darkvision | b8b7b90f809c36e29fe4d072c3ca58fff5333387c5e85baf91b082483518c102

Analysis

max time kernel
300s
max time network
300s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-10-2024 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8b7b90f809c36e29fe4d072c3ca58fff5333387c5e85baf91b082483518c102.exe
Size

604KB
MD5

96683133ad494eeb2dc33d1c68e02582
SHA1

e10ddd945f7fade315489cc40a5654ba5cb2c672
SHA256

b8b7b90f809c36e29fe4d072c3ca58fff5333387c5e85baf91b082483518c102
SHA512

391ac2ae9f0127931c496edf9b680347edd8dfd970986dbb8e505098e4423693537e0f724cccfed6c6789de170bb540b51d32676f7883a654313dd9009ba7a9b
SSDEEP

6144:yXFFYLsH/0r7Ys1MFNjNIeGVOn0i511Z1VxOBNq5+iZuo3LZoagvYXni4kEIlFJt:yLYgHsg5F0I11Z1pHbZv4u6lFuo

Score

10^/10

darkvision discovery persistence rat

Malware Config

Extracted

Family

darkvision

82.147.85.218

Signatures

DarkVision Rat
DarkVision Rat is a trojan written in C++.
rat darkvision

Blocklisted process makes network request 16 IoCs

flow	pid	Process
4	1372	cmd.exe
7	2356	cmd.exe
10	2080	cmd.exe
13	912	cmd.exe
16	1564	cmd.exe
19	2652	cmd.exe
22	2792	cmd.exe
25	760	cmd.exe
28	3048	cmd.exe
31	3008	cmd.exe
34	2756	cmd.exe
37	1852	cmd.exe
40	1608	cmd.exe
43	1668	cmd.exe
46	1428	cmd.exe
49	2980	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1868	lcs

Loads dropped DLL 1 IoCs

pid	Process
2128	b8b7b90f809c36e29fe4d072c3ca58fff5333387c5e85baf91b082483518c102.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8b7b90f809c36e29fe4d072c3ca58fff5333387c5e85baf91b082483518c102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lcs

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs
1868	lcs

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 1868	2128	b8b7b90f809c36e29fe4d072c3ca58fff5333387c5e85baf91b082483518c102.exe	31
PID 2128 wrote to memory of 1868	2128	b8b7b90f809c36e29fe4d072c3ca58fff5333387c5e85baf91b082483518c102.exe	31
PID 2128 wrote to memory of 1868	2128	b8b7b90f809c36e29fe4d072c3ca58fff5333387c5e85baf91b082483518c102.exe	31
PID 2128 wrote to memory of 1868	2128	b8b7b90f809c36e29fe4d072c3ca58fff5333387c5e85baf91b082483518c102.exe	31
PID 1868 wrote to memory of 1904	1868	lcs	32
PID 1868 wrote to memory of 1904	1868	lcs	32
PID 1868 wrote to memory of 1904	1868	lcs	32
PID 1868 wrote to memory of 1904	1868	lcs	32
PID 1868 wrote to memory of 2760	1868	lcs	33
PID 1868 wrote to memory of 2760	1868	lcs	33
PID 1868 wrote to memory of 2760	1868	lcs	33
PID 1868 wrote to memory of 2760	1868	lcs	33
PID 1868 wrote to memory of 1372	1868	lcs	34
PID 1868 wrote to memory of 1372	1868	lcs	34
PID 1868 wrote to memory of 1372	1868	lcs	34
PID 1868 wrote to memory of 1372	1868	lcs	34
PID 1868 wrote to memory of 2568	1868	lcs	36
PID 1868 wrote to memory of 2568	1868	lcs	36
PID 1868 wrote to memory of 2568	1868	lcs	36
PID 1868 wrote to memory of 2568	1868	lcs	36
PID 1868 wrote to memory of 640	1868	lcs	37
PID 1868 wrote to memory of 640	1868	lcs	37
PID 1868 wrote to memory of 640	1868	lcs	37
PID 1868 wrote to memory of 640	1868	lcs	37
PID 1868 wrote to memory of 2356	1868	lcs	38
PID 1868 wrote to memory of 2356	1868	lcs	38
PID 1868 wrote to memory of 2356	1868	lcs	38
PID 1868 wrote to memory of 2356	1868	lcs	38
PID 1868 wrote to memory of 2288	1868	lcs	40
PID 1868 wrote to memory of 2288	1868	lcs	40
PID 1868 wrote to memory of 2288	1868	lcs	40
PID 1868 wrote to memory of 2288	1868	lcs	40
PID 1868 wrote to memory of 2940	1868	lcs	41
PID 1868 wrote to memory of 2940	1868	lcs	41
PID 1868 wrote to memory of 2940	1868	lcs	41
PID 1868 wrote to memory of 2940	1868	lcs	41
PID 1868 wrote to memory of 2080	1868	lcs	42
PID 1868 wrote to memory of 2080	1868	lcs	42
PID 1868 wrote to memory of 2080	1868	lcs	42
PID 1868 wrote to memory of 2080	1868	lcs	42
PID 1868 wrote to memory of 1252	1868	lcs	44
PID 1868 wrote to memory of 1252	1868	lcs	44
PID 1868 wrote to memory of 1252	1868	lcs	44
PID 1868 wrote to memory of 1252	1868	lcs	44
PID 1868 wrote to memory of 1624	1868	lcs	45
PID 1868 wrote to memory of 1624	1868	lcs	45
PID 1868 wrote to memory of 1624	1868	lcs	45
PID 1868 wrote to memory of 1624	1868	lcs	45
PID 1868 wrote to memory of 912	1868	lcs	46
PID 1868 wrote to memory of 912	1868	lcs	46
PID 1868 wrote to memory of 912	1868	lcs	46
PID 1868 wrote to memory of 912	1868	lcs	46
PID 1868 wrote to memory of 2436	1868	lcs	48
PID 1868 wrote to memory of 2436	1868	lcs	48
PID 1868 wrote to memory of 2436	1868	lcs	48
PID 1868 wrote to memory of 2436	1868	lcs	48
PID 1868 wrote to memory of 532	1868	lcs	49
PID 1868 wrote to memory of 532	1868	lcs	49
PID 1868 wrote to memory of 532	1868	lcs	49
PID 1868 wrote to memory of 532	1868	lcs	49
PID 1868 wrote to memory of 1564	1868	lcs	50
PID 1868 wrote to memory of 1564	1868	lcs	50
PID 1868 wrote to memory of 1564	1868	lcs	50
PID 1868 wrote to memory of 1564	1868	lcs	50

C:\Users\Admin\AppData\Local\Temp\b8b7b90f809c36e29fe4d072c3ca58fff5333387c5e85baf91b082483518c102.exe
"C:\Users\Admin\AppData\Local\Temp\b8b7b90f809c36e29fe4d072c3ca58fff5333387c5e85baf91b082483518c102.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2128
- C:\ProgramData\psh\lcs
  "C:\ProgramData\psh\lcs" {62A73DC5-B44C-41A5-95C2-BF9107E36D73}
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Adds Run key to start application
    PID:1904
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    PID:2760
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    PID:1372
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Adds Run key to start application
    PID:2568
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    PID:640
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    PID:2356
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Adds Run key to start application
    PID:2288
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    PID:2940
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    PID:2080
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Adds Run key to start application
    PID:1252
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    PID:1624
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    PID:912
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Adds Run key to start application
    PID:2436
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    PID:532
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    PID:1564
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Adds Run key to start application
    PID:1964
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    PID:2268
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    PID:2652
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Adds Run key to start application
    PID:2616
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    PID:2860
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    PID:2792
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Adds Run key to start application
    PID:628
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    PID:2148
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    PID:760
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Adds Run key to start application
    PID:1656
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    PID:1312
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    PID:3048
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:1888
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    PID:1680
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    PID:3008
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Adds Run key to start application
    PID:3052
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    PID:1848
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    PID:2756
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:2716
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    PID:788
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    PID:1852
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Adds Run key to start application
    PID:2808
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    PID:2964
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    PID:1608
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Adds Run key to start application
    PID:952
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    PID:2520
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    PID:1668
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Adds Run key to start application
    PID:588
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    PID:2752
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    PID:1428
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Adds Run key to start application
    PID:1020
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    PID:3016
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    PID:2980
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Adds Run key to start application
    PID:2352
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\psh\lcs

Filesize
604KB

MD5
96683133ad494eeb2dc33d1c68e02582

SHA1
e10ddd945f7fade315489cc40a5654ba5cb2c672

SHA256
b8b7b90f809c36e29fe4d072c3ca58fff5333387c5e85baf91b082483518c102

SHA512
391ac2ae9f0127931c496edf9b680347edd8dfd970986dbb8e505098e4423693537e0f724cccfed6c6789de170bb540b51d32676f7883a654313dd9009ba7a9b

Download Submit
memory/640-58-0x00000000003C0000-0x0000000000435000-memory.dmp

Filesize
468KB

Download
memory/640-65-0x00000000003C0000-0x0000000000435000-memory.dmp

Filesize
468KB

Download
memory/640-67-0x00000000003C0000-0x0000000000435000-memory.dmp

Filesize
468KB

Download
memory/1372-45-0x0000000000530000-0x00000000005A5000-memory.dmp

Filesize
468KB

Download
memory/1372-44-0x0000000000530000-0x00000000005A5000-memory.dmp

Filesize
468KB

Download
memory/1372-38-0x0000000000530000-0x00000000005A5000-memory.dmp

Filesize
468KB

Download
memory/1868-12-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/1868-33-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/1904-23-0x00000000002A0000-0x0000000000315000-memory.dmp

Filesize
468KB

Download
memory/1904-22-0x00000000002A0000-0x0000000000315000-memory.dmp

Filesize
468KB

Download
memory/1904-15-0x00000000002A0000-0x0000000000315000-memory.dmp

Filesize
468KB

Download
memory/1904-14-0x0000000000070000-0x0000000000072000-memory.dmp

Filesize
8KB

Download
memory/2128-10-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2128-9-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2128-2-0x0000000000310000-0x000000000039E000-memory.dmp

Filesize
568KB

Download
memory/2128-1-0x0000000000580000-0x0000000000680000-memory.dmp

Filesize
1024KB

Download
memory/2128-3-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2356-77-0x00000000002A0000-0x0000000000315000-memory.dmp

Filesize
468KB

Download
memory/2356-76-0x00000000002A0000-0x0000000000315000-memory.dmp

Filesize
468KB

Download
memory/2568-48-0x0000000000330000-0x00000000003A5000-memory.dmp

Filesize
468KB

Download
memory/2568-56-0x0000000000330000-0x00000000003A5000-memory.dmp

Filesize
468KB

Download
memory/2568-55-0x0000000000330000-0x00000000003A5000-memory.dmp

Filesize
468KB

Download
memory/2760-35-0x00000000003E0000-0x0000000000455000-memory.dmp

Filesize
468KB

Download
memory/2760-32-0x00000000003E0000-0x0000000000455000-memory.dmp

Filesize
468KB

Download
memory/2760-25-0x00000000003E0000-0x0000000000455000-memory.dmp

Filesize
468KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads