Analysis Overview
SHA256
59a1ffbe89d8bc07dd149159ed01c65254f8940f9fa39bf30cb8b76b6b2e72eb
Threat Level: Known bad
The file 59a1ffbe89d8bc07dd149159ed01c65254f8940f9fa39bf30cb8b76b6b2e72ebN was found to be: Known bad.
Malicious Activity Summary
DcRat
Dcrat family
Luminosity family
Luminosity
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-06 21:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-06 21:57
Reported
2024-11-06 21:59
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
118s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\59a1ffbe89d8bc07dd149159ed01c65254f8940f9fa39bf30cb8b76b6b2e72ebN.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Dcrat family
Luminosity
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\59a1ffbe89d8bc07dd149159ed01c65254f8940f9fa39bf30cb8b76b6b2e72ebN.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Luminosity family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\59a1ffbe89d8bc07dd149159ed01c65254f8940f9fa39bf30cb8b76b6b2e72ebN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Client Monitor = "\"C:\\Program Files (x86)\\Client\\client.exe\" -a /a" | C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\59a1ffbe89d8bc07dd149159ed01c65254f8940f9fa39bf30cb8b76b6b2e72ebN.exe
"C:\Users\Admin\AppData\Local\Temp\59a1ffbe89d8bc07dd149159ed01c65254f8940f9fa39bf30cb8b76b6b2e72ebN.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c echo.
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c exec.bat
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File ".\bits.ps1"
C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe
"C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc onlogon /tn "Client Monitor" /rl highest /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f
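Two of the persistence artefacts in this report are the RAT's own, and one is not. The `RunOnce\wextract_cleanup0` value listed under DcRat, Luminosity and "Adds Run key" is the standard entry that the Windows IExpress/wextract self-extractor writes so that `advpack.dll,DelNodeRunDLL32` deletes its `IXP000.TMP` extraction folder at next logon; together with `exec.bat` and `bits.ps1` living in that folder it tells you the sample is an IExpress package, not how the payload survives a reboot. The payload's persistence is the user-hive `RunOnce\Client Monitor` value and the `schtasks /create /sc onlogon ... /rl highest` task, both launching `C:\Program Files (x86)\Client\client.exe`. The script below, an added example that is neither the sandbox's nor the malware's code, normalises the registry rows from the "Adds Run key" table and the `schtasks` command line from the process list into one entry format (my own), marks the wextract entry as packaging residue, and reports which executables the remaining entries launch. The report prints the registry data with escaped backslashes; the raw values are used here.

```python
"""Normalise the persistence artefacts listed in this sandbox report.

Added example for this page; not the sandbox's code nor the malware's.
The registry rows and the schtasks command line are copied from the report
(raw values, without the report's backslash escaping). The entry
dictionaries returned below are my own format.
"""
import re

# Constructed from the "Adds Run key to start application" table: (key path, data)
RUN_KEY_ROWS = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'),
    (r"\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Client Monitor",
     r'"C:\Program Files (x86)\Client\client.exe" -a /a'),
]

# Copied from the Processes list of the report
SCHTASKS_CMDLINE = (
    "schtasks /create /sc onlogon /tn \"Client Monitor\" /rl highest "
    "/tr \"'C:\\Program Files (x86)\\Client\\client.exe' /startup\" /f"
)


def split_command(cmd):
    """Split a command string into (executable, arguments), honouring a
    leading double- or single-quoted path."""
    cmd = cmd.strip()
    if not cmd:
        return "", ""
    if cmd[0] in ('"', "'"):
        end = cmd.index(cmd[0], 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_run_key(path, data):
    """Turn a Run/RunOnce registry row into a persistence entry."""
    parts = path.split("\\")  # ['', 'REGISTRY', 'MACHINE' | 'USER', ...]
    hive = "HKLM" if parts[2] == "MACHINE" else "HKU\\" + parts[3]
    exe, args = split_command(data)
    # IExpress/wextract self-extractors register exactly this RunOnce value
    # to delete their IXP%03d.TMP folder: packaging residue, not persistence.
    cleanup = (parts[-1].lower().startswith("wextract_cleanup")
               and exe.lower().endswith("rundll32.exe")
               and "delnoderundll32" in args.lower())
    return {"mechanism": parts[-2], "hive": hive, "name": parts[-1],
            "exe": exe, "args": args, "iexpress_cleanup": cleanup}


_SCHTASKS_OPT = re.compile(r'/(sc|tn|rl|tr)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def parse_schtasks_create(cmdline):
    """Extract schedule, task name, run level and action from a
    `schtasks /create` command line; None for other schtasks verbs."""
    if "/create" not in cmdline.lower():
        return None
    opts = {m.group(1).lower(): (m.group(2) if m.group(2) is not None else m.group(3))
            for m in _SCHTASKS_OPT.finditer(cmdline)}
    exe, args = split_command(opts.get("tr", ""))
    return {"mechanism": "ScheduledTask", "hive": None, "name": opts.get("tn"),
            "schedule": opts.get("sc"), "run_level": opts.get("rl"),
            "exe": exe, "args": args, "iexpress_cleanup": False}


def persistence_entries(run_rows=RUN_KEY_ROWS, cmdlines=(SCHTASKS_CMDLINE,)):
    """All persistence entries from the report, packaging residue included."""
    entries = [parse_run_key(p, d) for p, d in run_rows]
    entries += [t for t in (parse_schtasks_create(c) for c in cmdlines) if t]
    return entries


def payload_targets(entries):
    """Distinct executables launched by the entries that are not residue."""
    return {e["exe"] for e in entries if not e["iexpress_cleanup"]}


if __name__ == "__main__":
    found = persistence_entries()
    for e in found:
        tag = "packaging residue" if e["iexpress_cleanup"] else "persistence"
        print(f"{e['mechanism']:<14} {e['name']!r:<20} -> {e['exe']} {e['args']}  [{tag}]")
    print("payload executable(s):", payload_targets(found))
```

Both surviving entries point at the same `client.exe` under `Program Files (x86)\Client`, which is the path to hunt for on other hosts; the `/rl highest` task runs it with the user's highest available token at every logon, so on an admin account the RAT comes back elevated without a UAC prompt.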
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | heroscrypt.no-ip.biz | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | heroscrypt.no-ip.biz | udp |
| US | 8.8.8.8:53 | heroscrypt.no-ip.biz | udp |
| US | 8.8.8.8:53 | heroscrypt.no-ip.biz | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | heroscrypt.no-ip.biz | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | heroscrypt.no-ip.biz | udp |
| US | 8.8.8.8:53 | heroscrypt.no-ip.biz | udp |
| US | 8.8.8.8:53 | heroscrypt.no-ip.biz | udp |
| US | 8.8.8.8:53 | heroscrypt.no-ip.biz | udp |
| US | 8.8.8.8:53 | heroscrypt.no-ip.biz | udp |
| US | 8.8.8.8:53 | heroscrypt.no-ip.biz | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | heroscrypt.no-ip.biz | udp |
| US | 8.8.8.8:53 | heroscrypt.no-ip.biz | udp |
| US | 8.8.8.8:53 | heroscrypt.no-ip.biz | udp |
| US | 8.8.8.8:53 | heroscrypt.no-ip.biz | udp |
| US | 8.8.8.8:53 | heroscrypt.no-ip.biz | udp |
| US | 8.8.8.8:53 | heroscrypt.no-ip.biz | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | heroscrypt.no-ip.biz | udp |
| US | 8.8.8.8:53 | heroscrypt.no-ip.biz | udp |
| US | 8.8.8.8:53 | heroscrypt.no-ip.biz | udp |
| US | 8.8.8.8:53 | heroscrypt.no-ip.biz | udp |
| US | 8.8.8.8:53 | heroscrypt.no-ip.biz | udp |
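The Network table is DNS only: every row is a UDP query to 8.8.8.8:53, and no TCP connection to a resolved address is listed, so whether `heroscrypt.no-ip.biz` resolved during the 118-second network window cannot be read from this page. What the table does show is one forward lookup of a dynamic-DNS name repeated many times in two minutes, the pattern of a client retrying its C2 resolution, mixed with `in-addr.arpa` reverse lookups that the rows do not attribute to any process. The script below is an added example, not the sandbox's tooling: it takes a constructed subset of the rows (the first twelve of the table), converts reverse-lookup names back to the IPs they ask about, counts queries per forward name, and flags names under dynamic-DNS zones. The `DYNDNS_SUFFIXES` list is my own assumption about which zones to flag; the report says nothing about it.

```python
"""Summarise the DNS activity in this report's Network table.

Added example for this page, not the sandbox's own code. DNS_ROWS is a
constructed subset (first twelve rows) of the table above; DYNDNS_SUFFIXES
is my own assumption about dynamic-DNS zones, not something the report says.
"""
import ipaddress
from collections import Counter

# (country, destination, domain, proto) rows copied from the Network table
DNS_ROWS = [
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "58.55.71.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "77.190.18.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "72.32.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "heroscrypt.no-ip.biz", "udp"),
    ("US", "8.8.8.8:53", "133.211.185.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "heroscrypt.no-ip.biz", "udp"),
    ("US", "8.8.8.8:53", "heroscrypt.no-ip.biz", "udp"),
    ("US", "8.8.8.8:53", "heroscrypt.no-ip.biz", "udp"),
    ("US", "8.8.8.8:53", "50.23.12.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "heroscrypt.no-ip.biz", "udp"),
]

# Assumption: dynamic-DNS zones worth flagging when hunting for C2 names.
DYNDNS_SUFFIXES = ("no-ip.biz", "no-ip.org", "no-ip.com", "ddns.net",
                   "duckdns.org", "dyndns.org")


def ptr_to_ip(name):
    """Map a reverse-lookup name d.c.b.a.in-addr.arpa back to a.b.c.d.
    Returns None for forward names and for malformed PTR names."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    labels = name[:-len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ipaddress.AddressValueError:
        return None


def is_dyndns(name):
    """True when the name is in, or below, one of the listed zones."""
    n = name.lower().rstrip(".")
    return any(n == s or n.endswith("." + s) for s in DYNDNS_SUFFIXES)


def summarise(rows):
    """Split forward from reverse lookups, count queries per forward name,
    list the IPs the reverse lookups ask about, and flag dynamic-DNS names."""
    counts = Counter(domain for _, _, domain, _ in rows)
    forward = {d: n for d, n in counts.items() if ptr_to_ip(d) is None}
    reverse_ips = sorted({ptr_to_ip(d) for d in counts if ptr_to_ip(d)},
                         key=ipaddress.IPv4Address)
    return {
        "resolvers": sorted({dst for _, dst, _, _ in rows}),
        "forward": forward,
        "reverse_ips": reverse_ips,
        "dyndns": {d: n for d, n in forward.items() if is_dyndns(d)},
    }


if __name__ == "__main__":
    s = summarise(DNS_ROWS)
    print("resolvers:", s["resolvers"])
    print("forward lookups (count):", s["forward"])
    print("reverse lookups for:", s["reverse_ips"])
    print("dynamic-DNS names (count):", s["dyndns"])
```

Run against the full table the forward count for `heroscrypt.no-ip.biz` is 22 in under two minutes; a name queried that often with no connection following it is worth a resolver-log search on its own, independent of the family tags at the top of the report.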
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\exec.bat
| MD5 | 368e0f2c003376d3bdae1c71dd85ec70 |
| SHA1 | e5fa7b58cad7f5df6e3a7c2abeec16365ae17827 |
| SHA256 | 84ab0b7013c706781f6839235d7d59cfad0874e4cc415aeaa4bf86a8dd99b0d9 |
| SHA512 | e3e2c9035fca632d04fd411c394301598e6b964d2ebd79db4fcf19816dd876ed23c51831382202d8f5335a0e4a8721d683c377bb1706e4faa4001387f843d553 |
memory/3860-7-0x00007FFBFD203000-0x00007FFBFD205000-memory.dmp
memory/3860-8-0x000002089D530000-0x000002089D552000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uaqc5ffx.d04.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3860-18-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp
memory/3860-19-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bits.ps1
| MD5 | c22f01d9e3f9f075b6efda752f805b3b |
| SHA1 | fd89725060a0ffc6b5af2123ecaa49c31636e6d1 |
| SHA256 | f08acf718371e1412b70ec7480a4444d09152e979edb1c79510df49694015be9 |
| SHA512 | 07b9709f5b5099050aaa0019d340abd112c0cc6ff8207468925e06e024ceaa783ef1f631e9ea661a39e62392e3840e7dcc317361886a53ad1b7d65cea4e646ca |
C:\Users\Admin\AppData\Local\Temp\68282014\68282014.exe
| MD5 | 981a6297ee4c59b81dcf9b482c7cc475 |
| SHA1 | 9c822ad8e6b94702d1a7df13346dafab7d2a331f |
| SHA256 | 51551aa5a6310cf993733df09696c8d05e532d5d9e79a243d469ef855a4eeae4 |
| SHA512 | 8d3615d544f4342d21d51b089107a7c7480da88cefe1019ae152c18807b54d6af7161772886df31309361f47b63596586ae9976dbe7420fc6c1eedc90fffbd4a |
memory/3532-29-0x0000000074A32000-0x0000000074A33000-memory.dmp
memory/3532-30-0x0000000074A30000-0x0000000074FE1000-memory.dmp
memory/3860-31-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp
memory/3532-32-0x0000000074A30000-0x0000000074FE1000-memory.dmp
memory/3532-35-0x0000000074A32000-0x0000000074A33000-memory.dmp
memory/3532-36-0x0000000074A30000-0x0000000074FE1000-memory.dmp