discordrat | fc4c55249b5a21fdc781db6f092f7a311524ff88db4751f7b3b5f70f66211fdc

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/03/2025, 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Eac.exe
Size

35KB
MD5

d5affa7d70893d1d29f8d2d0e8e49499
SHA1

0ffe0701303974ef2edd8638abf92a86648e1b68
SHA256

fc4c55249b5a21fdc781db6f092f7a311524ff88db4751f7b3b5f70f66211fdc
SHA512

7361d3ef71a514766538d9b17b6d3c21f4ace1c90a2b102d3729ac3844b72104621267445e162d54201b2341e2f2a7da0e791804b6c0804149fdd1152578044f
SSDEEP

768:GhvFDyd1WrXkxINeeXJMmA2K3kqgjPQ1YeIqC33QBI:Wxyd87kxVeXJMmA2K3ktjwYeLB

Score

10^/10

discordrat defense_evasion persistence rat rootkit stealer themida trojan upx

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMxODM5MDk2Mzc1NTk0NjEwNQ.GMbt-o.TS0FjWTfQgQvuTYGA3oI5R4a4Nq2WGb7J8TJCA
server_id
1328216936206831626

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	fontdrivehost.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fontdrivehost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fontdrivehost.exe

Executes dropped EXE 5 IoCs

pid	Process
2460	Pub.exe
1528	Built.exe
1284	Built.exe
1164	Process not Found
2708	fontdrivehost.exe

Loads dropped DLL 15 IoCs

pid	Process
2544	Eac.exe
2544	Eac.exe
1284	Built.exe
1284	Built.exe
1284	Built.exe
1284	Built.exe
1284	Built.exe
1284	Built.exe
1284	Built.exe
2544	Eac.exe
2008	WerFault.exe
2008	WerFault.exe
2008	WerFault.exe
2008	WerFault.exe
2008	WerFault.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000600000001903b-132.dat	themida
behavioral1/memory/2460-135-0x0000000140000000-0x0000000142264000-memory.dmp	themida
behavioral1/files/0x0006000000005b6c-282.dat	themida
behavioral1/memory/2708-289-0x000000013FB10000-0x0000000140620000-memory.dmp	themida
behavioral1/memory/2708-290-0x000000013FB10000-0x0000000140620000-memory.dmp	themida
behavioral1/memory/2708-300-0x000000013FB10000-0x0000000140620000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrivehost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\fontdrivehost.exe	7z.exe
File opened for modification	C:\Windows\system32\fontdrivehost.exe	7z.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2708	fontdrivehost.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000019cad-217.dat	upx
behavioral1/memory/1284-219-0x000007FEF5E60000-0x000007FEF6448000-memory.dmp	upx

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\Setup\Windows Defender.rar	Eac.exe
File created	C:\Windows\Setup\Windows\Windows Defender.exe	7z.exe
File created	C:\Windows\Setup\fontdrivehost.rar	Eac.exe
File opened for modification	C:\Windows\Setup	Eac.exe
File created	C:\Windows\Setup\Windows\Pub.exe	7z.exe
File opened for modification	C:\Windows\Setup\Windows\Pub.exe	7z.exe
File opened for modification	C:\Windows\Setup\Windows\Windows Defender.exe	7z.exe
File opened for modification	C:\Windows\system32	Eac.exe
File created	C:\Windows\Setup\Mapper.rar	Eac.exe
File created	C:\Windows\Setup\Pub.rar	Eac.exe
File created	C:\Windows\Setup\Windows\Built.exe	7z.exe
File opened for modification	C:\Windows\Setup\Windows\Built.exe	7z.exe

