Analysis
- max time kernel: 95s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-03-2023 00:06
Behavioral task behavioral1
- Sample: B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
- Resource: win7-20230220-en
Behavioral task behavioral2
- Sample: B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
- Resource: win10v2004-20230220-en
General
- Target: B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
- Size: 1.1MB
- MD5: 8d491e642b1402ee5bf8d1417c437da1
- SHA1: cddc7a2610d738c4ddf11c1bf008e045741138d4
- SHA256: b76961ad3762546d1b341cbc337ac3d8a5f8def28d190ff6c7595066b4eedc72
- SHA512: a4dd0758bcb48344172d8a2deab3999fc3c1a7172a2cc4a437510222bdf7db4aaed80852c562c1e773d5fd0c45a531bc37e52ee5130ac72f4ebc0323a7563377
- SSDEEP: 24576:AJ8kuxCAZLI3rjRUfM+7HeWhUsus8k9bYUE/oXc02+4:Zdqi7j3E/oM0R
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
YARA matches (resource: rule):
- behavioral2/memory/3500-133-0x00000000004A0000-0x00000000005C2000-memory.dmp: dcrat
- C:\Users\sihost.exe: dcrat
- C:\Recovery\WindowsRE\RuntimeBroker.exe: dcrat
- C:\Recovery\WindowsRE\RuntimeBroker.exe: dcrat
-
Process spawned unexpected child process (6 IoCs)
This typically indicates the parent process was compromised via an exploit or macro. For this sample the more likely reading is that the tasks were created through WMI: the WMI Provider Host (wmiprvse.exe) starts the requested process on the caller's behalf, so the six schtasks.exe instances carry wmiprvse.exe as their parent and appear as top-level entries in the process tree rather than under the sample's PID 3500.
Processes (pid, pid_target, process):
- 3268, 4116, schtasks.exe: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
- 4776, 4116, schtasks.exe: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
- 3016, 4116, schtasks.exe: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
- 4196, 4116, schtasks.exe: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
- 1320, 4116, schtasks.exe: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
- 1936, 4116, schtasks.exe: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation, by B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
-
Executes dropped EXE (1 IoC)
Processes:
- PID 3852: RuntimeBroker.exe
-
Adds Run key to start application (2 TTPs, 6 IoCs)
Processes (all values set as type str by B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe):
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190 = "C:\odt\B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe"
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "C:\PerfLogs\sihost.exe"
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "C:\Windows\System32\DmNotificationBroker\RuntimeBroker.exe"
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "C:\Recovery\WindowsRE\RuntimeBroker.exe"
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "C:\Windows\System32\wbem\ppcRsopCompSchema\unsecapp.exe"
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "C:\Documents and Settings\sihost.exe"
The value names sihost and RuntimeBroker are each written twice with different paths; under one Run key a later write to the same value name replaces the earlier one, so only the last path for each name survives. The chosen names (sihost.exe, RuntimeBroker.exe, unsecapp.exe) are genuine Windows components, but the real ones live in C:\Windows\System32 (unsecapp.exe in System32\wbem); the dropped copies sit in C:\PerfLogs, C:\Recovery\WindowsRE and invented subdirectories of System32. C:\Documents and Settings is a junction to C:\Users on Windows Vista and later, which is why the same file appears as C:\Users\sihost.exe in the YARA matches and the Downloads list.
-
Drops file in System32 directory (4 IoCs)
Processes (files created by B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe):
- C:\Windows\System32\DmNotificationBroker\RuntimeBroker.exe
- C:\Windows\System32\DmNotificationBroker\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d
- C:\Windows\System32\wbem\ppcRsopCompSchema\unsecapp.exe
- C:\Windows\System32\wbem\ppcRsopCompSchema\29c1c3cc0f76855c7e7456076a4ffc27e4947119
-
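As an added example (not part of the sandbox report and not the malware's own code): a small triage script that takes persistence targets such as the Run values and scheduled-task targets listed above and flags binaries whose file name imitates a Windows component but whose directory is not that component's real home. The expected-location table, the sample entries and the benign control are assumptions constructed from this report.

```python
"""Flag persistence targets that borrow a Windows binary's name but live in the
wrong directory (added example; sample data constructed from this report)."""
import ntpath

# Assumed reference table: where the imitated binaries live on a stock
# Windows 10 install. Extend it with whatever names your environment sees abused.
EXPECTED_DIR = {
    "sihost.exe": r"C:\Windows\System32",
    "runtimebroker.exe": r"C:\Windows\System32",
    "unsecapp.exe": r"C:\Windows\System32\wbem",
}


def unquote(value: str) -> str:
    """Peel nested quoting as it appears in Run values (double quotes) and
    schtasks /tr arguments (single quotes inside double quotes), in any order."""
    v = value.strip()
    while len(v) >= 2 and v[0] == v[-1] and v[0] in "\"'":
        v = v[1:-1].strip()
    return v


def masquerade_verdict(image_path: str):
    """Return (is_masquerade, reason) for a single persistence target."""
    path = unquote(image_path)
    name = ntpath.basename(path).lower()
    expected = EXPECTED_DIR.get(name)
    if expected is None:
        return False, f"{name}: not a tracked system binary name"
    actual = ntpath.normpath(ntpath.dirname(path))
    if actual.lower() == ntpath.normpath(expected).lower():
        return False, f"{name}: in its expected directory"
    return True, f"{name}: expected under {expected}, found under {actual}"


# Constructed sample: the Run values and task targets this report lists,
# plus one benign control entry (the real sihost.exe in its real location).
SAMPLE_PERSISTENCE = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost",
     r'"C:\PerfLogs\sihost.exe"'),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker",
     r'"C:\Windows\System32\DmNotificationBroker\RuntimeBroker.exe"'),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp",
     r'"C:\Windows\System32\wbem\ppcRsopCompSchema\unsecapp.exe"'),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190",
     r'"C:\odt\B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe"'),
    ("schtasks /tn RuntimeBroker", r"'C:\Recovery\WindowsRE\RuntimeBroker.exe'"),
    ("schtasks /tn sihost", r"'C:\Documents and Settings\sihost.exe'"),
    ("control (legitimate)", r'"C:\Windows\System32\sihost.exe"'),
]


def triage(entries):
    """Return [(source, cleaned path, reason)] for entries judged masquerades."""
    hits = []
    for source, raw in entries:
        flagged, reason = masquerade_verdict(raw)
        if flagged:
            hits.append((source, unquote(raw), reason))
    return hits


if __name__ == "__main__":
    for source, path, reason in triage(SAMPLE_PERSISTENCE):
        print(f"[MASQUERADE] {source}\n    {path}\n    {reason}")
```

Run against the sample data this flags five of the seven entries; the sample's own odt copy is not flagged because its name imitates nothing, and the control entry passes because the real sihost.exe sits where the table expects it. On a live host the same function can be fed the values enumerated from the Run keys and from each task's Actions element.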
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description tags this as likely ransomware behaviour; nothing else in this report (no mass file writes, no encryption, no ransom note) supports that for this sample, and for a RAT drive enumeration is more consistent with host profiling.
-
Creates scheduled task(s) (1 TTP, 6 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- PID 3268: schtasks.exe
- PID 4776: schtasks.exe
- PID 3016: schtasks.exe
- PID 4196: schtasks.exe
- PID 1320: schtasks.exe
- PID 1936: schtasks.exe
All six tasks (command lines in the process tree below) are created with /sc ONLOGON and /rl HIGHEST, i.e. they run with the highest available privileges at every logon, and /f silently replaces an existing task of the same name, so the second sihost and RuntimeBroker tasks overwrite the first.
-
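As an added example, not code from the report or from the malware: a handful of detection rules over Sysmon-style process-creation records that cover the two signatures above (WMI Provider Host spawning schtasks.exe; ONLOGON tasks at HIGHEST run level) together with the w32tm delay and the launch from C:\Recovery seen in the process tree. The event records are constructed from this report's tree; the LOLBin list, the odd-directory list, the benign control record and the field names are assumptions of the example.

```python
"""Rules over Sysmon-style process-creation records that reproduce the lineage
signatures in this report (added example; events constructed from the tree)."""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    ppid: int
    parent_image: str


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


# Assumed policy lists for this example; tune them to the environment.
WMI_HOST = "wmiprvse.exe"
LOLBINS = {"schtasks.exe", "cmd.exe", "powershell.exe", "rundll32.exe",
           "regsvr32.exe", "mshta.exe", "wscript.exe"}
ODD_DIRS = (r"c:\recovery", r"c:\perflogs")


def rule_wmi_spawned_lolbin(ev: ProcEvent) -> bool:
    """WMI Provider Host launching a LOLBin: process creation via WMI, which
    detaches the child from the real requester in the process tree."""
    return _name(ev.parent_image) == WMI_HOST and _name(ev.image) in LOLBINS


def rule_onlogon_highest_task(ev: ProcEvent) -> bool:
    """schtasks /create with an ONLOGON trigger and HIGHEST run level."""
    cl = ev.cmdline.lower()
    return (_name(ev.image) == "schtasks.exe" and "/create" in cl
            and "/sc onlogon" in cl and "/rl highest" in cl)


def rule_w32tm_as_sleep(ev: ProcEvent) -> bool:
    """w32tm /stripchart against localhost has no time-sync purpose; dropper
    batch files use it as a blocking delay."""
    cl = ev.cmdline.lower()
    return (_name(ev.image) == "w32tm.exe" and "/stripchart" in cl
            and "/computer:localhost" in cl)


def rule_exec_from_odd_dir(ev: ProcEvent) -> bool:
    """Executable started from a directory no normal program runs from."""
    d = ntpath.normpath(ntpath.dirname(ev.image)).lower()
    return any(d == p or d.startswith(p + "\\") for p in ODD_DIRS)


RULES = {
    "wmi_spawned_lolbin": rule_wmi_spawned_lolbin,
    "onlogon_highest_task": rule_onlogon_highest_task,
    "w32tm_as_sleep": rule_w32tm_as_sleep,
    "exec_from_odd_dir": rule_exec_from_odd_dir,
}


def evaluate(events):
    """Map pid -> matched rule names, for events matching at least one rule."""
    hits = {}
    for ev in events:
        matched = [name for name, rule in RULES.items() if rule(ev)]
        if matched:
            hits[ev.pid] = matched
    return hits


def lineage(events, pid):
    """Walk ppid links so an alert carries its ancestry; stops where the
    parent is not in the record set (as for the WMI-launched schtasks)."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        ev = by_pid[pid]
        chain.append(f"{ev.pid}:{_name(ev.image)}")
        pid = ev.ppid
    return " <- ".join(chain)


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe"
CMD = r"C:\Windows\System32\cmd.exe"
WMI = r"C:\Windows\system32\wbem\wmiprvse.exe"
SCHTASKS = r"C:\Windows\system32\schtasks.exe"

# Constructed from the report's process tree (PIDs as listed there); the
# last record is a benign control, a daily task created from an interactive shell.
EVENTS = [
    ProcEvent(4736, CMD, r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FwdOhaSqLE.bat"', 3500, SAMPLE),
    ProcEvent(312, r"C:\Windows\system32\chcp.com", "chcp 65001", 4736, CMD),
    ProcEvent(224, r"C:\Windows\system32\w32tm.exe",
              "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2", 4736, CMD),
    ProcEvent(3852, r"C:\Recovery\WindowsRE\RuntimeBroker.exe",
              r'"C:\Recovery\WindowsRE\RuntimeBroker.exe"', 4736, CMD),
    ProcEvent(3268, SCHTASKS,
              r'''schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\PerfLogs\sihost.exe'" /rl HIGHEST /f''',
              4116, WMI),
    ProcEvent(3016, SCHTASKS,
              r'''schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f''',
              4116, WMI),
    ProcEvent(5000, SCHTASKS,
              r'schtasks.exe /create /tn "NightlyBackup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe"',
              5001, CMD),
]


if __name__ == "__main__":
    for pid, names in evaluate(EVENTS).items():
        print(f"{lineage(EVENTS, pid):45s} {', '.join(names)}")
```

The two schtasks records match both the WMI-parent rule and the ONLOGON/HIGHEST rule, which is the combination worth alerting on; the control task, created from cmd.exe with a DAILY trigger, matches nothing. The lineage helper shows why the WMI rule matters: for PID 3268 the chain ends at schtasks.exe itself, because the true requester (PID 3500) is not its recorded parent.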
Modifies registry class (1 IoC)
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings, by B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- PID 3500: B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
- PID 3852: RuntimeBroker.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 3500, B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
- Token: SeDebugPrivilege, PID 3852, RuntimeBroker.exe
-
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
- PID 3500 (B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe) wrote to memory of PID 4736 (cmd.exe), logged twice
- PID 4736 (cmd.exe) wrote to memory of PID 312 (chcp.com), logged twice
- PID 4736 (cmd.exe) wrote to memory of PID 224 (w32tm.exe), logged twice
- PID 4736 (cmd.exe) wrote to memory of PID 3852 (RuntimeBroker.exe), logged twice
Every write here goes from a parent to a child it has just created, which is the normal part of process start-up that this hook also catches; nothing in the list indicates injection into an unrelated process.
-
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- PID 3500: C:\Users\Admin\AppData\Local\Temp\B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - PID 4736: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FwdOhaSqLE.bat"
    - Suspicious use of WriteProcessMemory
    - PID 312: C:\Windows\system32\chcp.com
      Command line: chcp 65001
    - PID 224: C:\Windows\system32\w32tm.exe
      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    - PID 3852: C:\Recovery\WindowsRE\RuntimeBroker.exe
      Command line: "C:\Recovery\WindowsRE\RuntimeBroker.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- PID 3268: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\PerfLogs\sihost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- PID 4776: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\DmNotificationBroker\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- PID 3016: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- PID 4196: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System32\wbem\ppcRsopCompSchema\unsecapp.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- PID 1320: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Documents and Settings\sihost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- PID 1936: C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190" /sc ONLOGON /tr "'C:\odt\B76961AD3762546D1B341CBC337AC3D8A5F8DEF28D190.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
Reading the tree: the dropped batch file FwdOhaSqLE.bat first switches the console code page to UTF-8 (chcp 65001), then runs w32tm /stripchart against localhost, which has no time-synchronisation purpose here and simply blocks while it takes its samples (/period:5 /samples:2, a common stand-in for timeout or sleep in dropper scripts), and finally starts the copied payload from C:\Recovery\WindowsRE. The six schtasks.exe processes have no parent in the tree because their recorded parent is wmiprvse.exe (PID 4116), as the "Process spawned unexpected child process" signature shows.
Network
Downloads
- C:\Recovery\WindowsRE\RuntimeBroker.exe (listed twice in the report with identical hashes)
  Filesize: 1.1MB
  MD5: 8d491e642b1402ee5bf8d1417c437da1
  SHA1: cddc7a2610d738c4ddf11c1bf008e045741138d4
  SHA256: b76961ad3762546d1b341cbc337ac3d8a5f8def28d190ff6c7595066b4eedc72
  SHA512: a4dd0758bcb48344172d8a2deab3999fc3c1a7172a2cc4a437510222bdf7db4aaed80852c562c1e773d5fd0c45a531bc37e52ee5130ac72f4ebc0323a7563377
- C:\Users\Admin\AppData\Local\Temp\FwdOhaSqLE.bat
  Filesize: 255B
  MD5: 7a3207c8978ebe5a93df76024e8bd415
  SHA1: 9eef60c1f199e47220d225c96e498297bd74d56a
  SHA256: d0a668c5342a130e9809d14414c1c913f92a50cc10a95efb4019da7e70c4a62e
  SHA512: ae57e16a64ce8df92310773fc3e8a7ff54fba76e32c6b39e168adc66a09b34814fac36a6de6e07b2d8e2e43de18daa4342681273c812b04e6ab99a3fcd71d52a
- C:\Users\sihost.exe
  Filesize: 1.1MB
  MD5: 8d491e642b1402ee5bf8d1417c437da1
  SHA1: cddc7a2610d738c4ddf11c1bf008e045741138d4
  SHA256: b76961ad3762546d1b341cbc337ac3d8a5f8def28d190ff6c7595066b4eedc72
  SHA512: a4dd0758bcb48344172d8a2deab3999fc3c1a7172a2cc4a437510222bdf7db4aaed80852c562c1e773d5fd0c45a531bc37e52ee5130ac72f4ebc0323a7563377
- memory/3500-133-0x00000000004A0000-0x00000000005C2000-memory.dmp
  Filesize: 1.1MB
- memory/3500-134-0x000000001B110000-0x000000001B120000-memory.dmp
  Filesize: 64KB
The dropped RuntimeBroker.exe and sihost.exe carry the same MD5, SHA1, SHA256 and SHA512 as the submitted sample: they are byte-identical self-copies, so a single hash block on b76961ad3762546d1b341cbc337ac3d8a5f8def28d190ff6c7595066b4eedc72 covers every executable this run wrote to disk. Only the batch file has a distinct hash.