Analysis
max time kernel: 80s
max time network: 81s
platform: windows7_x64
resource: win7v20210408
submitted: 20-06-2021 23:03
Behavioral task: behavioral1
Sample: 787F845B904FD7FC0F36F5CCAB9691C0.exe
Resource: win7v20210408

Behavioral task: behavioral2
Sample: 787F845B904FD7FC0F36F5CCAB9691C0.exe
Resource: win10v20210410
General
Target: 787F845B904FD7FC0F36F5CCAB9691C0.exe
Size: 1.5MB
MD5: 787f845b904fd7fc0f36f5ccab9691c0
SHA1: d25cd2bf2986862d7c4d5923a144b5c6d11690ac
SHA256: a7629346a7228cd9b9d1db57a2d25c12c87506db851f43dd99fcb5e8f0e520ec
SHA512: 05ab7acb67cd7852620a4e835ebaadbe1b709c01dd025e701be7ec04c63abc4b8e045f50911c6aa0f7253c3b1349a0174f08fd0f54b5d0fed9524c719c6135d3
Signatures

Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
  resource | yara_rule
  behavioral1/memory/268-92-0x00000000004F0000-0x00000000004F2000-memory.dmp | disable_win_def

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
  resource | yara_rule
  \savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe | dcrat
  \savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe | dcrat
  C:\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe | dcrat
  C:\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe | dcrat
  C:\Documents and Settings\wininit.exe | dcrat
  C:\Users\wininit.exe | dcrat

Executes dropped EXE 2 IoCs
Processes:
  pid | process
  1320 | savesRefRuntimebrokersvcwinIntoruntime.exe
  268 | wininit.exe

Loads dropped DLL 2 IoCs
Processes:
  pid | process
  764 | cmd.exe
  764 | cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  7 | ipinfo.io
  8 | ipinfo.io

Drops file in System32 directory 6 IoCs
Processes:
  description | ioc | process
  File created | C:\Windows\System32\wbem\lsasrv\75a57c1bdf437c0c81ad56e81f43c7323ed35745 | savesRefRuntimebrokersvcwinIntoruntime.exe
  File created | C:\Windows\System32\spoolss\sppsvc.exe | savesRefRuntimebrokersvcwinIntoruntime.exe
  File created | C:\Windows\System32\spoolss\0a1fd5f707cd16ea89afd3d6db52b2da58214a6c | savesRefRuntimebrokersvcwinIntoruntime.exe
  File created | C:\Windows\System32\KBDBASH\services.exe | savesRefRuntimebrokersvcwinIntoruntime.exe
  File created | C:\Windows\System32\KBDBASH\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d | savesRefRuntimebrokersvcwinIntoruntime.exe
  File created | C:\Windows\System32\wbem\lsasrv\WMIADAP.exe | savesRefRuntimebrokersvcwinIntoruntime.exe

Drops file in Windows directory 3 IoCs
Processes:
  description | ioc | process
  File created | C:\Windows\system\explorer.exe | savesRefRuntimebrokersvcwinIntoruntime.exe
  File opened for modification | C:\Windows\system\explorer.exe | savesRefRuntimebrokersvcwinIntoruntime.exe
  File created | C:\Windows\system\7a0fd90576e08807bde2cc57bcf9854bbce05fe3 | savesRefRuntimebrokersvcwinIntoruntime.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid | process
  1052 | schtasks.exe
  976 | schtasks.exe
  1964 | schtasks.exe
  1612 | schtasks.exe
  1640 | schtasks.exe
  720 | schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
  pid | process
  1320 | savesRefRuntimebrokersvcwinIntoruntime.exe
  268 | wininit.exe
  268 | wininit.exe
  268 | wininit.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1320 | savesRefRuntimebrokersvcwinIntoruntime.exe
  Token: SeDebugPrivilege | 268 | wininit.exe
  Token: SeShutdownPrivilege | 1700 | shutdown.exe
  Token: SeRemoteShutdownPrivilege | 1700 | shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
  pid | process
  268 | wininit.exe

Suspicious use of WriteProcessMemory 45 IoCs
Processes:
  description | pid | process | target process
  PID 1096 wrote to memory of 2032 | 1096 | 787F845B904FD7FC0F36F5CCAB9691C0.exe | WScript.exe
  PID 1096 wrote to memory of 2032 | 1096 | 787F845B904FD7FC0F36F5CCAB9691C0.exe | WScript.exe
  PID 1096 wrote to memory of 2032 | 1096 | 787F845B904FD7FC0F36F5CCAB9691C0.exe | WScript.exe
  PID 1096 wrote to memory of 2032 | 1096 | 787F845B904FD7FC0F36F5CCAB9691C0.exe | WScript.exe
  PID 2032 wrote to memory of 764 | 2032 | WScript.exe | cmd.exe
  PID 2032 wrote to memory of 764 | 2032 | WScript.exe | cmd.exe
  PID 2032 wrote to memory of 764 | 2032 | WScript.exe | cmd.exe
  PID 2032 wrote to memory of 764 | 2032 | WScript.exe | cmd.exe
  PID 764 wrote to memory of 1320 | 764 | cmd.exe | savesRefRuntimebrokersvcwinIntoruntime.exe
  PID 764 wrote to memory of 1320 | 764 | cmd.exe | savesRefRuntimebrokersvcwinIntoruntime.exe
  PID 764 wrote to memory of 1320 | 764 | cmd.exe | savesRefRuntimebrokersvcwinIntoruntime.exe
  PID 764 wrote to memory of 1320 | 764 | cmd.exe | savesRefRuntimebrokersvcwinIntoruntime.exe
  PID 1320 wrote to memory of 1640 | 1320 | savesRefRuntimebrokersvcwinIntoruntime.exe | schtasks.exe
  PID 1320 wrote to memory of 1640 | 1320 | savesRefRuntimebrokersvcwinIntoruntime.exe | schtasks.exe
  PID 1320 wrote to memory of 1640 | 1320 | savesRefRuntimebrokersvcwinIntoruntime.exe | schtasks.exe
  PID 1320 wrote to memory of 720 | 1320 | savesRefRuntimebrokersvcwinIntoruntime.exe | schtasks.exe
  PID 1320 wrote to memory of 720 | 1320 | savesRefRuntimebrokersvcwinIntoruntime.exe | schtasks.exe
  PID 1320 wrote to memory of 720 | 1320 | savesRefRuntimebrokersvcwinIntoruntime.exe | schtasks.exe
  PID 1320 wrote to memory of 1052 | 1320 | savesRefRuntimebrokersvcwinIntoruntime.exe | schtasks.exe
  PID 1320 wrote to memory of 1052 | 1320 | savesRefRuntimebrokersvcwinIntoruntime.exe | schtasks.exe
  PID 1320 wrote to memory of 1052 | 1320 | savesRefRuntimebrokersvcwinIntoruntime.exe | schtasks.exe
  PID 1320 wrote to memory of 976 | 1320 | savesRefRuntimebrokersvcwinIntoruntime.exe | schtasks.exe
  PID 1320 wrote to memory of 976 | 1320 | savesRefRuntimebrokersvcwinIntoruntime.exe | schtasks.exe
  PID 1320 wrote to memory of 976 | 1320 | savesRefRuntimebrokersvcwinIntoruntime.exe | schtasks.exe
  PID 1320 wrote to memory of 1964 | 1320 | savesRefRuntimebrokersvcwinIntoruntime.exe | schtasks.exe
  PID 1320 wrote to memory of 1964 | 1320 | savesRefRuntimebrokersvcwinIntoruntime.exe | schtasks.exe
  PID 1320 wrote to memory of 1964 | 1320 | savesRefRuntimebrokersvcwinIntoruntime.exe | schtasks.exe
  PID 1320 wrote to memory of 1612 | 1320 | savesRefRuntimebrokersvcwinIntoruntime.exe | schtasks.exe
  PID 1320 wrote to memory of 1612 | 1320 | savesRefRuntimebrokersvcwinIntoruntime.exe | schtasks.exe
  PID 1320 wrote to memory of 1612 | 1320 | savesRefRuntimebrokersvcwinIntoruntime.exe | schtasks.exe
  PID 1320 wrote to memory of 1596 | 1320 | savesRefRuntimebrokersvcwinIntoruntime.exe | cmd.exe
  PID 1320 wrote to memory of 1596 | 1320 | savesRefRuntimebrokersvcwinIntoruntime.exe | cmd.exe
  PID 1320 wrote to memory of 1596 | 1320 | savesRefRuntimebrokersvcwinIntoruntime.exe | cmd.exe
  PID 1596 wrote to memory of 2028 | 1596 | cmd.exe | chcp.com
  PID 1596 wrote to memory of 2028 | 1596 | cmd.exe | chcp.com
  PID 1596 wrote to memory of 2028 | 1596 | cmd.exe | chcp.com
  PID 1596 wrote to memory of 1088 | 1596 | cmd.exe | PING.EXE
  PID 1596 wrote to memory of 1088 | 1596 | cmd.exe | PING.EXE
  PID 1596 wrote to memory of 1088 | 1596 | cmd.exe | PING.EXE
  PID 1596 wrote to memory of 268 | 1596 | cmd.exe | wininit.exe
  PID 1596 wrote to memory of 268 | 1596 | cmd.exe | wininit.exe
  PID 1596 wrote to memory of 268 | 1596 | cmd.exe | wininit.exe
  PID 268 wrote to memory of 1700 | 268 | wininit.exe | shutdown.exe
  PID 268 wrote to memory of 1700 | 268 | wininit.exe | shutdown.exe
  PID 268 wrote to memory of 1700 | 268 | wininit.exe | shutdown.exe
Processes (the bracketed number is the depth of the process in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\787F845B904FD7FC0F36F5CCAB9691C0.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\787F845B904FD7FC0F36F5CCAB9691C0.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\savesRefRuntimebrokersvc\kyajHqpLZ.vbe"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\savesRefRuntimebrokersvc\rnYPsMDbrJvA9KRVcvnGqwI.bat" "
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe
          Command line: "C:\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe"
          - Executes dropped EXE
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\schtasks.exe
            Command line: "schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\system\explorer.exe'" /rl HIGHEST /f
            - Creates scheduled task(s)
        [5] C:\Windows\system32\schtasks.exe
            Command line: "schtasks" /create /tn "sppsvc" /sc ONLOGON /tr "'C:\savesRefRuntimebrokersvc\sppsvc.exe'" /rl HIGHEST /f
            - Creates scheduled task(s)
        [5] C:\Windows\system32\schtasks.exe
            Command line: "schtasks" /create /tn "wininit" /sc ONLOGON /tr "'C:\Documents and Settings\wininit.exe'" /rl HIGHEST /f
            - Creates scheduled task(s)
        [5] C:\Windows\system32\schtasks.exe
            Command line: "schtasks" /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\spoolss\sppsvc.exe'" /rl HIGHEST /f
            - Creates scheduled task(s)
        [5] C:\Windows\system32\schtasks.exe
            Command line: "schtasks" /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\KBDBASH\services.exe'" /rl HIGHEST /f
            - Creates scheduled task(s)
        [5] C:\Windows\system32\schtasks.exe
            Command line: "schtasks" /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\System32\wbem\lsasrv\WMIADAP.exe'" /rl HIGHEST /f
            - Creates scheduled task(s)
        [5] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Tut0Db3K4S.bat"
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\chcp.com
              Command line: chcp 65001
          [6] C:\Windows\system32\PING.EXE
              Command line: ping -n 5 localhost
              - Runs ping.exe
          [6] C:\Documents and Settings\wininit.exe
              Command line: "C:\Documents and Settings\wininit.exe"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\System32\shutdown.exe
                Command line: "C:\Windows\System32\shutdown.exe" /s /t 0
                - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\LogonUI.exe
    Command line: "LogonUI.exe" /flags:0x0

[1] C:\Windows\system32\LogonUI.exe
    Command line: "LogonUI.exe" /flags:0x1
Downloads