dcrat | ee09d66a9ffc05f8b64b63809e24e68c0143b27f27c38a67c1be020cffe5926e

Analysis

max time kernel
120s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 10:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee09d66a9ffc05f8b64b63809e24e68c0143b27f27c38a67c1be020cffe5926eN.exe
Size

1.6MB
MD5

74c1f67c58214d1d3629f0be21d90590
SHA1

2de1855efc9b23cc3964e085a902c1de83c2c1f7
SHA256

ee09d66a9ffc05f8b64b63809e24e68c0143b27f27c38a67c1be020cffe5926e
SHA512

134717ef9a405272f34aecff622d7c420d3de9cd421e79638e12a90aab5c804968d50de8510c9491cee87c0f860b987ec5a98470535b5d59f1fd900f7dbe75be
SSDEEP

49152:FYXvuodR5X4JqgOOnoIluPNFMX06otsEkA:eXvu8v+qUo+4tfkA

Score

10^/10

dcrat luminosity discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat 2 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""		ee09d66a9ffc05f8b64b63809e24e68c0143b27f27c38a67c1be020cffe5926eN.exe
		4384	schtasks.exe

Luminosity 2 IoCs

Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

rat luminosity

description	ioc	pid	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""		ee09d66a9ffc05f8b64b63809e24e68c0143b27f27c38a67c1be020cffe5926eN.exe
		4384	schtasks.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5020	powershell.exe
4868	powershell.exe
3340	powershell.exe
4320	powershell.exe
3284	powershell.exe
2880	powershell.exe
3440	powershell.exe
116	powershell.exe
3308	powershell.exe
4400	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
1980	176846831.exe
2280	136180073.exe
4220	916703795.exe
1692	96078202.exe
1844	335520359.exe
3916	675569637.exe
2900	1043532612.exe
3336	1480261882.exe
2836	1303158827.exe
3944	1576440844.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	176846831.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	136180073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	916703795.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	96078202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	335520359.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1480261882.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	1303158827.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ee09d66a9ffc05f8b64b63809e24e68c0143b27f27c38a67c1be020cffe5926eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	675569637.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	1043532612.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1576440844.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4384	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
116	powershell.exe
116	powershell.exe
3308	powershell.exe
3308	powershell.exe
4400	powershell.exe
4400	powershell.exe
3340	powershell.exe
3340	powershell.exe
5020	powershell.exe
5020	powershell.exe
4320	powershell.exe
4320	powershell.exe
3284	powershell.exe
3284	powershell.exe
4868	powershell.exe
4868	powershell.exe
2880	powershell.exe
2880	powershell.exe
3440	powershell.exe
3440	powershell.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe
3944	1576440844.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	116	powershell.exe
Token: SeDebugPrivilege	3308	powershell.exe
Token: SeDebugPrivilege	4400	powershell.exe
Token: SeDebugPrivilege	3340	powershell.exe
Token: SeDebugPrivilege	5020	powershell.exe
Token: SeDebugPrivilege	4320	powershell.exe
Token: SeDebugPrivilege	3284	powershell.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	3440	powershell.exe
Token: SeDebugPrivilege	3944	1576440844.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3944	1576440844.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4332 wrote to memory of 408	4332	ee09d66a9ffc05f8b64b63809e24e68c0143b27f27c38a67c1be020cffe5926eN.exe	82
PID 4332 wrote to memory of 408	4332	ee09d66a9ffc05f8b64b63809e24e68c0143b27f27c38a67c1be020cffe5926eN.exe	82
PID 4332 wrote to memory of 552	4332	ee09d66a9ffc05f8b64b63809e24e68c0143b27f27c38a67c1be020cffe5926eN.exe	84
PID 4332 wrote to memory of 552	4332	ee09d66a9ffc05f8b64b63809e24e68c0143b27f27c38a67c1be020cffe5926eN.exe	84
PID 552 wrote to memory of 116	552	cmd.exe	86
PID 552 wrote to memory of 116	552	cmd.exe	86
PID 116 wrote to memory of 1980	116	powershell.exe	87
PID 116 wrote to memory of 1980	116	powershell.exe	87
PID 1980 wrote to memory of 4384	1980	176846831.exe	88
PID 1980 wrote to memory of 4384	1980	176846831.exe	88
PID 1980 wrote to memory of 1208	1980	176846831.exe	90
PID 1980 wrote to memory of 1208	1980	176846831.exe	90
PID 1208 wrote to memory of 3308	1208	cmd.exe	92
PID 1208 wrote to memory of 3308	1208	cmd.exe	92
PID 3308 wrote to memory of 2280	3308	powershell.exe	93
PID 3308 wrote to memory of 2280	3308	powershell.exe	93
PID 2280 wrote to memory of 4988	2280	136180073.exe	94
PID 2280 wrote to memory of 4988	2280	136180073.exe	94
PID 2280 wrote to memory of 1332	2280	136180073.exe	96
PID 2280 wrote to memory of 1332	2280	136180073.exe	96
PID 1332 wrote to memory of 4400	1332	cmd.exe	98
PID 1332 wrote to memory of 4400	1332	cmd.exe	98
PID 4400 wrote to memory of 4220	4400	powershell.exe	99
PID 4400 wrote to memory of 4220	4400	powershell.exe	99
PID 4220 wrote to memory of 1480	4220	916703795.exe	100
PID 4220 wrote to memory of 1480	4220	916703795.exe	100
PID 4220 wrote to memory of 4688	4220	916703795.exe	102
PID 4220 wrote to memory of 4688	4220	916703795.exe	102
PID 4688 wrote to memory of 3340	4688	cmd.exe	104
PID 4688 wrote to memory of 3340	4688	cmd.exe	104
PID 3340 wrote to memory of 1692	3340	powershell.exe	105
PID 3340 wrote to memory of 1692	3340	powershell.exe	105
PID 1692 wrote to memory of 3104	1692	96078202.exe	106
PID 1692 wrote to memory of 3104	1692	96078202.exe	106
PID 1692 wrote to memory of 2448	1692	96078202.exe	108
PID 1692 wrote to memory of 2448	1692	96078202.exe	108
PID 2448 wrote to memory of 5020	2448	cmd.exe	110
PID 2448 wrote to memory of 5020	2448	cmd.exe	110
PID 5020 wrote to memory of 1844	5020	powershell.exe	113
PID 5020 wrote to memory of 1844	5020	powershell.exe	113
PID 1844 wrote to memory of 3932	1844	335520359.exe	114
PID 1844 wrote to memory of 3932	1844	335520359.exe	114
PID 1844 wrote to memory of 2676	1844	335520359.exe	116
PID 1844 wrote to memory of 2676	1844	335520359.exe	116
PID 2676 wrote to memory of 4320	2676	cmd.exe	118
PID 2676 wrote to memory of 4320	2676	cmd.exe	118
PID 4320 wrote to memory of 3916	4320	powershell.exe	120
PID 4320 wrote to memory of 3916	4320	powershell.exe	120
PID 3916 wrote to memory of 3836	3916	675569637.exe	122
PID 3916 wrote to memory of 3836	3916	675569637.exe	122
PID 3916 wrote to memory of 4328	3916	675569637.exe	124
PID 3916 wrote to memory of 4328	3916	675569637.exe	124
PID 4328 wrote to memory of 3284	4328	cmd.exe	126
PID 4328 wrote to memory of 3284	4328	cmd.exe	126
PID 3284 wrote to memory of 2900	3284	powershell.exe	127
PID 3284 wrote to memory of 2900	3284	powershell.exe	127
PID 2900 wrote to memory of 1568	2900	1043532612.exe	128
PID 2900 wrote to memory of 1568	2900	1043532612.exe	128
PID 2900 wrote to memory of 3660	2900	1043532612.exe	130
PID 2900 wrote to memory of 3660	2900	1043532612.exe	130
PID 3660 wrote to memory of 4868	3660	cmd.exe	132
PID 3660 wrote to memory of 4868	3660	cmd.exe	132
PID 4868 wrote to memory of 3336	4868	powershell.exe	133
PID 4868 wrote to memory of 3336	4868	powershell.exe	133

C:\Users\Admin\AppData\Local\Temp\ee09d66a9ffc05f8b64b63809e24e68c0143b27f27c38a67c1be020cffe5926eN.exe
"C:\Users\Admin\AppData\Local\Temp\ee09d66a9ffc05f8b64b63809e24e68c0143b27f27c38a67c1be020cffe5926eN.exe"
1⤵
- DcRat
- Luminosity
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c echo.
  2⤵
  PID:408
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c exec.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File ".\bits.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:116
  - - C:\Users\Admin\AppData\Local\Temp\176846831\176846831.exe
      "C:\Users\Admin\AppData\Local\Temp\176846831\176846831.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1980
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c echo.
        5⤵
        
        PID:4384
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c exec.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1208
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File ".\bits.ps1"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\136180073\136180073.exe
        
        "C:\Users\Admin\AppData\Local\Temp\136180073\136180073.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c echo.
        8⤵
        
        PID:4988
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c exec.bat
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File ".\bits.ps1"
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\916703795\916703795.exe
        
        "C:\Users\Admin\AppData\Local\Temp\916703795\916703795.exe"
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c echo.
        11⤵
        
        PID:1480
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c exec.bat
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File ".\bits.ps1"
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\96078202\96078202.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96078202\96078202.exe"
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c echo.
        14⤵
        
        PID:3104
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c exec.bat
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File ".\bits.ps1"
        15⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\335520359\335520359.exe
        
        "C:\Users\Admin\AppData\Local\Temp\335520359\335520359.exe"
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c echo.
        17⤵
        
        PID:3932
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c exec.bat
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File ".\bits.ps1"
        18⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\675569637\675569637.exe
        
        "C:\Users\Admin\AppData\Local\Temp\675569637\675569637.exe"
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c echo.
        20⤵
        
        PID:3836
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c exec.bat
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File ".\bits.ps1"
        21⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\1043532612\1043532612.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1043532612\1043532612.exe"
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c echo.
        23⤵
        
        PID:1568
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c exec.bat
        23⤵
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File ".\bits.ps1"
        24⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\1480261882\1480261882.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1480261882\1480261882.exe"
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3336
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c echo.
        26⤵
        
        PID:4500
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c exec.bat
        26⤵
        
        PID:4564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File ".\bits.ps1"
        27⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\1303158827\1303158827.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1303158827\1303158827.exe"
        28⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2836
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c echo.
        29⤵
        
        PID:3460
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c exec.bat
        29⤵
        
        PID:3728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File ".\bits.ps1"
        30⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\1576440844\1576440844.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1576440844\1576440844.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3944
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc onlogon /tn "Mechanic" /rl highest /tr "'C:\ProgramData\987311\repair.exe' /startup" /f
        32⤵
        DcRat
        Luminosity
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
7442897bb1def57caf15b4c2dfb35a96

SHA1
2b78aaebf595788524fb9f783b58c6680b2f494a

SHA256
b42aaf4b1cab17873aa67111ab79244480435b0ae5e41e14b92ccb20b6bce6a7

SHA512
e9a58a0d2ef142461ae390e93d019ef9007b9620a11195c75f1f32aa7ca30dcc9e76cbe5091479d51d8ac9062132330b4cec44e1995e8cb95a91bc8704807989

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
461a89efec0f2d763f29fe47942f602c

SHA1
f1abd26e138c0e06c06f671329e0260580d990e8

SHA256
36647894e472e9c0df66542cf7ef447c3927b8ab0851675d6b481fa650d77aea

SHA512
1872bc0545cab09d90b902a480c01321ca6d5c997d296e59eb51f7340a08be8fbe6479fd2cf8f845036eabf50066a5f5c40903498cb8e99cc9403ab903a0cc69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7cca0bd25123b93eafde935910554c82

SHA1
8f81eb5c26ec0982ada07c8af8faaed9002ba591

SHA256
2153843b3a8e946c03bd95e65486235d8b379d2c864215cba993ead82905d3ce

SHA512
7d80482a058185f06e45cf609e3cc0fb78338b0b0de6f99d7e08135f6d9a54528fa48eaa8dea9a61049cf58a1db652d87169f26657aa04000a7f2bd75ee30b7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
66582c044b394383d89460b8e5a6eec7

SHA1
9a3b799cf5d9b05af99c287c79e30ebefd1401ca

SHA256
874fbeb9254defdd1832e8b8f07e0abf2c6e2d9caef58e8c267c541811167166

SHA512
07b8bd69a73d5a3f6f380d12f8f3098e5d06dd570d50e98a29f1dc759386115fd251cc60f990e0f63beb6fa9debd21ceab76c4ac45f99bdda6c524cfd5d9e0a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bc01b6d970a6e3cafbb07e1079ae7ced

SHA1
4ce656693c5a56b04d7fcf5a7fd6303ded715b36

SHA256
811a05aa2509e3b5ad668509ef62655d63d3479ba64436861d59760f6b5b3dec

SHA512
ff50c6b794d405c0a98881e903bdf9fd2f7c770ec2fd01877d3dd4470c0c72ccfeec84831b27f1a474d3542c099ce5308fd7c391cc4b8bb0fd09724e2662d7f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e2832cc350ca0bb876dc0da8c1266bf4

SHA1
7f60139ae53567676015aca64e03b247f2d2b0eb

SHA256
2cbdbfe655d7dd86c907412a5a00c016af53bd9b15b642bb664cb36a21baeaaf

SHA512
8e912b9d49cd2d4f0477768ae3a4c6266fb9257754759c90dc2d092506d50e67e340a77a2e20a3e1e20b28c91d5be19a31382f1bb51093bb1fa08a5efb86ace9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a5a5123a1086a2526a2aa40eb9cbdb86

SHA1
286f26966fe09409148842203643a2647bb4d618

SHA256
0231cbdaa9cd48c49f129a538459bbbf0f150ac7173eb821db67a255e41d813c

SHA512
edc647ad30bd4507d946d1002911f193e10955a18055b471108b236ac4b740711eeb9923779fe5c6080ed309059c8c2a8d8a4e0757a5685d1b2d3d0c7c718a82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8e95ba0cfd105c673b9bbc05693e439b

SHA1
047ee9a5749a4d4937edb5fb3eb48d92f8bb4499

SHA256
537e098316025f6dbb58dc458f38ce14f6a40567f026301b73d92ce64164025b

SHA512
04ccdf3487e193f004740546e58fe817cf14e62c80db9aa6f4e9fc0654eb79b89fa9f9206442368f8ba675074f24fc38e4c7dd200825d661d8b6bc2ee60b57c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e3180169efae8e03053c7c09394a9b91

SHA1
6485393168db738da94c957240b7a7be24a9dc59

SHA256
b7da51ad09d5ecda76ccf3498dcce84a439db55b854a4df0ec99b2c67a385e54

SHA512
8ad3870a918940296565f9fdcb9f94f9b679da04b04ca6294ea6e1ad604b467e0c786778d483c4f132dfdc8d6143556918c6cf9423cc456cc2ed2045113d2941

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7b056dbfe387e1118e0d56f5e20019b4

SHA1
c558b809c979a69f99b849fa152ac9cd8aae1f03

SHA256
e7cdd5cb73d74279d96016edcde705dfaca9fc814bafd4c18277ca4cc586b715

SHA512
d799103c01c9fdd65436d9e4f2d14b3aa440876030646b1b88cac63a2e46d16c35b7737b9831f45db74fe7909d7607aa5d07299dea2009bc02e33c6c8acc977b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1043532612\1043532612.exe

Filesize
600KB

MD5
698730fe93809371860c484f707d86c8

SHA1
d425d334eb0a5171f772c70890428a973db5c11e

SHA256
e5e6ec66362f5d5add137c31e224df190579e2a4379fe880f2c472e35bbec79e

SHA512
cc7816579b2fe79d0b7f93dfccff3ad2f73fb0fa4da9e7fd6adc931c4b21a2b6378e8058a735ba1713b52931d93aa3f9e6b46261961c633dee59488c3dd4b209

Download Submit
C:\Users\Admin\AppData\Local\Temp\1303158827\1303158827.exe

Filesize
366KB

MD5
8fa7fc479f5df860cec5470cc3c47165

SHA1
0a48b1f3bfe7199eec0fb78cdcb240a088fec75f

SHA256
1dff518e1dd639efc074ba545a64e49b62c3dabf912cbebac9a97aed7fa81087

SHA512
9818504166d48814a8933e3d80e1eed26d8738998d66700e98ed05674f31816d91cfc1363412a384524b614c0779af28e6be29bbafc1c670bd37617c6361a21b

Download Submit
C:\Users\Admin\AppData\Local\Temp\136180073\136180073.exe

Filesize
1.3MB

MD5
b4de35d69428837d90e1d566d6883157

SHA1
29f4522d90a8f6af73fee3a01bafa6e11a912999

SHA256
697ce85f66dc9adb60b8d1b00be0beed569136963b4ff86e80c07e1044fa4107

SHA512
964d29cb48e6299ab0d3abdbbeea8042c638b8ea7634e6877a362869d77b1cc3cd37b134146fedb9ba90d22c9d6ca3d0b930fb67b94c2b72cc7327bd29227dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1480261882\1480261882.exe

Filesize
483KB

MD5
f16d5b51b8ab74c0fb62d1e4c88a0ca7

SHA1
fcc37fa7dd9959dfff3a68c409bd4df898ce0088

SHA256
96baa131cde4fc9ae5b1ffcd9092caf52f449aa8bbec12f76952a2c0f50191ab

SHA512
fc5368304aa5b472d15d853e4691976f09f6451dbb8ad4bd7a50b78ebe5b5cfb413522a80304040c0754a21bc01b95d32c5d27dd83a92f63774a3444e5278cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1576440844\1576440844.exe

Filesize
285KB

MD5
e41259a24cc220a20a850402c49494a2

SHA1
7779340407d897c8184c2392f543e47b58658b2e

SHA256
33faf249b1304719b262131751c1d42ddcbb8a52d4c246e9e4e4d68e9b9771d5

SHA512
0c5b1a10a0ba6830ac4ba46ee4c1acc004b4d2026cd6d15782c890f58fc1773daf08c9e07384874ccf8c37ce4f533e97f6f2539245ccbf697148c7513ae64d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\176846831\176846831.exe

Filesize
1.4MB

MD5
c2b75bbba0fcdd281d57bd47e49a76c8

SHA1
1c4ecc806092227c0b2454daf8f909b4aeae2773

SHA256
cb8dacba89cf907e14f16fa4c6ca480d13a769d3b190024cdc5bcbc7a830a2d6

SHA512
69b82c51531fb0807e29f798b65c2148bf4d40a8ce0fa2457185a0cdab95041a6787f0c060ffe19cbe80b616cb111ac68cab2cdd7a0b301096c955d9e3296ba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\335520359\335520359.exe

Filesize
1.1MB

MD5
2b6bdb3d39a0bd6387c8114394bb6ccc

SHA1
47e430f04adf4f565836378174d531902729bb52

SHA256
f4424f04769008980c08f9c67fee32a70199e01fa212a67d22e81a4698454b5b

SHA512
d0ffedec52334c2044c9babc1851a5328f8abd31ec2eb0bbf3f1c3af6b6938cff1f3008271b3ba60703bcd3fdb9c012bb33308f26cc06a03054dbeb7818d75fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\675569637\675569637.exe

Filesize
718KB

MD5
3a04fb041e946be440a73625834ea28f

SHA1
3355155e0ef2bcad468dee89851f6154ace7b516

SHA256
ee2e672cb3c532447c3d64a5101d7183bae7bb9585947e45adfb758e9a9daf7e

SHA512
d3d37b9a1bcf1a59b2f7005d37618210910b0a6c1ca5a88b4c53f2f25ed2f85fa70cea9051b1fa89e8ef99df7ae58259be524b00e69b06893d2f4ce582d12afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\916703795\916703795.exe

Filesize
1.3MB

MD5
347a20e9cad13d5c5cda256418da7b38

SHA1
c460c0a71177c5f9f6f739e34b6b4624249f5345

SHA256
7a4473f6eeb6b6197d0fc69b4f68b70ea7cd03f8bf5f8dc19402ce5cf2050894

SHA512
312a3f5306fa0e1e70a51b76695d2ecf71eeb0adf02bbcad1ceec3f71f300727d075ea2b4d6007da22f13e638dca74c67567cc90e8ce8c9e4312e8ccb861a1e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\96078202\96078202.exe

Filesize
1.0MB

MD5
c8b9549a89b49a0be2f69715b2c0b4ce

SHA1
1dd613e0ac66c9dfd9802ffeb9c4b71af90b979f

SHA256
6503bafa62d0cebe26b34ebf3612b3d1232a7ee48a370739c6b965ef0a04a430

SHA512
2c4bad648c580f13557506538edad0832a09371d88c0fb212756b3a2f3d42a44991fcca6add292b093ef29cca2a61f81a11f90e773f8c23ad2a566820cc142db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bits.ps1

Filesize
800KB

MD5
72d5205bdbb305b8cd79640dc01a8cb1

SHA1
0606b1aa88542775cb515eb896d34efc636af274

SHA256
4aa234c5bc4746b80c79c208f932667be507ee1ae748b7bad9ab920d443d12e5

SHA512
3aae229d04ce32ace6bf5d11a5005c21e41d0a1f584baaa4dd73ecc8f1c9693b798fa71b32dcfeef499d3cebd6a327cc5a139a3523ffe337984c95fc7550f406

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bits.ps1

Filesize
1.9MB

MD5
12124e6f39b3db1f52edaf27ef854d39

SHA1
7d51898a81b284067fd2111aaa22b0bc2c863147

SHA256
186f9a5f27e85eb146157832d5485791d4ee410a4a13f62780a7bdc7d5fecf4a

SHA512
4373210e95f5cadbdc2d777390a6eb9d4d38973d03a205f3133c9ae616af79f2a9da64a740afbc75fcaf36cd4af431e6efb5722eb176569b82b60c6616a0fad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bits.ps1

Filesize
1.7MB

MD5
21b101ae3d4678a4eca1c8971d8e4dee

SHA1
5db625d3314e0cd17c8cd8dcbd5592be5a0f88d2

SHA256
618241d8e05edc3f73fc68578e767a422a5d4b1d2f7640b1cf62773a51ea3aa1

SHA512
6e0b3c30df94b930c3fd7db791061f87e8bd7eb8015f6c30b5208a060f872a84a6138e8a0b817e6a3854a8ca3fa393fbd6dd77eb4747071e4b97330223bd3958

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bits.ps1

Filesize
488KB

MD5
9b224e0dfd853e358f7e9f580b8158fb

SHA1
d1f3a697e59bfcc49689a411c6d5a43ab4366e5e

SHA256
cc71dcb5f191b9e0e1433de2ab1187d9bcbc4e78f11b101328483085432bbbe8

SHA512
80efcdce4175aad2e4b90db4a5c9f3f4812940c71df94aaa8365858ae8d90fc2024bcaabd91ecd863440832bdd7110457b41934a153e88ef6c694523efa3e46b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bits.ps1

Filesize
1.5MB

MD5
69ed799971c0123b503f20050a885220

SHA1
7576f14eab871db4a1e66b62b8c11f7d4f31cba9

SHA256
ffdfd6686259c26b7c288383ed2cface0868ab6ef7eb4d4d690c5cf74e08deb8

SHA512
d8053b93a2c37159f37468187c67049133f289ca8822f23872074b20a18a23052419df7d3feea3b55b3cbee03a57c1a4ab3df5094a7805d081e8443d34a0d53d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\exec.bat

Filesize
95B

MD5
368e0f2c003376d3bdae1c71dd85ec70

SHA1
e5fa7b58cad7f5df6e3a7c2abeec16365ae17827

SHA256
84ab0b7013c706781f6839235d7d59cfad0874e4cc415aeaa4bf86a8dd99b0d9

SHA512
e3e2c9035fca632d04fd411c394301598e6b964d2ebd79db4fcf19816dd876ed23c51831382202d8f5335a0e4a8721d683c377bb1706e4faa4001387f843d553

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bits.ps1

Filesize
1.7MB

MD5
b12928ce5df8aba48844c76cc76ed155

SHA1
4856e2c41a125748f0880af970f4b109307b3639

SHA256
321149f52893224929db8f1111855fbac38f717b83490403721022f25c00e276

SHA512
e0787bd11ab4d98d730a0225f881ae0d06b3b2cb15b659e04138fa87a8b5bbd4db22bfa2d763f5fe5cdd34932b4e998e06458be848aaaff4976bd20edb49e05a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bits.ps1

Filesize
1.4MB

MD5
1b93a5673962dfc0eca248ed04854c81

SHA1
304fb38ba7e7c139f3e2c286877691cb5bbe2c9e

SHA256
536023e0acffac5ef9614636ac87e3fc6be8ceeae2a8687af9b716fce6f7d718

SHA512
1d032d4e3bb4134e8a46ac6bfefa45d63647f5a3476310fae9a16a65d70f71709690d0e63b9c8f5b5d1eb8513855f898549693e2c5ec488696a9a1643b9154ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bits.ps1

Filesize
380KB

MD5
2632d0766b6e40d3269abf9a8065e678

SHA1
41fb8a838918228f05c96a6a69b4818d690c6a35

SHA256
6da93350aa7110388ac8101a1ea19091ecf57e33011063a12e05508d99ac0993

SHA512
60c7c71915a80f3a5556aae654823861f48a7e6d3f2dde2247925365ea186876017ef6968683cc20f208227153dd86cae20794c4c5d891dc0f373c5a3317d1c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bits.ps1

Filesize
957KB

MD5
f75984c4accc4716ffc38f7337551c4f

SHA1
3523769b75c57a5c04ee47bff1318faa52cb833d

SHA256
5d02699b89ae5bb6b6a7c441de3c5c50a1c29a0ea6b1d17d67789946917e997d

SHA512
494446bad9e7237ab0a1863fb2cf209a6d4c4d59d7197b9ece0746890f258f9abf60b5666a35fe3a1ea77f4fcb5c692fff545afad0dba35134e7485dd7956a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bits.ps1

Filesize
644KB

MD5
0ceb3b45855a5d46fb31c06d3abc2728

SHA1
ef77144df6876b5b3f36d39994dc3b427967ebac

SHA256
ec9272ec5281bc8d55e2473649833a5def245c07dea323b69455c0b4a372a57f

SHA512
373849b02d1a89dbe8fdbdd9cc927354ed60e5ece4d75f37b52c564c9241b70d6237379d3da51295f35961d7ece795faabe2c6afe742090c9942503708d0dd05

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wlj5qyxy.r5u.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/116-17-0x000002889CDC0000-0x000002889CDE2000-memory.dmp

Filesize
136KB

Download
memory/116-18-0x00007FFCB1360000-0x00007FFCB1E21000-memory.dmp

Filesize
10.8MB

Download
memory/116-7-0x00007FFCB1363000-0x00007FFCB1365000-memory.dmp

Filesize
8KB

Download
memory/116-20-0x00007FFCB1360000-0x00007FFCB1E21000-memory.dmp

Filesize
10.8MB

Download
memory/116-35-0x00007FFCB1360000-0x00007FFCB1E21000-memory.dmp

Filesize
10.8MB

Download