Analysis
- max time kernel: 117s
- max time network: 154s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 26-09-2021 15:13
Behavioral task behavioral1
- Sample: ba5dc0fc7d1677527cf809bfca28e2b6.exe
- Resource: win7-en-20210920
Behavioral task behavioral2
- Sample: ba5dc0fc7d1677527cf809bfca28e2b6.exe
- Resource: win10v20210408
General
- Target: ba5dc0fc7d1677527cf809bfca28e2b6.exe
- Size: 1.1MB
- MD5: ba5dc0fc7d1677527cf809bfca28e2b6
- SHA1: df8452d50e4fa2171379bfd499132a08dd725368
- SHA256: b1712ed2922c7af304903adfc55fc79a8a097f06b2fb98072ebfb3b44fbd3ad1
- SHA512: dcda78f331a588286d6f5a1fc2e4ccc680a178e8bf621f20f00a4cb0973f8d67cc66535334908e97a3845664ce1ee9c619fdb06515c31939a84c9c28424a622e
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019, capable of loading additional plugins.
- Process spawned unexpected child process (7 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
  description | pid | pid_target | process | target process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 460 | 4064 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 396 | 4064 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1196 | 4064 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1308 | 4064 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1488 | 4064 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1568 | 4064 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1740 | 4064 | schtasks.exe
- (untitled YARA match)
  Processes:
  resource | yara_rule
  C:\odt\RuntimeBroker.exe | dcrat
  C:\odt\RuntimeBroker.exe | dcrat
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  2032 | RuntimeBroker.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 7 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\System32\\rasmbmgr\\audiodg.exe\"" | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\Windows.Mirage.Internal\\RuntimeBroker.exe\"" | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Boot\\nb-NO\\wininit.exe\"" | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\wshom\\dwm.exe\"" | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\odt\\RuntimeBroker.exe\"" | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\odt\\WmiPrvSE.exe\"" | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files (x86)\\Windows Defender\\Offline\\taskhostw.exe\"" | ba5dc0fc7d1677527cf809bfca28e2b6.exe
- Drops file in System32 directory (7 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Windows\System32\wshom\dwm.exe | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  File opened for modification | C:\Windows\System32\wshom\dwm.exe | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  File created | C:\Windows\System32\wshom\6cb0b6c459d5d3455a3da700e713f2e2529862ff | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  File created | C:\Windows\System32\rasmbmgr\audiodg.exe | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  File created | C:\Windows\System32\rasmbmgr\42af1c969fbb7b2ae36b0e06bea61fc9a154b4af | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  File created | C:\Windows\System32\Windows.Mirage.Internal\RuntimeBroker.exe | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  File created | C:\Windows\System32\Windows.Mirage.Internal\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d | ba5dc0fc7d1677527cf809bfca28e2b6.exe
- Drops file in Program Files directory (2 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Program Files (x86)\Windows Defender\Offline\taskhostw.exe | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  File created | C:\Program Files (x86)\Windows Defender\Offline\ea9f0e6c9e2dcd4dfacdaf29ba21541fb815a988 | ba5dc0fc7d1677527cf809bfca28e2b6.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 7 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
  pid | process
  1488 | schtasks.exe
  1568 | schtasks.exe
  1740 | schtasks.exe
  460 | schtasks.exe
  396 | schtasks.exe
  1196 | schtasks.exe
  1308 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes:
  pid | process
  620 | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  620 | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  620 | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  620 | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  2032 | RuntimeBroker.exe
  2032 | RuntimeBroker.exe
  2032 | RuntimeBroker.exe
  2032 | RuntimeBroker.exe
  2032 | RuntimeBroker.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  pid | process
  2032 | RuntimeBroker.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 620 | ba5dc0fc7d1677527cf809bfca28e2b6.exe
  Token: SeDebugPrivilege | 2032 | RuntimeBroker.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
  description | pid | process | target process
  PID 620 wrote to memory of 2032 | 620 | ba5dc0fc7d1677527cf809bfca28e2b6.exe | RuntimeBroker.exe
  PID 620 wrote to memory of 2032 | 620 | ba5dc0fc7d1677527cf809bfca28e2b6.exe | RuntimeBroker.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ba5dc0fc7d1677527cf809bfca28e2b6.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ba5dc0fc7d1677527cf809bfca28e2b6.exe"
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\odt\RuntimeBroker.exe (depth 2)
    Command line: "C:\odt\RuntimeBroker.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\wshom\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\Offline\taskhostw.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\System32\rasmbmgr\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\Windows.Mirage.Internal\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Boot\nb-NO\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
Downloads
- C:\odt\RuntimeBroker.exe
  MD5: ba5dc0fc7d1677527cf809bfca28e2b6
  SHA1: df8452d50e4fa2171379bfd499132a08dd725368
  SHA256: b1712ed2922c7af304903adfc55fc79a8a097f06b2fb98072ebfb3b44fbd3ad1
  SHA512: dcda78f331a588286d6f5a1fc2e4ccc680a178e8bf621f20f00a4cb0973f8d67cc66535334908e97a3845664ce1ee9c619fdb06515c31939a84c9c28424a622e
- memory/620-114-0x0000000000100000-0x0000000000101000-memory.dmp (Filesize: 4KB)
- memory/620-116-0x000000001AEE0000-0x000000001AEE2000-memory.dmp (Filesize: 8KB)
- memory/2032-117-0x0000000000000000-mapping.dmp
- memory/2032-122-0x000000001B802000-0x000000001B803000-memory.dmp (Filesize: 4KB)
- memory/2032-123-0x000000001B803000-0x000000001B804000-memory.dmp (Filesize: 4KB)