darkvision | b8b7b90f809c36e29fe4d072c3ca58fff5333387c5e85baf91b082483518c102

Analysis

max time kernel
299s
max time network
301s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
25-10-2024 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8b7b90f809c36e29fe4d072c3ca58fff5333387c5e85baf91b082483518c102.exe
Size

604KB
MD5

96683133ad494eeb2dc33d1c68e02582
SHA1

e10ddd945f7fade315489cc40a5654ba5cb2c672
SHA256

b8b7b90f809c36e29fe4d072c3ca58fff5333387c5e85baf91b082483518c102
SHA512

391ac2ae9f0127931c496edf9b680347edd8dfd970986dbb8e505098e4423693537e0f724cccfed6c6789de170bb540b51d32676f7883a654313dd9009ba7a9b
SSDEEP

6144:yXFFYLsH/0r7Ys1MFNjNIeGVOn0i511Z1VxOBNq5+iZuo3LZoagvYXni4kEIlFJt:yLYgHsg5F0I11Z1pHbZv4u6lFuo

Score

10^/10

darkvision discovery persistence rat

Malware Config

Extracted

Family

darkvision

82.147.85.218

Signatures

DarkVision Rat
DarkVision Rat is a trojan written in C++.
rat darkvision

Blocklisted process makes network request 17 IoCs

flow	pid	Process
4	196	cmd.exe
7	1908	cmd.exe
10	4972	cmd.exe
13	2044	cmd.exe
19	3592	cmd.exe
22	876	cmd.exe
25	2408	cmd.exe
36	1444	cmd.exe
39	4352	cmd.exe
42	1116	cmd.exe
47	4456	cmd.exe
51	488	cmd.exe
54	3040	cmd.exe
57	1460	cmd.exe
60	1128	cmd.exe
63	4428	cmd.exe
66	4132	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
524	lcs

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartValue = "C:\\ProgramData\\psh\\lcs {DB324A97-B31B-4D9E-9903-E21DB623A349}"	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8b7b90f809c36e29fe4d072c3ca58fff5333387c5e85baf91b082483518c102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lcs

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 524	4144	b8b7b90f809c36e29fe4d072c3ca58fff5333387c5e85baf91b082483518c102.exe	74
PID 4144 wrote to memory of 524	4144	b8b7b90f809c36e29fe4d072c3ca58fff5333387c5e85baf91b082483518c102.exe	74
PID 4144 wrote to memory of 524	4144	b8b7b90f809c36e29fe4d072c3ca58fff5333387c5e85baf91b082483518c102.exe	74
PID 524 wrote to memory of 5028	524	lcs	75
PID 524 wrote to memory of 5028	524	lcs	75
PID 524 wrote to memory of 956	524	lcs	76
PID 524 wrote to memory of 956	524	lcs	76
PID 524 wrote to memory of 196	524	lcs	77
PID 524 wrote to memory of 196	524	lcs	77
PID 524 wrote to memory of 5072	524	lcs	79
PID 524 wrote to memory of 5072	524	lcs	79
PID 524 wrote to memory of 2464	524	lcs	80
PID 524 wrote to memory of 2464	524	lcs	80
PID 524 wrote to memory of 1908	524	lcs	81
PID 524 wrote to memory of 1908	524	lcs	81
PID 524 wrote to memory of 3780	524	lcs	83
PID 524 wrote to memory of 3780	524	lcs	83
PID 524 wrote to memory of 4944	524	lcs	84
PID 524 wrote to memory of 4944	524	lcs	84
PID 524 wrote to memory of 4972	524	lcs	85
PID 524 wrote to memory of 4972	524	lcs	85
PID 524 wrote to memory of 2676	524	lcs	87
PID 524 wrote to memory of 2676	524	lcs	87
PID 524 wrote to memory of 4984	524	lcs	88
PID 524 wrote to memory of 4984	524	lcs	88
PID 524 wrote to memory of 2044	524	lcs	89
PID 524 wrote to memory of 2044	524	lcs	89
PID 524 wrote to memory of 4704	524	lcs	91
PID 524 wrote to memory of 4704	524	lcs	91
PID 524 wrote to memory of 4848	524	lcs	92
PID 524 wrote to memory of 4848	524	lcs	92
PID 524 wrote to memory of 3592	524	lcs	93
PID 524 wrote to memory of 3592	524	lcs	93
PID 524 wrote to memory of 3928	524	lcs	95
PID 524 wrote to memory of 3928	524	lcs	95
PID 524 wrote to memory of 316	524	lcs	96
PID 524 wrote to memory of 316	524	lcs	96
PID 524 wrote to memory of 876	524	lcs	97
PID 524 wrote to memory of 876	524	lcs	97
PID 524 wrote to memory of 2840	524	lcs	99
PID 524 wrote to memory of 2840	524	lcs	99
PID 524 wrote to memory of 4008	524	lcs	100
PID 524 wrote to memory of 4008	524	lcs	100
PID 524 wrote to memory of 2408	524	lcs	101
PID 524 wrote to memory of 2408	524	lcs	101
PID 524 wrote to memory of 3008	524	lcs	103
PID 524 wrote to memory of 3008	524	lcs	103
PID 524 wrote to memory of 3464	524	lcs	104
PID 524 wrote to memory of 3464	524	lcs	104
PID 524 wrote to memory of 1444	524	lcs	105
PID 524 wrote to memory of 1444	524	lcs	105
PID 524 wrote to memory of 3672	524	lcs	107
PID 524 wrote to memory of 3672	524	lcs	107
PID 524 wrote to memory of 3812	524	lcs	108
PID 524 wrote to memory of 3812	524	lcs	108
PID 524 wrote to memory of 4352	524	lcs	109
PID 524 wrote to memory of 4352	524	lcs	109
PID 524 wrote to memory of 4240	524	lcs	111
PID 524 wrote to memory of 4240	524	lcs	111
PID 524 wrote to memory of 4816	524	lcs	112
PID 524 wrote to memory of 4816	524	lcs	112
PID 524 wrote to memory of 1116	524	lcs	113
PID 524 wrote to memory of 1116	524	lcs	113
PID 524 wrote to memory of 1424	524	lcs	115

C:\Users\Admin\AppData\Local\Temp\b8b7b90f809c36e29fe4d072c3ca58fff5333387c5e85baf91b082483518c102.exe
"C:\Users\Admin\AppData\Local\Temp\b8b7b90f809c36e29fe4d072c3ca58fff5333387c5e85baf91b082483518c102.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4144
- C:\ProgramData\psh\lcs
  "C:\ProgramData\psh\lcs" {62A73DC5-B44C-41A5-95C2-BF9107E36D73}
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:524
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Adds Run key to start application
    PID:5028
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    PID:956
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    PID:196
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Adds Run key to start application
    PID:5072
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    PID:2464
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    PID:1908
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Adds Run key to start application
    PID:3780
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    PID:4944
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    PID:4972
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Adds Run key to start application
    PID:2676
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    PID:4984
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    PID:2044
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Adds Run key to start application
    PID:4704
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    PID:4848
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    PID:3592
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Adds Run key to start application
    PID:3928
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    PID:316
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    PID:876
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Adds Run key to start application
    PID:2840
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    PID:4008
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    PID:2408
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Adds Run key to start application
    PID:3008
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    PID:3464
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    PID:1444
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Adds Run key to start application
    PID:3672
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    PID:3812
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    PID:4352
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Adds Run key to start application
    PID:4240
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    PID:4816
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    PID:1116
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Adds Run key to start application
    PID:1424
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    PID:4876
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    PID:4456
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Adds Run key to start application
    PID:3112
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    PID:5016
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    PID:488
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Adds Run key to start application
    PID:984
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    PID:2956
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    PID:3040
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Adds Run key to start application
    PID:3588
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    PID:2112
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    PID:1460
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Adds Run key to start application
    PID:4860
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    PID:4864
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    PID:1128
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Adds Run key to start application
    PID:1440
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    PID:4100
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    PID:4428
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Adds Run key to start application
    PID:4924
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    PID:1576
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    PID:4132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\psh\lcs

Filesize
604KB

MD5
96683133ad494eeb2dc33d1c68e02582

SHA1
e10ddd945f7fade315489cc40a5654ba5cb2c672

SHA256
b8b7b90f809c36e29fe4d072c3ca58fff5333387c5e85baf91b082483518c102

SHA512
391ac2ae9f0127931c496edf9b680347edd8dfd970986dbb8e505098e4423693537e0f724cccfed6c6789de170bb540b51d32676f7883a654313dd9009ba7a9b

Download Submit
memory/196-45-0x00000245E1E60000-0x00000245E1ED5000-memory.dmp

Filesize
468KB

Download
memory/196-36-0x00000245E1E60000-0x00000245E1ED5000-memory.dmp

Filesize
468KB

Download
memory/196-43-0x00000245E1E60000-0x00000245E1ED5000-memory.dmp

Filesize
468KB

Download
memory/524-32-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/524-12-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/524-11-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/956-34-0x000001E592270000-0x000001E5922E5000-memory.dmp

Filesize
468KB

Download
memory/956-31-0x000001E592270000-0x000001E5922E5000-memory.dmp

Filesize
468KB

Download
memory/956-24-0x000001E592270000-0x000001E5922E5000-memory.dmp

Filesize
468KB

Download
memory/1908-68-0x000002543B920000-0x000002543B995000-memory.dmp

Filesize
468KB

Download
memory/1908-75-0x000002543B920000-0x000002543B995000-memory.dmp

Filesize
468KB

Download
memory/1908-76-0x000002543B920000-0x000002543B995000-memory.dmp

Filesize
468KB

Download
memory/2464-57-0x000002B96BD60000-0x000002B96BDD5000-memory.dmp

Filesize
468KB

Download
memory/2464-64-0x000002B96BD60000-0x000002B96BDD5000-memory.dmp

Filesize
468KB

Download
memory/2464-66-0x000002B96BD60000-0x000002B96BDD5000-memory.dmp

Filesize
468KB

Download
memory/4144-9-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/4144-1-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/4144-10-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4144-3-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4144-2-0x0000000000720000-0x00000000007AE000-memory.dmp

Filesize
568KB

Download
memory/5028-22-0x0000000002DA0000-0x0000000002E15000-memory.dmp

Filesize
468KB

Download
memory/5028-21-0x0000000002DA0000-0x0000000002E15000-memory.dmp

Filesize
468KB

Download
memory/5028-14-0x0000000002DA0000-0x0000000002E15000-memory.dmp

Filesize
468KB

Download
memory/5028-13-0x0000000000F40000-0x0000000000F42000-memory.dmp

Filesize
8KB

Download
memory/5072-47-0x0000000002B70000-0x0000000002BE5000-memory.dmp

Filesize
468KB

Download
memory/5072-54-0x0000000002B70000-0x0000000002BE5000-memory.dmp

Filesize
468KB

Download
memory/5072-55-0x0000000002B70000-0x0000000002BE5000-memory.dmp

Filesize
468KB

Download

pid	Process
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs

pid	Process
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

pid	Process
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs
524	lcs