44caliber | fe014092ae92e8372849bed9f5cf33946e8d918bdc50feddc1316bc837414ba8

General

Target

Nursultan.exe
Size

1.4MB
MD5

1b6293c7f0dfed044b0eba8b98b0faff
SHA1

e5705cbb256bb0b1a350e1b9fb71c1a1e4ac605a
SHA256

fe014092ae92e8372849bed9f5cf33946e8d918bdc50feddc1316bc837414ba8
SHA512

694e9afd04089172c991a712849049545459ceeed99780a6f012ca086fa2d1b70bbd627534b85b1797f4be22feda55e46e6966fe96a2ee66effdeeaa2eb650a5
SSDEEP

24576:d2G/nvxW3WckpJWjXbNQsVZy8v8BQSsZWcJ48z2AB4:dbA3wvW+sVZy8fZWmz9

Score

10^/10

44caliber dcrat infostealer rat stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1253689379948593173/lzPh5dDD7ETWYLRPMt2M_Ml82yS42YxolYTwBWldi4NXuLOvpMPhz7AlFtFln1RxcqaC

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3552	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3724	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	5104	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	5104	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1872-1-0x00000000005C0000-0x000000000072C000-memory.dmp	dcrat
C:\Users\Admin\AppData\Local\Temp\svchost.exe	dcrat
C:\Hypercommon\ServercrtDll.exe	dcrat
behavioral1/memory/4508-39-0x0000000000C70000-0x0000000000D46000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ServercrtDll.exeNursultan.exesvchost.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	ServercrtDll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Nursultan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 22 IoCs

Processes:

svchost.exeexplorer.exeServercrtDll.exeStartMenuExperienceHost.exeexplorer.exespoolsv.exesmss.exeStartMenuExperienceHost.exeexplorer.exeSystem.exewininit.exespoolsv.exeexplorer.exesmss.exeStartMenuExperienceHost.exespoolsv.exeexplorer.exeSystem.exewininit.exesmss.exeexplorer.exeStartMenuExperienceHost.exe

pid	process
3988	svchost.exe
4984	explorer.exe
4508	ServercrtDll.exe
4052	StartMenuExperienceHost.exe
4024	explorer.exe
4368	spoolsv.exe
4920	smss.exe
5064	StartMenuExperienceHost.exe
928	explorer.exe
2948	System.exe
2396	wininit.exe
4740	spoolsv.exe
2720	explorer.exe
3140	smss.exe
4292	StartMenuExperienceHost.exe
3808	spoolsv.exe
3532	explorer.exe
4640	System.exe
4344	wininit.exe
1524	smss.exe
2796	explorer.exe
3752	StartMenuExperienceHost.exe

Drops file in Program Files directory 8 IoCs

Processes:

ServercrtDll.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe	ServercrtDll.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\f3b6ecef712a24	ServercrtDll.exe
File created	C:\Program Files (x86)\Microsoft\smss.exe	ServercrtDll.exe
File created	C:\Program Files (x86)\Microsoft\69ddcba757bf72	ServercrtDll.exe
File created	C:\Program Files\ModifiableWindowsApps\cmd.exe	ServercrtDll.exe
File created	C:\Program Files (x86)\Microsoft\Temp\StartMenuExperienceHost.exe	ServercrtDll.exe
File created	C:\Program Files (x86)\Microsoft\Temp\55b276f4edf653	ServercrtDll.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe	ServercrtDll.exe

Drops file in Windows directory 3 IoCs

Processes:

ServercrtDll.exe

description	ioc	process
File created	C:\Windows\diagnostics\system\Printer\de-DE\wininit.exe	ServercrtDll.exe
File created	C:\Windows\PLA\Templates\smss.exe	ServercrtDll.exe
File created	C:\Windows\PLA\Templates\69ddcba757bf72	ServercrtDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	svchost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
540	schtasks.exe
1812	schtasks.exe
1052	schtasks.exe
4668	schtasks.exe
2696	schtasks.exe
4960	schtasks.exe
3028	schtasks.exe
3712	schtasks.exe
4416	schtasks.exe
116	schtasks.exe
2312	schtasks.exe
3724	schtasks.exe
1508	schtasks.exe
448	schtasks.exe
264	schtasks.exe
408	schtasks.exe
4608	schtasks.exe
4616	schtasks.exe
1660	schtasks.exe
3952	schtasks.exe
3552	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

explorer.exeServercrtDll.exeStartMenuExperienceHost.exeexplorer.exespoolsv.exesmss.exeexplorer.exeSystem.exewininit.exespoolsv.exeexplorer.exesmss.exespoolsv.exeSystem.exewininit.exesmss.exe

pid	process
4984	explorer.exe
4984	explorer.exe
4508	ServercrtDll.exe
4508	ServercrtDll.exe
4508	ServercrtDll.exe
4052	StartMenuExperienceHost.exe
4024	explorer.exe
4368	spoolsv.exe
4920	smss.exe
928	explorer.exe
2948	System.exe
2396	wininit.exe
4740	spoolsv.exe
2720	explorer.exe
3140	smss.exe
3808	spoolsv.exe
4640	System.exe
4344	wininit.exe
1524	smss.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

