Analysis
-
max time kernel
138s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system -
submitted
22-07-2024 06:30
Behavioral task
behavioral1
Sample
05fc0bdf63407c4bf2aa13262366cec5.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
05fc0bdf63407c4bf2aa13262366cec5.exe
Resource
win10v2004-20240709-en
General
-
Target
05fc0bdf63407c4bf2aa13262366cec5.exe
-
Size
624KB
-
MD5
05fc0bdf63407c4bf2aa13262366cec5
-
SHA1
3c25001232633ced8c5dbd159793f5db7b9bd3c8
-
SHA256
7c00050f9a74c897dc0b917b07898b14150329571584ed3d7928d7c59b974c2b
-
SHA512
9513fb1767b3f7c480c86e9958df83e30f19f0b487f7e37b844266a968dfe9b4275e4fe3c11118a5ccace381d69e928dab61a32b113095b3a2f3f83bc6a821e4
-
SSDEEP
12288:aRZ+IoG/n9IQxW3OBsee2X+t4Rb/32N7QqcLCf8VIP9A2oxldxDZt:U2G/nvxW3Ww0t/32NCkC2o5xD7
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a .NET RAT active since June 2019 that can load additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: portProviderRef.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\RuntimeBroker.exe\"" | portProviderRef.exe
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe, schtasks.exe, schtasks.exe
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3228 | 4240 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 748 | 4240 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4484 | 4240 | schtasks.exe |
-
Processes:
resource | yara_rule
C:\browserperfMonitor\portProviderRef.exe | dcrat
behavioral2/memory/2728-12-0x0000000000EC0000-0x0000000000F16000-memory.dmp | dcrat
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up the country code configured in the registry, likely a geofence check.
Processes: 05fc0bdf63407c4bf2aa13262366cec5.exe, WScript.exe, portProviderRef.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation | 05fc0bdf63407c4bf2aa13262366cec5.exe
Key value queried | \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation | portProviderRef.exe
-
Executes dropped EXE 2 IoCs
Processes: portProviderRef.exe, RuntimeBroker.exe
pid | process
2728 | portProviderRef.exe
872 | RuntimeBroker.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: portProviderRef.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:/Users/Admin/AppData/Local/\\RuntimeBroker.exe\"" | portProviderRef.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:/Users/Admin/AppData/Local/\\RuntimeBroker.exe\"" | portProviderRef.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
Processes: 05fc0bdf63407c4bf2aa13262366cec5.exe, portProviderRef.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000_Classes\Local Settings | 05fc0bdf63407c4bf2aa13262366cec5.exe
Key created | \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000_Classes\Local Settings | portProviderRef.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe, schtasks.exe
pid | process
3228 | schtasks.exe
748 | schtasks.exe
4484 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes: portProviderRef.exe, RuntimeBroker.exe
pid | process
2728 | portProviderRef.exe
872 | RuntimeBroker.exe
872 | RuntimeBroker.exe
872 | RuntimeBroker.exe
872 | RuntimeBroker.exe
872 | RuntimeBroker.exe
872 | RuntimeBroker.exe
872 | RuntimeBroker.exe
872 | RuntimeBroker.exe
872 | RuntimeBroker.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: RuntimeBroker.exe
pid | process
872 | RuntimeBroker.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: portProviderRef.exe, RuntimeBroker.exe
description | pid | process
Token: SeDebugPrivilege | 2728 | portProviderRef.exe
Token: SeDebugPrivilege | 872 | RuntimeBroker.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes: 05fc0bdf63407c4bf2aa13262366cec5.exe, WScript.exe, cmd.exe, portProviderRef.exe, cmd.exe
description | pid | process | target process
PID 2464 wrote to memory of 2556 | 2464 | 05fc0bdf63407c4bf2aa13262366cec5.exe | WScript.exe
PID 2464 wrote to memory of 2556 | 2464 | 05fc0bdf63407c4bf2aa13262366cec5.exe | WScript.exe
PID 2464 wrote to memory of 2556 | 2464 | 05fc0bdf63407c4bf2aa13262366cec5.exe | WScript.exe
PID 2556 wrote to memory of 4868 | 2556 | WScript.exe | cmd.exe
PID 2556 wrote to memory of 4868 | 2556 | WScript.exe | cmd.exe
PID 2556 wrote to memory of 4868 | 2556 | WScript.exe | cmd.exe
PID 4868 wrote to memory of 2728 | 4868 | cmd.exe | portProviderRef.exe
PID 4868 wrote to memory of 2728 | 4868 | cmd.exe | portProviderRef.exe
PID 2728 wrote to memory of 1088 | 2728 | portProviderRef.exe | cmd.exe
PID 2728 wrote to memory of 1088 | 2728 | portProviderRef.exe | cmd.exe
PID 1088 wrote to memory of 1384 | 1088 | cmd.exe | w32tm.exe
PID 1088 wrote to memory of 1384 | 1088 | cmd.exe | w32tm.exe
PID 1088 wrote to memory of 872 | 1088 | cmd.exe | RuntimeBroker.exe
PID 1088 wrote to memory of 872 | 1088 | cmd.exe | RuntimeBroker.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
1 C:\Users\Admin\AppData\Local\Temp\05fc0bdf63407c4bf2aa13262366cec5.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\05fc0bdf63407c4bf2aa13262366cec5.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2464
  2 C:\Windows\SysWOW64\WScript.exe
    cmdline: "C:\Windows\System32\WScript.exe" "C:\browserperfMonitor\vkP8jBMFLUV3sBPqx5nb72wkkbdxGy.vbe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2556
    3 C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c ""C:\browserperfMonitor\Djd9PDHmb.bat" "
      - Suspicious use of WriteProcessMemory
      PID:4868
      4 C:\browserperfMonitor\portProviderRef.exe
        cmdline: "C:\browserperfMonitor\portProviderRef.exe"
        - Modifies WinLogon for persistence
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID:2728
        5 C:\Windows\System32\cmd.exe
          cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zK52lkeuoZ.bat"
          - Suspicious use of WriteProcessMemory
          PID:1088
          6 C:\Windows\system32\w32tm.exe
            cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            PID:1384
          6 C:\Users\Admin\AppData\Local\RuntimeBroker.exe
            cmdline: "C:/Users/Admin/AppData/Local/\RuntimeBroker.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            PID:872
-
1 C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:/Users/Admin/AppData/Local/\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:3228
-
1 C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:748
-
1 C:\Windows\system32\schtasks.exe
  cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:/Users/Admin/AppData/Local/\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID:4484
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (2)
  Registry Run Keys / Startup Folder (1)
  Winlogon Helper DLL (1)
Scheduled Task/Job (1)
  Scheduled Task (1)
Downloads
-
Filesize
212B
MD5 bd9710bb819e6393af51accf9d681b84
SHA1 e04ab7d05ebc46b70dfb3abff15b3298c2713189
SHA256 682c35e167838c336cd83e225aa077a43110785ab3cac0279fb360abfa78a186
SHA512 9165d1a7374f0ac7b1aab4eb4a26921c64c94a91030ae7240a439a7a189af9b220d927c7f4e8d3b7347161216e4daf5c634743dac9b6d52795446f19a86b79a7
-
Filesize
43B
MD5 e6c63fa184d2f4c5d38e9b525bfddb81
SHA1 feb5e4b45154422a4e84dfcdc2279d3cb75901ff
SHA256 ce100b5fc38b08ad9df71883aea94f49083eb8bbec1ddc7c3a5f3c6a7514ec5b
SHA512 595fd643b0caaabb87fda59acd1fcd3bd953beb7b6e334e1724fd3d33fcc86d854e70d8bf080cac097eb3ddf180c95d0b9773f25aadfd66c1759adc5b2b7fe69
-
Filesize
315KB
MD5 0d11a32c038c7f303ad3c020717c007d
SHA1 fffea33c9efe66d4c343d926e30aa114e5d5967d
SHA256 246bbbec6cc0c1fa290496f764d38451b8f0b64d3ff08f587e0814fd49198757
SHA512 1afd437ee901fa934a7c425bed6a95b4b3cd303c3383e99ded4d4ef38e0e758d82febbf2030a2a7b3af131f03e1bf8d9cedf326cc221ef57e733e5c97cb24ff7
-
Filesize
201B
MD5 b7a2b70763db60fd1a9698cc2f1673b5
SHA1 233ef75d111f6b43cc8d2cd0d9e84479d04d2e2e
SHA256 2ed7cb88c0f405254bc9051c1fb58477bb7d046f59d94c7ec1fe7b03448751f7
SHA512 1c8c757064e8b1ada32149a9d2d08ecf75d3936055c5f7d4d43dd82bcbfefbb00c1f038e02e935de6713ced80e6026c9185875f4402d760842bfc804edbef74b