bypass.exe
  Filesize: 1.2MB
  MD5: e569faac3b8f8d70b0c2ed38ab26019b
  SHA1: 91adf9b4f18146374a957360f232f61c56595bab
  SHA256: 9f2267e35d5030990fa4d516e45289163aa236a934f8d45546a543db4bf10e40
  SHA512: d0681e04801b6ce7933f0438c87527e41cd73cb3f7039048cf2d60f85b30bb5f5235145428a6f77e57fcc1600539e336fa433b33bd4e45a50c1aa7ae214f2478
- C:\Users\Admin\AppData\Local\Temp\Loader\KHRnsPaHq6wt4rRYII1q2.bat
  Filesize: 503B
  MD5: 3217ead6df07978acaaa5c47812959b4
  SHA1: 00b535427aafd0aaa9cbdbd308c42d085af6ff25
  SHA256: 3d70ee828b984f3d71eb9e6bcd902c5d25f8cbb935c0419b6deb9e7707581b3d
  SHA512: e521688b73e7c87699671864da9badf51fed1ea4afacac17f6656ac37b484b91157b10ed5ebb57348c09ce65cdadf183cc1be326c24716ee2f71867d0231b159
- C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe
  Filesize: 594KB
  MD5: b6c3c00d7cf6d8d13f20dbc590a675ad
  SHA1: a36e5c3c94f7abe3cbdfd3418e3ae03e66aa5323
  SHA256: 0021b20ecb3a2d562118bae38f00d1bdffc8facda49c8e1d1995966e1cd7957c
  SHA512: e6f5165b9678cc6818d0213e84a6fdfb606af69dd6be67ea3db12dbb4a8b3503afcb9dc729a727691bef2374a355ea3ab7d8f8864adcab87d0cfee892c660eba
- C:\Users\Admin\AppData\Local\Temp\Loader\error.vbs
  Filesize: 91B
  MD5: 3e9e1d51930b0f7dd74cf0a85279abb7
  SHA1: 344f901c9070611eaa6077bbebfc1b63c28857bf
  SHA256: 2db9bf60266d735cbb49eec9c394c03071e2a3c7763367baeb60c2d60b0c461f
  SHA512: f056abd5030a1e71e11d06608ebaab38585f8d5f8a14f20e9949d296cd3037fee67ae459a1ad9a8d86bbb117e46957fa4091cbaf9b877b45664e4d9284a3acbf
- memory/3580-32-0x0000000000400000-0x0000000000455000-memory.dmp
  Filesize: 340KB
- memory/3580-31-0x0000000000400000-0x0000000000455000-memory.dmp
  Filesize: 340KB
- memory/5080-33-0x0000000000F80000-0x0000000001136000-memory.dmp
  Filesize: 1.7MB
- memory/5080-34-0x0000000001950000-0x000000000196C000-memory.dmp
  Filesize: 112KB
- memory/5080-37-0x0000000003290000-0x00000000032E6000-memory.dmp
  Filesize: 344KB
- memory/5080-36-0x00000000019C0000-0x00000000019D6000-memory.dmp
  Filesize: 88KB
- memory/5080-35-0x000000001C400000-0x000000001C450000-memory.dmp
  Filesize: 320KB
- memory/5080-39-0x00000000032E0000-0x00000000032E8000-memory.dmp
  Filesize: 32KB
- memory/5080-38-0x0000000001930000-0x000000000193E000-memory.dmp
  Filesize: 56KB