explorer.exeServercrtDll.exeStartMenuExperienceHost.exeexplorer.exespoolsv.exesmss.exeStartMenuExperienceHost.exeexplorer.exeSystem.exewininit.exespoolsv.exeexplorer.exesmss.exeStartMenuExperienceHost.exespoolsv.exeexplorer.exeSystem.exewininit.exesmss.exeStartMenuExperienceHost.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	4984	explorer.exe
Token: SeDebugPrivilege	4508	ServercrtDll.exe
Token: SeDebugPrivilege	4052	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	4024	explorer.exe
Token: SeDebugPrivilege	4368	spoolsv.exe
Token: SeDebugPrivilege	4920	smss.exe
Token: SeDebugPrivilege	5064	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	928	explorer.exe
Token: SeDebugPrivilege	2948	System.exe
Token: SeDebugPrivilege	2396	wininit.exe
Token: SeDebugPrivilege	4740	spoolsv.exe
Token: SeDebugPrivilege	2720	explorer.exe
Token: SeDebugPrivilege	3140	smss.exe
Token: SeDebugPrivilege	4292	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	3808	spoolsv.exe
Token: SeDebugPrivilege	3532	explorer.exe
Token: SeDebugPrivilege	4640	System.exe
Token: SeDebugPrivilege	4344	wininit.exe
Token: SeDebugPrivilege	1524	smss.exe
Token: SeDebugPrivilege	3752	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	2796	explorer.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Nursultan.exesvchost.exeWScript.execmd.exeServercrtDll.exe

description	pid	process	target process
PID 1872 wrote to memory of 3988	1872	Nursultan.exe	svchost.exe
PID 1872 wrote to memory of 3988	1872	Nursultan.exe	svchost.exe
PID 1872 wrote to memory of 3988	1872	Nursultan.exe	svchost.exe
PID 1872 wrote to memory of 4984	1872	Nursultan.exe	explorer.exe
PID 1872 wrote to memory of 4984	1872	Nursultan.exe	explorer.exe
PID 3988 wrote to memory of 3568	3988	svchost.exe	WScript.exe
PID 3988 wrote to memory of 3568	3988	svchost.exe	WScript.exe
PID 3988 wrote to memory of 3568	3988	svchost.exe	WScript.exe
PID 3568 wrote to memory of 864	3568	WScript.exe	cmd.exe
PID 3568 wrote to memory of 864	3568	WScript.exe	cmd.exe
PID 3568 wrote to memory of 864	3568	WScript.exe	cmd.exe
PID 864 wrote to memory of 4508	864	cmd.exe	ServercrtDll.exe
PID 864 wrote to memory of 4508	864	cmd.exe	ServercrtDll.exe
PID 4508 wrote to memory of 4052	4508	ServercrtDll.exe	StartMenuExperienceHost.exe
PID 4508 wrote to memory of 4052	4508	ServercrtDll.exe	StartMenuExperienceHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1872

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3988

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Hypercommon\s6qV8wojz3Yx3vhyfOAzGuFvxlJ5l.vbe"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Hypercommon\Udwe1ynNPaETo.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:864

C:\Hypercommon\ServercrtDll.exe
"C:\Hypercommon\ServercrtDll.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4508

C:\Program Files (x86)\Microsoft\Temp\StartMenuExperienceHost.exe
"C:\Program Files (x86)\Microsoft\Temp\StartMenuExperienceHost.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\Templates\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\PLA\Templates\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\PLA\Templates\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\Temp\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Temp\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\Temp\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4608

C:\Recovery\WindowsRE\explorer.exe
C:\Recovery\WindowsRE\explorer.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe
"C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Program Files (x86)\Microsoft\smss.exe
"C:\Program Files (x86)\Microsoft\smss.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Program Files (x86)\Microsoft\Temp\StartMenuExperienceHost.exe
"C:\Program Files (x86)\Microsoft\Temp\StartMenuExperienceHost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Recovery\WindowsRE\explorer.exe
C:\Recovery\WindowsRE\explorer.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Recovery\WindowsRE\System.exe
C:\Recovery\WindowsRE\System.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Recovery\WindowsRE\wininit.exe
C:\Recovery\WindowsRE\wininit.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe
"C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Recovery\WindowsRE\explorer.exe
C:\Recovery\WindowsRE\explorer.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Program Files (x86)\Microsoft\smss.exe
"C:\Program Files (x86)\Microsoft\smss.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Program Files (x86)\Microsoft\Temp\StartMenuExperienceHost.exe
"C:\Program Files (x86)\Microsoft\Temp\StartMenuExperienceHost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe
"C:\Program Files (x86)\Windows Photo Viewer\spoolsv.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3808

C:\Recovery\WindowsRE\explorer.exe
C:\Recovery\WindowsRE\explorer.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\Recovery\WindowsRE\System.exe
C:\Recovery\WindowsRE\System.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4640

C:\Recovery\WindowsRE\wininit.exe
C:\Recovery\WindowsRE\wininit.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4344

C:\Program Files (x86)\Microsoft\smss.exe
"C:\Program Files (x86)\Microsoft\smss.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Recovery\WindowsRE\explorer.exe
C:\Recovery\WindowsRE\explorer.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Program Files (x86)\Microsoft\Temp\StartMenuExperienceHost.exe
"C:\Program Files (x86)\Microsoft\Temp\StartMenuExperienceHost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Hypercommon\ServercrtDll.exe
Filesize
828KB

MD5
801d5740c780d09b1cc6d971ce8b280f

SHA1
c7188e6f5998405d9dcbe83ce5d29267861be07d

SHA256
b678bee38602b80df34f15e4555bb689e2eb6aef26f4c273d652c88f8825c33f

SHA512
3296e517a6e0d6d3feb1f9d1544664b87589130d8a28f205626b2182ecdf333ff404f311ce69730d509e3072432024d3ed16db7068d35925375d9ecc5fe82b49

Download Submit
C:\Hypercommon\Udwe1ynNPaETo.bat
Filesize
33B

MD5
1af82b77403306ff43f68bf7a0786c52

SHA1
730a3bd4b524ffa024657c1fc27ffd82e25f3f81

SHA256
e358e4c2fc541cc4e5614b1af9360a85a32fc53babbc57ecf5858fe71d334f96

SHA512
0e33b779aceb2a42f5c42e07bcd3ac70a3dbb1fd2bbd4ae154979735f58eeaab5abea05cea682f4b73f6b54174ace8ac3046c6e9a84c4a729a6ed2bffa1a9ec1

Download Submit
C:\Hypercommon\s6qV8wojz3Yx3vhyfOAzGuFvxlJ5l.vbe
Filesize
201B

MD5
0f314eb5d52ce9cd85095eadff4f908c

SHA1
272d25d43f789dd5fad479ab31e96214f82302b3

SHA256
f17ea2d9d889ef2012cb57191ad3a1d2d3351df8539b4029d6f7080d66217e89

SHA512
471b72558c045bc4acd276087d82e564aa7685373dea3ac3e90390df0f7f42ea06ae0254d3a4a9dc57312c7b1485916f4d470bd353b4b8c0b35d705573105f09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\StartMenuExperienceHost.exe.log
Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log
Filesize
422B

MD5
6b273e0cbcea417b261afe54d2c7a997

SHA1
caaae505b76884ba95b2465c95c1a47144ecaf8f

SHA256
5e96a6e6a2e5a7216941871f67b8e683b9eea2be80d66d7542b65a6491ba5480

SHA512
968d8a83c63c3029a122e9fc647663f5af261e12a7b23164ed514600174befad6ec3e3767de71607062c9dc37e2968a991b55fa76e35064c3819f960fb7ba196

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe
Filesize
303KB

MD5
7d9282b8529bbb4ac06a3994fbcd0622

SHA1
d38d467c5e533f3bc247b6ed245fb08412a479d7

SHA256
ca5820bbbcbefd08f5ec820b833b23f7f97556a247da39510a70cbe7b809e3a9

SHA512
aec2d63548176dc1a8ad3d2dfce0bc41973230c6898c55171dec7fc2919b84a8061d4308449c9551cc40ac7c08ad773fd6a7818bbd748ede9be64acc11dcfca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
1.1MB

MD5
3ee661f4a9794c72a91fa1f783f54969

SHA1
35780f52351da65b60cc63b302018950cbfe849f

SHA256
ebcaf07121ce2483989e7a71d00b83c54b942f71e51271d5b28886ef03e45b51

SHA512
0b53edac853f257b3c40b8b8014f0b0d53f546410d352965eace8eb251b2d75aa02e171586750a70dd97a4bc103b4b7707e90d5bd7a47c786858514f83281bde

Download Submit
memory/1872-0-0x00000000750EE000-0x00000000750EF000-memory.dmp

Filesize
4KB

Download
memory/1872-2-0x0000000005150000-0x00000000051EC000-memory.dmp

Filesize
624KB

Download
memory/1872-1-0x00000000005C0000-0x000000000072C000-memory.dmp

Filesize
1.4MB

Download
memory/4508-39-0x0000000000C70000-0x0000000000D46000-memory.dmp

Filesize
856KB

Download
memory/4984-26-0x00007FFE30510000-0x00007FFE30FD1000-memory.dmp

Filesize
10.8MB

Download
memory/4984-24-0x00000187C1660000-0x00000187C16B2000-memory.dmp

Filesize
328KB

Download
memory/4984-23-0x00007FFE30513000-0x00007FFE30515000-memory.dmp

Filesize
8KB

Download
memory/4984-66-0x00007FFE30510000-0x00007FFE30FD1000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads