Analysis
-
max time kernel     130s
max time network    186s
platform            windows7_x64
resource            win7v20210410
submitted           20-06-2021 22:32
Behavioral tasks
-
behavioral1    Sample: 787F845B904FD7FC0F36F5CCAB9691C0.exe    Resource: win7v20210410
behavioral2    Sample: 787F845B904FD7FC0F36F5CCAB9691C0.exe    Resource: win10v20210408
General
-
Target    787F845B904FD7FC0F36F5CCAB9691C0.exe
Size      1.5MB
MD5       787f845b904fd7fc0f36f5ccab9691c0
SHA1      d25cd2bf2986862d7c4d5923a144b5c6d11690ac
SHA256    a7629346a7228cd9b9d1db57a2d25c12c87506db851f43dd99fcb5e8f0e520ec
SHA512    05ab7acb67cd7852620a4e835ebaadbe1b709c01dd025e701be7ec04c63abc4b8e045f50911c6aa0f7253c3b1349a0174f08fd0f54b5d0fed9524c719c6135d3
Malware Config
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
resource                                                                      yara_rule
behavioral1/memory/1656-86-0x0000000000430000-0x0000000000432000-memory.dmp   disable_win_def
-
DcRat
DarkCrystal RAT (DcRat) is a .NET RAT, active since June 2019, capable of loading additional plugins. The yara rule matched the dropped executable in every location it was written to, including the winlogon.exe copy in C:\PerfLogs\Admin.
-
Processes:
resource                                                                          yara_rule
\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe              dcrat
C:\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe            dcrat
\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe              dcrat
C:\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe            dcrat
C:\PerfLogs\Admin\winlogon.exe                                                    dcrat
C:\PerfLogs\Admin\winlogon.exe                                                    dcrat
-
Executes dropped EXE 2 IoCs
Processes:
pid     process
268     savesRefRuntimebrokersvcwinIntoruntime.exe
1656    winlogon.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid     process
1316    cmd.exe
1316    cmd.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow    ioc
7       ipinfo.io
8       ipinfo.io
-
Drops file in System32 directory 5 IoCs
Processes:
description                     ioc                                                                                    process
File opened for modification    C:\Windows\System32\gpprefcl\dwm.exe                                                   savesRefRuntimebrokersvcwinIntoruntime.exe
File created                    C:\Windows\System32\gpprefcl\6cb0b6c459d5d3455a3da700e713f2e2529862ff                   savesRefRuntimebrokersvcwinIntoruntime.exe
File created                    C:\Windows\System32\wbem\portabledeviceapi\WMIADAP.exe                                 savesRefRuntimebrokersvcwinIntoruntime.exe
File created                    C:\Windows\System32\wbem\portabledeviceapi\75a57c1bdf437c0c81ad56e81f43c7323ed35745    savesRefRuntimebrokersvcwinIntoruntime.exe
File created                    C:\Windows\System32\gpprefcl\dwm.exe                                                   savesRefRuntimebrokersvcwinIntoruntime.exe
-
Drops file in Program Files directory 2 IoCs
Processes:
description     ioc                                                                     process
File created    C:\Program Files\Google\conhost.exe                                     savesRefRuntimebrokersvcwinIntoruntime.exe
File created    C:\Program Files\Google\088424020bedd6b28ac7fd22ee35dcd7322895ce        savesRefRuntimebrokersvcwinIntoruntime.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). This heuristic is usually associated with ransomware, but in this sample it sits alongside DcRat stealer behaviour (browser data, cryptocurrency wallets), so the drive enumeration is more plausibly file discovery for collection than preparation for encryption.
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here four tasks are created with /sc ONLOGON and /rl HIGHEST, each named after a Windows system binary (dwm, winlogon, conhost, WMIADAP) and each pointing at a dropped copy of the payload outside that binary's legitimate directory.
Processes:
pid     process
1660    schtasks.exe
1888    schtasks.exe
1456    schtasks.exe
932     schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid     process
268     savesRefRuntimebrokersvcwinIntoruntime.exe
1656    winlogon.exe
1656    winlogon.exe
1656    winlogon.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid     process
1656    winlogon.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description                 pid     process
Token: SeDebugPrivilege     268     savesRefRuntimebrokersvcwinIntoruntime.exe
Token: SeDebugPrivilege     1656    winlogon.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid     process
1656    winlogon.exe
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes (27 write events, grouped by source and target; count in the last column):
source pid    source process                                  target pid    target process                                  count
1732          787F845B904FD7FC0F36F5CCAB9691C0.exe            1800          WScript.exe                                     4
1800          WScript.exe                                     1316          cmd.exe                                         4
1316          cmd.exe                                         268           savesRefRuntimebrokersvcwinIntoruntime.exe      4
268           savesRefRuntimebrokersvcwinIntoruntime.exe      1660          schtasks.exe                                    3
