b9fed63092fd3154e4326de6063a6f9e51fde3e330d29379926090b515587681

Analysis

max time kernel
148s
max time network
153s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
14/08/2024, 12:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

DarkWave boostrap.exe
Size

2.5MB
MD5

213a74d525e22d4529e75d30d3c1d45b
SHA1

fd978ec2732d96c9b10b15305d796b8492706a44
SHA256

b9fed63092fd3154e4326de6063a6f9e51fde3e330d29379926090b515587681
SHA512

00b0f94719dad2d19803f54e02253a7df0a1d93bd7504528fe751285475c2baedf975543c8174d95abe77e394746fb853880544fee071706e6005887e5458f5e
SSDEEP

49152:3BC9Nl4EO7xPfu+vUHAvrQB612eJany5NNcilnVfWRCD:xYNlaxuHArQMJJB7VVuRY

Score

9^/10

credential_access discovery evasion spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Disables Task Manager via registry modification
evasion

Executes dropped EXE 2 IoCs

pid	Process
4488	ChainRefBrokermonitorNet.exe
4208	winlogon.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\SearchUI.exe	ChainRefBrokermonitorNet.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\SearchUI.exe	ChainRefBrokermonitorNet.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\dab4d89cac03ec	ChainRefBrokermonitorNet.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\lsass.exe	ChainRefBrokermonitorNet.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\6203df4a6bafc7	ChainRefBrokermonitorNet.exe
File created	C:\Program Files (x86)\Windows Defender\winlogon.exe	ChainRefBrokermonitorNet.exe
File created	C:\Program Files (x86)\Windows Defender\cc11b995f2a76d	ChainRefBrokermonitorNet.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Logs\dosvc\services.exe	ChainRefBrokermonitorNet.exe
File created	C:\Windows\Logs\dosvc\c5b4cb5e9653cc	ChainRefBrokermonitorNet.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DarkWave boostrap.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1652	PING.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	DarkWave boostrap.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	ChainRefBrokermonitorNet.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
208	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1652	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe
4488	ChainRefBrokermonitorNet.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4488	ChainRefBrokermonitorNet.exe
Token: SeDebugPrivilege	4208	winlogon.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 1340	4892	DarkWave boostrap.exe	73
PID 4892 wrote to memory of 1340	4892	DarkWave boostrap.exe	73
PID 4892 wrote to memory of 1340	4892	DarkWave boostrap.exe	73
PID 1340 wrote to memory of 5112	1340	WScript.exe	74
PID 1340 wrote to memory of 5112	1340	WScript.exe	74
PID 1340 wrote to memory of 5112	1340	WScript.exe	74
PID 5112 wrote to memory of 208	5112	cmd.exe	76
PID 5112 wrote to memory of 208	5112	cmd.exe	76
PID 5112 wrote to memory of 208	5112	cmd.exe	76
PID 5112 wrote to memory of 4488	5112	cmd.exe	77
PID 5112 wrote to memory of 4488	5112	cmd.exe	77
PID 4488 wrote to memory of 4372	4488	ChainRefBrokermonitorNet.exe	78
PID 4488 wrote to memory of 4372	4488	ChainRefBrokermonitorNet.exe	78
PID 4372 wrote to memory of 2024	4372	cmd.exe	80
PID 4372 wrote to memory of 2024	4372	cmd.exe	80
PID 4372 wrote to memory of 1652	4372	cmd.exe	81
PID 4372 wrote to memory of 1652	4372	cmd.exe	81
PID 4372 wrote to memory of 4208	4372	cmd.exe	82
PID 4372 wrote to memory of 4208	4372	cmd.exe	82

C:\Users\Admin\AppData\Local\Temp\DarkWave boostrap.exe
"C:\Users\Admin\AppData\Local\Temp\DarkWave boostrap.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\msnet\FamJL3jtoTyFrda82Yb0JY9iJmI8NT2x1zWl.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\msnet\hAgbALGNeQRptwxVZmIkdLB2.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:208
  - - C:\msnet\ChainRefBrokermonitorNet.exe
      "C:\msnet/ChainRefBrokermonitorNet.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4488
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hWinb08XbK.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4372
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2024
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1652
      - C:\Program Files (x86)\Windows Defender\winlogon.exe
        
        "C:\Program Files (x86)\Windows Defender\winlogon.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hWinb08XbK.bat

Filesize
180B

MD5
dd3f43607a828d2d0622fe6bb30e215e

SHA1
65e7ecfa094f4d8285d2b6c071b679943b3e490f

SHA256
6c7f31ec8d8cb47c8116fe5a0b4d7c44d887af0cba88d2dd91e1da498ac7e214

SHA512
517e03659b1daebec02c67c5702745f1fd246d4af1314cc45ae81261f968a18928a93c387e77741bea7500a3af4e3efb36549454c9942b1a0611b49c73957adf

Download Submit
C:\msnet\ChainRefBrokermonitorNet.exe

Filesize
2.2MB

MD5
7d5fce6d7240cf2da41113707dfca138

SHA1
184af9016ed6bb147116224bb09597d207387f5f

SHA256
a93150d90eff860ca9660bd13a663dac1027a0c7dc22c3ee839bafcce4984bfa

SHA512
3ed02ab90f78d2cc8e40923595c8148802122bd89bc076fd66e8efde7ad00a5a07d08cb3618a04c1d98003dcdb4dc5c24d51a035eaaae7ee9fdbe5b9700ea0a2

Download Submit
C:\msnet\FamJL3jtoTyFrda82Yb0JY9iJmI8NT2x1zWl.vbe

Filesize
208B

MD5
bb402dd37ccddf3aeb62319d6d8441e7

SHA1
8440a6578d443dccb0a0ad858c3751a7b094818e

SHA256
52a94c6eefa163f00c62cab0fc4b90b8bc766aa9a0c40ca3d191b441fdd4ab21

SHA512
440f56ae851e2446b5ff78475da3b2f5627fd9a38d7e988ed1cf76452029a844ba862abc76e7a1bef9eb40de0e3cb8ffca5ff046ca68193c8621ada843126107

Download Submit
C:\msnet\hAgbALGNeQRptwxVZmIkdLB2.bat

Filesize
203B

MD5
cd40d9fbf7b77f6d592f67d8f4d655ce

SHA1
e166c7455e1554e014e461d05f60c318b5c370ee

SHA256
6834e359b444d07121bc7822bcbe95c3b08069f515d4ccc71b233b36d45b67d7

SHA512
18aa58f6f04ffe7f2d4a00e160b92920282f84eb0f674c749d23184f3aa677fd79bc4a9ecb679d03df3663ca6b4cfc4d1a2d77727460179492398976a6d1eb33

Download Submit
memory/4208-64-0x000000001BFC0000-0x000000001C07F000-memory.dmp

Filesize
764KB

Download
memory/4488-23-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/4488-20-0x000000001B4B0000-0x000000001B4CC000-memory.dmp

Filesize
112KB

Download
memory/4488-21-0x000000001B520000-0x000000001B570000-memory.dmp

Filesize
320KB

Download
memory/4488-18-0x0000000001050000-0x000000000105E000-memory.dmp

Filesize
56KB

Download
memory/4488-25-0x000000001B4D0000-0x000000001B4E8000-memory.dmp

Filesize
96KB

Download
memory/4488-27-0x0000000002A70000-0x0000000002A80000-memory.dmp

Filesize
64KB

Download
memory/4488-29-0x0000000002A80000-0x0000000002A8E000-memory.dmp

Filesize
56KB

Download
memory/4488-31-0x000000001B990000-0x000000001B9A8000-memory.dmp

Filesize
96KB

Download
memory/4488-33-0x0000000002AC0000-0x0000000002ACC000-memory.dmp

Filesize
48KB

Download
memory/4488-50-0x000000001BBB0000-0x000000001BC6F000-memory.dmp

Filesize
764KB

Download
memory/4488-16-0x0000000002A90000-0x0000000002AB6000-memory.dmp

Filesize
152KB

Download
memory/4488-14-0x0000000000610000-0x000000000084C000-memory.dmp

Filesize
2.2MB

Download