dcrat | 0043be0527169c370619ab57df3eefb66f7742e90449cfc952489d70fdbca59a

Resubmissions

11-01-2025 22:42

250111-2m5qhavqar 10

11-01-2025 22:39

250111-2lgbhsvpdp 10

11-01-2025 22:29

250111-2effmssnft 10

Analysis

max time kernel
608s
max time network
610s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 22:29

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

DCRatBuild.exe
Size

3.7MB
MD5

072756d824448388227ca413cf9b30fb
SHA1

3774a14ae84e955c57a35f82da833d46cea22ed3
SHA256

0043be0527169c370619ab57df3eefb66f7742e90449cfc952489d70fdbca59a
SHA512

2a3953faddf9b6037a0a34499ac11011e4c22d931ba9e4ab174b0ebd7e1c1bade9546a6b970f6280402905159b42bcdc60c92a91e8dd39cd9ff14ddf73638a4d
SSDEEP

98304:yQpUIa1ishqq/x4XR09rQVkREwySMEX+y:xpUIa0KFl9rnRHPZXF

Score

10^/10

dcrat discovery evasion execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\System.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\System.exe\", \"C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\RuntimeBroker.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\System.exe\", \"C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\RuntimeBroker.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\smss.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\System.exe\", \"C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\RuntimeBroker.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\smss.exe\", \"C:\\comdll\\SppExtComObj.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\System.exe\", \"C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\RuntimeBroker.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\smss.exe\", \"C:\\comdll\\SppExtComObj.exe\", \"C:\\comdll\\upfc.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\System.exe\", \"C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\RuntimeBroker.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\smss.exe\", \"C:\\comdll\\SppExtComObj.exe\", \"C:\\comdll\\upfc.exe\", \"C:\\comdll\\reviewdll.exe\""	reviewdll.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3728	powershell.exe
2124	powershell.exe
672	powershell.exe
1472	powershell.exe
1880	powershell.exe
4616	powershell.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DCRatBuild.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	reviewdll.exe

Executes dropped EXE 2 IoCs

pid	Process
1164	reviewdll.exe
3964	smss.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\BitLockerDiscoveryVolumeContents\\smss.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\comdll\\SppExtComObj.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\comdll\\upfc.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Mozilla Firefox\\browser\\features\\System.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Mozilla Firefox\\browser\\features\\System.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\RuntimeBroker.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\BitLockerDiscoveryVolumeContents\\smss.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reviewdll = "\"C:\\comdll\\reviewdll.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\RuntimeBroker.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\comdll\\SppExtComObj.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\comdll\\upfc.exe\""	reviewdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reviewdll = "\"C:\\comdll\\reviewdll.exe\""	reviewdll.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCD1C16B8BD12140CC94D8372C32F262BB.TMP	csc.exe
File created	\??\c:\Windows\System32\enb1sa.exe	csc.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\ModifiableWindowsApps\sihost.exe	reviewdll.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\System.exe	reviewdll.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\27d1bcfc3c54e0	reviewdll.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\BitLockerDiscoveryVolumeContents\smss.exe	reviewdll.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\69ddcba757bf72	reviewdll.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
540	PING.EXE

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "157"	LogonUI.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	DCRatBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	reviewdll.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2140	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
540	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe
1164	reviewdll.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3964	smss.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1164	reviewdll.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	4616	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	672	powershell.exe
Token: SeDebugPrivilege	3728	powershell.exe
Token: SeDebugPrivilege	3964	smss.exe
Token: 33	1560	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1560	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3964	smss.exe
3964	smss.exe
3024	LogonUI.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 3176	216	DCRatBuild.exe	84
PID 216 wrote to memory of 3176	216	DCRatBuild.exe	84
PID 216 wrote to memory of 3176	216	DCRatBuild.exe	84
PID 3176 wrote to memory of 4644	3176	WScript.exe	85
PID 3176 wrote to memory of 4644	3176	WScript.exe	85
PID 3176 wrote to memory of 4644	3176	WScript.exe	85
PID 4644 wrote to memory of 2140	4644	cmd.exe	87
PID 4644 wrote to memory of 2140	4644	cmd.exe	87
PID 4644 wrote to memory of 2140	4644	cmd.exe	87
PID 4644 wrote to memory of 1164	4644	cmd.exe	88
PID 4644 wrote to memory of 1164	4644	cmd.exe	88
PID 1164 wrote to memory of 1708	1164	reviewdll.exe	90
PID 1164 wrote to memory of 1708	1164	reviewdll.exe	90
PID 1708 wrote to memory of 2196	1708	csc.exe	92
PID 1708 wrote to memory of 2196	1708	csc.exe	92
PID 1164 wrote to memory of 3728	1164	reviewdll.exe	93
PID 1164 wrote to memory of 3728	1164	reviewdll.exe	93
PID 1164 wrote to memory of 2124	1164	reviewdll.exe	94
PID 1164 wrote to memory of 2124	1164	reviewdll.exe	94
PID 1164 wrote to memory of 672	1164	reviewdll.exe	95
PID 1164 wrote to memory of 672	1164	reviewdll.exe	95
PID 1164 wrote to memory of 1472	1164	reviewdll.exe	96
PID 1164 wrote to memory of 1472	1164	reviewdll.exe	96
PID 1164 wrote to memory of 4616	1164	reviewdll.exe	97
PID 1164 wrote to memory of 4616	1164	reviewdll.exe	97
PID 1164 wrote to memory of 1880	1164	reviewdll.exe	98
PID 1164 wrote to memory of 1880	1164	reviewdll.exe	98
PID 1164 wrote to memory of 2736	1164	reviewdll.exe	104
PID 1164 wrote to memory of 2736	1164	reviewdll.exe	104
PID 2736 wrote to memory of 3432	2736	cmd.exe	107
PID 2736 wrote to memory of 3432	2736	cmd.exe	107
PID 2736 wrote to memory of 540	2736	cmd.exe	108
PID 2736 wrote to memory of 540	2736	cmd.exe	108
PID 2736 wrote to memory of 3964	2736	cmd.exe	109
PID 2736 wrote to memory of 3964	2736	cmd.exe	109

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:216
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\comdll\4exWDwzwdGdIoLb6OOTKDeE5vKnmRp2hJNj7qr4y3yRCw2tu43CBSny6KK.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\comdll\4j9mXD4SFtpK7TbDoMbaMV7rHFTx27gv5loxd61ax9TZaUUhHC.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4644
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2140
  - - C:\comdll\reviewdll.exe
      "C:\comdll/reviewdll.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1164
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w1eyunii\w1eyunii.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1708
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D6D.tmp" "c:\Windows\System32\CSCD1C16B8BD12140CC94D8372C32F262BB.TMP"
        6⤵
        
        PID:2196
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\browser\features\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\comdll\SppExtComObj.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\comdll\upfc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\comdll\reviewdll.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eeMd6dR9vm.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3432
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:540
      - C:\Windows\BitLockerDiscoveryVolumeContents\smss.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\smss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3964

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x340 0x490
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3959855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2979eabc783eaca50de7be23dd4eafcf

SHA1
d709ce5f3a06b7958a67e20870bfd95b83cad2ea

SHA256
006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903

SHA512
92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7D6D.tmp

Filesize
1KB

MD5
17baa7850268726598232231bae50948

SHA1
b7033d202fb7c6c6d8d3ca28febae3e75df2a8bc

SHA256
1c6095e89a655fd75347d9ea76411e53074bc349bb191c5e567a3d2e7ce0ac12

SHA512
51542082456266797b10be39d9215639fd8773ced2f5180fcd6834e4457c6d34def9b86110ce5111c7060bdc5c43d6b71bf5b02e2684b027bd82df7bfc1fe4cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lmg23zo0.h5i.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeMd6dR9vm.bat

Filesize
180B

MD5
70cb881a326749e3a286fb243db7cdc9

SHA1
2bd178427bbc44d3a6113f747a062735db1dd072

SHA256
751b88c93fd82f8024e4cd1c955e03a926235af899fd86d1f72d57b5a8f513d3

SHA512
196c60b95171441907887d22b9a45ca9fc6555cf4298f3a6be280bbb9368fd92451a4715c106ae07a9d6c08d8583fffb81ddb94890337a77ffb9ecba3df49778

Download Submit
C:\comdll\4exWDwzwdGdIoLb6OOTKDeE5vKnmRp2hJNj7qr4y3yRCw2tu43CBSny6KK.vbe

Filesize
234B

MD5
46d7e19eabaed1a2f85b8a8424dac416

SHA1
e06d990343b40ba693a9d791bc32822758e9e460

SHA256
a3ee2e31da36005b292231d790c3103560ca7e9aa2f106ce8357b28e480d17fe

SHA512
e99691e90149c41c00f4cb7c1b0839ce4c5bc3cee49f6275887404d3807e0c0af04901b7813231576e2cd1226aeb3a6c025bdee7d67bfc35cd7e33cf33b78a49

Download Submit
C:\comdll\4j9mXD4SFtpK7TbDoMbaMV7rHFTx27gv5loxd61ax9TZaUUhHC.bat

Filesize
187B

MD5
eb4292c364e92458c77e875e2c7df7da

SHA1
b53e0db95ddb58ecf519ede0d7a976a52516eaed

SHA256
3ab7ad885c7422ef507d9878ea1b371c9b0c7e6bf3f93dd0a576c8d3bc850280

SHA512
0fb3aeae473d6a6a805ed580833d6b6dd5a8e3c81500b2c054a3d6c22e75425118f18f8ea8a81daac2c4979e75ecff6979bd1c2b5becf88982b8d04abf9fae01

Download Submit
C:\comdll\reviewdll.exe

Filesize
3.4MB

MD5
278bb3a4ab923948a0c4f83edd2dee9c

SHA1
8852d6a67748a8656ddf19cee916b155044680bd

SHA256
b8046f1e47f1673806a5b2938f5194e2984a7c385a13ff8c9daeb378e5d66793

SHA512
8b8db76161204c482474b010b2a5605d5d4e9543d67c4dac1d643860351e12eabeca733fbfc30011447aff660be27e3d80d48e88548408c4a8645e5bcb94c26c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w1eyunii\w1eyunii.0.cs

Filesize
392B

MD5
4503cee4e7ad3787fe12fb37317fc234

SHA1
32279c2d61df3d3f050f16044628ab3d8fc16aab

SHA256
5c5da899a6ecbb1e15ee1268ec100daf57ee797c835b508d9a17a0336d8130a8

SHA512
ee96117c911289177b36c461a7d0d11da97fef30d635aeeeec8d705564b3a4ba43da821343923200d005fa2667649ca71ae04481da9e24964f497f821ef8b52a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w1eyunii\w1eyunii.cmdline

Filesize
235B

MD5
edb0d730ef0ab0736f70143a6f4ddb96

SHA1
01b5806cd605a6a17ded02f317fc51ae46faf256

SHA256
a0bd521d614edff59f69fc12f9d94be44ab1d9684202b7e1532c677c4281dc6d

SHA512
f4f01ae96d67bd71a5606248efa4be837a97af3372705f23b9e84a90f88a54f4279af8f376314fd28071d941e3bdfb53f3b7322c235d310a930aca78a88c33e1

Download Submit
\??\c:\Windows\System32\CSCD1C16B8BD12140CC94D8372C32F262BB.TMP

Filesize
1KB

MD5
5984679060d0fc54eba47cead995f65a

SHA1
f72bbbba060ac80ac6abedc7b8679e8963f63ebf

SHA256
4104fdf5499f0aa7dd161568257acae002620ec385f2ede2072d4f550ecff433

SHA512
bc8aadfabe5dbb4e3ea5e07a5ccbddd363400005675acda3e9cb414dc75fb0ba74f41b4a6baf34d42f85a9ae0af7d2418420c78b0c643f7243fe93a49b8140b5

Download Submit
memory/1164-25-0x0000000003110000-0x0000000003120000-memory.dmp

Filesize
64KB

Download
memory/1164-33-0x000000001BE10000-0x000000001BE26000-memory.dmp

Filesize
88KB

Download
memory/1164-38-0x000000001BC60000-0x000000001BC6E000-memory.dmp

Filesize
56KB

Download
memory/1164-40-0x000000001BC70000-0x000000001BC80000-memory.dmp

Filesize
64KB

Download
memory/1164-42-0x000000001BCA0000-0x000000001BCB0000-memory.dmp

Filesize
64KB

Download
memory/1164-44-0x000000001C1C0000-0x000000001C21A000-memory.dmp

Filesize
360KB

Download
memory/1164-46-0x000000001BE50000-0x000000001BE5E000-memory.dmp

Filesize
56KB

Download
memory/1164-48-0x000000001BE60000-0x000000001BE70000-memory.dmp

Filesize
64KB

Download
memory/1164-50-0x000000001BE70000-0x000000001BE7E000-memory.dmp

Filesize
56KB

Download
memory/1164-52-0x000000001C420000-0x000000001C438000-memory.dmp

Filesize
96KB

Download
memory/1164-54-0x000000001BE80000-0x000000001BE8C000-memory.dmp

Filesize
48KB

Download
memory/1164-56-0x000000001C490000-0x000000001C4DE000-memory.dmp

Filesize
312KB

Download
memory/1164-35-0x000000001BE30000-0x000000001BE42000-memory.dmp

Filesize
72KB

Download
memory/1164-36-0x000000001C6F0000-0x000000001CC18000-memory.dmp

Filesize
5.2MB

Download
memory/1164-31-0x0000000003130000-0x0000000003140000-memory.dmp

Filesize
64KB

Download
memory/1164-29-0x000000001BC80000-0x000000001BC92000-memory.dmp

Filesize
72KB

Download
memory/1164-27-0x0000000003120000-0x000000000312E000-memory.dmp

Filesize
56KB

Download
memory/1164-12-0x0000000000C60000-0x0000000000FC6000-memory.dmp

Filesize
3.4MB

Download
memory/1164-23-0x00000000017C0000-0x00000000017D0000-memory.dmp

Filesize
64KB

Download
memory/1164-21-0x000000001BC40000-0x000000001BC58000-memory.dmp

Filesize
96KB

Download
memory/1164-19-0x00000000017A0000-0x00000000017B0000-memory.dmp

Filesize
64KB

Download
memory/1164-17-0x000000001BDC0000-0x000000001BE10000-memory.dmp

Filesize
320KB

Download
memory/1164-16-0x000000001BC20000-0x000000001BC3C000-memory.dmp

Filesize
112KB

Download
memory/1164-14-0x0000000001790000-0x000000000179E000-memory.dmp

Filesize
56KB

Download
memory/2124-103-0x000002C5D24E0000-0x000002C5D2502000-memory.dmp

Filesize
136KB

Download
memory/3964-178-0x000000001F000000-0x000000001F115000-memory.dmp

Filesize
1.1MB

Download
memory/3964-254-0x000000001D180000-0x000000001D1A6000-memory.dmp

Filesize
152KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads