dcrat | d96fbfdd304486a3398779aa2ee2e2002bbf06d6d2bffdce9760920f562981b7

Analysis

max time kernel
481s
max time network
444s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
07-12-2024 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LoaderDLL.exe
Size

1.9MB
MD5

07dc286fdef5740f2a0e86b5c87f9f2b
SHA1

7bb10a6f0189ab43c444c6742bbe896c1885628d
SHA256

d96fbfdd304486a3398779aa2ee2e2002bbf06d6d2bffdce9760920f562981b7
SHA512

184ba034767e116d269b5622bdf254e92b0dd98e4a6b5060887b662b2163e1b0312882dd724129a81f2ac41202c61d84a1333ca773ea6972a4b791dd04c18a83
SSDEEP

24576:u2G/nvxW3WieCnmGOFV7TB6vfEVJLlozLwVRc2QX9s7kJb0vwSXkhBo:ubA3jn4tB6vfIJaHolQqkd0vYhi

Score

10^/10

dcrat discovery evasion infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00280000000451b2-12.dat	dcrat
behavioral1/memory/5096-16-0x0000000000BD0000-0x0000000000D6E000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	LoaderDLL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	LoaderDLL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	LoaderDLL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	LoaderDLL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	LoaderDLL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	LoaderDLL.exe

Executes dropped EXE 13 IoCs

pid	Process
5096	Exploreer.exe
3796	Exploreer.exe
4452	Exploreer.exe
956	Exploreer.exe
3228	Exploreer.exe
4412	Exploreer.exe
3812	Exploreer.exe
1736	Exploreer.exe
2436	Exploreer.exe
4052	Exploreer.exe
4888	Exploreer.exe
2180	Exploreer.exe
5060	Exploreer.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Exploreer.exe	LoaderDLL.exe
File created	C:\Windows\SysWOW64\aqigp7y2h0Y4lDn0tpFkyDV.vbe	LoaderDLL.exe
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_240746203	LoaderDLL.exe
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_240748750	LoaderDLL.exe
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_240758578	LoaderDLL.exe
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_240761187	LoaderDLL.exe
File opened for modification	C:\Windows\SysWOW64\6PMCVrjY.bat	LoaderDLL.exe
File created	C:\Windows\SysWOW64\6PMCVrjY.bat	LoaderDLL.exe
File created	C:\Windows\SysWOW64\Exploreer.exe	LoaderDLL.exe
File opened for modification	C:\Windows\SysWOW64\aqigp7y2h0Y4lDn0tpFkyDV.vbe	LoaderDLL.exe
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_240849343	LoaderDLL.exe
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_240613953	LoaderDLL.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LoaderDLL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LoaderDLL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LoaderDLL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LoaderDLL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LoaderDLL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LoaderDLL.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings	LoaderDLL.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings	LoaderDLL.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings	LoaderDLL.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings	LoaderDLL.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings	LoaderDLL.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings	LoaderDLL.exe

Modifies registry key 1 TTPs 10 IoCs

Modify Registry

T1112

pid	Process
5072	reg.exe
1340	reg.exe
1704	reg.exe
1100	reg.exe
2988	reg.exe
1844	reg.exe
1112	reg.exe
4624	reg.exe
3440	reg.exe
3612	reg.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3784	Notepad.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
116	7zFM.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	5096	Exploreer.exe
Token: SeDebugPrivilege	3796	Exploreer.exe
Token: SeDebugPrivilege	4452	Exploreer.exe
Token: SeDebugPrivilege	956	Exploreer.exe
Token: SeDebugPrivilege	3228	Exploreer.exe
Token: SeRestorePrivilege	116	7zFM.exe
Token: 35	116	7zFM.exe
Token: SeSecurityPrivilege	116	7zFM.exe
Token: SeDebugPrivilege	4412	Exploreer.exe
Token: SeDebugPrivilege	3812	Exploreer.exe
Token: SeDebugPrivilege	1736	Exploreer.exe
Token: SeDebugPrivilege	2436	Exploreer.exe
Token: SeDebugPrivilege	4052	Exploreer.exe
Token: SeDebugPrivilege	4888	Exploreer.exe
Token: SeDebugPrivilege	2180	Exploreer.exe
Token: SeDebugPrivilege	5060	Exploreer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
116	7zFM.exe
116	7zFM.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3000	LoaderDLL.exe
4012	LoaderDLL.exe
1460	LoaderDLL.exe
1740	LoaderDLL.exe
3468	LoaderDLL.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 1092	1120	LoaderDLL.exe	81
PID 1120 wrote to memory of 1092	1120	LoaderDLL.exe	81
PID 1120 wrote to memory of 1092	1120	LoaderDLL.exe	81
PID 1092 wrote to memory of 4744	1092	WScript.exe	82
PID 1092 wrote to memory of 4744	1092	WScript.exe	82
PID 1092 wrote to memory of 4744	1092	WScript.exe	82
PID 4744 wrote to memory of 5096	4744	cmd.exe	84
PID 4744 wrote to memory of 5096	4744	cmd.exe	84
PID 4744 wrote to memory of 4624	4744	cmd.exe	86
PID 4744 wrote to memory of 4624	4744	cmd.exe	86
PID 4744 wrote to memory of 4624	4744	cmd.exe	86
PID 3000 wrote to memory of 1804	3000	LoaderDLL.exe	103
PID 3000 wrote to memory of 1804	3000	LoaderDLL.exe	103
PID 3000 wrote to memory of 1804	3000	LoaderDLL.exe	103
PID 1804 wrote to memory of 2516	1804	WScript.exe	104
PID 1804 wrote to memory of 2516	1804	WScript.exe	104
PID 1804 wrote to memory of 2516	1804	WScript.exe	104
PID 2516 wrote to memory of 3796	2516	cmd.exe	107
PID 2516 wrote to memory of 3796	2516	cmd.exe	107
PID 4012 wrote to memory of 1808	4012	LoaderDLL.exe	108
PID 4012 wrote to memory of 1808	4012	LoaderDLL.exe	108
PID 4012 wrote to memory of 1808	4012	LoaderDLL.exe	108
PID 2516 wrote to memory of 1340	2516	cmd.exe	110
PID 2516 wrote to memory of 1340	2516	cmd.exe	110
PID 2516 wrote to memory of 1340	2516	cmd.exe	110
PID 1808 wrote to memory of 4068	1808	WScript.exe	112
PID 1808 wrote to memory of 4068	1808	WScript.exe	112
PID 1808 wrote to memory of 4068	1808	WScript.exe	112
PID 4068 wrote to memory of 4452	4068	cmd.exe	114
PID 4068 wrote to memory of 4452	4068	cmd.exe	114
PID 4068 wrote to memory of 3440	4068	cmd.exe	115
PID 4068 wrote to memory of 3440	4068	cmd.exe	115
PID 4068 wrote to memory of 3440	4068	cmd.exe	115
PID 1460 wrote to memory of 2032	1460	LoaderDLL.exe	117
PID 1460 wrote to memory of 2032	1460	LoaderDLL.exe	117
PID 1460 wrote to memory of 2032	1460	LoaderDLL.exe	117
PID 2032 wrote to memory of 728	2032	WScript.exe	119
PID 2032 wrote to memory of 728	2032	WScript.exe	119
PID 2032 wrote to memory of 728	2032	WScript.exe	119
PID 728 wrote to memory of 956	728	cmd.exe	121
PID 728 wrote to memory of 956	728	cmd.exe	121
PID 1740 wrote to memory of 2348	1740	LoaderDLL.exe	122
PID 1740 wrote to memory of 2348	1740	LoaderDLL.exe	122
PID 1740 wrote to memory of 2348	1740	LoaderDLL.exe	122
PID 728 wrote to memory of 3612	728	cmd.exe	123
PID 728 wrote to memory of 3612	728	cmd.exe	123
PID 728 wrote to memory of 3612	728	cmd.exe	123
PID 2348 wrote to memory of 4280	2348	WScript.exe	124
PID 2348 wrote to memory of 4280	2348	WScript.exe	124
PID 2348 wrote to memory of 4280	2348	WScript.exe	124
PID 4280 wrote to memory of 3228	4280	cmd.exe	126
PID 4280 wrote to memory of 3228	4280	cmd.exe	126
PID 4280 wrote to memory of 1704	4280	cmd.exe	127
PID 4280 wrote to memory of 1704	4280	cmd.exe	127
PID 4280 wrote to memory of 1704	4280	cmd.exe	127
PID 3580 wrote to memory of 1100	3580	cmd.exe	132
PID 3580 wrote to memory of 1100	3580	cmd.exe	132
PID 2516 wrote to memory of 2988	2516	cmd.exe	138
PID 2516 wrote to memory of 2988	2516	cmd.exe	138
PID 3688 wrote to memory of 1844	3688	cmd.exe	141
PID 3688 wrote to memory of 1844	3688	cmd.exe	141
PID 2352 wrote to memory of 1112	2352	cmd.exe	149
PID 2352 wrote to memory of 1112	2352	cmd.exe	149
PID 3468 wrote to memory of 3008	3468	LoaderDLL.exe	153

C:\Users\Admin\AppData\Local\Temp\LoaderDLL.exe
"C:\Users\Admin\AppData\Local\Temp\LoaderDLL.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\System32\aqigp7y2h0Y4lDn0tpFkyDV.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\6PMCVrjY.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - C:\Windows\SysWOW64\Exploreer.exe
      "C:\Windows\System32\Exploreer.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5096
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4624

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4720

C:\Users\Admin\AppData\Local\Temp\LoaderDLL.exe
"C:\Users\Admin\AppData\Local\Temp\LoaderDLL.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\System32\aqigp7y2h0Y4lDn0tpFkyDV.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\6PMCVrjY.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Windows\SysWOW64\Exploreer.exe
      "C:\Windows\System32\Exploreer.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3796
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1340

C:\Users\Admin\AppData\Local\Temp\LoaderDLL.exe
"C:\Users\Admin\AppData\Local\Temp\LoaderDLL.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4012
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\System32\aqigp7y2h0Y4lDn0tpFkyDV.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\6PMCVrjY.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4068
  - - C:\Windows\SysWOW64\Exploreer.exe
      "C:\Windows\System32\Exploreer.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4452
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3440

C:\Users\Admin\Desktop\LoaderDLL.exe
"C:\Users\Admin\Desktop\LoaderDLL.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\System32\aqigp7y2h0Y4lDn0tpFkyDV.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\6PMCVrjY.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:728
  - - C:\Windows\SysWOW64\Exploreer.exe
      "C:\Windows\System32\Exploreer.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:956
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3612

C:\Users\Admin\Desktop\LoaderDLL.exe
"C:\Users\Admin\Desktop\LoaderDLL.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\System32\aqigp7y2h0Y4lDn0tpFkyDV.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\6PMCVrjY.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4280
  - - C:\Windows\SysWOW64\Exploreer.exe
      "C:\Windows\System32\Exploreer.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3228
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1704

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\LoaderDLL.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\6PMCVrjY.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:1100

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\aqigp7y2h0Y4lDn0tpFkyDV.vbe"
1⤵
PID:896

C:\Users\Admin\Desktop\Exploreer.exe
"C:\Users\Admin\Desktop\Exploreer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Users\Admin\Desktop\Exploreer.exe
"C:\Users\Admin\Desktop\Exploreer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\6PMCVrjY.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\6PMCVrjY.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:1844

C:\Users\Admin\Desktop\Exploreer.exe
"C:\Users\Admin\Desktop\Exploreer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Users\Admin\Desktop\Exploreer.exe
"C:\Users\Admin\Desktop\Exploreer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Users\Admin\Desktop\Exploreer.exe
"C:\Users\Admin\Desktop\Exploreer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Users\Admin\Desktop\Exploreer.exe
"C:\Users\Admin\Desktop\Exploreer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Users\Admin\Desktop\Exploreer.exe
"C:\Users\Admin\Desktop\Exploreer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\6PMCVrjY.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:1112

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\aqigp7y2h0Y4lDn0tpFkyDV.vbe
1⤵
- Opens file in notepad (likely ransom note)
PID:3784

C:\Users\Admin\Desktop\LoaderDLL.exe
"C:\Users\Admin\Desktop\LoaderDLL.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\System32\aqigp7y2h0Y4lDn0tpFkyDV.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\6PMCVrjY.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4324
  - - C:\Windows\SysWOW64\Exploreer.exe
      "C:\Windows\System32\Exploreer.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5060
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Exploreer.exe.log

Filesize
1KB

MD5
ff7ce793bcf47827eb5d4b597959a841

SHA1
5af4410d4ae6fff5f90030556de31a3dfe620845

SHA256
3cd72e1b802edf5156a5cb51a21acce032fc7ba0fe6a500027674d833373e0f8

SHA512
ec106eb5dfc3b27d4dc9ac08f77a5afe1a2aa7cba75f648b4c417ad89b78c7e469f6a18ac1f42acbc821d8a07bef0ae067a4f3ff0dc0b71c54379d8877947de6

Download Submit
C:\Windows\SysWOW64\6PMCVrjY.bat

Filesize
147B

MD5
5af84305f2de25d11804c61e0ed2cfdc

SHA1
ea549da376036d95c722f5d2facfe0251e155dab

SHA256
864bfd16bd15fe2e22fc413bf41093fd77aa94b452492e56e567f59048a582b4

SHA512
fbe11949d5c607e47c6968842cec8ccc57769c7f5f61f28f7e5e12d0f8e73f9bafe048ee012c344c6e506c1cc02dbbb28b96323269d01bc2d7daa85b9f738bf0

Download Submit
C:\Windows\SysWOW64\Exploreer.exe

Filesize
1.6MB

MD5
bdbabf0854f633090f1d7d158107f0e6

SHA1
ce28d0dd90c1594912c9ad586568fc01e70efbd6

SHA256
dc8667fa2ae8c4b9a3656863da1fa585154cfc2f7b418ac95dff798057f7387b

SHA512
b2c10ffc59441f15951266f5c1e22cdfbb7dba223f7297d8cb67eff63446d5b0226ff381c5bb4f1ba66e059a994640e678bcf2ca3dbb523e5db8bde4e1389726

Download Submit
C:\Windows\SysWOW64\aqigp7y2h0Y4lDn0tpFkyDV.vbe

Filesize
201B

MD5
17b42e1d6313d231cfac9cfe6335a948

SHA1
3a804667af17571a6cf049abb50dc0488f03b39f

SHA256
840078dc79592ea5d16345a07a23634d57cbe5a0130647ecb7143bda933a04c9

SHA512
1ca74afc164674facb2b919253080179f4334ae2da1b5f85ab43b5de889b122c70f0c526bb6bb5a673c34ddc2d47fab52898b5f488bbeb87137649f84a1c973c

Download Submit
memory/5096-15-0x00007FFBE6BB3000-0x00007FFBE6BB5000-memory.dmp

Filesize
8KB

Download
memory/5096-16-0x0000000000BD0000-0x0000000000D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5096-17-0x0000000002F60000-0x0000000002F6E000-memory.dmp

Filesize
56KB

Download