268           savesRefRuntimebrokersvcwinIntoruntime.exe      1888          schtasks.exe                                    3
268           savesRefRuntimebrokersvcwinIntoruntime.exe      1456          schtasks.exe                                    3
268           savesRefRuntimebrokersvcwinIntoruntime.exe      932           schtasks.exe                                    3
268           savesRefRuntimebrokersvcwinIntoruntime.exe      1656          winlogon.exe                                    3
Processes
-
C:\Users\Admin\AppData\Local\Temp\787F845B904FD7FC0F36F5CCAB9691C0.exe  (depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\787F845B904FD7FC0F36F5CCAB9691C0.exe"
    - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\WScript.exe  (depth 2)
      Command line: "C:\Windows\System32\WScript.exe" "C:\savesRefRuntimebrokersvc\kyajHqpLZ.vbe"
      (the image path is SysWOW64 although the command line says System32: the 32-bit parent is subject to WOW64 file system redirection)
      - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\cmd.exe  (depth 3)
        Command line: cmd /c ""C:\savesRefRuntimebrokersvc\rnYPsMDbrJvA9KRVcvnGqwI.bat" "
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      -
      C:\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe  (depth 4)
          Command line: "C:\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe"
          - Executes dropped EXE
          - Drops file in System32 directory
          - Drops file in Program Files directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        -
        C:\Windows\system32\schtasks.exe  (depth 5)
            Command line: "schtasks" /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\gpprefcl\dwm.exe'" /rl HIGHEST /f
            - Creates scheduled task(s)
        -
        C:\Windows\system32\schtasks.exe  (depth 5)
            Command line: "schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\PerfLogs\Admin\winlogon.exe'" /rl HIGHEST /f
            - Creates scheduled task(s)
        -
        C:\Windows\system32\schtasks.exe  (depth 5)
            Command line: "schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Google\conhost.exe'" /rl HIGHEST /f
            - Creates scheduled task(s)
        -
        C:\Windows\system32\schtasks.exe  (depth 5)
            Command line: "schtasks" /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\System32\wbem\portabledeviceapi\WMIADAP.exe'" /rl HIGHEST /f
            - Creates scheduled task(s)
        -
        C:\PerfLogs\Admin\winlogon.exe  (depth 5)
            Command line: "C:\PerfLogs\Admin\winlogon.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\PerfLogs\Admin\winlogon.exe
MD5       ed0551481fa342d10d1513feaeaa07f1
SHA1      a7c1effe9f14d07d03d55285896d9ef1c8af62c6
SHA256    1fc3e401a27c81159ca6515bf7746bcb78c20e5ad33d2922f4713ab4635d75b1
SHA512    02e861571506262b7ba6f5d5671ee8759107554bc9799955f841580484cf3aaddc6219db2df6b355cabb79880149b8d6ff47f8e2caa4eec0ba1a2a93a08f6c65
-
C:\savesRefRuntimebrokersvc\kyajHqpLZ.vbe
MD5       77392f6900492949787a7d7967eb10b6
SHA1      84767159f4baadbf75043355e691877e75fcdf12
SHA256    2e5a321119df0fac677de8fc52c4ae82c87d64012ed1ef3c8ee39df96c2f5627
SHA512    8ce6af44fc77636d0e5d2719ebb82144ea47dfd4bb798c7519a1bdfab3bc3723f9531629deb0fba25f298c471705347502ab5a0c8198c1c16a213a0a7f970fa5
-
C:\savesRefRuntimebrokersvc\rnYPsMDbrJvA9KRVcvnGqwI.bat
MD5       3bb4b3b2af3807680dfa1867b0290279
SHA1      1c13ea22c5b7b084ff2562f2289c222ab0897e93
SHA256    799a39579ea7c43e5dc9dbfafc22d3e563fa8692c5bf97442bd788bda03d95d5
SHA512    eadd2cf766c4dce412e0f25f936bedd97fd71f031e52c0f09196571979211fd6d817fa2f4758e1677d4d9efa06b2dc0e9bcb838434eb19c0af2d8fafe983445b
-
C:\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe (also recorded as \savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe)
MD5       ed0551481fa342d10d1513feaeaa07f1
SHA1      a7c1effe9f14d07d03d55285896d9ef1c8af62c6
SHA256    1fc3e401a27c81159ca6515bf7746bcb78c20e5ad33d2922f4713ab4635d75b1
SHA512    02e861571506262b7ba6f5d5671ee8759107554bc9799955f841580484cf3aaddc6219db2df6b355cabb79880149b8d6ff47f8e2caa4eec0ba1a2a93a08f6c65
(identical hashes to C:\PerfLogs\Admin\winlogon.exe: the stage-2 loader and the winlogon.exe persistence copy are the same binary, so one hash covers both locations)
-
Memory dumps (pid-index-range):
memory/268-69-0x0000000000000000-mapping.dmp
memory/268-71-0x0000000001100000-0x0000000001101000-memory.dmp      4KB
memory/268-73-0x000000001B090000-0x000000001B092000-memory.dmp      8KB
memory/932-77-0x0000000000000000-mapping.dmp
memory/1316-65-0x0000000000000000-mapping.dmp
memory/1456-76-0x0000000000000000-mapping.dmp
memory/1656-78-0x0000000000000000-mapping.dmp
memory/1656-81-0x0000000000E60000-0x0000000000E61000-memory.dmp     4KB
memory/1656-83-0x0000000000A80000-0x0000000000A82000-memory.dmp     8KB
memory/1656-84-0x00000000005C0000-0x00000000005C6000-memory.dmp     24KB
memory/1656-85-0x0000000000420000-0x0000000000425000-memory.dmp     20KB
memory/1656-86-0x0000000000430000-0x0000000000432000-memory.dmp     8KB    (disable_win_def yara match)
memory/1656-87-0x0000000000A20000-0x0000000000A24000-memory.dmp     16KB
memory/1656-88-0x0000000000A30000-0x0000000000A32000-memory.dmp     8KB
memory/1656-89-0x0000000000A40000-0x0000000000A41000-memory.dmp     4KB
memory/1656-90-0x0000000000A50000-0x0000000000A52000-memory.dmp     8KB
memory/1656-91-0x0000000000A60000-0x0000000000A61000-memory.dmp     4KB
memory/1660-74-0x0000000000000000-mapping.dmp
memory/1732-60-0x0000000075971000-0x0000000075973000-memory.dmp     8KB
memory/1800-61-0x0000000000000000-mapping.dmp
memory/1888-75-0x0000000000000000-mapping.dmp