dcrat | 0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137

General

Target

0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
Size

682KB
MD5

1168a01289281e9d8b30172e06548dc0
SHA1

22a7fa48bffde7640a4476f8c2531e7695ad609b
SHA256

0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137
SHA512

49110a24c2071b5e71a3d362740d27115ae5d6803fdbf64eadb49612cbba5d0daed57442e943c26b8e3bbaac6f061008a2363974484af30de84a183ab966a19a
SSDEEP

12288:hqnO3mwJNoGFAgHCRvp1i/fjqJRYFInDrX/xTU3JgXDV6blx1wgtra7B:h+O3mwJnCRvEMxnDVSwgY

Score

10^/10

dcrat evasion infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 10 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2004	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	2004	schtasks.exe	30

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1688-1-0x0000000000FE0000-0x0000000001092000-memory.dmp	dcrat
behavioral1/files/0x00050000000195a7-17.dat	dcrat
behavioral1/files/0x000700000001998d-42.dat	dcrat
behavioral1/files/0x0008000000016d0c-64.dat	dcrat
behavioral1/files/0x000b000000016d3f-75.dat	dcrat
behavioral1/files/0x00060000000195a7-97.dat	dcrat
behavioral1/files/0x00090000000195ab-118.dat	dcrat
behavioral1/files/0x000c0000000195ab-142.dat	dcrat
behavioral1/memory/1572-155-0x00000000013D0000-0x0000000001482000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
1572	services.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\apds\\winlogon.exe\""	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Documents and Settings\\dwm.exe\""	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Admin\\0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe\""	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\cmutil\\services.exe\""	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\PerfLogs\\Admin\\explorer.exe\""	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\b57cea75-775c-491d-a857-e9d93995dfc5\\0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe\""	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N = "\"C:\\MSOCache\\All Users\\0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe\""	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\PerfLogs\\Admin\\services.exe\""	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\C_20108\\services.exe\""	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\diskmgmt\\services.exe\""	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\C_20108\RCXA862.tmp	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
File opened for modification	C:\Windows\System32\diskmgmt\services.exe	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
File opened for modification	C:\Windows\System32\apds\RCXB288.tmp	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
File opened for modification	C:\Windows\System32\cmutil\RCXBD0C.tmp	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
File created	C:\Windows\System32\C_20108\services.exe	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
File created	C:\Windows\System32\diskmgmt\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
File created	C:\Windows\System32\apds\cc11b995f2a76da408ea6a601e682e64743153ad	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
File opened for modification	C:\Windows\System32\cmutil\RCXBCFB.tmp	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
File opened for modification	C:\Windows\System32\C_20108\services.exe	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
File created	C:\Windows\System32\diskmgmt\services.exe	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
File opened for modification	C:\Windows\System32\C_20108\RCXA8D0.tmp	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
File opened for modification	C:\Windows\System32\diskmgmt\RCXADF2.tmp	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
File opened for modification	C:\Windows\System32\cmutil\services.exe	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
File created	C:\Windows\System32\C_20108\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
File created	C:\Windows\System32\cmutil\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
File opened for modification	C:\Windows\System32\diskmgmt\RCXAD84.tmp	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
File opened for modification	C:\Windows\System32\apds\RCXB287.tmp	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
File opened for modification	C:\Windows\System32\apds\winlogon.exe	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
File created	C:\Windows\System32\apds\winlogon.exe	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
File created	C:\Windows\System32\cmutil\services.exe	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2848	schtasks.exe
3004	schtasks.exe
1132	schtasks.exe
916	schtasks.exe
2928	schtasks.exe
2484	schtasks.exe
3068	schtasks.exe
2940	schtasks.exe
2480	schtasks.exe
2812	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1688	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
1572	services.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1688	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
Token: SeDebugPrivilege	1572	services.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2468	1688	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe	41
PID 1688 wrote to memory of 2468	1688	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe	41
PID 1688 wrote to memory of 2468	1688	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe	41
PID 2468 wrote to memory of 612	2468	cmd.exe	43
PID 2468 wrote to memory of 612	2468	cmd.exe	43
PID 2468 wrote to memory of 612	2468	cmd.exe	43
PID 2468 wrote to memory of 1572	2468	cmd.exe	44
PID 2468 wrote to memory of 1572	2468	cmd.exe	44
PID 2468 wrote to memory of 1572	2468	cmd.exe	44

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe
"C:\Users\Admin\AppData\Local\Temp\0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe"
1⤵
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1688
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cLENWROvOz.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:612
- - C:\Windows\System32\C_20108\services.exe
    "C:\Windows\System32\C_20108\services.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\C_20108\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\PerfLogs\Admin\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\diskmgmt\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\b57cea75-775c-491d-a857-e9d93995dfc5\0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\apds\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Documents and Settings\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\Admin\0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N" /sc ONLOGON /tr "'C:\MSOCache\All Users\0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\cmutil\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\PerfLogs\Admin\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe

Filesize
682KB

MD5
bedbf4c766f8bca13e03747a85f34fd0

SHA1
620395e7d1d74ed2ca5040337ff478f6aecf7651

SHA256
742636c2fea7624ddf419452265e2775624992553ff54d11d9bf9ebe92087683

SHA512
03a1284ad92b0cc55b2d3cc31e9dae4c0568262e0d47fad3f1ca175dc377747c48cbd30e56c348b42c71b6bf7ccfc8983afe2108a8bd93031a7883c52b94a52f

Download Submit
C:\PerfLogs\Admin\services.exe

Filesize
682KB

MD5
566d6565a1ec10ed81854128b0e46ce4

SHA1
6cc877cc61c87ffc49767c839d6c0949a954d631

SHA256
f1e4064a148e807288234d669b2d6c540e7d332c4200af5e027a89e06b9419fe

SHA512
eabbe6138076c105f6f7ddce5cb9d35f764bf4d3f88e505ce2a6aefd3bb132f98b62f46d4da7acdceb12e353f7de3455702a19eaaa983d8a6ba78b04b793cb82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b57cea75-775c-491d-a857-e9d93995dfc5\0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137N.exe

Filesize
682KB

MD5
2ec73449384f68ef49b5be33ec00d0dd

SHA1
1710e408b794c0982cc1a24270d8b75ce05874ff

SHA256
b7d62e34bd713040b3f1cfa4d47b748d54d53dab30a7a52dc8f73477063e7904

SHA512
08b5c8685c7a2aae767db26652d93beef56cafd714dd999569c11b6954dc02c96f97ea10fe88b3bb2ae789269875a30b5733bb32cfbf5622c61673c1716074c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cLENWROvOz.bat

Filesize
204B

MD5
d34d8af2db97d8de8c081a632df92ab6

SHA1
e68416a844520cc2f75567a7b3f8c641e0887728

SHA256
974c71b15ec4bade5147ca776c9234e59049fed960c32aa468450a12b990bc7f

SHA512
707b8f9c6be929bc5e4d6d39f3fd04b344e5652999631aa051be61644d8367391e7abef9c4a2082541d6a685bd6d90c17c17010919c1bf0fc42181f5d60d0931

Download Submit
C:\Users\dwm.exe

Filesize
682KB

MD5
5b353014c45b712faf461df2fcb51c91

SHA1
a289aeb205873e330efb2ccceaa0c29b196550ed

SHA256
7220bc62e20e11e88ece34cfeb621bdb5713b8ff835bb6d12355797a780afb5b

SHA512
04e662a7af57959065080416a10ede32843f126ff355fde87f8d064d2d52c47b65de05921dffc54255f89bd07d24421186371c0a7534cff509cac6d4b4c1297c

Download Submit
C:\Windows\System32\C_20108\services.exe

Filesize
682KB

MD5
78a5fe6e2acc6f83f1dc3d182a6b678a

SHA1
563326ff1085e9be2447e88cd669843fe3194675

SHA256
6cfd2678ce4aebcb423362552d3b9c573f04677b47b1ff191df928d72124043b

SHA512
c1f55a297c54b24b7a33b7da2ccb00909775a0048d1a3474c4ad374d17b41d15a7f166c9481a3714bf9d572f657791993d632eef9166b78ffefc62641cda203d

Download Submit
C:\Windows\System32\apds\winlogon.exe

Filesize
682KB

MD5
1168a01289281e9d8b30172e06548dc0

SHA1
22a7fa48bffde7640a4476f8c2531e7695ad609b

SHA256
0145e3cc95012c04f60888391fcc255eac7e297e7ec53ae459c1eae04177c137

SHA512
49110a24c2071b5e71a3d362740d27115ae5d6803fdbf64eadb49612cbba5d0daed57442e943c26b8e3bbaac6f061008a2363974484af30de84a183ab966a19a

Download Submit
C:\Windows\System32\diskmgmt\services.exe

Filesize
682KB

MD5
275e877280706ab011bde4129da408c3

SHA1
3b85b34e57d41f47e0e4175eb69076c643d0254b

SHA256
236f9dba1db27f21bf6eaa8a4baec978c702d7a13e33315c32c022a9353797be

SHA512
93a625c84ca488ca4faabba8c8dc6564f70c2c043a3062b0c15ac1b5dbcb7a09b4893c24263542655664b085dd9f2fe0b2a811d375889898808ceb0c2301139b

Download Submit
memory/1572-155-0x00000000013D0000-0x0000000001482000-memory.dmp

Filesize
712KB

Download
memory/1688-5-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/1688-0-0x000007FEF5A63000-0x000007FEF5A64000-memory.dmp

Filesize
4KB

Download
memory/1688-8-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/1688-6-0x00000000003A0000-0x00000000003AA000-memory.dmp

Filesize
40KB

Download
memory/1688-4-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/1688-3-0x0000000000340000-0x0000000000350000-memory.dmp

Filesize
64KB

Download
memory/1688-2-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/1688-145-0x000007FEF5A63000-0x000007FEF5A64000-memory.dmp

Filesize
4KB

Download
memory/1688-1-0x0000000000FE0000-0x0000000001092000-memory.dmp

Filesize
712KB

Download
memory/1688-152-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/1688-7-0x0000000000360000-0x0000000000368000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads