Analysis
- max time kernel: 56s
- max time network: 107s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 20-06-2021 23:03
Behavioral tasks
- behavioral1: Sample 787F845B904FD7FC0F36F5CCAB9691C0.exe, Resource win7v20210408
- behavioral2: Sample 787F845B904FD7FC0F36F5CCAB9691C0.exe, Resource win10v20210410
General
- Target: 787F845B904FD7FC0F36F5CCAB9691C0.exe
- Size: 1.5MB
- MD5: 787f845b904fd7fc0f36f5ccab9691c0
- SHA1: d25cd2bf2986862d7c4d5923a144b5c6d11690ac
- SHA256: a7629346a7228cd9b9d1db57a2d25c12c87506db851f43dd99fcb5e8f0e520ec
- SHA512: 05ab7acb67cd7852620a4e835ebaadbe1b709c01dd025e701be7ec04c63abc4b8e045f50911c6aa0f7253c3b1349a0174f08fd0f54b5d0fed9524c719c6135d3
Malware Config
Signatures
- Contains code to disable Windows Defender (1 IoC)
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  Processes:
    resource                                                                        yara_rule
    behavioral2/memory/2312-140-0x0000000003050000-0x0000000003052000-memory.dmp    disable_win_def
  The matching dump belongs to PID 2312, the dropped slui.exe copy of the payload (see the process tree below), not to the submitted launcher.
- DcRat
  DarkCrystal (DC) is a .NET RAT active since June 2019 that can load additional plugins.
  Processes:
    resource                                                                 yara_rule
    C:\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe   dcrat
    C:\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe   dcrat
    C:\Windows\System32\iaspolcy\slui.exe                                    dcrat
    C:\Windows\System32\iaspolcy\slui.exe                                    dcrat
  Both files carry identical hashes (see Downloads): slui.exe is a copy of the dropped payload, not a second binary.
- Executes dropped EXE (2 IoCs)
  Processes:
    pid    process
    2908   savesRefRuntimebrokersvcwinIntoruntime.exe
    2312   slui.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow   ioc
    16     ipinfo.io
    17     ipinfo.io
- Drops file in System32 directory (11 IoCs)
  Processes (all by savesRefRuntimebrokersvcwinIntoruntime.exe, PID 2908):
    description                   ioc
    File created                  C:\Windows\System32\Microsoft.Bluetooth.Profiles.Gatt.Interface\a29f4157103644af5692ebfddf35f6dff4e237da
    File created                  C:\Windows\SysWOW64\dsauth\ebf1f9fa8afd6d1932bd65bc4cc3af89a4c8e228
    File created                  C:\Windows\System32\mapi32\a29f4157103644af5692ebfddf35f6dff4e237da
    File created                  C:\Windows\System32\updatepolicy\5b884080fd4f94e2695da25c503f9e33b9605b83
    File created                  C:\Windows\System32\Microsoft.Bluetooth.Profiles.Gatt.Interface\slui.exe
    File created                  C:\Windows\System32\iaspolcy\a29f4157103644af5692ebfddf35f6dff4e237da
    File created                  C:\Windows\System32\updatepolicy\fontdrvhost.exe
    File created                  C:\Windows\SysWOW64\dsauth\cmd.exe
    File created                  C:\Windows\System32\mapi32\slui.exe
    File created                  C:\Windows\System32\iaspolcy\slui.exe
    File opened for modification  C:\Windows\System32\iaspolcy\slui.exe
  Every dropped executable borrows the name of a real Windows binary (slui.exe, fontdrvhost.exe, cmd.exe) but sits in a freshly created subdirectory named after a Windows component (iaspolcy, mapi32, updatepolicy, dsauth, Microsoft.Bluetooth.Profiles.Gatt.Interface); Windows ships none of those binaries in those directories, which is the detail a hunt query should key on. Each copy gets a companion file with a 40-hex-character name; the name is the same for all three slui.exe copies and differs per executable name. Creating files under System32 and SysWOW64 requires administrative rights, so these successful writes show the sample ran elevated in the sandbox.
