44caliber | fe014092ae92e8372849bed9f5cf33946e8d918bdc50feddc1316bc837414ba8

General

Target

Nursultan.exe
Size

1.4MB
MD5

1b6293c7f0dfed044b0eba8b98b0faff
SHA1

e5705cbb256bb0b1a350e1b9fb71c1a1e4ac605a
SHA256

fe014092ae92e8372849bed9f5cf33946e8d918bdc50feddc1316bc837414ba8
SHA512

694e9afd04089172c991a712849049545459ceeed99780a6f012ca086fa2d1b70bbd627534b85b1797f4be22feda55e46e6966fe96a2ee66effdeeaa2eb650a5
SSDEEP

24576:d2G/nvxW3WckpJWjXbNQsVZy8v8BQSsZWcJ48z2AB4:dbA3wvW+sVZy8fZWmz9

Score

10^/10

44caliber dcrat infostealer rat stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1253689379948593173/lzPh5dDD7ETWYLRPMt2M_Ml82yS42YxolYTwBWldi4NXuLOvpMPhz7AlFtFln1RxcqaC

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3956	2064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	2064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3584	2064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3860	2064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	2064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4340	2064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	2064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	2064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	2064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	384	2064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	2064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2064	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	2064	schtasks.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4872-1-0x0000000000A00000-0x0000000000B6C000-memory.dmp	dcrat
C:\Users\Admin\AppData\Local\Temp\svchost.exe	dcrat
behavioral2/memory/2836-32-0x00007FFFF6300000-0x00007FFFF6DC2000-memory.dmp	dcrat
C:\Hypercommon\ServercrtDll.exe	dcrat
behavioral2/memory/5004-39-0x00000000000B0000-0x0000000000186000-memory.dmp	dcrat
behavioral2/memory/2836-63-0x00007FFFF6300000-0x00007FFFF6DC2000-memory.dmp	dcrat

Executes dropped EXE 24 IoCs

Processes:

svchost.exeexplorer.exeServercrtDll.execmd.exedllhost.exeSppExtComObj.exeservices.exedllhost.execmd.exeSppExtComObj.exesppsvc.exeRuntimeBroker.exedllhost.exeSppExtComObj.exeservices.exedllhost.execmd.exeSppExtComObj.exesppsvc.exedllhost.exeRuntimeBroker.exeservices.exeSppExtComObj.exedllhost.exe

pid	process
1544	svchost.exe
2836	explorer.exe
5004	ServercrtDll.exe
3952	cmd.exe
1164	dllhost.exe
5004	SppExtComObj.exe
1456	services.exe
3504	dllhost.exe
3172	cmd.exe
1960	SppExtComObj.exe
4388	sppsvc.exe
4716	RuntimeBroker.exe
4692	dllhost.exe
840	SppExtComObj.exe
4196	services.exe
5000	dllhost.exe
4780	cmd.exe
3280	SppExtComObj.exe
1416	sppsvc.exe
4964	dllhost.exe
3448	RuntimeBroker.exe
4724	services.exe
2696	SppExtComObj.exe
1356	dllhost.exe

Drops file in Program Files directory 4 IoCs

Processes:

ServercrtDll.exe

description	ioc	process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SppExtComObj.exe	ServercrtDll.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\e1ef82546f0b02	ServercrtDll.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\RuntimeBroker.exe	ServercrtDll.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\9e8d7a4ca61bd9	ServercrtDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings	svchost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2564	schtasks.exe
3000	schtasks.exe
4780	schtasks.exe
4724	schtasks.exe
3860	schtasks.exe
4904	schtasks.exe
384	schtasks.exe
3004	schtasks.exe
1164	schtasks.exe
4544	schtasks.exe
3584	schtasks.exe
4340	schtasks.exe
3080	schtasks.exe
3508	schtasks.exe
3956	schtasks.exe
2004	schtasks.exe
3008	schtasks.exe
4280	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

explorer.exeServercrtDll.execmd.exedllhost.exeSppExtComObj.exeservices.execmd.exeSppExtComObj.exeRuntimeBroker.exedllhost.exeSppExtComObj.exeservices.execmd.exeSppExtComObj.exedllhost.exeRuntimeBroker.exeservices.exe

pid	process
2836	explorer.exe
2836	explorer.exe
5004	ServercrtDll.exe
5004	ServercrtDll.exe
5004	ServercrtDll.exe
5004	ServercrtDll.exe
5004	ServercrtDll.exe
5004	ServercrtDll.exe
5004	ServercrtDll.exe
5004	ServercrtDll.exe
5004	ServercrtDll.exe
3952	cmd.exe
1164	dllhost.exe
5004	SppExtComObj.exe
1456	services.exe
3172	cmd.exe
1960	SppExtComObj.exe
4716	RuntimeBroker.exe
4692	dllhost.exe
840	SppExtComObj.exe
4196	services.exe
4780	cmd.exe
3280	SppExtComObj.exe
4964	dllhost.exe
3448	RuntimeBroker.exe
4724	services.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

explorer.exeServercrtDll.execmd.exedllhost.exeSppExtComObj.exeservices.exedllhost.execmd.exeSppExtComObj.exesppsvc.exeRuntimeBroker.exedllhost.exeSppExtComObj.exeservices.exedllhost.execmd.exeSppExtComObj.exesppsvc.exedllhost.exeRuntimeBroker.exeservices.exeSppExtComObj.exedllhost.exe

description	pid	process
Token: SeDebugPrivilege	2836	explorer.exe
Token: SeDebugPrivilege	5004	ServercrtDll.exe
Token: SeDebugPrivilege	3952	cmd.exe
Token: SeDebugPrivilege	1164	dllhost.exe
Token: SeDebugPrivilege	5004	SppExtComObj.exe
Token: SeDebugPrivilege	1456	services.exe
Token: SeDebugPrivilege	3504	dllhost.exe
Token: SeDebugPrivilege	3172	cmd.exe
Token: SeDebugPrivilege	1960	SppExtComObj.exe
Token: SeDebugPrivilege	4388	sppsvc.exe
Token: SeDebugPrivilege	4716	RuntimeBroker.exe
Token: SeDebugPrivilege	4692	dllhost.exe
Token: SeDebugPrivilege	840	SppExtComObj.exe
Token: SeDebugPrivilege	4196	services.exe
Token: SeDebugPrivilege	5000	dllhost.exe
Token: SeDebugPrivilege	4780	cmd.exe
Token: SeDebugPrivilege	3280	SppExtComObj.exe
Token: SeDebugPrivilege	1416	sppsvc.exe
Token: SeDebugPrivilege	4964	dllhost.exe
Token: SeDebugPrivilege	3448	RuntimeBroker.exe
Token: SeDebugPrivilege	4724	services.exe
Token: SeDebugPrivilege	2696	SppExtComObj.exe
Token: SeDebugPrivilege	1356	dllhost.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Nursultan.exesvchost.exeWScript.execmd.exeServercrtDll.exe

description	pid	process	target process
PID 4872 wrote to memory of 1544	4872	Nursultan.exe	svchost.exe
PID 4872 wrote to memory of 1544	4872	Nursultan.exe	svchost.exe
PID 4872 wrote to memory of 1544	4872	Nursultan.exe	svchost.exe
PID 4872 wrote to memory of 2836	4872	Nursultan.exe	explorer.exe
PID 4872 wrote to memory of 2836	4872	Nursultan.exe	explorer.exe
PID 1544 wrote to memory of 4560	1544	svchost.exe	WScript.exe
PID 1544 wrote to memory of 4560	1544	svchost.exe	WScript.exe
PID 1544 wrote to memory of 4560	1544	svchost.exe	WScript.exe
PID 4560 wrote to memory of 1240	4560	WScript.exe	cmd.exe
PID 4560 wrote to memory of 1240	4560	WScript.exe	cmd.exe
PID 4560 wrote to memory of 1240	4560	WScript.exe	cmd.exe
PID 1240 wrote to memory of 5004	1240	cmd.exe	ServercrtDll.exe
PID 1240 wrote to memory of 5004	1240	cmd.exe	ServercrtDll.exe
PID 5004 wrote to memory of 3952	5004	ServercrtDll.exe	cmd.exe
PID 5004 wrote to memory of 3952	5004	ServercrtDll.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4872

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Hypercommon\s6qV8wojz3Yx3vhyfOAzGuFvxlJ5l.vbe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Hypercommon\Udwe1ynNPaETo.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:1240

C:\Hypercommon\ServercrtDll.exe
"C:\Hypercommon\ServercrtDll.exe"
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5004

C:\Hypercommon\cmd.exe
"C:\Hypercommon\cmd.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Public\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Hypercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Hypercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Hypercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4340

C:\Users\Public\dllhost.exe
C:\Users\Public\dllhost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SppExtComObj.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SppExtComObj.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Recovery\WindowsRE\services.exe
C:\Recovery\WindowsRE\services.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Users\Public\dllhost.exe
C:\Users\Public\dllhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3504

C:\Hypercommon\cmd.exe
C:\Hypercommon\cmd.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3172

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SppExtComObj.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SppExtComObj.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Recovery\WindowsRE\sppsvc.exe
C:\Recovery\WindowsRE\sppsvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Program Files (x86)\Reference Assemblies\Microsoft\RuntimeBroker.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\RuntimeBroker.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4716

C:\Users\Public\dllhost.exe
C:\Users\Public\dllhost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4692

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SppExtComObj.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SppExtComObj.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Recovery\WindowsRE\services.exe
C:\Recovery\WindowsRE\services.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Users\Public\dllhost.exe
C:\Users\Public\dllhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Hypercommon\cmd.exe
C:\Hypercommon\cmd.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SppExtComObj.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SppExtComObj.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3280

C:\Recovery\WindowsRE\sppsvc.exe
C:\Recovery\WindowsRE\sppsvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Users\Public\dllhost.exe
C:\Users\Public\dllhost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Program Files (x86)\Reference Assemblies\Microsoft\RuntimeBroker.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\RuntimeBroker.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\Recovery\WindowsRE\services.exe
C:\Recovery\WindowsRE\services.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SppExtComObj.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SppExtComObj.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Users\Public\dllhost.exe
C:\Users\Public\dllhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1356

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Hypercommon\ServercrtDll.exe
Filesize
828KB

MD5
801d5740c780d09b1cc6d971ce8b280f

SHA1
c7188e6f5998405d9dcbe83ce5d29267861be07d

SHA256
b678bee38602b80df34f15e4555bb689e2eb6aef26f4c273d652c88f8825c33f

SHA512
3296e517a6e0d6d3feb1f9d1544664b87589130d8a28f205626b2182ecdf333ff404f311ce69730d509e3072432024d3ed16db7068d35925375d9ecc5fe82b49

Download Submit
C:\Hypercommon\Udwe1ynNPaETo.bat
Filesize
33B

MD5
1af82b77403306ff43f68bf7a0786c52

SHA1
730a3bd4b524ffa024657c1fc27ffd82e25f3f81

SHA256
e358e4c2fc541cc4e5614b1af9360a85a32fc53babbc57ecf5858fe71d334f96

SHA512
0e33b779aceb2a42f5c42e07bcd3ac70a3dbb1fd2bbd4ae154979735f58eeaab5abea05cea682f4b73f6b54174ace8ac3046c6e9a84c4a729a6ed2bffa1a9ec1

Download Submit
C:\Hypercommon\s6qV8wojz3Yx3vhyfOAzGuFvxlJ5l.vbe
Filesize
201B

MD5
0f314eb5d52ce9cd85095eadff4f908c

SHA1
272d25d43f789dd5fad479ab31e96214f82302b3

SHA256
f17ea2d9d889ef2012cb57191ad3a1d2d3351df8539b4029d6f7080d66217e89

SHA512
471b72558c045bc4acd276087d82e564aa7685373dea3ac3e90390df0f7f42ea06ae0254d3a4a9dc57312c7b1485916f4d470bd353b4b8c0b35d705573105f09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log
Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe
Filesize
303KB

MD5
7d9282b8529bbb4ac06a3994fbcd0622

SHA1
d38d467c5e533f3bc247b6ed245fb08412a479d7

SHA256
ca5820bbbcbefd08f5ec820b833b23f7f97556a247da39510a70cbe7b809e3a9

SHA512
aec2d63548176dc1a8ad3d2dfce0bc41973230c6898c55171dec7fc2919b84a8061d4308449c9551cc40ac7c08ad773fd6a7818bbd748ede9be64acc11dcfca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
1.1MB

MD5
3ee661f4a9794c72a91fa1f783f54969

SHA1
35780f52351da65b60cc63b302018950cbfe849f

SHA256
ebcaf07121ce2483989e7a71d00b83c54b942f71e51271d5b28886ef03e45b51

SHA512
0b53edac853f257b3c40b8b8014f0b0d53f546410d352965eace8eb251b2d75aa02e171586750a70dd97a4bc103b4b7707e90d5bd7a47c786858514f83281bde

Download Submit
memory/2836-23-0x0000016BD60D0000-0x0000016BD6122000-memory.dmp

Filesize
328KB

Download
memory/2836-32-0x00007FFFF6300000-0x00007FFFF6DC2000-memory.dmp

Filesize
10.8MB

Download
memory/2836-22-0x00007FFFF6303000-0x00007FFFF6305000-memory.dmp

Filesize
8KB

Download
memory/2836-63-0x00007FFFF6300000-0x00007FFFF6DC2000-memory.dmp

Filesize
10.8MB

Download
memory/4872-0-0x000000007488E000-0x000000007488F000-memory.dmp

Filesize
4KB

Download
memory/4872-2-0x00000000055A0000-0x000000000563C000-memory.dmp

Filesize
624KB

Download
memory/4872-1-0x0000000000A00000-0x0000000000B6C000-memory.dmp

Filesize
1.4MB

Download
memory/5004-39-0x00000000000B0000-0x0000000000186000-memory.dmp

Filesize
856KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads