Overview

Analysis tasks (score out of 10, sample, platform):

| Score | Sample | Platform |
| --- | --- | --- |
| 10 | Static | - |
| 10 | 0b74a99460...69.exe | windows10-1703-x64 |
| 10 | 0b74a99460...69.exe | windows7-x64 |
| 10 | 0b74a99460...69.exe | windows10-2004-x64 |
| 10 | VinyLauncher.exe | windows10-1703-x64 |
| 10 | VinyLauncher.exe | windows7-x64 |
| 8 | VinyLauncher.exe | windows10-2004-x64 |
| 10 | a2719b1149...56.exe | windows10-1703-x64 |
| 10 | a2719b1149...56.exe | windows7-x64 |
| 10 | a2719b1149...56.exe | windows10-2004-x64 |
| 10 | e6b6a16d17...58.exe | windows10-1703-x64 |
| 10 | e6b6a16d17...58.exe | windows7-x64 |
| 10 | e6b6a16d17...58.exe | windows10-2004-x64 |
| 10 | tmp.exe | windows10-1703-x64 |
| 10 | tmp.exe | windows7-x64 |
| 10 | tmp.exe | windows10-2004-x64 |
Resubmissions

| Score | Submitted | Task ID |
| --- | --- | --- |
| 10 | 26-12-2022 00:04 | 221226-acrmcafe2y |
| 10 | 26-12-2022 00:03 | 221226-acfvvafe2x |
| 10 | 26-12-2022 00:03 | 221226-ab851acc75 |
| 10 | 26-12-2022 00:03 | 221226-ab3m8afe2w |
| 10 | 26-12-2022 00:02 | 221226-abs4sacc74 |
| 10 | 26-12-2022 00:01 | 221226-abb59scc72 |

Analysis
- max time kernel: 119s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-12-2022 00:03
Behavioral tasks

| Task | Sample | Resource |
| --- | --- | --- |
| behavioral1 | 0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exe | win10-20220812-en |
| behavioral2 | 0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exe | win7-20220812-en |
| behavioral3 | 0b74a99460e2b8051d917c392d1079a646435188b84d6998afed2c458bf83a69.exe | win10v2004-20221111-en |
| behavioral4 | VinyLauncher.exe | win10-20220901-en |
| behavioral5 | VinyLauncher.exe | win7-20221111-en |
| behavioral6 | VinyLauncher.exe | win10v2004-20220812-en |
| behavioral7 | a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe | win10-20220812-en |
| behavioral8 | a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe | win7-20221111-en |
| behavioral9 | a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe | win10v2004-20221111-en |
| behavioral10 | e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe | win10-20220812-en |
| behavioral11 | e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe | win7-20221111-en |
| behavioral12 | e6b6a16d17784fdcb240af7ff962b014d7d61d391a99293c8d2fad5dc2805458.exe | win10v2004-20220901-en |
| behavioral13 | tmp.exe | win10-20220812-en |
| behavioral14 | tmp.exe | win7-20221111-en |
| behavioral15 | tmp.exe | win10v2004-20220812-en |
General

- Target: a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe
- Size: 1.7MB
- MD5: c090c2077f7c71e38f4b7fedfe0ef1e3
- SHA1: 2d01b3e7f9f80961aa6bada443a5d969bf88c052
- SHA256: a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56
- SHA512: 150d46cd92ab52985ee1cfa197ecfb50fe83c3d7070b99ffd187e72582b6b539e63edb990dc820882a900f446512c391557848568c35d57382abb48207e0d028
- SSDEEP: 24576:U2G/nvxW3Ww0tjWmsIUvGdf4wNKfgo9WB4E/rR9NVGIoUtcrneDa0kPs/MQdb6Of:UbA30jW9vgwrng9EIZyqa0esNnN5P
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

| resource | yara_rule |
| --- | --- |
| C:\ServerReview\bridgeProviderref.exe | dcrat |
| C:\ServerReview\bridgeProviderref.exe | dcrat |
| behavioral9/memory/1308-139-0x0000000000BC0000-0x0000000000D38000-memory.dmp | dcrat |
| C:\Users\Default\RuntimeBroker.exe | dcrat |
| C:\Users\Default User\RuntimeBroker.exe | dcrat |

Process spawned unexpected child process (6 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.

| description | pid | pid_target | process |
| --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2816 | 1952 | schtasks.exe |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3436 | 1952 | schtasks.exe |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 364 | 1952 | schtasks.exe |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1936 | 1952 | schtasks.exe |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1720 | 1952 | schtasks.exe |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1836 | 1952 | schtasks.exe |

Executes dropped EXE (2 IoCs)

| pid | process |
| --- | --- |
| 1308 | bridgeProviderref.exe |
| 1560 | RuntimeBroker.exe |

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.

| description | ioc | process |
| --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | WScript.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | bridgeProviderref.exe |

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 6 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

| pid | process |
| --- | --- |
| 3436 | schtasks.exe |
| 364 | schtasks.exe |
| 1936 | schtasks.exe |
| 1720 | schtasks.exe |
| 1836 | schtasks.exe |
| 2816 | schtasks.exe |

Modifies registry class (1 IoCs)

| description | ioc | process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings | a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe |

Suspicious behavior: EnumeratesProcesses (15 IoCs)

| pid | process |
| --- | --- |
| 1308 | bridgeProviderref.exe |
| 1560 | RuntimeBroker.exe (14 entries) |

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)

| pid | process |
| --- | --- |
| 1560 | RuntimeBroker.exe |

Suspicious use of AdjustPrivilegeToken (2 IoCs)

| description | pid | process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 1308 | bridgeProviderref.exe |
| Token: SeDebugPrivilege | 1560 | RuntimeBroker.exe |

Suspicious use of SetWindowsHookEx (1 IoCs)

| pid | process |
| --- | --- |
| 1560 | RuntimeBroker.exe |

Suspicious use of WriteProcessMemory (10 IoCs)

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 4172 wrote to memory of 2016 | 4172 | a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe | WScript.exe |
| PID 4172 wrote to memory of 2016 | 4172 | a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe | WScript.exe |
| PID 4172 wrote to memory of 2016 | 4172 | a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe | WScript.exe |
| PID 2016 wrote to memory of 4756 | 2016 | WScript.exe | cmd.exe |
| PID 2016 wrote to memory of 4756 | 2016 | WScript.exe | cmd.exe |
| PID 2016 wrote to memory of 4756 | 2016 | WScript.exe | cmd.exe |
| PID 4756 wrote to memory of 1308 | 4756 | cmd.exe | bridgeProviderref.exe |
| PID 4756 wrote to memory of 1308 | 4756 | cmd.exe | bridgeProviderref.exe |
| PID 1308 wrote to memory of 1560 | 1308 | bridgeProviderref.exe | RuntimeBroker.exe |
| PID 1308 wrote to memory of 1560 | 1308 | bridgeProviderref.exe | RuntimeBroker.exe |
Processes

Process tree (indentation shows parent/child depth; each entry gives the image path, the command line, and the signatures that fired on it):

C:\Users\Admin\AppData\Local\Temp\a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a2719b1149f9c0b195701ccb3050b8bb6ae5facb1845f8b562bbe48b96c69a56.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\ServerReview\MzalesUHq9EVa0XF.vbe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\ServerReview\sWa1toVd2dh5viFItIPl1K.bat" "
          - Suspicious use of WriteProcessMemory

            C:\ServerReview\bridgeProviderref.exe
              Command line: "C:\ServerReview\bridgeProviderref.exe"
              - Executes dropped EXE
              - Checks computer location settings
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory

                C:\Users\Default User\RuntimeBroker.exe
                  Command line: "C:\Users\Default User\RuntimeBroker.exe"
                  - Executes dropped EXE
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious behavior: GetForegroundWindowSpam
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads