bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349

General

Target

bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe
Size

2.9MB
MD5

27ac58d73248ebb72b350a1d0642e866
SHA1

88697d4f4d6e00a8ff29083a1a97c8d150f8939b
SHA256

bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349
SHA512

db8c968b3415d02868bc0fb01cb6104504a058c3f6dd1769a8e56bb1c47ed830e2b8d8e9873cd6fbfd15dfff4d46999f1562cb06c8427d9b007108ad1793f998

Score

10^/10

evasion suricata trojan

Malware Config

Signatures

suricata: ET MALWARE DCRat Initial CnC Activity
suricata: ET MALWARE DCRat Initial CnC Activity
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 1 IoCs

Processes:

RuntimeBroker32.exe

pid process

1780 RuntimeBroker32.exe

pid	process
1780	RuntimeBroker32.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exeRuntimeBroker32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RuntimeBroker32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RuntimeBroker32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exeRuntimeBroker32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exeRuntimeBroker32.exe

pid process

2584 bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe
1780 RuntimeBroker32.exe

pid	process
2584	bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe
1780	RuntimeBroker32.exe

Drops file in Program Files directory 3 IoCs

Processes:

bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\ja\svchost32.exe	bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\svchost32.exe	bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\TextConv\en-US\svchost32.exe	bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3276 1780 WerFault.exe RuntimeBroker32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exeRuntimeBroker32.exe

pid process

2584 bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe
1780 RuntimeBroker32.exe

pid	pid_target	process	target process
3276	1780	WerFault.exe	RuntimeBroker32.exe

pid	process
2584	bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe
1780	RuntimeBroker32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exeRuntimeBroker32.exe

description	pid	process
Token: SeDebugPrivilege	2584	bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe
Token: SeDebugPrivilege	1780	RuntimeBroker32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe

description	pid	process	target process
PID 2584 wrote to memory of 1780	2584	bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe	RuntimeBroker32.exe
PID 2584 wrote to memory of 1780	2584	bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe	RuntimeBroker32.exe
PID 2584 wrote to memory of 1780	2584	bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe	RuntimeBroker32.exe

C:\Users\Admin\AppData\Local\Temp\bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe
"C:\Users\Admin\AppData\Local\Temp\bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2584

C:\PerfLogs\RuntimeBroker32.exe
"C:\PerfLogs\RuntimeBroker32.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 1612
3⤵
- Program crash
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1780 -ip 1780
1⤵
PID:3620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\RuntimeBroker32.exe
Filesize
2.9MB

MD5
27ac58d73248ebb72b350a1d0642e866

SHA1
88697d4f4d6e00a8ff29083a1a97c8d150f8939b

SHA256
bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349

SHA512
db8c968b3415d02868bc0fb01cb6104504a058c3f6dd1769a8e56bb1c47ed830e2b8d8e9873cd6fbfd15dfff4d46999f1562cb06c8427d9b007108ad1793f998

Download Submit
C:\PerfLogs\RuntimeBroker32.exe
Filesize
2.9MB

MD5
27ac58d73248ebb72b350a1d0642e866

SHA1
88697d4f4d6e00a8ff29083a1a97c8d150f8939b

SHA256
bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349

SHA512
db8c968b3415d02868bc0fb01cb6104504a058c3f6dd1769a8e56bb1c47ed830e2b8d8e9873cd6fbfd15dfff4d46999f1562cb06c8427d9b007108ad1793f998

Download Submit
memory/1780-136-0x0000000000000000-mapping.dmp

Download
memory/1780-141-0x0000000000C30000-0x000000000146A000-memory.dmp

Filesize
8.2MB

Download
memory/1780-142-0x0000000077DF0000-0x0000000077F93000-memory.dmp

Filesize
1.6MB

Download
memory/2584-132-0x0000000077DF0000-0x0000000077F93000-memory.dmp

Filesize
1.6MB

Download
memory/2584-133-0x0000000000F40000-0x000000000177A000-memory.dmp

Filesize
8.2MB

Download
memory/2584-134-0x0000000005DF0000-0x0000000005E82000-memory.dmp

Filesize
584KB

Download
memory/2584-135-0x0000000006440000-0x00000000069E4000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads