Analysis
- max time kernel: 130s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 20-06-2021 22:32

Behavioral task: behavioral1
- Sample: 787F845B904FD7FC0F36F5CCAB9691C0.exe
- Resource: win7v20210410

Behavioral task: behavioral2
- Sample: 787F845B904FD7FC0F36F5CCAB9691C0.exe
- Resource: win10v20210408

The signatures, process tree, downloads and memory dumps below come from behavioral2 (the win10v20210408 run); the memory-dump IoCs are prefixed behavioral2/ accordingly.

General
- Target: 787F845B904FD7FC0F36F5CCAB9691C0.exe
- Size: 1.5MB
- MD5: 787f845b904fd7fc0f36f5ccab9691c0
- SHA1: d25cd2bf2986862d7c4d5923a144b5c6d11690ac
- SHA256: a7629346a7228cd9b9d1db57a2d25c12c87506db851f43dd99fcb5e8f0e520ec
- SHA512: 05ab7acb67cd7852620a4e835ebaadbe1b709c01dd025e701be7ec04c63abc4b8e045f50911c6aa0f7253c3b1349a0174f08fd0f54b5d0fed9524c719c6135d3
Malware Config
Signatures
Contains code to disable Windows Defender (1 IoC)
A .NET executable containing code to disable Windows Defender capabilities such as real-time monitoring and block-at-first-seen.
YARA match (rule disable_win_def):
- behavioral2/memory/3488-142-0x0000000001510000-0x0000000001512000-memory.dmp (PID 3488, slui.exe)
DcRat
DarkCrystal (DC) is a .NET RAT active since June 2019, capable of loading additional plugins.
YARA matches (rule dcrat; each file is matched twice in the report):
- C:\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe
- C:\Windows\System32\thumbcache\slui.exe
Executes dropped EXE (2 IoCs)
Processes:
- PID 2860: savesRefRuntimebrokersvcwinIntoruntime.exe
- PID 3488: slui.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers target stored browser data, which can include saved credentials.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows:
- flow 14: ipinfo.io
- flow 15: ipinfo.io
Drops file in System32 directory (3 IoCs)
Process: savesRefRuntimebrokersvcwinIntoruntime.exe
- File opened for modification: C:\Windows\System32\thumbcache\slui.exe
- File created: C:\Windows\System32\thumbcache\a29f4157103644af5692ebfddf35f6dff4e237da
- File created: C:\Windows\System32\thumbcache\slui.exe
Drops file in Program Files directory (2 IoCs)
Process: savesRefRuntimebrokersvcwinIntoruntime.exe
- File created: C:\Program Files\Microsoft Office\root\Client\conhost.exe
- File created: C:\Program Files\Microsoft Office\root\Client\088424020bedd6b28ac7fd22ee35dcd7322895ce
Drops file in Windows directory (2 IoCs)
Process: savesRefRuntimebrokersvcwinIntoruntime.exe
- File created: C:\Windows\WindowsShell\explorer.exe
- File created: C:\Windows\WindowsShell\7a0fd90576e08807bde2cc57bcf9854bbce05fe3
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; for a sample classified as DcRat it is better read as drive/file enumeration by a RAT with stealer functionality, not as evidence of encryption.
Creates scheduled task(s) (1 TTP, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- PID 2340: schtasks.exe
- PID 4092: schtasks.exe
- PID 3356: schtasks.exe
- PID 3200: schtasks.exe
Modifies registry class (2 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings (787F845B904FD7FC0F36F5CCAB9691C0.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings (savesRefRuntimebrokersvcwinIntoruntime.exe)
Runs ping.exe (1 TTP, 1 IoC)
- PID 4044: PING.EXE, ping -n 5 localhost (used as a delay in the uRKTj1oKgu.bat stage before launching slui.exe; see the process tree)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
- PID 2860: savesRefRuntimebrokersvcwinIntoruntime.exe
- PID 3488: slui.exe (3 occurrences)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 3488: slui.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 2860, savesRefRuntimebrokersvcwinIntoruntime.exe
- Token: SeDebugPrivilege, PID 3488, slui.exe
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 3488: slui.exe
Suspicious use of WriteProcessMemory (24 IoCs)
Parent PID wrote to child PID (number of records in parentheses):
- 652 787F845B904FD7FC0F36F5CCAB9691C0.exe -> 3856 WScript.exe (3)
- 3856 WScript.exe -> 776 cmd.exe (3)
- 776 cmd.exe -> 2860 savesRefRuntimebrokersvcwinIntoruntime.exe (2)
- 2860 savesRefRuntimebrokersvcwinIntoruntime.exe -> 2340 schtasks.exe (2)
- 2860 savesRefRuntimebrokersvcwinIntoruntime.exe -> 4092 schtasks.exe (2)
- 2860 savesRefRuntimebrokersvcwinIntoruntime.exe -> 3356 schtasks.exe (2)
- 2860 savesRefRuntimebrokersvcwinIntoruntime.exe -> 3200 schtasks.exe (2)
- 2860 savesRefRuntimebrokersvcwinIntoruntime.exe -> 2324 cmd.exe (2)
- 2324 cmd.exe -> 744 chcp.com (2)
- 2324 cmd.exe -> 4044 PING.EXE (2)
- 2324 cmd.exe -> 3488 slui.exe (2)
Processes
- C:\Users\Admin\AppData\Local\Temp\787F845B904FD7FC0F36F5CCAB9691C0.exe (PID 652)
  Command line: "C:\Users\Admin\AppData\Local\Temp\787F845B904FD7FC0F36F5CCAB9691C0.exe"
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe (PID 3856)
    Command line: "C:\Windows\System32\WScript.exe" "C:\savesRefRuntimebrokersvc\kyajHqpLZ.vbe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 776)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\savesRefRuntimebrokersvc\rnYPsMDbrJvA9KRVcvnGqwI.bat" "
      - Suspicious use of WriteProcessMemory
      - C:\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe (PID 2860)
        Command line: "C:\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe"
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SYSTEM32\schtasks.exe
          Command line: "schtasks" /create /tn "slui" /sc ONLOGON /tr "'C:\Windows\System32\thumbcache\slui.exe'" /rl HIGHEST /f
          - Creates scheduled task(s)
        - C:\Windows\SYSTEM32\schtasks.exe
          Command line: "schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\WindowsShell\explorer.exe'" /rl HIGHEST /f
          - Creates scheduled task(s)
        - C:\Windows\SYSTEM32\schtasks.exe
          Command line: "schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
          - Creates scheduled task(s)
        - C:\Windows\SYSTEM32\schtasks.exe
          Command line: "schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\Client\conhost.exe'" /rl HIGHEST /f
          - Creates scheduled task(s)
        - C:\Windows\System32\cmd.exe (PID 2324)
          Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uRKTj1oKgu.bat"
          - Suspicious use of WriteProcessMemory
          - C:\Windows\system32\chcp.com (PID 744)
            Command line: chcp 65001
          - C:\Windows\system32\PING.EXE (PID 4044)
            Command line: ping -n 5 localhost
            - Runs ping.exe
          - C:\Windows\System32\thumbcache\slui.exe (PID 3488)
            Command line: "C:\Windows\System32\thumbcache\slui.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx

Notes on the chain (PIDs are taken from the WriteProcessMemory records above; the four schtasks.exe instances are PIDs 2340, 4092, 3356 and 3200, in an order the report does not tie to individual task names):
- The WScript.exe and cmd.exe images resolve under C:\Windows\SysWOW64 although their command lines name System32, so the initial sample is a 32-bit process and file-system redirection applies to its children. The second-stage savesRefRuntimebrokersvcwinIntoruntime.exe then launches schtasks.exe and cmd.exe from the native System32.
- savesRefRuntimebrokersvcwinIntoruntime.exe and the dropped C:\Windows\System32\thumbcache\slui.exe have identical hashes (see Downloads), so slui.exe is a copy of the second stage installed under a system-binary name in a directory where the real slui.exe does not live. The same naming trick covers explorer.exe under C:\Windows\WindowsShell and conhost.exe under C:\Program Files\Microsoft Office\root\Client.
- All four tasks use /sc ONLOGON and /rl HIGHEST, giving the RAT a logon-triggered, elevated restart. The csrss task points at C:\Recovery\WindowsRE\csrss.exe, for which no file-drop IoC appears in this report.
- uRKTj1oKgu.bat runs chcp 65001 and ping -n 5 localhost as a short delay before starting the installed copy, a common batch idiom that lets the installer exit before the copy runs.
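The four scheduled tasks and the dropped files share one tell: a well-known Windows binary name (slui.exe, explorer.exe, csrss.exe, conhost.exe) placed in a directory where that binary does not belong. The Python below is an added example, not part of this sandbox report or of DcRat: it parses the schtasks command lines, strips the nested "'path'" quoting, and flags the name/location mismatch. The LEGIT_HOMES allow-list and all function names are assumptions for illustration; the sample inputs are copied from the report's process tree and file-drop IoCs, plus one constructed benign control.

```python
"""Masquerading check for the dropped files and scheduled tasks in this report.

Added example, not part of the sandbox report. Assumptions: LEGIT_HOMES is a
small hand-written baseline; sample inputs are copied from the report.
"""
import re
from pathlib import PureWindowsPath

# Where each tracked Windows binary name legitimately lives (assumption:
# a minimal allow-list; a real baseline should come from a known-good host).
LEGIT_HOMES = {
    "slui.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "csrss.exe": {r"c:\windows\system32"},
    "conhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# Matches /tn "name", /sc ONLOGON, /tr "'path'", /rl HIGHEST (quoted or bare value).
_SCHTASKS_OPT = re.compile(r'/(tn|sc|tr|rl)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def is_masquerading(path: str) -> bool:
    """True when a tracked system-binary name sits outside its legitimate directory."""
    p = PureWindowsPath(path)
    homes = LEGIT_HOMES.get(p.name.lower())
    if homes is None:
        return False  # not a name we track; no opinion
    return str(p.parent).lower().rstrip("\\") not in homes


def parse_schtasks(cmdline: str) -> dict:
    """Pull /tn, /sc, /tr and /rl out of a schtasks command line.

    The /tr value in this report is wrapped as "'path'"; both quote layers are removed.
    """
    opts = {}
    for m in _SCHTASKS_OPT.finditer(cmdline):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        opts[m.group(1).lower()] = value.strip("'")
    return opts


def assess_task(cmdline: str) -> dict:
    """Return the parsed task plus the reasons it looks like malicious persistence."""
    opts = parse_schtasks(cmdline)
    action = opts.get("tr", "")
    reasons = []
    if is_masquerading(action):
        reasons.append("action binary uses a system-binary name from a non-standard directory")
    if opts.get("sc", "").upper() == "ONLOGON":
        reasons.append("runs at every logon")
    if opts.get("rl", "").upper() == "HIGHEST":
        reasons.append("requests the highest run level")
    return {
        "name": opts.get("tn"),
        "action": action,
        "reasons": reasons,
        # ONLOGON and HIGHEST are common in legitimate tasks; the masquerade is the verdict.
        "suspicious": is_masquerading(action),
    }


def flag_drops(paths):
    """Return the dropped-file paths whose name/location combination is a masquerade."""
    return [p for p in paths if is_masquerading(p)]


# Constructed sample input: the four schtasks invocations from the process tree
# plus one benign control that points at the real slui.exe.
REPORT_TASKS = [
    r'''"schtasks" /create /tn "slui" /sc ONLOGON /tr "'C:\Windows\System32\thumbcache\slui.exe'" /rl HIGHEST /f''',
    r'''"schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\WindowsShell\explorer.exe'" /rl HIGHEST /f''',
    r'''"schtasks" /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f''',
    r'''"schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\Client\conhost.exe'" /rl HIGHEST /f''',
]
BENIGN_TASK = r'''"schtasks" /create /tn "Activation" /sc ONLOGON /tr "'C:\Windows\System32\slui.exe'" /rl HIGHEST /f'''

# Constructed sample input: the file-drop IoCs from the report.
REPORT_DROPS = [
    r"C:\Windows\System32\thumbcache\slui.exe",
    r"C:\Windows\System32\thumbcache\a29f4157103644af5692ebfddf35f6dff4e237da",
    r"C:\Program Files\Microsoft Office\root\Client\conhost.exe",
    r"C:\Program Files\Microsoft Office\root\Client\088424020bedd6b28ac7fd22ee35dcd7322895ce",
    r"C:\Windows\WindowsShell\explorer.exe",
    r"C:\Windows\WindowsShell\7a0fd90576e08807bde2cc57bcf9854bbce05fe3",
]

if __name__ == "__main__":
    for t in REPORT_TASKS + [BENIGN_TASK]:
        v = assess_task(t)
        tag = "SUSPICIOUS" if v["suspicious"] else "ok"
        print(tag, v["name"], v["action"], "; ".join(v["reasons"]))
    for p in flag_drops(REPORT_DROPS):
        print("masquerading drop:", p)
```

The benign control shows why the verdict hinges on the path and not on ONLOGON or HIGHEST alone: a task that runs the real C:\Windows\System32\slui.exe at logon with the highest run level is reported with the same two context reasons but is not flagged. Feeding the same check the command lines from Sysmon Event ID 1 (process creation) or Security Event ID 4698 (scheduled task created) turns it into a hunt across a fleet; the allow-list must then be widened from a known-good image rather than from this hand-written stub.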
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\uRKTj1oKgu.bat
  MD5: ff54012c47ae9c9f236137e38587fca0
  SHA1: 2857ccad29bf99eed8fed5d911e196472a6ca738
  SHA256: a13babe04b160e7e4a0bb26c43cb2c9d00b02eb9256e3a10db1e765ba10a6c35
  SHA512: d5ae6d3fb19703a85e3f3269bd55d6b004bda0875efa48ba1496e116cbdf20f2f14cd6c7fbdeeb132ea1a46082dd24c88435157661b5aaf92a10debc07bce8be
- C:\Windows\System32\thumbcache\slui.exe (listed twice in the report with identical hashes)
  MD5: ed0551481fa342d10d1513feaeaa07f1
  SHA1: a7c1effe9f14d07d03d55285896d9ef1c8af62c6
  SHA256: 1fc3e401a27c81159ca6515bf7746bcb78c20e5ad33d2922f4713ab4635d75b1
  SHA512: 02e861571506262b7ba6f5d5671ee8759107554bc9799955f841580484cf3aaddc6219db2df6b355cabb79880149b8d6ff47f8e2caa4eec0ba1a2a93a08f6c65
- C:\savesRefRuntimebrokersvc\kyajHqpLZ.vbe
  MD5: 77392f6900492949787a7d7967eb10b6
  SHA1: 84767159f4baadbf75043355e691877e75fcdf12
  SHA256: 2e5a321119df0fac677de8fc52c4ae82c87d64012ed1ef3c8ee39df96c2f5627
  SHA512: 8ce6af44fc77636d0e5d2719ebb82144ea47dfd4bb798c7519a1bdfab3bc3723f9531629deb0fba25f298c471705347502ab5a0c8198c1c16a213a0a7f970fa5
- C:\savesRefRuntimebrokersvc\rnYPsMDbrJvA9KRVcvnGqwI.bat
  MD5: 3bb4b3b2af3807680dfa1867b0290279
  SHA1: 1c13ea22c5b7b084ff2562f2289c222ab0897e93
  SHA256: 799a39579ea7c43e5dc9dbfafc22d3e563fa8692c5bf97442bd788bda03d95d5
  SHA512: eadd2cf766c4dce412e0f25f936bedd97fd71f031e52c0f09196571979211fd6d817fa2f4758e1677d4d9efa06b2dc0e9bcb838434eb19c0af2d8fafe983445b
- C:\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe (listed twice in the report; same hashes as the dropped slui.exe above, so the two are byte-identical)
  MD5: ed0551481fa342d10d1513feaeaa07f1
  SHA1: a7c1effe9f14d07d03d55285896d9ef1c8af62c6
  SHA256: 1fc3e401a27c81159ca6515bf7746bcb78c20e5ad33d2922f4713ab4635d75b1
  SHA512: 02e861571506262b7ba6f5d5671ee8759107554bc9799955f841580484cf3aaddc6219db2df6b355cabb79880149b8d6ff47f8e2caa4eec0ba1a2a93a08f6c65
Memory dumps
- memory/744-132-0x0000000000000000-mapping.dmp
- memory/776-119-0x0000000000000000-mapping.dmp
- memory/2324-130-0x0000000000000000-mapping.dmp
- memory/2340-126-0x0000000000000000-mapping.dmp
- memory/2860-123-0x0000000000080000-0x0000000000081000-memory.dmp (4KB)
- memory/2860-120-0x0000000000000000-mapping.dmp
- memory/2860-125-0x000000001AE10000-0x000000001AE12000-memory.dmp (8KB)
- memory/3200-129-0x0000000000000000-mapping.dmp
- memory/3356-128-0x0000000000000000-mapping.dmp
- memory/3488-143-0x0000000002E10000-0x0000000002E14000-memory.dmp (16KB)
- memory/3488-134-0x0000000000000000-mapping.dmp
- memory/3488-139-0x000000001BB30000-0x000000001BB32000-memory.dmp (8KB)
- memory/3488-140-0x0000000001500000-0x0000000001506000-memory.dmp (24KB)
- memory/3488-141-0x0000000002E30000-0x0000000002E35000-memory.dmp (20KB)
- memory/3488-142-0x0000000001510000-0x0000000001512000-memory.dmp (8KB; the disable_win_def YARA match)
- memory/3488-144-0x0000000002E20000-0x0000000002E22000-memory.dmp (8KB)
- memory/3488-145-0x0000000002E50000-0x0000000002E51000-memory.dmp (4KB)
- memory/3488-146-0x0000000002E60000-0x0000000002E62000-memory.dmp (8KB)
- memory/3488-147-0x0000000003010000-0x0000000003011000-memory.dmp (4KB)
- memory/3856-116-0x0000000000000000-mapping.dmp
- memory/4044-133-0x0000000000000000-mapping.dmp
- memory/4092-127-0x0000000000000000-mapping.dmp