Overview
overview
10Static
static
102222-main/Build.exe
windows7-x64
102222-main/Build.exe
windows10-2004-x64
102222-main/...se.dll
windows7-x64
12222-main/...se.dll
windows10-2004-x64
2222-main/OTC.dll
windows7-x64
12222-main/OTC.dll
windows10-2004-x64
12222-main/OTC2.dll
windows7-x64
12222-main/OTC2.dll
windows10-2004-x64
12222-main/aurora.dll
windows7-x64
12222-main/aurora.dll
windows10-2004-x64
12222-main/...ty.dll
windows7-x64
32222-main/...ty.dll
windows10-2004-x64
32222-main/gan.exe
windows7-x64
62222-main/gan.exe
windows10-2004-x64
102222-main/mySThe.exe
windows7-x64
102222-main/mySThe.exe
windows10-2004-x64
102222-main/myporno.exe
windows7-x64
72222-main/myporno.exe
windows10-2004-x64
102222-main/pandora.dll
windows7-x64
32222-main/pandora.dll
windows10-2004-x64
32222-main/pass.exe
windows7-x64
102222-main/pass.exe
windows10-2004-x64
102222-main/petya.exe
windows7-x64
62222-main/petya.exe
windows10-2004-x64
62222-main/sheyhST.exe
windows7-x64
102222-main/sheyhST.exe
windows10-2004-x64
102222-main/...io.exe
windows7-x64
62222-main/...io.exe
windows10-2004-x64
72222-main/test.exe
windows7-x64
32222-main/test.exe
windows10-2004-x64
72222-main/token.exe
windows7-x64
62222-main/token.exe
windows10-2004-x64
6Analysis
-
max time kernel
128s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
11-03-2024 18:51
Behavioral task
behavioral1
Sample
2222-main/Build.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2222-main/Build.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
2222-main/NanoSense.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
2222-main/NanoSense.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
2222-main/OTC.dll
Resource
win7-20231129-en
Behavioral task
behavioral6
Sample
2222-main/OTC.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
2222-main/OTC2.dll
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
2222-main/OTC2.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
2222-main/aurora.dll
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
2222-main/aurora.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral11
Sample
2222-main/fatality.dll
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
2222-main/fatality.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral13
Sample
2222-main/gan.exe
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
2222-main/gan.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral15
Sample
2222-main/mySThe.exe
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
2222-main/mySThe.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral17
Sample
2222-main/myporno.exe
Resource
win7-20231129-en
Behavioral task
behavioral18
Sample
2222-main/myporno.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral19
Sample
2222-main/pandora.dll
Resource
win7-20240215-en
Behavioral task
behavioral20
Sample
2222-main/pandora.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral21
Sample
2222-main/pass.exe
Resource
win7-20240221-en
Behavioral task
behavioral22
Sample
2222-main/pass.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral23
Sample
2222-main/petya.exe
Resource
win7-20240221-en
Behavioral task
behavioral24
Sample
2222-main/petya.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral25
Sample
2222-main/sheyhST.exe
Resource
win7-20240221-en
Behavioral task
behavioral26
Sample
2222-main/sheyhST.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral27
Sample
2222-main/stpastio.exe
Resource
win7-20240221-en
Behavioral task
behavioral28
Sample
2222-main/stpastio.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral29
Sample
2222-main/test.exe
Resource
win7-20240221-en
Behavioral task
behavioral30
Sample
2222-main/test.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral31
Sample
2222-main/token.exe
Resource
win7-20231129-en
Behavioral task
behavioral32
Sample
2222-main/token.exe
Resource
win10v2004-20240226-en
General
-
Target
2222-main/Build.exe
-
Size
1.8MB
-
MD5
9886d20dd6f3d896861cc5f8ea0ca84b
-
SHA1
96ab3affa0279d5795a29f3e1ecae37546b8bb11
-
SHA256
56ec9503792bc40353a2f197bb3a6561325d66dfe914573a9fea9ccdedd98929
-
SHA512
02272f3a85b44fa8e6806356492109474c57c2d7da7f55cba4d93e4983162ed48582a73723d06689c9e89e87ba6ed8c30e409676669af0d8604d23288cfe8079
-
SSDEEP
49152:UbA30gth6l+eGtUvcx+GXJsVXu6jFKpveKB:Ubkth6l8x+GX4erpvzB
Malware Config
Signatures
-
DcRat 5 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description ioc pid Process Key value queried \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation Build.exe 3408 schtasks.exe 4420 schtasks.exe 4456 schtasks.exe 1488 schtasks.exe -
Modifies WinLogon for persistence 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\conhost.exe\"" Connections Rontime Broker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\conhost.exe\", \"C:\\Windows\\System32\\twinapi.appcore\\taskhostw.exe\"" Connections Rontime Broker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\conhost.exe\", \"C:\\Windows\\System32\\twinapi.appcore\\taskhostw.exe\", \"C:\\Windows\\appcompat\\encapsulation\\RuntimeBroker.exe\"" Connections Rontime Broker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Documents and Settings\\conhost.exe\", \"C:\\Windows\\System32\\twinapi.appcore\\taskhostw.exe\", \"C:\\Windows\\appcompat\\encapsulation\\RuntimeBroker.exe\", \"C:\\Documents and Settings\\services.exe\"" Connections Rontime Broker.exe -
resource yara_rule behavioral2/files/0x0007000000023247-10.dat dcrat behavioral2/memory/3616-12-0x00000000000C0000-0x0000000000242000-memory.dmp dcrat behavioral2/files/0x000700000002325a-31.dat dcrat -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation Build.exe Key value queried \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation Connections Rontime Broker.exe -
Executes dropped EXE 2 IoCs
pid Process 3616 Connections Rontime Broker.exe 1916 RuntimeBroker.exe -
Adds Run key to start application 2 TTPs 8 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Documents and Settings\\conhost.exe\"" Connections Rontime Broker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\twinapi.appcore\\taskhostw.exe\"" Connections Rontime Broker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\twinapi.appcore\\taskhostw.exe\"" Connections Rontime Broker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\appcompat\\encapsulation\\RuntimeBroker.exe\"" Connections Rontime Broker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\appcompat\\encapsulation\\RuntimeBroker.exe\"" Connections Rontime Broker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Documents and Settings\\services.exe\"" Connections Rontime Broker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Documents and Settings\\services.exe\"" Connections Rontime Broker.exe Set value (str) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Documents and Settings\\conhost.exe\"" Connections Rontime Broker.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\System32\twinapi.appcore\taskhostw.exe Connections Rontime Broker.exe File created C:\Windows\System32\twinapi.appcore\ea9f0e6c9e2dcd4dfacdaf29ba21541fb815a988 Connections Rontime Broker.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\appcompat\encapsulation\RuntimeBroker.exe Connections Rontime Broker.exe File created C:\Windows\appcompat\encapsulation\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d Connections Rontime Broker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4420 schtasks.exe 4456 schtasks.exe 1488 schtasks.exe 3408 schtasks.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings Build.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3616 Connections Rontime Broker.exe 3616 Connections Rontime Broker.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3616 Connections Rontime Broker.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 4180 wrote to memory of 440 4180 Build.exe 91 PID 4180 wrote to memory of 440 4180 Build.exe 91 PID 4180 wrote to memory of 440 4180 Build.exe 91 PID 440 wrote to memory of 1496 440 WScript.exe 94 PID 440 wrote to memory of 1496 440 WScript.exe 94 PID 440 wrote to memory of 1496 440 WScript.exe 94 PID 1496 wrote to memory of 3616 1496 cmd.exe 98 PID 1496 wrote to memory of 3616 1496 cmd.exe 98 PID 3616 wrote to memory of 3408 3616 Connections Rontime Broker.exe 101 PID 3616 wrote to memory of 3408 3616 Connections Rontime Broker.exe 101 PID 3616 wrote to memory of 4420 3616 Connections Rontime Broker.exe 104 PID 3616 wrote to memory of 4420 3616 Connections Rontime Broker.exe 104 PID 3616 wrote to memory of 4456 3616 Connections Rontime Broker.exe 106 PID 3616 wrote to memory of 4456 3616 Connections Rontime Broker.exe 106 PID 3616 wrote to memory of 1488 3616 Connections Rontime Broker.exe 108 PID 3616 wrote to memory of 1488 3616 Connections Rontime Broker.exe 108 PID 3616 wrote to memory of 1916 3616 Connections Rontime Broker.exe 110 PID 3616 wrote to memory of 1916 3616 Connections Rontime Broker.exe 110 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2222-main\Build.exe"C:\Users\Admin\AppData\Local\Temp\2222-main\Build.exe"1⤵
- DcRat
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4180 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\RGVgokWnd3UKKWqTX.vbe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:440 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\cjuB81eCuBzfe2WUkLAq9D9a.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe"C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\Documents and Settings\conhost.exe'" /rl HIGHEST /f5⤵
- DcRat
- Creates scheduled task(s)
PID:3408
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\twinapi.appcore\taskhostw.exe'" /rl HIGHEST /f5⤵
- DcRat
- Creates scheduled task(s)
PID:4420
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\appcompat\encapsulation\RuntimeBroker.exe'" /rl HIGHEST /f5⤵
- DcRat
- Creates scheduled task(s)
PID:4456
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "services" /sc ONLOGON /tr "'C:\Documents and Settings\services.exe'" /rl HIGHEST /f5⤵
- DcRat
- Creates scheduled task(s)
PID:1488
-
-
C:\Windows\appcompat\encapsulation\RuntimeBroker.exe"C:\Windows\appcompat\encapsulation\RuntimeBroker.exe"5⤵
- Executes dropped EXE
PID:1916
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\Connections Rontime Broker.exe
Filesize1.5MB
MD5413be497be904c09aa8bfe8f0182a949
SHA19c5a69c83dbe2629290823d33c0afbce6d37f7bf
SHA2566cba34b2db52a921c97910d0e3122239c726c993b1d8c0e208f21502cfe20e21
SHA51201d60225abe49efdade7ca5c79c0c73c22931c837bc4d67703b273c84bc76903d749f75c39e4b17d29a343b53ab77a1b4c90ad9f86a08468a7d0c627439f7bee
-
C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\RGVgokWnd3UKKWqTX.vbe
Filesize273B
MD5559cdf34199c7353804d3d3550ccc3a3
SHA143da9eae85816d75b10f537452a9b5c2ef9ae1f6
SHA256c1475bfc785af561b6954cd740f44083bbdb6e15b1dabbc2249e35b5eae82108
SHA512a4431b8817a1464f54f01bc223f01c4673521e99289c010a4158d25bbe542a735b59d6a6de406e2a0efb3ed20de5958cf6bea5acb14069b9f690b0cde619c86c
-
C:\Users\Admin\AppData\Roaming\AppData\Roaming\AppData\Roaming\Microsoft\Network\Connections\Pbk\cjuB81eCuBzfe2WUkLAq9D9a.bat
Filesize108B
MD5d5f5523af702e22a702e95fadf058335
SHA1e495f695eed69a9af60dd6303b20ce0df82cadbb
SHA2565ae2bbf6e9576cb737edef26860e3f843c13b78cd77ed31ebb5578d80dbbcac3
SHA512f0fbc8757d2083e8ea93f059d0fad236c2e45f8db67c6cf11801a225bee758f0761c5eac2d468c646adcf86028f3317931e704778cc5f2d971403873c3de82b6
-
Filesize
833KB
MD5f947ecce0506d3b47f920c9e7d53c0b1
SHA19ba390f4adf3a66531b3c98028edc6fbffeea54d
SHA256da497cdcf03238e1ca3f83c767ee5931950141f6af7385714674e886d70c3273
SHA51290fd9c76541df344a99c21d8dfecd3b467755b69ab5e550efb2095820c37943c77e04c7275cc130d205a17f58577a325bbc4c98eb886136caf88419ea36e7c23