Analysis
- max time kernel: 148s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 22:18
- Static task: static1
- Behavioral task: behavioral1
  - Sample: bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe
  - Resource: win7-20220414-en
General
- Target: bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe
- Size: 2.9MB
- MD5: 27ac58d73248ebb72b350a1d0642e866
- SHA1: 88697d4f4d6e00a8ff29083a1a97c8d150f8939b
- SHA256: bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349
- SHA512: db8c968b3415d02868bc0fb01cb6104504a058c3f6dd1769a8e56bb1c47ed830e2b8d8e9873cd6fbfd15dfff4d46999f1562cb06c8427d9b007108ad1793f998
Malware Config
Signatures
- suricata: ET MALWARE DCRat Initial CnC Activity
- Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs]
- Executes dropped EXE [1 IoC]
  Processes:
    pid  | process
    1780 | RuntimeBroker32.exe
- Checks BIOS information in registry [2 TTPs, 4 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description       | ioc                                                             | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  | bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | RuntimeBroker32.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  | RuntimeBroker32.exe
- Checks computer location settings [2 TTPs, 1 IoC]
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    description       | ioc                                                                                                    | process
    Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe
- Checks whether UAC is enabled [2 IoCs]
  Processes:
    description       | ioc                                                                                  | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RuntimeBroker32.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger [2 IoCs]
  Processes:
    pid  | process
    2584 | bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe
    1780 | RuntimeBroker32.exe
- Drops file in Program Files directory [3 IoCs]
  Processes:
    description                  | ioc                                                                          | process
    File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\ja\svchost32.exe | bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe
    File opened for modification | C:\Program Files (x86)\Windows Portable Devices\svchost32.exe                | bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe
    File opened for modification | C:\Program Files\Common Files\microsoft shared\TextConv\en-US\svchost32.exe  | bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe
- Enumerates physical storage devices [1 TTP]
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash [1 IoC]
  Processes:
    pid  | pid_target | process      | target process
    3276 | 1780       | WerFault.exe | RuntimeBroker32.exe
- Suspicious behavior: EnumeratesProcesses [2 IoCs]
  Processes:
    pid  | process
    2584 | bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe
    1780 | RuntimeBroker32.exe
- Suspicious use of AdjustPrivilegeToken [2 IoCs]
  Processes:
    description             | pid  | process
    Token: SeDebugPrivilege | 2584 | bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe
    Token: SeDebugPrivilege | 1780 | RuntimeBroker32.exe
- Suspicious use of WriteProcessMemory [3 IoCs]
  Processes:
    description                      | pid  | process                                                              | target process
    PID 2584 wrote to memory of 1780 | 2584 | bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe | RuntimeBroker32.exe
    PID 2584 wrote to memory of 1780 | 2584 | bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe | RuntimeBroker32.exe
    PID 2584 wrote to memory of 1780 | 2584 | bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe | RuntimeBroker32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349.exe"
  - Checks BIOS information in registry
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\PerfLogs\RuntimeBroker32.exe (child process)
    Command line: "C:\PerfLogs\RuntimeBroker32.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe (child process)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 1612
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1780 -ip 1780
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\PerfLogs\RuntimeBroker32.exe
  Filesize: 2.9MB
  MD5: 27ac58d73248ebb72b350a1d0642e866
  SHA1: 88697d4f4d6e00a8ff29083a1a97c8d150f8939b
  SHA256: bc2612aeae58ca2f8eaee44f3da03e34fac8a6c95f5afc083d188587c684f349
  SHA512: db8c968b3415d02868bc0fb01cb6104504a058c3f6dd1769a8e56bb1c47ed830e2b8d8e9873cd6fbfd15dfff4d46999f1562cb06c8427d9b007108ad1793f998
- memory/1780-136-0x0000000000000000-mapping.dmp
- memory/1780-141-0x0000000000C30000-0x000000000146A000-memory.dmp (Filesize: 8.2MB)
- memory/1780-142-0x0000000077DF0000-0x0000000077F93000-memory.dmp (Filesize: 1.6MB)
- memory/2584-132-0x0000000077DF0000-0x0000000077F93000-memory.dmp (Filesize: 1.6MB)
- memory/2584-133-0x0000000000F40000-0x000000000177A000-memory.dmp (Filesize: 8.2MB)
- memory/2584-134-0x0000000005DF0000-0x0000000005E82000-memory.dmp (Filesize: 584KB)
- memory/2584-135-0x0000000006440000-0x00000000069E4000-memory.dmp (Filesize: 5.6MB)