Analysis
-
max time kernel
133s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
20-01-2022 13:18
Static task
static1
Behavioral task
behavioral1
Sample
ad7507c90821598ae3ed6e8b6c3fdb36.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
ad7507c90821598ae3ed6e8b6c3fdb36.exe
Resource
win10v2004-en-20220112
General
-
Target
ad7507c90821598ae3ed6e8b6c3fdb36.exe
-
Size
1.3MB
-
MD5
ad7507c90821598ae3ed6e8b6c3fdb36
-
SHA1
b94839035eb055acacef724166489e2c0cb60eaa
-
SHA256
785ebbdf0f15d1bb1fd3bbe1fb5a3486dead09dae463c91368653510c3814aee
-
SHA512
ca43450c10e387a95ad6763e2f888096d7f87dc274bdb3f6720e4bc7fa3d214af72bc10a47f7ac2f00b44823511709ed1ad0f86201122bae3707c23463dff179
Malware Config
Signatures
-
DcRat 5 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
ad7507c90821598ae3ed6e8b6c3fdb36.exeDriversavesRuntimecommonReviewrefbroker.exeschtasks.exeschtasks.exeschtasks.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation ad7507c90821598ae3ed6e8b6c3fdb36.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\DriversavesRuntimecommon\\SppExtComObj.exe\"" DriversavesRuntimecommonReviewrefbroker.exe 2932 schtasks.exe 3872 schtasks.exe 3676 schtasks.exe -
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2932 464 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3872 464 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3676 464 schtasks.exe -
suricata: ET MALWARE DCRAT Activity (GET)
suricata: ET MALWARE DCRAT Activity (GET)
-
Executes dropped EXE 2 IoCs
Processes:
DriversavesRuntimecommonReviewrefbroker.exespoolsv.exepid process 3768 DriversavesRuntimecommonReviewrefbroker.exe 2652 spoolsv.exe -
Sets service image path in registry 2 TTPs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
ad7507c90821598ae3ed6e8b6c3fdb36.exeWScript.exeDriversavesRuntimecommonReviewrefbroker.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation ad7507c90821598ae3ed6e8b6c3fdb36.exe Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation DriversavesRuntimecommonReviewrefbroker.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
DriversavesRuntimecommonReviewrefbroker.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\DriversavesRuntimecommon\\SppExtComObj.exe\"" DriversavesRuntimecommonReviewrefbroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\adrclient\\spoolsv.exe\"" DriversavesRuntimecommonReviewrefbroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Users\\Default User\\Registry.exe\"" DriversavesRuntimecommonReviewrefbroker.exe -
Drops file in System32 directory 2 IoCs
Processes:
DriversavesRuntimecommonReviewrefbroker.exedescription ioc process File created C:\Windows\System32\adrclient\spoolsv.exe DriversavesRuntimecommonReviewrefbroker.exe File created C:\Windows\System32\adrclient\f3b6ecef712a24 DriversavesRuntimecommonReviewrefbroker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exepid process 2932 schtasks.exe 3872 schtasks.exe 3676 schtasks.exe -
Modifies data under HKEY_USERS 41 IoCs
Processes:
WaaSMedicAgent.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates WaaSMedicAgent.exe -
Modifies registry class 1 IoCs
Processes:
ad7507c90821598ae3ed6e8b6c3fdb36.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings ad7507c90821598ae3ed6e8b6c3fdb36.exe -
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
DriversavesRuntimecommonReviewrefbroker.exespoolsv.exepid process 3768 DriversavesRuntimecommonReviewrefbroker.exe 2652 spoolsv.exe 2652 spoolsv.exe 2652 spoolsv.exe 2652 spoolsv.exe 2652 spoolsv.exe 2652 spoolsv.exe 2652 spoolsv.exe 2652 spoolsv.exe 2652 spoolsv.exe 2652 spoolsv.exe 2652 spoolsv.exe 2652 spoolsv.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
spoolsv.exepid process 2652 spoolsv.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
DriversavesRuntimecommonReviewrefbroker.exespoolsv.exedescription pid process Token: SeDebugPrivilege 3768 DriversavesRuntimecommonReviewrefbroker.exe Token: SeDebugPrivilege 2652 spoolsv.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
ad7507c90821598ae3ed6e8b6c3fdb36.exeWScript.execmd.exeDriversavesRuntimecommonReviewrefbroker.exedescription pid process target process PID 3360 wrote to memory of 3436 3360 ad7507c90821598ae3ed6e8b6c3fdb36.exe WScript.exe PID 3360 wrote to memory of 3436 3360 ad7507c90821598ae3ed6e8b6c3fdb36.exe WScript.exe PID 3360 wrote to memory of 3436 3360 ad7507c90821598ae3ed6e8b6c3fdb36.exe WScript.exe PID 3360 wrote to memory of 3484 3360 ad7507c90821598ae3ed6e8b6c3fdb36.exe WScript.exe PID 3360 wrote to memory of 3484 3360 ad7507c90821598ae3ed6e8b6c3fdb36.exe WScript.exe PID 3360 wrote to memory of 3484 3360 ad7507c90821598ae3ed6e8b6c3fdb36.exe WScript.exe PID 3436 wrote to memory of 912 3436 WScript.exe cmd.exe PID 3436 wrote to memory of 912 3436 WScript.exe cmd.exe PID 3436 wrote to memory of 912 3436 WScript.exe cmd.exe PID 912 wrote to memory of 3768 912 cmd.exe DriversavesRuntimecommonReviewrefbroker.exe PID 912 wrote to memory of 3768 912 cmd.exe DriversavesRuntimecommonReviewrefbroker.exe PID 3768 wrote to memory of 2652 3768 DriversavesRuntimecommonReviewrefbroker.exe spoolsv.exe PID 3768 wrote to memory of 2652 3768 DriversavesRuntimecommonReviewrefbroker.exe spoolsv.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad7507c90821598ae3ed6e8b6c3fdb36.exe"C:\Users\Admin\AppData\Local\Temp\ad7507c90821598ae3ed6e8b6c3fdb36.exe"1⤵
- DcRat
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\DriversavesRuntimecommon\OkPX18dWDtVLA0gJUAYq8tEymJIvb.vbe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\DriversavesRuntimecommon\i8SeDW7.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\DriversavesRuntimecommon\DriversavesRuntimecommonReviewrefbroker.exe"C:\DriversavesRuntimecommon\DriversavesRuntimecommonReviewrefbroker.exe"4⤵
- DcRat
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\adrclient\spoolsv.exe"C:\Windows\System32\adrclient\spoolsv.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\DriversavesRuntimecommon\file.vbs"2⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\DriversavesRuntimecommon\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\adrclient\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 79fb6385a1be29e4a75d9bad96454fec M47BRkgQTUyhsRmoBvSRng.0.1.0.0.01⤵
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\DriversavesRuntimecommon\DriversavesRuntimecommonReviewrefbroker.exeMD5
8daa2fddfdf7939d8f6af197a459086b
SHA1d8b3ade8c8f097cdcfc6e42c8a33f09d21fdf89b
SHA256f135db9a52b92622d288181553661b0e3ab9338c3f86173f906ff58acdbb8a9e
SHA5124c30dfb40aab28bb3972f165370ffdc3f6e9c3e8039d9659c717e5cb1fd33266d31f3fb030449a57f48796c9190186480daf832ed5dff42579278bb9dbcd8cc5
-
C:\DriversavesRuntimecommon\DriversavesRuntimecommonReviewrefbroker.exeMD5
8daa2fddfdf7939d8f6af197a459086b
SHA1d8b3ade8c8f097cdcfc6e42c8a33f09d21fdf89b
SHA256f135db9a52b92622d288181553661b0e3ab9338c3f86173f906ff58acdbb8a9e
SHA5124c30dfb40aab28bb3972f165370ffdc3f6e9c3e8039d9659c717e5cb1fd33266d31f3fb030449a57f48796c9190186480daf832ed5dff42579278bb9dbcd8cc5
-
C:\DriversavesRuntimecommon\OkPX18dWDtVLA0gJUAYq8tEymJIvb.vbeMD5
d71998b7f7a50d7f82c3cb8240b75ef1
SHA1278f6bc21583b6258b248c34a6b65cfcc752b4be
SHA256bb473710e90bc6be56e175b4fdb382aad5cdfd77571b313235db621ede9e6c41
SHA512c89201101b21d62a3327ab0365edeeaf1379d4c7bf6fe3449ee211707e82e8f8a78132ba8777bd935bc450684d63d8353540811dad0da76ae532a565d2919b7e
-
C:\DriversavesRuntimecommon\file.vbsMD5
677cc4360477c72cb0ce00406a949c61
SHA1b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA5127cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a
-
C:\DriversavesRuntimecommon\i8SeDW7.batMD5
39a43637ff068395e3f1cc29d619b61d
SHA17832b43422507b545276b0338362619529e7f964
SHA2566b74040331ca65b2959ced9dd6768cc93c7e22db31f603e9497ba88d1e5b0d79
SHA512b2a17cde1425cf59659fc941250134487f567b28a2ced716771a7152888739a2cbf61296625b9a9f21269fb2c81df3f2431d4239cb359c9bfea94685e4fb7dd7
-
C:\Windows\System32\adrclient\spoolsv.exeMD5
8daa2fddfdf7939d8f6af197a459086b
SHA1d8b3ade8c8f097cdcfc6e42c8a33f09d21fdf89b
SHA256f135db9a52b92622d288181553661b0e3ab9338c3f86173f906ff58acdbb8a9e
SHA5124c30dfb40aab28bb3972f165370ffdc3f6e9c3e8039d9659c717e5cb1fd33266d31f3fb030449a57f48796c9190186480daf832ed5dff42579278bb9dbcd8cc5
-
C:\Windows\System32\adrclient\spoolsv.exeMD5
8daa2fddfdf7939d8f6af197a459086b
SHA1d8b3ade8c8f097cdcfc6e42c8a33f09d21fdf89b
SHA256f135db9a52b92622d288181553661b0e3ab9338c3f86173f906ff58acdbb8a9e
SHA5124c30dfb40aab28bb3972f165370ffdc3f6e9c3e8039d9659c717e5cb1fd33266d31f3fb030449a57f48796c9190186480daf832ed5dff42579278bb9dbcd8cc5
-
memory/2652-142-0x0000000000EA0000-0x0000000000EB0000-memory.dmpFilesize
64KB
-
memory/3768-137-0x0000000000D60000-0x0000000000E5E000-memory.dmpFilesize
1016KB
-
memory/3768-138-0x000000001C250000-0x000000001C778000-memory.dmpFilesize
5.2MB
-
memory/3768-139-0x000000001BA10000-0x000000001BA12000-memory.dmpFilesize
8KB