Modifies system certificate store 2 TTPs 5 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Eac.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Eac.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Eac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Eac.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Eac.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeRestorePrivilege	2688	7z.exe
Token: 35	2688	7z.exe
Token: SeSecurityPrivilege	2688	7z.exe
Token: SeSecurityPrivilege	2688	7z.exe
Token: SeRestorePrivilege	2972	7z.exe
Token: 35	2972	7z.exe
Token: SeSecurityPrivilege	2972	7z.exe
Token: SeSecurityPrivilege	2972	7z.exe
Token: SeRestorePrivilege	888	7z.exe
Token: 35	888	7z.exe
Token: SeSecurityPrivilege	888	7z.exe
Token: SeSecurityPrivilege	888	7z.exe
Token: SeRestorePrivilege	1564	7z.exe
Token: 35	1564	7z.exe
Token: SeSecurityPrivilege	1564	7z.exe
Token: SeSecurityPrivilege	1564	7z.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 1720	2544	Eac.exe	32
PID 2544 wrote to memory of 1720	2544	Eac.exe	32
PID 2544 wrote to memory of 1720	2544	Eac.exe	32
PID 2544 wrote to memory of 2688	2544	Eac.exe	34
PID 2544 wrote to memory of 2688	2544	Eac.exe	34
PID 2544 wrote to memory of 2688	2544	Eac.exe	34
PID 2544 wrote to memory of 2460	2544	Eac.exe	36
PID 2544 wrote to memory of 2460	2544	Eac.exe	36
PID 2544 wrote to memory of 2460	2544	Eac.exe	36
PID 2544 wrote to memory of 2972	2544	Eac.exe	37
PID 2544 wrote to memory of 2972	2544	Eac.exe	37
PID 2544 wrote to memory of 2972	2544	Eac.exe	37
PID 2544 wrote to memory of 1528	2544	Eac.exe	39
PID 2544 wrote to memory of 1528	2544	Eac.exe	39
PID 2544 wrote to memory of 1528	2544	Eac.exe	39
PID 1528 wrote to memory of 1284	1528	Built.exe	40
PID 1528 wrote to memory of 1284	1528	Built.exe	40
PID 1528 wrote to memory of 1284	1528	Built.exe	40
PID 2544 wrote to memory of 888	2544	Eac.exe	41
PID 2544 wrote to memory of 888	2544	Eac.exe	41
PID 2544 wrote to memory of 888	2544	Eac.exe	41
PID 2544 wrote to memory of 1564	2544	Eac.exe	43
PID 2544 wrote to memory of 1564	2544	Eac.exe	43
PID 2544 wrote to memory of 1564	2544	Eac.exe	43
PID 2544 wrote to memory of 2708	2544	Eac.exe	45
PID 2544 wrote to memory of 2708	2544	Eac.exe	45
PID 2544 wrote to memory of 2708	2544	Eac.exe	45
PID 2708 wrote to memory of 2008	2708	fontdrivehost.exe	46
PID 2708 wrote to memory of 2008	2708	fontdrivehost.exe	46
PID 2708 wrote to memory of 2008	2708	fontdrivehost.exe	46

C:\Users\Admin\AppData\Local\Temp\Eac.exe
"C:\Users\Admin\AppData\Local\Temp\Eac.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Windows\Setup\7zip.exe" /S
  2⤵
  PID:1720
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" x "C:\Windows\Setup\Mapper.rar" -o"C:\Windows\Setup\Windows" -p123 -y
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\Setup\Windows\Pub.exe
  "C:\Windows\Setup\Windows\Pub.exe"
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" x "C:\Windows\Setup\Pub.rar" -o"C:\Windows\Setup\Windows" -p123 -y
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2972
- C:\Windows\Setup\Windows\Built.exe
  "C:\Windows\Setup\Windows\Built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\Setup\Windows\Built.exe
    "C:\Windows\Setup\Windows\Built.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1284
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" x "C:\Windows\Setup\Windows Defender.rar" -o"C:\Windows\Setup\Windows" -p123 -y
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:888
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" x "C:\Windows\Setup\fontdrivehost.rar" -o"C:\Windows\system32" -p123 -y
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1564
- C:\Windows\system32\fontdrivehost.exe
  "C:\Windows\system32\fontdrivehost.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2708 -s 604
    3⤵
    - Loads dropped DLL
    PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5e02a54a4a7aa0646bfe994326bee60e

SHA1
876413a4a50cfb14f3f21112c0c25a7f645ac8ac

SHA256
236716d01b08ef8035e6a59e3d1d9050172ee890975b7c9aafbfc1882f95f264

SHA512
7182f8a4e2705e8f83c150f1900473241a0a614cc34154694223ddaf539d8410854c70c845d653588570faca2e7b4078fd9069d00925ae2bd607d81e2203266e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCE97.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCF98.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15282\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15282\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15282\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15282\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
517eb9e2cb671ae49f99173d7f7ce43f

SHA1
4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

SHA256
57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

SHA512
492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15282\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
d12403ee11359259ba2b0706e5e5111c

SHA1
03cc7827a30fd1dee38665c0cc993b4b533ac138

SHA256
f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781

SHA512
9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15282\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15282\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Windows\Setup\Mapper.rar

Filesize
8.4MB

MD5
f71f2cfb88da09f9189152a136e2a73a

SHA1
32cfe27b688d40f9f5e6ad83b677a5bb11e2c774

SHA256
74b0e83103ac9c6dbf376c557e60cbb75ef14c2805af7aad387c83a55f908e9d

SHA512
cfda37b3c7d72cd14912c5bdbbf0cc459ad84431a6dd53cec8e69bdfddaba0fd393cb501bbe362474a1bcc645b438579226ab924814ce034a8dc5fdd91dc6f77

Download Submit
C:\Windows\Setup\Pub.rar

Filesize
7.5MB

MD5
66e659d033e32611f383d9b29953432b

SHA1
4c9f21ad2244656591b8c1aa0a81b7fd42278aa5

SHA256
86953b9c75edbf77c12d2307ee18d07f35e0067a3860f10e0702dd0205b6fb23

SHA512
3556d7263bcd442c8fea6ae6b562331bbc9fcabd948e108c91cfe72fb279f44ddce174d3ff130ab794926473916179ba0ec0e49401d23ddee5c287907d4d4d43

Download Submit
C:\Windows\Setup\Windows Defender.rar

Filesize
256KB

MD5
6872d940d990cb9253555f0b17e23022

SHA1
1ac72a9c302a064bd7746c8e79a2441410bf3706

SHA256
7eba13167ce5b6ef6862320bf14d8fa9b33a85a1ea3f718910372460be18e546

SHA512
6946d43aa67e3d5e83251e34c8a84ca91afb55c20c24afa90fef3d938ed641b86131bc14552b8861ca8e658889223b880c7c498b8787df65cf54888205824c11

Download Submit
C:\Windows\Setup\fontdrivehost.rar

Filesize
3.9MB

MD5
9e20d978775f346de27ec55dc091a952

SHA1
fe20bd0ae9e7a5b5367f7ffc04b4ca6a8951c733

SHA256
bc4b71621b6c225e5fca8d9b227c691b856164af79a08c51a747e177656bd548

SHA512
9a5c0f22641687745d1cdf3c637f3fab5248cb4b80c4f1bee02e5e1f8201ac5c13309b66039c0502d70585b08f87f941ec24509e84cc680f85ae4a09843a2db5

Download Submit
\Windows\Setup\Windows\Built.exe

Filesize
7.7MB

MD5
0dac6f3979353afe030ed5fd5a1d2804

SHA1
cfe4fab4f59d86c97bfea9a1448c0f5a7e59025d

SHA256
62182a243eab225e7e83c5187249137f2e768d14e53b7cac711b860f4a68abfe

SHA512
b94af303ae7c97f29e3a60e4f95e473b5c8cd5690028955b6afd3c8aee3561c20a9d5d982d73c71a00f37c914a31d4d5fe4d0302d09b59b90874be75f53a6784

Download Submit
\Windows\Setup\Windows\Pub.exe

Filesize
8.7MB

MD5
06a621ee6a8f12065b1ed848656b1d70

SHA1
cb6da87de8d58af02562d7f4380d6f1921d67234

SHA256
fb402bab58e2ee836e9707ca475292f4df8bc14fcbfe638e55efbe02ec0f1d27

SHA512
5d28f0df41daae34122d880f0122591cc954fa577ec2b150a1cfad8bf80cb35bc379ee82870ae14014f1fbe6cc798cc4dbdae9e7745e74228e02cf362104ae10

Download Submit
\Windows\System32\fontdrivehost.exe

Filesize
3.9MB

MD5
98bcde2d6a4f8a20cd81a473daad8b38

SHA1
8a095502dfa1df02b53b8caa106e34496b3c378d

SHA256
b8e525ff163b21c3d85358d1bdb7f6f7c8b4ff2cf9d6b7502a5beb925e7245b7

SHA512
b590e89391d8ba3c613097adf89cf475fc06a8926e2d762a866aed6fd29781e576ed42d1e415d8d2d1dc0abf6e1f494c658bd0e0d6614b5907ebfb4aabd660ae

Download Submit
memory/1284-219-0x000007FEF5E60000-0x000007FEF6448000-memory.dmp

Filesize
5.9MB

Download
memory/2460-135-0x0000000140000000-0x0000000142264000-memory.dmp

Filesize
34.4MB

Download
memory/2544-285-0x000000013FB10000-0x0000000140620000-memory.dmp

Filesize
11.1MB

Download
memory/2544-296-0x000000013FB10000-0x0000000140620000-memory.dmp

Filesize
11.1MB

Download
memory/2708-286-0x000000013FB10000-0x0000000140620000-memory.dmp

Filesize
11.1MB

Download
memory/2708-289-0x000000013FB10000-0x0000000140620000-memory.dmp

Filesize
11.1MB

Download
memory/2708-290-0x000000013FB10000-0x0000000140620000-memory.dmp

Filesize
11.1MB

Download
memory/2708-298-0x000000013FB10000-0x0000000140620000-memory.dmp

Filesize
11.1MB

Download
memory/2708-300-0x000000013FB10000-0x0000000140620000-memory.dmp

Filesize
11.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads