Overview

overview

10

Static

static

10

787F845B90...C0.exe

windows7_x64

787F845B90...C0.exe

windows10_x64

10

Analysis

  • max time kernel
    80s
  • max time network
    81s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    20-06-2021 23:03

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Remote task has failed: Machine shutdown
Report Analysis Logs

General

  • Target

    787F845B904FD7FC0F36F5CCAB9691C0.exe

  • Size

    1.5MB

  • MD5

    787f845b904fd7fc0f36f5ccab9691c0

  • SHA1

    d25cd2bf2986862d7c4d5923a144b5c6d11690ac

  • SHA256

    a7629346a7228cd9b9d1db57a2d25c12c87506db851f43dd99fcb5e8f0e520ec

  • SHA512

    05ab7acb67cd7852620a4e835ebaadbe1b709c01dd025e701be7ec04c63abc4b8e045f50911c6aa0f7253c3b1349a0174f08fd0f54b5d0fed9524c719c6135d3

Score
10/10
dcratxmriginfostealerminerratspywarestealer

Malware Config

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • DCRat Payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\787F845B904FD7FC0F36F5CCAB9691C0.exe
    "C:\Users\Admin\AppData\Local\Temp\787F845B904FD7FC0F36F5CCAB9691C0.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\savesRefRuntimebrokersvc\kyajHqpLZ.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\savesRefRuntimebrokersvc\rnYPsMDbrJvA9KRVcvnGqwI.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:764
        • C:\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe
          "C:\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1320
          • C:\Windows\system32\schtasks.exe
            "schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\system\explorer.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:1640
          • C:\Windows\system32\schtasks.exe
            "schtasks" /create /tn "sppsvc" /sc ONLOGON /tr "'C:\savesRefRuntimebrokersvc\sppsvc.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:720
          • C:\Windows\system32\schtasks.exe
            "schtasks" /create /tn "wininit" /sc ONLOGON /tr "'C:\Documents and Settings\wininit.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:1052
          • C:\Windows\system32\schtasks.exe
            "schtasks" /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\spoolss\sppsvc.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:976
          • C:\Windows\system32\schtasks.exe
            "schtasks" /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\KBDBASH\services.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:1964
          • C:\Windows\system32\schtasks.exe
            "schtasks" /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\System32\wbem\lsasrv\WMIADAP.exe'" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:1612
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Tut0Db3K4S.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1596
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:2028
              • C:\Windows\system32\PING.EXE
                ping -n 5 localhost
                6⤵
                • Runs ping.exe
                PID:1088
              • C:\Documents and Settings\wininit.exe
                "C:\Documents and Settings\wininit.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:268
                • C:\Windows\System32\shutdown.exe
                  "C:\Windows\System32\shutdown.exe" /s /t 0
                  7⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1700
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0
      1⤵
        PID:1168
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x1
        1⤵
          PID:800

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Scheduled Task

        1
        T1053

        Persistence

        Scheduled Task

        1
        T1053

        Privilege Escalation

        Scheduled Task

        1
        T1053

        Defense Evasion

        Credential Access

        Credentials in Files

        2
        T1081

        Discovery

        System Information Discovery

        1
        T1082

        Remote System Discovery

        1
        T1018

        Lateral Movement

        Collection

        Data from Local System

        2
        T1005

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Documents and Settings\wininit.exe
          MD5

          ed0551481fa342d10d1513feaeaa07f1

          SHA1

          a7c1effe9f14d07d03d55285896d9ef1c8af62c6

          SHA256

          1fc3e401a27c81159ca6515bf7746bcb78c20e5ad33d2922f4713ab4635d75b1

          SHA512

          02e861571506262b7ba6f5d5671ee8759107554bc9799955f841580484cf3aaddc6219db2df6b355cabb79880149b8d6ff47f8e2caa4eec0ba1a2a93a08f6c65

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\Tut0Db3K4S.bat
          MD5

          b145a56bc86bc91e03434fc791c012fe

          SHA1

          ffd28bca93b6899e0db1e04693e1adec91621240

          SHA256

          d01aa33f962942fff6dfe09a1ed277a1c65a4b5d31e837cd794ee4fddcc2d295

          SHA512

          06a117ce5c8d8145a296a2b695680cde310fe9eccde450e2ef717ac8fdf8a3285738e036542dbd829822bb06a47506fca4198eb971b26c90a722cbd7ab7602aa

          Download Submit
        • C:\Users\wininit.exe
          MD5

          ed0551481fa342d10d1513feaeaa07f1

          SHA1

          a7c1effe9f14d07d03d55285896d9ef1c8af62c6

          SHA256

          1fc3e401a27c81159ca6515bf7746bcb78c20e5ad33d2922f4713ab4635d75b1

          SHA512

          02e861571506262b7ba6f5d5671ee8759107554bc9799955f841580484cf3aaddc6219db2df6b355cabb79880149b8d6ff47f8e2caa4eec0ba1a2a93a08f6c65

          Download Submit
        • C:\savesRefRuntimebrokersvc\kyajHqpLZ.vbe
          MD5

          77392f6900492949787a7d7967eb10b6

          SHA1

          84767159f4baadbf75043355e691877e75fcdf12

          SHA256

          2e5a321119df0fac677de8fc52c4ae82c87d64012ed1ef3c8ee39df96c2f5627

          SHA512

          8ce6af44fc77636d0e5d2719ebb82144ea47dfd4bb798c7519a1bdfab3bc3723f9531629deb0fba25f298c471705347502ab5a0c8198c1c16a213a0a7f970fa5

          Download Submit
        • C:\savesRefRuntimebrokersvc\rnYPsMDbrJvA9KRVcvnGqwI.bat
          MD5

          3bb4b3b2af3807680dfa1867b0290279

          SHA1

          1c13ea22c5b7b084ff2562f2289c222ab0897e93

          SHA256

          799a39579ea7c43e5dc9dbfafc22d3e563fa8692c5bf97442bd788bda03d95d5

          SHA512

          eadd2cf766c4dce412e0f25f936bedd97fd71f031e52c0f09196571979211fd6d817fa2f4758e1677d4d9efa06b2dc0e9bcb838434eb19c0af2d8fafe983445b

          Download Submit
        • C:\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe
          MD5

          ed0551481fa342d10d1513feaeaa07f1

          SHA1

          a7c1effe9f14d07d03d55285896d9ef1c8af62c6

          SHA256

          1fc3e401a27c81159ca6515bf7746bcb78c20e5ad33d2922f4713ab4635d75b1

          SHA512

          02e861571506262b7ba6f5d5671ee8759107554bc9799955f841580484cf3aaddc6219db2df6b355cabb79880149b8d6ff47f8e2caa4eec0ba1a2a93a08f6c65

          Download Submit
        • C:\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe
          MD5

          ed0551481fa342d10d1513feaeaa07f1

          SHA1

          a7c1effe9f14d07d03d55285896d9ef1c8af62c6

          SHA256

          1fc3e401a27c81159ca6515bf7746bcb78c20e5ad33d2922f4713ab4635d75b1

          SHA512

          02e861571506262b7ba6f5d5671ee8759107554bc9799955f841580484cf3aaddc6219db2df6b355cabb79880149b8d6ff47f8e2caa4eec0ba1a2a93a08f6c65

          Download Submit
        • \savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe
          MD5

          ed0551481fa342d10d1513feaeaa07f1

          SHA1

          a7c1effe9f14d07d03d55285896d9ef1c8af62c6

          SHA256

          1fc3e401a27c81159ca6515bf7746bcb78c20e5ad33d2922f4713ab4635d75b1

          SHA512

          02e861571506262b7ba6f5d5671ee8759107554bc9799955f841580484cf3aaddc6219db2df6b355cabb79880149b8d6ff47f8e2caa4eec0ba1a2a93a08f6c65

          Download Submit
        • \savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe
          MD5

          ed0551481fa342d10d1513feaeaa07f1

          SHA1

          a7c1effe9f14d07d03d55285896d9ef1c8af62c6

          SHA256

          1fc3e401a27c81159ca6515bf7746bcb78c20e5ad33d2922f4713ab4635d75b1

          SHA512

          02e861571506262b7ba6f5d5671ee8759107554bc9799955f841580484cf3aaddc6219db2df6b355cabb79880149b8d6ff47f8e2caa4eec0ba1a2a93a08f6c65

          Download Submit
        • memory/268-90-0x00000000002A0000-0x00000000002A6000-memory.dmp
          Filesize

          24KB

          Download
        • memory/268-89-0x000000001AFC0000-0x000000001AFC2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/268-95-0x0000000000770000-0x0000000000771000-memory.dmp
          Filesize

          4KB

          Download
        • memory/268-97-0x0000000001F50000-0x0000000001F51000-memory.dmp
          Filesize

          4KB

          Download
        • memory/268-85-0x0000000000000000-mapping.dmp
          Download
        • memory/268-94-0x0000000000740000-0x0000000000742000-memory.dmp
          Filesize

          8KB

          Download
        • memory/268-96-0x0000000001F40000-0x0000000001F42000-memory.dmp
          Filesize

          8KB

          Download
        • memory/268-93-0x0000000000520000-0x0000000000524000-memory.dmp
          Filesize

          16KB

          Download
        • memory/268-92-0x00000000004F0000-0x00000000004F2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/268-91-0x0000000000510000-0x0000000000515000-memory.dmp
          Filesize

          20KB

          Download
        • memory/268-87-0x00000000002B0000-0x00000000002B1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/720-75-0x0000000000000000-mapping.dmp
          Download
        • memory/764-65-0x0000000000000000-mapping.dmp
          Download
        • memory/800-102-0x0000000002820000-0x0000000002821000-memory.dmp
          Filesize

          4KB

          Download
        • memory/976-77-0x0000000000000000-mapping.dmp
          Download
        • memory/1052-76-0x0000000000000000-mapping.dmp
          Download
        • memory/1088-83-0x0000000000000000-mapping.dmp
          Download
        • memory/1096-60-0x0000000075201000-0x0000000075203000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1168-99-0x000007FEFBC41000-0x000007FEFBC43000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1168-100-0x00000000027C0000-0x00000000027C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1320-69-0x0000000000000000-mapping.dmp
          Download
        • memory/1320-71-0x00000000010D0000-0x00000000010D1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1320-73-0x000000001AFA0000-0x000000001AFA2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1596-80-0x0000000000000000-mapping.dmp
          Download
        • memory/1612-79-0x0000000000000000-mapping.dmp
          Download
        • memory/1640-74-0x0000000000000000-mapping.dmp
          Download
        • memory/1700-98-0x0000000000000000-mapping.dmp
          Download
        • memory/1964-78-0x0000000000000000-mapping.dmp
          Download
        • memory/2028-82-0x0000000000000000-mapping.dmp
          Download
        • memory/2032-61-0x0000000000000000-mapping.dmp
          Download