- Drops file in Program Files directory (2 IoCs)
  Processes (all by savesRefRuntimebrokersvcwinIntoruntime.exe, PID 2908):
    description    ioc
    File created   C:\Program Files\Windows Portable Devices\spoolsv.exe
    File created   C:\Program Files\Windows Portable Devices\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description rates this as likely ransomware behaviour; in this report the other signatures (DcRat, browser and wallet data access) point to a RAT with stealer capability, so read this as drive enumeration rather than evidence of encryption.
- Creates scheduled task(s) (1 TTP, 6 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
    pid    process
    988    schtasks.exe
    3948   schtasks.exe
    516    schtasks.exe
    728    schtasks.exe
    2416   schtasks.exe
    3272   schtasks.exe
  All six tasks (command lines in the process tree below) use /sc ONLOGON with /rl HIGHEST, so the copies start elevated at every logon. Three of them reuse the task name "slui"; because each /create passes /f, every later definition overwrites the earlier one and only one task named slui remains.
- Kills process with taskkill (4 IoCs)
  Processes:
    pid    process
    2288   taskkill.exe
    2908   taskkill.exe
    1080   taskkill.exe
    1208   taskkill.exe
  The targets (see the process tree) are wininit.exe, winlogon.exe, svchost.exe and "crss.exe". The last is not a Windows process name (csrss.exe is), so that call finds nothing to kill; the report records the attempts, not whether the other three succeeded. PID 2908 is reused here: earlier in the run it belonged to the dropped executable.
- Modifies registry class (1 IoC)
  Processes:
    description   ioc                                                                             process
    Key created   \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings   787F845B904FD7FC0F36F5CCAB9691C0.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid    process
    2908   savesRefRuntimebrokersvcwinIntoruntime.exe
    2312   slui.exe
    2312   slui.exe
    2312   slui.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes:
    description               pid    process
    Token: SeDebugPrivilege   2908   savesRefRuntimebrokersvcwinIntoruntime.exe
    Token: SeDebugPrivilege   2312   slui.exe
    Token: SeDebugPrivilege   2288   taskkill.exe
    Token: SeDebugPrivilege   2908   taskkill.exe
    Token: SeDebugPrivilege   1080   taskkill.exe
    Token: SeDebugPrivilege   1208   taskkill.exe
  taskkill /f enables SeDebugPrivilege on its own token so that it can open protected processes; the two payload processes enable it themselves, consistent with the process enumeration noted above.
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid    process
    2312   slui.exe
  SetWindowsHookEx is the API used to install keyboard and message hooks; the report shows the call, not the hook type.
- Suspicious use of WriteProcessMemory (32 IoCs)
  Processes (parent pid, parent process, target pid, target process, recorded writes):
    4016   787F845B904FD7FC0F36F5CCAB9691C0.exe         -> 1472   WScript.exe                                   3
    1472   WScript.exe                                  -> 3292   cmd.exe                                       3
    3292   cmd.exe                                      -> 2908   savesRefRuntimebrokersvcwinIntoruntime.exe    2
    2908   savesRefRuntimebrokersvcwinIntoruntime.exe   -> 3948   schtasks.exe                                  2
    2908   savesRefRuntimebrokersvcwinIntoruntime.exe   -> 516    schtasks.exe                                  2
    2908   savesRefRuntimebrokersvcwinIntoruntime.exe   -> 728    schtasks.exe                                  2
    2908   savesRefRuntimebrokersvcwinIntoruntime.exe   -> 2416   schtasks.exe                                  2
    2908   savesRefRuntimebrokersvcwinIntoruntime.exe   -> 3272   schtasks.exe                                  2
    2908   savesRefRuntimebrokersvcwinIntoruntime.exe   -> 988    schtasks.exe                                  2
    2908   savesRefRuntimebrokersvcwinIntoruntime.exe   -> 2312   slui.exe                                      2
    2312   slui.exe                                     -> 3244   cmd.exe                                       2
    3244   cmd.exe                                      -> 2288   taskkill.exe                                  2
    3244   cmd.exe                                      -> 2908   taskkill.exe                                  2
    3244   cmd.exe                                      -> 1080   taskkill.exe                                  2
    3244   cmd.exe                                      -> 1208   taskkill.exe                                  2
  Every entry is a parent writing into a process it has just started, consistent with ordinary process creation rather than injection into an unrelated process; the value of this table is that it fixes the parent/child chain and PIDs. PID 2908 appears both as the dropped executable and, later, as a taskkill.exe child of 3244, so the PID was reused after the dropped executable exited.
Processes
Nesting below replaces the report's depth markers (1⤵ to 7⤵); PIDs are given where the WriteProcessMemory table above fixes them unambiguously.
- C:\Users\Admin\AppData\Local\Temp\787F845B904FD7FC0F36F5CCAB9691C0.exe (PID 4016)
  "C:\Users\Admin\AppData\Local\Temp\787F845B904FD7FC0F36F5CCAB9691C0.exe"
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe (PID 1472)
    "C:\Windows\System32\WScript.exe" "C:\savesRefRuntimebrokersvc\kyajHqpLZ.vbe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 3292)
      C:\Windows\system32\cmd.exe /c ""C:\savesRefRuntimebrokersvc\rnYPsMDbrJvA9KRVcvnGqwI.bat" "
      - Suspicious use of WriteProcessMemory
      - C:\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe (PID 2908)
        "C:\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe"
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /create /tn "slui" /sc ONLOGON /tr "'C:\Windows\System32\iaspolcy\slui.exe'" /rl HIGHEST /f
          - Creates scheduled task(s)
        - C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\updatepolicy\fontdrvhost.exe'" /rl HIGHEST /f
          - Creates scheduled task(s)
        - C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /create /tn "slui" /sc ONLOGON /tr "'C:\Windows\System32\Microsoft.Bluetooth.Profiles.Gatt.Interface\slui.exe'" /rl HIGHEST /f
          - Creates scheduled task(s)
        - C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
          - Creates scheduled task(s)
        - C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\SysWOW64\dsauth\cmd.exe'" /rl HIGHEST /f
          - Creates scheduled task(s)
        - C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /create /tn "slui" /sc ONLOGON /tr "'C:\Windows\System32\mapi32\slui.exe'" /rl HIGHEST /f
          - Creates scheduled task(s)
        - C:\Windows\System32\iaspolcy\slui.exe (PID 2312)
          "C:\Windows\System32\iaspolcy\slui.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - C:\Windows\System32\cmd.exe (PID 3244)
            "C:\Windows\System32\cmd.exe" /c taskkill /f /im crss.exe & taskkill /f /im wininit.exe & taskkill /f /im winlogon.exe & taskkill /f /im svchost.exe
            - Suspicious use of WriteProcessMemory
            - C:\Windows\system32\taskkill.exe
              taskkill /f /im crss.exe
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
            - C:\Windows\system32\taskkill.exe
              taskkill /f /im wininit.exe
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
            - C:\Windows\system32\taskkill.exe
              taskkill /f /im winlogon.exe
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
            - C:\Windows\system32\taskkill.exe
              taskkill /f /im svchost.exe
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
Chain summary: the submitted executable is a launcher that drops C:\savesRefRuntimebrokersvc\ and runs the .vbe through WScript, which runs the .bat, which starts the dropped .NET payload. The payload copies itself under System32 subdirectories and Program Files under system-binary names, registers six ONLOGON tasks at the highest run level, and starts the iaspolcy\slui.exe copy, which then spawns the taskkill chain. Note the image paths: the launcher's children resolve to C:\Windows\SysWOW64 even though their command lines name System32, which is WoW64 file-system redirection for a 32-bit parent, whereas the payload's children resolve to the real System32, so the payload runs as a 64-bit process.
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\System32\iaspolcy\slui.exe
  MD5: ed0551481fa342d10d1513feaeaa07f1
  SHA1: a7c1effe9f14d07d03d55285896d9ef1c8af62c6
  SHA256: 1fc3e401a27c81159ca6515bf7746bcb78c20e5ad33d2922f4713ab4635d75b1
  SHA512: 02e861571506262b7ba6f5d5671ee8759107554bc9799955f841580484cf3aaddc6219db2df6b355cabb79880149b8d6ff47f8e2caa4eec0ba1a2a93a08f6c65
- C:\savesRefRuntimebrokersvc\kyajHqpLZ.vbe
  MD5: 77392f6900492949787a7d7967eb10b6
  SHA1: 84767159f4baadbf75043355e691877e75fcdf12
  SHA256: 2e5a321119df0fac677de8fc52c4ae82c87d64012ed1ef3c8ee39df96c2f5627
  SHA512: 8ce6af44fc77636d0e5d2719ebb82144ea47dfd4bb798c7519a1bdfab3bc3723f9531629deb0fba25f298c471705347502ab5a0c8198c1c16a213a0a7f970fa5
- C:\savesRefRuntimebrokersvc\rnYPsMDbrJvA9KRVcvnGqwI.bat
  MD5: 3bb4b3b2af3807680dfa1867b0290279
  SHA1: 1c13ea22c5b7b084ff2562f2289c222ab0897e93
  SHA256: 799a39579ea7c43e5dc9dbfafc22d3e563fa8692c5bf97442bd788bda03d95d5
  SHA512: eadd2cf766c4dce412e0f25f936bedd97fd71f031e52c0f09196571979211fd6d817fa2f4758e1677d4d9efa06b2dc0e9bcb838434eb19c0af2d8fafe983445b
- C:\savesRefRuntimebrokersvc\savesRefRuntimebrokersvcwinIntoruntime.exe (same hashes as C:\Windows\System32\iaspolcy\slui.exe above)
  MD5: ed0551481fa342d10d1513feaeaa07f1
  SHA1: a7c1effe9f14d07d03d55285896d9ef1c8af62c6
  SHA256: 1fc3e401a27c81159ca6515bf7746bcb78c20e5ad33d2922f4713ab4635d75b1
  SHA512: 02e861571506262b7ba6f5d5671ee8759107554bc9799955f841580484cf3aaddc6219db2df6b355cabb79880149b8d6ff47f8e2caa4eec0ba1a2a93a08f6c65
Memory dumps (ordered by the sandbox's sequence number; sizes as reported):
- memory/1472-116-0x0000000000000000-mapping.dmp
- memory/3292-119-0x0000000000000000-mapping.dmp
- memory/2908-120-0x0000000000000000-mapping.dmp
- memory/2908-123-0x0000000000310000-0x0000000000311000-memory.dmp (4KB)
- memory/2908-125-0x000000001B020000-0x000000001B022000-memory.dmp (8KB)
- memory/3948-126-0x0000000000000000-mapping.dmp
- memory/516-127-0x0000000000000000-mapping.dmp
- memory/728-128-0x0000000000000000-mapping.dmp
- memory/2416-129-0x0000000000000000-mapping.dmp
- memory/3272-130-0x0000000000000000-mapping.dmp
- memory/988-131-0x0000000000000000-mapping.dmp
- memory/2312-132-0x0000000000000000-mapping.dmp
- memory/2312-137-0x000000001BDA0000-0x000000001BDA2000-memory.dmp (8KB)
- memory/2312-138-0x0000000003030000-0x0000000003036000-memory.dmp (24KB)
- memory/2312-139-0x00000000030A0000-0x00000000030A5000-memory.dmp (20KB)
- memory/2312-140-0x0000000003050000-0x0000000003052000-memory.dmp (8KB)
- memory/2312-141-0x0000000003080000-0x0000000003084000-memory.dmp (16KB)
- memory/2312-142-0x0000000003090000-0x0000000003092000-memory.dmp (8KB)
- memory/2312-143-0x00000000030B0000-0x00000000030B1000-memory.dmp (4KB)
- memory/2312-144-0x00000000030C0000-0x00000000030C2000-memory.dmp (8KB)
- memory/2312-145-0x000000001BD70000-0x000000001BD71000-memory.dmp (4KB)
- memory/3244-146-0x0000000000000000-mapping.dmp
- memory/2288-147-0x0000000000000000-mapping.dmp
- memory/2908-148-0x0000000000000000-mapping.dmp
- memory/1080-149-0x0000000000000000-mapping.dmp
- memory/1208-150-0x0000000000000000-mapping.dmp