dcrat | 7d5f078d2720427aefe6c66d7ce90a63331634f49d94a37ed5225acf2876155b

Analysis

max time kernel
53s
max time network
55s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
01-07-2024 10:36

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

cheker.exe
Size

16.0MB
MD5

4073368212b724b12a562b0dbf74e2d0
SHA1

8dca0faf07d074922992f723c3ff101628c26a8a
SHA256

7d5f078d2720427aefe6c66d7ce90a63331634f49d94a37ed5225acf2876155b
SHA512

c7e90e489c960271e6fafac6f838b231eaa7884b5e6d1b93e10e55fd075c988c78b2f8d4d8649a6aeab5be5341a9665d4ca03302bc8bd796cc30962f7be58afe
SSDEEP

393216:I4wP0hDEpTfheUmFQlZd7MhYRFC+QD3xs6DXwTuKvn:a0hYpTflFZlAYvUXXKn

Score

10^/10

dcrat evasion infostealer persistence ransomware rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "winlocker.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "winlocker.exe"	reg.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\drive injector.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\Xroblox.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\appdata.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\robloxClient.exe	dcrat

Disables RegEdit via registry modification 1 IoCs
evasion

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" reg.exe
Disables Task Manager via registry modification
evasion

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Drops startup file 3 IoCs

Processes:

kiler.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kiler.url	kiler.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kiler.exe	kiler.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kiler.exe	kiler.exe

Executes dropped EXE 7 IoCs

Processes:

Xroblox.exeappdata.exedriveinjector.exeinjector.exerobloxClient.exewindrive.exekiler.exe

pid process

4604 Xroblox.exe
3420 appdata.exe
1392 driveinjector.exe
2384 injector.exe
3640 robloxClient.exe
4608 windrive.exe
4768 kiler.exe
Loads dropped DLL 2 IoCs

Processes:

injector.exekiler.exe

pid process

2384 injector.exe
4768 kiler.exe

pid	process
4604	Xroblox.exe
3420	appdata.exe
1392	driveinjector.exe
2384	injector.exe
3640	robloxClient.exe
4608	windrive.exe
4768	kiler.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

kiler.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\kiler.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\kiler.exe\" .."	kiler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kiler.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\kiler.exe\" .."	kiler.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs
ransomware

Defacement
T1491

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = " " reg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2948 timeout.exe
Kills process with taskkill 5 IoCs
evasion

Processes:

TASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exetaskkill.exe

pid process

4900 TASKKILL.exe
2336 TASKKILL.exe
3592 TASKKILL.exe
1708 TASKKILL.exe
2852 taskkill.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = " "	reg.exe

pid	process
2948	timeout.exe

pid	process
4900	TASKKILL.exe
2336	TASKKILL.exe
3592	TASKKILL.exe
1708	TASKKILL.exe
2852	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe

Modifies registry class 5 IoCs

Processes:

cheker.exeappdata.exerobloxClient.exeXroblox.exedriveinjector.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	cheker.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	appdata.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	robloxClient.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	Xroblox.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	driveinjector.exe

Modifies registry key 1 TTPs 7 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

2996 reg.exe
1496 reg.exe
944 reg.exe
2292 reg.exe
4004 reg.exe
2736 reg.exe
2892 reg.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4332 schtasks.exe

pid	process
2996	reg.exe
1496	reg.exe
944	reg.exe
2292	reg.exe
4004	reg.exe
2736	reg.exe
2892	reg.exe

pid	process
4332	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

injector.exe

pid	process
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe
2384	injector.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

WScript.exeinjector.exeTASKKILL.exeTASKKILL.exeshutdown.exekiler.exeTASKKILL.exeTASKKILL.exe

description	pid	process
Token: SeShutdownPrivilege	3576	WScript.exe
Token: SeCreatePagefilePrivilege	3576	WScript.exe
Token: SeDebugPrivilege	2384	injector.exe
Token: SeDebugPrivilege	4900	TASKKILL.exe
Token: SeDebugPrivilege	2336	TASKKILL.exe
Token: SeShutdownPrivilege	2652	shutdown.exe
Token: SeRemoteShutdownPrivilege	2652	shutdown.exe
Token: SeDebugPrivilege	4768	kiler.exe
Token: SeDebugPrivilege	1708	TASKKILL.exe
Token: SeDebugPrivilege	3592	TASKKILL.exe
Token: 33	4768	kiler.exe
Token: SeIncBasePriorityPrivilege	4768	kiler.exe
Token: 33	4768	kiler.exe
Token: SeIncBasePriorityPrivilege	4768	kiler.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

500 LogonUI.exe

pid	process
500	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cheker.exedriveinjector.exeXroblox.exeappdata.exeinjector.exerobloxClient.exewindrive.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4804 wrote to memory of 4604	4804	cheker.exe	Xroblox.exe
PID 4804 wrote to memory of 4604	4804	cheker.exe	Xroblox.exe
PID 4804 wrote to memory of 4604	4804	cheker.exe	Xroblox.exe
PID 4804 wrote to memory of 3420	4804	cheker.exe	appdata.exe
PID 4804 wrote to memory of 3420	4804	cheker.exe	appdata.exe
PID 4804 wrote to memory of 3420	4804	cheker.exe	appdata.exe
PID 4804 wrote to memory of 1392	4804	cheker.exe	driveinjector.exe
PID 4804 wrote to memory of 1392	4804	cheker.exe	driveinjector.exe
PID 4804 wrote to memory of 1392	4804	cheker.exe	driveinjector.exe
PID 4804 wrote to memory of 2384	4804	cheker.exe	injector.exe
PID 4804 wrote to memory of 2384	4804	cheker.exe	injector.exe
PID 4804 wrote to memory of 2384	4804	cheker.exe	injector.exe
PID 4804 wrote to memory of 3640	4804	cheker.exe	robloxClient.exe
PID 4804 wrote to memory of 3640	4804	cheker.exe	robloxClient.exe
PID 4804 wrote to memory of 3640	4804	cheker.exe	robloxClient.exe
PID 4804 wrote to memory of 3576	4804	cheker.exe	WScript.exe
PID 4804 wrote to memory of 3576	4804	cheker.exe	WScript.exe
PID 1392 wrote to memory of 1068	1392	driveinjector.exe	WScript.exe
PID 1392 wrote to memory of 1068	1392	driveinjector.exe	WScript.exe
PID 1392 wrote to memory of 1068	1392	driveinjector.exe	WScript.exe
PID 4604 wrote to memory of 592	4604	Xroblox.exe	WScript.exe
PID 4604 wrote to memory of 592	4604	Xroblox.exe	WScript.exe
PID 4604 wrote to memory of 592	4604	Xroblox.exe	WScript.exe
PID 3420 wrote to memory of 4488	3420	appdata.exe	WScript.exe
PID 3420 wrote to memory of 4488	3420	appdata.exe	WScript.exe
PID 3420 wrote to memory of 4488	3420	appdata.exe	WScript.exe
PID 2384 wrote to memory of 2336	2384	injector.exe	TASKKILL.exe
PID 2384 wrote to memory of 2336	2384	injector.exe	TASKKILL.exe
PID 2384 wrote to memory of 2336	2384	injector.exe	TASKKILL.exe
PID 2384 wrote to memory of 4900	2384	injector.exe	TASKKILL.exe
PID 2384 wrote to memory of 4900	2384	injector.exe	TASKKILL.exe
PID 2384 wrote to memory of 4900	2384	injector.exe	TASKKILL.exe
PID 3640 wrote to memory of 2580	3640	robloxClient.exe	WScript.exe
PID 3640 wrote to memory of 2580	3640	robloxClient.exe	WScript.exe
PID 3640 wrote to memory of 2580	3640	robloxClient.exe	WScript.exe
PID 4804 wrote to memory of 368	4804	cheker.exe	cmd.exe
PID 4804 wrote to memory of 368	4804	cheker.exe	cmd.exe
PID 4804 wrote to memory of 2928	4804	cheker.exe	cmd.exe
PID 4804 wrote to memory of 2928	4804	cheker.exe	cmd.exe
PID 4804 wrote to memory of 4608	4804	cheker.exe	windrive.exe
PID 4804 wrote to memory of 4608	4804	cheker.exe	windrive.exe
PID 4804 wrote to memory of 4608	4804	cheker.exe	windrive.exe
PID 4608 wrote to memory of 4724	4608	windrive.exe	cmd.exe
PID 4608 wrote to memory of 4724	4608	windrive.exe	cmd.exe
PID 368 wrote to memory of 3796	368	cmd.exe	reg.exe
PID 368 wrote to memory of 3796	368	cmd.exe	reg.exe
PID 4724 wrote to memory of 2948	4724	cmd.exe	timeout.exe
PID 4724 wrote to memory of 2948	4724	cmd.exe	timeout.exe
PID 2928 wrote to memory of 944	2928	cmd.exe	reg.exe
PID 2928 wrote to memory of 944	2928	cmd.exe	reg.exe
PID 368 wrote to memory of 2276	368	cmd.exe	reg.exe
PID 368 wrote to memory of 2276	368	cmd.exe	reg.exe
PID 2928 wrote to memory of 2652	2928	cmd.exe	shutdown.exe
PID 2928 wrote to memory of 2652	2928	cmd.exe	shutdown.exe
PID 368 wrote to memory of 3500	368	cmd.exe	reg.exe
PID 368 wrote to memory of 3500	368	cmd.exe	reg.exe
PID 4724 wrote to memory of 2660	4724	cmd.exe	reg.exe
PID 4724 wrote to memory of 2660	4724	cmd.exe	reg.exe
PID 368 wrote to memory of 192	368	cmd.exe	rundll32.exe
PID 368 wrote to memory of 192	368	cmd.exe	rundll32.exe
PID 4724 wrote to memory of 216	4724	cmd.exe	reg.exe
PID 4724 wrote to memory of 216	4724	cmd.exe	reg.exe
PID 2928 wrote to memory of 2292	2928	cmd.exe	reg.exe
PID 2928 wrote to memory of 2292	2928	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\cheker.exe
"C:\Users\Admin\AppData\Local\Temp\cheker.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4804

C:\Users\Admin\AppData\Local\Temp\Xroblox.exe
"C:\Users\Admin\AppData\Local\Temp\Xroblox.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\BlockproviderComponentweb\LzYuX9pzQxeIw.vbe"
3⤵
PID:592

C:\Users\Admin\AppData\Local\Temp\appdata.exe
"C:\Users\Admin\AppData\Local\Temp\appdata.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3420

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\BlockproviderComponentweb\FlrU2Sw3hI88Kq0oMKFqlJBcKKk7.vbe"
3⤵
PID:4488

C:\Users\Admin\AppData\Local\Temp\driveinjector.exe
"C:\Users\Admin\AppData\Local\Temp\driveinjector.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProviderwebRuntimebrokerDll\AzoUH9rmryPf4YVykgERWga1ZsG.vbe"
3⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\injector.exe
"C:\Users\Admin\AppData\Local\Temp\injector.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM wscript.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM cmd.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Users\Admin\AppData\Local\Temp\kiler.exe
"C:\Users\Admin\AppData\Local\Temp\kiler.exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM wscript.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM cmd.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
4⤵
- Kills process with taskkill
PID:2852

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
4⤵
PID:4544

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Local\Temp\kiler.exe
4⤵
- Scheduled Task/Job: Scheduled Task
PID:4332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\injector.exe"
3⤵
PID:1624

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 5
4⤵
PID:5048

C:\Users\Admin\AppData\Local\Temp\robloxClient.exe
"C:\Users\Admin\AppData\Local\Temp\robloxClient.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3640

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\BlockproviderComponentweb\rLN2CzC2BGDm0saFwwqZ.vbe"
3⤵
PID:2580

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\startoff.vbs"
2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:3576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\start.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d " " /f
3⤵
- Sets desktop wallpaper using registry
PID:3796

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v WallPaperStyle /t REG_SZ /d 2 /f
3⤵
PID:2276

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d 0 /f
3⤵
PID:3500

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\123.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
- Modifies registry key
PID:944

C:\Windows\system32\shutdown.exe
shutdown /r /t 30
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
3⤵
- Disables RegEdit via registry modification
- Modifies registry key
PID:2292

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f
3⤵
- Modifies registry key
PID:4004

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NO winKeys /t REG_DWORD /d 1 /f
3⤵
- Modifies registry key
PID:2736

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NO Drives /t REG_DWORD /d 1 /f
3⤵
- Modifies registry key
PID:2892

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HidePowerOptions /t REG_DWORD /d 1 /f
3⤵
- Modifies registry key
PID:2996

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v No ViewOnDrive /t REG_DWORD /d 1 /f
3⤵
- Modifies registry key
PID:1496

C:\Windows\system32\rundll32.exe
rundll32 mouse,disable
3⤵
PID:4756

C:\Users\Admin\AppData\Local\Temp\windrive.exe
"C:\Users\Admin\AppData\Local\Temp\windrive.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A4AC.tmp\A4AD.tmp\A4AE.bat C:\Users\Admin\AppData\Local\Temp\windrive.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\system32\timeout.exe
timeout 0
4⤵
- Delays execution with timeout.exe
PID:2948

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "winlocker.exe" /f
4⤵
- Modifies WinLogon for persistence
PID:2660

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "winlocker.exe" /f
4⤵
- Modifies WinLogon for persistence
PID:216

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x200
1⤵
PID:1556

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aed055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:500

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BlockproviderComponentweb\LzYuX9pzQxeIw.vbe
Filesize
224B

MD5
ac65a75f2ee29bca1ced3f4279f35192

SHA1
905f99dc033b80377da593dfaa03ca9dea86521b

SHA256
b0ebc32dafa29a57b91c73ac0b89242da68d40cd470c262d4cc0361ba0cd8b95

SHA512
8ddfbc73ce949e48b270fd1717fe42d035c54d14cbb17f1764e98ae17305d26bc246deb254b0d439f314133e574b6c2bd8b1f1611cbf07eecbb569251f4c6206

Download Submit
C:\ProviderwebRuntimebrokerDll\AzoUH9rmryPf4YVykgERWga1ZsG.vbe
Filesize
227B

MD5
4a854cad3f93b3e5c68443bedd1f8de1

SHA1
b71b93f98f49c7d334a09c80bac424db005913de

SHA256
c21e88d44eb247ab02667e37de05d2e10ecc27bdfdc0f380778494570b5377db

SHA512
b5a0db320eeecb1ab7c72376d3cf42f1c2c9aa659456dcad1f66696b6d0c0b83daa46b04e993d69aa7f0ac8ad4324a1a86e3e3d7dbd41d39d8e727e80a6c7541

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\123.bat
Filesize
2KB

MD5
6dc1223fd2f2355f7519ef05b3573579

SHA1
6750ee8463f6be825bf33de91d6211b66b1c52cb

SHA256
c0b8d34c1fcdc4da9ea3881a517dee2b83cf45d519a87363dbc9c564ecb2c5ea

SHA512
a5348d646f981acacda3385fb770eedf83799d5aa370beebcf9fc2721f6af8fb36f9992b7e8a23c94804f616a763dfd06be2eff21dbdd6b387b36b181d5958a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4AC.tmp\A4AD.tmp\A4AE.bat
Filesize
15KB

MD5
0d55ae276ab5546c2ec30fb4eb175fff

SHA1
d6613f6ff4ca80fbca37a2e6afdc91db3bc769fb

SHA256
803ec9b0c408c8e8b6138fbeaed42a203420fbd67ee88c454dd1b27da967c2cc

SHA512
17b2d9d878513d92b263f6ec69d29b9dddf5dcce32fc30869018c11acf558cc8be08a69371f5d4edbbd461223f00e74c80e9457dd51fe52932b7e4e1a7bf8733

Download Submit
C:\Users\Admin\AppData\Local\Temp\BlockproviderComponentweb\rLN2CzC2BGDm0saFwwqZ.vbe
Filesize
214B

MD5
c6e17f78ef2cab853baa01a81f114972

SHA1
246165f27b7d3d2ac642c5230f7ca09e39dd36a6

SHA256
25f85a5bcaed5fadfba4b5368f224468e602e8991225b1fc2176cec26672cd81

SHA512
84384b504dfceb204d15b8961f25ac40b6747014a4a4eb7b1ed2948c5d90e36db782c11d034f18f8cf18e53d3c6635d7d0fc6bb43866a464a24e02695dc13061

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xroblox.exe
Filesize
3.1MB

MD5
918f850b87799087aab3391985a3c81a

SHA1
9ff3cb6d0d3694d10acdda212826b9ffb7759f78

SHA256
fb1ad76b6875612578539b3bf70c93438165465dd6b4cd128a692cfed974e5f7

SHA512
ca1abdfc6a2007f516c46d8446c76e0e02c1087ceb38827e41c84f352b17175a7c4ffac18cc2283a7fb690324685a2acb1b310f234f755aafa1bcdc645bbbf1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\appdata.exe
Filesize
3.1MB

MD5
84d84c88f059dcc80c8b8269bda163d0

SHA1
94ca3cdba45a6961a19162cfc9eaa85a65be21ea

SHA256
0813184d94537f7f52e27a48733ce01ab3f8a40c807f8b1e3e876a0857270b98

SHA512
778ee47a7ee2967ffaa101d2de287be8545adfbd26e1d7f9944d8b3f5c238751bb48aa73f64ea1d1180692b383792281504bd6d54ec9446f2396fed4090255fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\drive injector.exe
Filesize
3.1MB

MD5
3a8e20e9b2e9f923d8c7f73e0a4cf725

SHA1
300070b3025f282e63af63a4751762e6309dbd95

SHA256
7d0a7d85531fa4e95cad06073ce5fc918c1a1607f8b7c3da9ea0d765d3ab9dad

SHA512
8892c7cce62bd29d40b66415a1847fec2cf75c181ec3ddcc8e628db4775cf2fb5de0505eb61ce44c36813462c48a18945ed53f9bf7c2734a202194ed3c932d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\injector.exe
Filesize
249KB

MD5
8bb7f3314ffb6329e0a2e94489df2579

SHA1
33abb1c5671a8a08e45712a7417ccba94cac8f61

SHA256
77d822158965fe6c07d02d6fd22590f2fd5b67b0fb2f1f0b080bf8f627687c63

SHA512
1ca4b92ded899e01550f0fbb362842692137f72e63301453880fb39e342d9b8be98c35b53cb50821009c33fe3a2ab986ecfdf4dee80e04f31669f20e2caa1193

Download Submit
C:\Users\Admin\AppData\Local\Temp\robloxClient.exe
Filesize
3.1MB

MD5
7d43fffdbeb71e7ff79251ebf8b558a7

SHA1
00ef8701369d0308bc50876e75db78f803cccaa0

SHA256
3cb7f2e31e0d726f91631cdc0a44e8c97282e48a23a76521346df13f159d6e16

SHA512
78971890e29f929bd9913ebbfff5f324590b82582be168427e939f123d9f9f1ee264643b0489deb12711e41d58e6bfd0678ab63fcfc4a945a01909aad8b04da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.bat
Filesize
312B

MD5
bf3c10d1ff785241b7e56be626373c80

SHA1
5e6ce808736f6ddcd125b56a26bd1c97a26cfc00

SHA256
2f17cc457f3b453cbcf569e35016a889bcadf7f2baf3e299929af9a3669aaed2

SHA512
0eb72f6ff4e40668df62166efd7fefa62ab8164e380bbd76ace82e6c8f0d51f1f999e768d77716456aa090ed4e97749ae388d17cc4f78cc589ba08165abbcf78

Download Submit
C:\Users\Admin\AppData\Local\Temp\startcheat.mp3
Filesize
83KB

MD5
4843241a72238329e13f2497733fd70c

SHA1
c6b6fcc361bbcf17e9d05868deec5700b9e1d048

SHA256
3c6de7e0e9b3781a9bbf710553efaacbd61afd486034a1a633e571fdb02f4348

SHA512
f302d7b69c6a9eced6770ca2e6da3119c3bdf9c2a6a90657814cf0b5ddc52f3c336a4c5e45152443bb6d6f3fa777e3d99c82a3c090c6fa5b4b377f5aa0e1ba20

Download Submit
C:\Users\Admin\AppData\Local\Temp\startoff.vbs
Filesize
122B

MD5
f65c8c5a951686b035bded7c3ad3cb8c

SHA1
0fe23a2d14d0d04a4e824cacb086cd379577f4e3

SHA256
408aee75addf93eb1e790c4615622bb90a639b0862598ad387f948dda533534b

SHA512
b9adc1e916730b36f34149a0063eec2d5ce296490fd84b44ea57cef4567cae9849def5b2d27a9327c607d4d859595b2b4cfb3a1aeb6245137170867f35a5c010

Download Submit
C:\Users\Admin\AppData\Local\Temp\windrive.exe
Filesize
108KB

MD5
3a0f22f80c3edce0174f14cb35b896d1

SHA1
a3bb47e6ffe48fc8f72f1e32a30098ddf33f5009

SHA256
86a96776f970cbe6b71d1bcadfb4fcf2d430f99b99a0db914829656b7ee00044

SHA512
d9d3311ab81930f0de6ff0be8c854747fe885613fb1540305588611de49e40ea39b8879d5418f4123d5bf39915810b08ffae7a3f7d916ce76fe93a1c728fb054

Download Submit
C:\Users\Admin\AppData\Roaming\BlockproviderComponentweb\FlrU2Sw3hI88Kq0oMKFqlJBcKKk7.vbe
Filesize
215B

MD5
f31a6303fa711859b55f1823d797c287

SHA1
8a56aaf8ed61bbee69334a1bdb6330351c448102

SHA256
32eaa92211f658207acdfa9cf61ffb6ec96330e6918d35943c3562a8323bcc37

SHA512
a9e9b9ebe96e79cc49e441896eb80af50aafd378c9f52cf5bfd50feae7b2a54369ceb47fe186a054ee1f30e70bf0507189de71c871a55c05e9a92d0c2ac12d02

Download Submit
\Users\Admin\AppData\Local\Temp\VERSION.DLL
Filesize
18KB

MD5
4c7d34c4224a4e95dd23d61798e11180

SHA1
f4d38146721ed1c285805b4f0602a66d9fdb994a

SHA256
8b97c55c15fe91680955611cd4a562c9c47eedfbedb514ff52992c029f15e86a

SHA512
2c8589d8f38c7e56fd6b416b9ce44a51e62fd79c6fdc87c32d8a53f5cee9ae70a2ae2f91dfc324e47dc1dfcbb9e764fd1583ff8eee2f4b500a38bc224b2cac41

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads