dcrat | 080f4cef3580490cb80d2994f7c760aac5a89119efb0ad74b452faf47d81ef92

Analysis

max time kernel
147s
max time network
152s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 10:02 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_080f4cef3580490cb80d2994f7c760aac5a89119efb0ad74b452faf47d81ef92.exe
Size

1.3MB
MD5

3238125d5b0e217b96771a01ea0b549e
SHA1

0d9c0ddce60ad1feb5faeda5b189a1763053f930
SHA256

080f4cef3580490cb80d2994f7c760aac5a89119efb0ad74b452faf47d81ef92
SHA512

88f2c39ad0eec7397e879731b6709de200d7d88a161de62c1ebf98f65f970e078454ebf23381919adc1d5e472d80c9c756b8f5159274ebefd549d2e7c063bbe5
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2956	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2956	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2956	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2956	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2956	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2956	schtasks.exe	35

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016cab-10.dat	dcrat
behavioral1/memory/2724-13-0x0000000001040000-0x0000000001150000-memory.dmp	dcrat
behavioral1/memory/2720-35-0x0000000001220000-0x0000000001330000-memory.dmp	dcrat
behavioral1/memory/2908-399-0x00000000001F0000-0x0000000000300000-memory.dmp	dcrat
behavioral1/memory/756-459-0x0000000001320000-0x0000000001430000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2276	powershell.exe
2324	powershell.exe
2376	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2724	DllCommonsvc.exe
2720	lsm.exe
2308	lsm.exe
2924	lsm.exe
1916	lsm.exe
1984	lsm.exe
1816	lsm.exe
2908	lsm.exe
756	lsm.exe
1600	lsm.exe
2788	lsm.exe

Loads dropped DLL 2 IoCs

pid	Process
868	cmd.exe
868	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
12	raw.githubusercontent.com
22	raw.githubusercontent.com
26	raw.githubusercontent.com
33	raw.githubusercontent.com
37	raw.githubusercontent.com
4	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
29	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Cursors\audiodg.exe	DllCommonsvc.exe
File created	C:\Windows\Cursors\42af1c969fbb7b	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_080f4cef3580490cb80d2994f7c760aac5a89119efb0ad74b452faf47d81ef92.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2696	schtasks.exe
2104	schtasks.exe
2644	schtasks.exe
2756	schtasks.exe
1904	schtasks.exe
2636	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2724	DllCommonsvc.exe
2376	powershell.exe
2276	powershell.exe
2324	powershell.exe
2720	lsm.exe
2308	lsm.exe
2924	lsm.exe
1916	lsm.exe
1984	lsm.exe
1816	lsm.exe
2908	lsm.exe
756	lsm.exe
1600	lsm.exe
2788	lsm.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	DllCommonsvc.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	2720	lsm.exe
Token: SeDebugPrivilege	2308	lsm.exe
Token: SeDebugPrivilege	2924	lsm.exe
Token: SeDebugPrivilege	1916	lsm.exe
Token: SeDebugPrivilege	1984	lsm.exe
Token: SeDebugPrivilege	1816	lsm.exe
Token: SeDebugPrivilege	2908	lsm.exe
Token: SeDebugPrivilege	756	lsm.exe
Token: SeDebugPrivilege	1600	lsm.exe
Token: SeDebugPrivilege	2788	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2536	2272	JaffaCakes118_080f4cef3580490cb80d2994f7c760aac5a89119efb0ad74b452faf47d81ef92.exe	31
PID 2272 wrote to memory of 2536	2272	JaffaCakes118_080f4cef3580490cb80d2994f7c760aac5a89119efb0ad74b452faf47d81ef92.exe	31
PID 2272 wrote to memory of 2536	2272	JaffaCakes118_080f4cef3580490cb80d2994f7c760aac5a89119efb0ad74b452faf47d81ef92.exe	31
PID 2272 wrote to memory of 2536	2272	JaffaCakes118_080f4cef3580490cb80d2994f7c760aac5a89119efb0ad74b452faf47d81ef92.exe	31
PID 2536 wrote to memory of 868	2536	WScript.exe	32
PID 2536 wrote to memory of 868	2536	WScript.exe	32
PID 2536 wrote to memory of 868	2536	WScript.exe	32
PID 2536 wrote to memory of 868	2536	WScript.exe	32
PID 868 wrote to memory of 2724	868	cmd.exe	34
PID 868 wrote to memory of 2724	868	cmd.exe	34
PID 868 wrote to memory of 2724	868	cmd.exe	34
PID 868 wrote to memory of 2724	868	cmd.exe	34
PID 2724 wrote to memory of 2376	2724	DllCommonsvc.exe	42
PID 2724 wrote to memory of 2376	2724	DllCommonsvc.exe	42
PID 2724 wrote to memory of 2376	2724	DllCommonsvc.exe	42
PID 2724 wrote to memory of 2324	2724	DllCommonsvc.exe	43
PID 2724 wrote to memory of 2324	2724	DllCommonsvc.exe	43
PID 2724 wrote to memory of 2324	2724	DllCommonsvc.exe	43
PID 2724 wrote to memory of 2276	2724	DllCommonsvc.exe	44
PID 2724 wrote to memory of 2276	2724	DllCommonsvc.exe	44
PID 2724 wrote to memory of 2276	2724	DllCommonsvc.exe	44
PID 2724 wrote to memory of 2720	2724	DllCommonsvc.exe	48
PID 2724 wrote to memory of 2720	2724	DllCommonsvc.exe	48
PID 2724 wrote to memory of 2720	2724	DllCommonsvc.exe	48
PID 2720 wrote to memory of 1736	2720	lsm.exe	49
PID 2720 wrote to memory of 1736	2720	lsm.exe	49
PID 2720 wrote to memory of 1736	2720	lsm.exe	49
PID 1736 wrote to memory of 1744	1736	cmd.exe	51
PID 1736 wrote to memory of 1744	1736	cmd.exe	51
PID 1736 wrote to memory of 1744	1736	cmd.exe	51
PID 1736 wrote to memory of 2308	1736	cmd.exe	52
PID 1736 wrote to memory of 2308	1736	cmd.exe	52
PID 1736 wrote to memory of 2308	1736	cmd.exe	52
PID 2308 wrote to memory of 2456	2308	lsm.exe	53
PID 2308 wrote to memory of 2456	2308	lsm.exe	53
PID 2308 wrote to memory of 2456	2308	lsm.exe	53
PID 2456 wrote to memory of 2880	2456	cmd.exe	55
PID 2456 wrote to memory of 2880	2456	cmd.exe	55
PID 2456 wrote to memory of 2880	2456	cmd.exe	55
PID 2456 wrote to memory of 2924	2456	cmd.exe	56
PID 2456 wrote to memory of 2924	2456	cmd.exe	56
PID 2456 wrote to memory of 2924	2456	cmd.exe	56
PID 2924 wrote to memory of 2832	2924	lsm.exe	57
PID 2924 wrote to memory of 2832	2924	lsm.exe	57
PID 2924 wrote to memory of 2832	2924	lsm.exe	57
PID 2832 wrote to memory of 2952	2832	cmd.exe	59
PID 2832 wrote to memory of 2952	2832	cmd.exe	59
PID 2832 wrote to memory of 2952	2832	cmd.exe	59
PID 2832 wrote to memory of 1916	2832	cmd.exe	60
PID 2832 wrote to memory of 1916	2832	cmd.exe	60
PID 2832 wrote to memory of 1916	2832	cmd.exe	60
PID 1916 wrote to memory of 1016	1916	lsm.exe	61
PID 1916 wrote to memory of 1016	1916	lsm.exe	61
PID 1916 wrote to memory of 1016	1916	lsm.exe	61
PID 1016 wrote to memory of 1980	1016	cmd.exe	63
PID 1016 wrote to memory of 1980	1016	cmd.exe	63
PID 1016 wrote to memory of 1980	1016	cmd.exe	63
PID 1016 wrote to memory of 1984	1016	cmd.exe	64
PID 1016 wrote to memory of 1984	1016	cmd.exe	64
PID 1016 wrote to memory of 1984	1016	cmd.exe	64
PID 1984 wrote to memory of 2340	1984	lsm.exe	65
PID 1984 wrote to memory of 2340	1984	lsm.exe	65
PID 1984 wrote to memory of 2340	1984	lsm.exe	65
PID 2340 wrote to memory of 2200	2340	cmd.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080f4cef3580490cb80d2994f7c760aac5a89119efb0ad74b452faf47d81ef92.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080f4cef3580490cb80d2994f7c760aac5a89119efb0ad74b452faf47d81ef92.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:868
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
    - - C:\providercommon\lsm.exe
        
        "C:\providercommon\lsm.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2720
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SRNviAgREO.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1744
        
        C:\providercommon\lsm.exe
        
        "C:\providercommon\lsm.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2880
        
        C:\providercommon\lsm.exe
        
        "C:\providercommon\lsm.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2952
        
        C:\providercommon\lsm.exe
        
        "C:\providercommon\lsm.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z6HXYUNDfk.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1980
        
        C:\providercommon\lsm.exe
        
        "C:\providercommon\lsm.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QHkN6qNcbm.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2200
        
        C:\providercommon\lsm.exe
        
        "C:\providercommon\lsm.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat"
        16⤵
        
        PID:2104
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1712
        
        C:\providercommon\lsm.exe
        
        "C:\providercommon\lsm.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"
        18⤵
        
        PID:1812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1952
        
        C:\providercommon\lsm.exe
        
        "C:\providercommon\lsm.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UMOyPGkKXB.bat"
        20⤵
        
        PID:2408
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1364
        
        C:\providercommon\lsm.exe
        
        "C:\providercommon\lsm.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DJG58brWjr.bat"
        22⤵
        
        PID:2744
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2608
        
        C:\providercommon\lsm.exe
        
        "C:\providercommon\lsm.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LZh5ueQJla.bat"
        24⤵
        
        PID:1476
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Cursors\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

Network

DNS

raw.githubusercontent.com

lsm.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.109.133

raw.githubusercontent.com

IN A

185.199.111.133

raw.githubusercontent.com

IN A

185.199.110.133

raw.githubusercontent.com

IN A

185.199.108.133

185.199.109.133:443

raw.githubusercontent.com

tls

lsm.exe

787 B
4.1kB
10
10
185.199.109.133:443

raw.githubusercontent.com

tls

lsm.exe

741 B
4.1kB
9
10
185.199.109.133:443

raw.githubusercontent.com

tls

lsm.exe

741 B
4.1kB
9
10
185.199.109.133:443

raw.githubusercontent.com

tls

lsm.exe

741 B
4.1kB
9
10
185.199.109.133:443

raw.githubusercontent.com

tls

lsm.exe

747 B
4.2kB
9
11
185.199.109.133:443

raw.githubusercontent.com

tls

lsm.exe

747 B
4.2kB
9
11
185.199.109.133:443

raw.githubusercontent.com

tls

lsm.exe

741 B
4.1kB
9
10
185.199.109.133:443

raw.githubusercontent.com

tls

lsm.exe

747 B
4.2kB
9
11
185.199.109.133:443

raw.githubusercontent.com

tls

lsm.exe

741 B
4.1kB
9
10
185.199.109.133:443

raw.githubusercontent.com

tls

lsm.exe

741 B
4.1kB
9
10

8.8.8.8:53

raw.githubusercontent.com

dns

lsm.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.109.133

185.199.111.133

185.199.110.133

185.199.108.133

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ec8922db362f61198b2df826e30d6c1

SHA1
9b606268b5b7202d4d8b4754ef5b767224c25164

SHA256
5f814d8fba4d422f701118d23fa96a0b9547d8c1d53bacf8c895b28883e1d339

SHA512
9a605f01ef7f92415afa725d84b701fb1f4743c64d1f1d343c5dfde4e30ae00214647fec856ea69bb5d85bf75662938acda36ad6f9fa5be9f6b59408f59342e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4416674e519f350e4181b548bf0f9703

SHA1
8b38fe7cb32fd56900cff50ecef09648de47a98d

SHA256
47d500e83ef189d3b6bc2871e17d09f48d1ed38f648399ecbbe54a99047b697b

SHA512
b96245b3c1ce415c7b55f89e7edd00a408cb6df05016e6eb737ca530666ce902cc9f67ce2b1b4d70661a05557b547942cf2ac7957e3b9680c40ae7e1efd36774

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6fc35852c3c2446a728cc2b34b832ddc

SHA1
dca018f19bd73b0b84e0040c88ec265046c89055

SHA256
b106124a5b31dfbf0ac8b4559070f4c22c9d7621d02303537ccfcb1e02d9977b

SHA512
22baef0083727e4783b3dcfe7ed16cdecf401539b72a031297b3ebd98ad39e58dbe239a0ee5b9dd4885d33cd615442a3101375fa3c4baf01cc2b52c52d1df0a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab258b3dbb3d8e77df153e2fc4cc291b

SHA1
c50b119d1f0b3015a07dbad8c183957676f9150f

SHA256
357fe92c017179eb74b6e6bd23f024b3282b67fe7a3390eb45618a7255fe9c3d

SHA512
28c26cb4dd95db37f1124c60a645b0beb3d482d0bc5da46db477bf1a20a4463430f8b0c39bfc98ab29243936268bbb2c0fdce4da0d2b60b3ffd599cbff497be1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
191ba7327ac5e7fcfd59195aae62fb1d

SHA1
b6486a91ab07080bcbba9ddab5e4aa46188a6484

SHA256
7781e58f1e86855caa25adda02cfe737f18ef2b3b3fb1ce452289a720098085a

SHA512
1307c4b4ed4af2aad6d8b8d07ab47657fd964433bf6865c8fc16fe0548ba844710e61793e3b88bc64801e12385503b6c34461713676da8d71bba5679b610ae91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c8f2ce8af45b969528eac2d0dbe2920

SHA1
ada09017bf10fdebcd5cfe447cb0dba684ed9745

SHA256
ed46fb8ba21aa73b8507b9ea2831bb7c4e6cbade432eef88d60e5160df75e3bc

SHA512
749242e19db844870bd9665333590411dcf0910846378e9c3f244beac9894cf50f9510111364453f025b5cb221edd1806939e2e1dde7a9444ed9041e3083fed3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ec28c1880530f72a4781b2fec6cf9ca

SHA1
4437b7a5b9b5a155cfd252bf9398bbbe69e3c1c1

SHA256
3c4bf7522c970becdff9c4a720cc2db835a81b530100026e15f86678a09d43a1

SHA512
016c89af1dd1882650626903500402aebd3c6e823a065c2da6a75b2bcfbceb16b8752fb373a79d0ddac0043d14bc9144c2b7bc57e4a95e446eb69e5e2902fc12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13e52af29eb0984b54ec80ffb2a1a775

SHA1
56d54da37309fa1ed7e33c5500009c7e7bbccd6a

SHA256
a945ed0e45ee19812e1a025d5c0585dcfb05fda9ee6e8f3927f734f981408f4c

SHA512
fb41ed8e3223bfe78227e0ffae13d07687294b28a717230bdceee54ab5e37b52e634bb0adb6d7e90e3ce93b88ee5b1e45d663c25020567f78270ab914f3de6be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61d15a6577047afaa91efcf2175f8566

SHA1
29dfde01b5729bcdb6ace8ba2c9b59525fddb7b5

SHA256
860e403e7121e6427e31b02fbbfd132ba1d368bc21a52cd47856c0b8aac79f02

SHA512
e579e0d6aa0c955eb03b90728bd33ed85c8085cb7fa59f8c490a3ff284d63163e2d6fa8b3ceaf899c0292ad321dcf2eefa1f228d834732e041c8e46429c19b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab33BF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DJG58brWjr.bat

Filesize
190B

MD5
3154c4d9b94c2a05e6ee8adcbef45d88

SHA1
2f4e1e036118904c9937642ed77fd5f93fee6ca0

SHA256
156cd463f8fafc9ebc1e0cf30fc80b9c6b68429c5cfbabd5a1b2c3405dd6d242

SHA512
8137d75107504699bae4a123b06e7f6057f1867851aa435b9f3e766dc911f99e56c991a8dd3582284fab018d98de678b105b89d7faaa45e9679f750d9f115d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\LZh5ueQJla.bat

Filesize
190B

MD5
ab86bd4e35235fc9a5c3d74ab8ccc963

SHA1
9ac98546681ee2b0f2b58a56d2b77bdc09a87166

SHA256
0786443d8f0f81a1ea55baf9178b5da09dcdfe0dbc15d46ca52ea6776ec11f4d

SHA512
ce509a1d6ed8528ae3204d5b8e8d4824da5f7758f96e6b67fc75736aba9a0e22ddb2abb7361eab2ddd2def0cdc27c8bd7a79d51c9dc23d59918c45dcd364add4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat

Filesize
190B

MD5
538485267288151f373375175025500d

SHA1
cd4e258b59b27dffd241a248683e6dffc959c7bf

SHA256
a4bc3e0335408bc651d66e4a6f9e0216dcde2a2fdba71df8590b536ca8b63c94

SHA512
77d9c4d7ea39f87a3e442f7828f2ba8ae04f726c6b191f860892c49b6cfef75aa579b91c490c3118a65226e2339bda011f2a675d46175b6d0349a1e75c307edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\QHkN6qNcbm.bat

Filesize
190B

MD5
45347d2bbc6ed10c007eda0d1f08b4ca

SHA1
568ee56c27917477bd4ec96a488eaf62e7e5d1ca

SHA256
9cb1e92a3f06e52355cd7da5567f2bc34758d9a625bf4c40db7536b8c65234b0

SHA512
29be70645a18147ed3701eb4033be711dccb6cbf7303d8ddd0d0cca0317c356e3ddf84625f1c2418e81d9d99c4aa036b2a99ae84047a607cb67016546ee7d4b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SRNviAgREO.bat

Filesize
190B

MD5
dd34fcadf1dd1b55a42b365b1342150c

SHA1
85b7835b795960982830ddd5535265b06715b0f5

SHA256
adb1e6c779bc0719ffd77117f2d7447262e320f5c57c50890e21235f6b168dcd

SHA512
8bb316eb6a62f3904f86ae7142c1076d60ae1b2b09abd4ff0337b2ff9d433d28af153cd37f3f9039561b8ef72d039f3fbf374fd935704a25e2274149650db866

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3420.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMOyPGkKXB.bat

Filesize
190B

MD5
c676bce82783731abc3a6612f11a7bf0

SHA1
b99d3239a01940a1c6daf59ea3a590b617e32fc8

SHA256
c9ea61f9f9281326fb7852aa07260c0c8f506187d26e33d0d41e55330075443f

SHA512
4ea99c51157ca4bc5496c38f467c50a585f5e2db51bfa797e9ff168db1203904900db1d3cd16425b2dccd11dd0cb71e45c2d9600ed95dbc12107f049a5b7d609

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat

Filesize
190B

MD5
ae8756e6c1496eae8811619bd9cf91f3

SHA1
0fe91f7906129d55372dd84e77865aecca4c445d

SHA256
72814cf2270e0beebcc9c76d7f3b2e6a61431b15576b83ed3d4177613c42feaa

SHA512
2e2d09b8b144d61918a957e89e9b6668044d358092ca5d49e88839ba789c5a35ad63c27417906cb2bb429cfaeffff4eb136880519e1d61e355b9c6f8f7c16f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat

Filesize
190B

MD5
9b2fced64a07a0f918d2e4c1dfc83252

SHA1
d721176f1073017c3ddd29a466ae5d8e4023c89d

SHA256
39f47f7358892c8039bb3cc1559bbaca425a1dc4ad8587158bf7b6639ad935ff

SHA512
084ac8d43b1453a29fd065cc402d35d28d843b93e575541ae55665d4b6b69cd6b02b1dcef4feda632d47fe54f5483742e835671bfefac7cca8a16e4040354cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat

Filesize
190B

MD5
8840490a54c9d64172c094a106d5b8f8

SHA1
9e2501aef5c09dbfbccbf8d346dc300546a197d1

SHA256
092067c432dcf42ee98ce1b6224b3fae773981a89d8479ad6eefaa440a44e32c

SHA512
f57217a30b8dc5a14bded2f3304b5146f7987fadec19853235a62be46c190a6aff9df93cf558cb8630b4e6391753af6460e832213ced7f8899a719018b7a5444

Download Submit
C:\Users\Admin\AppData\Local\Temp\z6HXYUNDfk.bat

Filesize
190B

MD5
1c3c63337a2aa7915bd30f248b4080bf

SHA1
828a34b44ba10797ca196d1271b3421e18842879

SHA256
082ba463d54be020295b1a4668a1fc8c114809552404b1e25e4f6ed6878a69e1

SHA512
f3f861a2a798b5c7c20d07f7b1acd8b384fbea2a8635162412d22bb6b98dea19fa6a9a6f56007e8269989d9f1bbfc68249ab2fd271101f1e99b3dfa3d2cc1e31

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
778158e3210dc695832186d3a36188ea

SHA1
94f0020ae2c7e7f8472cdfb190e43fff0bf23567

SHA256
013d6cb6d111cb29461ca1502f3e4b61411402116939f512564ca787e621e6c6

SHA512
4904b0cb36ba08aee2b6e8e34f17bc244386e2ca5dcf128a260e751109757a1947de7778da581a90c08954d7992d4c8747b7e1b342045fb1124d315ed7578874

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/756-459-0x0000000001320000-0x0000000001430000-memory.dmp

Filesize
1.1MB

Download
memory/2376-29-0x0000000002270000-0x0000000002278000-memory.dmp

Filesize
32KB

Download
memory/2376-28-0x000000001B460000-0x000000001B742000-memory.dmp

Filesize
2.9MB

Download
memory/2720-45-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2720-35-0x0000000001220000-0x0000000001330000-memory.dmp

Filesize
1.1MB

Download
memory/2724-13-0x0000000001040000-0x0000000001150000-memory.dmp

Filesize
1.1MB

Download
memory/2724-16-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2724-14-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2724-15-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download
memory/2724-17-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/2908-399-0x00000000001F0000-0x0000000000300000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.