Analysis
- max time kernel: 35s
- max time network: 61s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 06-03-2021 14:22
Static task: static1
Behavioral task: behavioral1
- Sample: nnneeeewww.exe
- Resource: win10v20201028
General
- Target: nnneeeewww.exe
- Size: 5.2MB
- MD5: 360bb48ef6acca7233580b6cb8b6a3a9
- SHA1: baf21bee8e1ec86b4e0b99a19ff869d3be8de292
- SHA256: c68964901508a7967bb32907bab8e273717e01d0c3195318a0fb6b0032157632
- SHA512: 0380b0d64c18c42123838bf40aa75c8145a9a7b44bb3578d5e8e86870fee8ff70da5f07edbd13ceb8060388b5d94a39cd12df927a138115e4c9cf2ea45da9d48
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  Processes (pid | process):
    2504 | jaQVQp40C9Rgjj5Fe8OA.exe
    4028 | crtperf.exe
    1504 | RuntimeBroker.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows (flow | ioc):
    18 | ipinfo.io
    19 | ipinfo.io
- Drops file in Program Files directory (3 IoCs)
  Processes (description | ioc | process):
    File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\lsass.exe | crtperf.exe
    File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\en-US\lsass.exe | crtperf.exe
    File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9 | crtperf.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 4 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid | process):
    3224 | schtasks.exe
    2888 | schtasks.exe
    212 | schtasks.exe
    508 | schtasks.exe
- Modifies registry class (2 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings | nnneeeewww.exe
    Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings | jaQVQp40C9Rgjj5Fe8OA.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid | process):
    4028 | crtperf.exe
    1504 | RuntimeBroker.exe
    1504 | RuntimeBroker.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 4028 | crtperf.exe
    Token: SeDebugPrivilege | 1504 | RuntimeBroker.exe
- Suspicious use of WriteProcessMemory (27 IoCs)
  Processes (description | pid | process | target process):
    PID 648 wrote to memory of 3496 | 648 | nnneeeewww.exe | WScript.exe
    PID 648 wrote to memory of 3496 | 648 | nnneeeewww.exe | WScript.exe
    PID 648 wrote to memory of 3496 | 648 | nnneeeewww.exe | WScript.exe
    PID 3496 wrote to memory of 2076 | 3496 | WScript.exe | cmd.exe
    PID 3496 wrote to memory of 2076 | 3496 | WScript.exe | cmd.exe
    PID 3496 wrote to memory of 2076 | 3496 | WScript.exe | cmd.exe
    PID 2076 wrote to memory of 2504 | 2076 | cmd.exe | jaQVQp40C9Rgjj5Fe8OA.exe
    PID 2076 wrote to memory of 2504 | 2076 | cmd.exe | jaQVQp40C9Rgjj5Fe8OA.exe
    PID 2076 wrote to memory of 2504 | 2076 | cmd.exe | jaQVQp40C9Rgjj5Fe8OA.exe
    PID 2504 wrote to memory of 788 | 2504 | jaQVQp40C9Rgjj5Fe8OA.exe | WScript.exe
    PID 2504 wrote to memory of 788 | 2504 | jaQVQp40C9Rgjj5Fe8OA.exe | WScript.exe
    PID 2504 wrote to memory of 788 | 2504 | jaQVQp40C9Rgjj5Fe8OA.exe | WScript.exe
    PID 788 wrote to memory of 3808 | 788 | WScript.exe | cmd.exe
    PID 788 wrote to memory of 3808 | 788 | WScript.exe | cmd.exe
    PID 788 wrote to memory of 3808 | 788 | WScript.exe | cmd.exe
    PID 3808 wrote to memory of 4028 | 3808 | cmd.exe | crtperf.exe
    PID 3808 wrote to memory of 4028 | 3808 | cmd.exe | crtperf.exe
    PID 4028 wrote to memory of 3224 | 4028 | crtperf.exe | schtasks.exe
    PID 4028 wrote to memory of 3224 | 4028 | crtperf.exe | schtasks.exe
    PID 4028 wrote to memory of 2888 | 4028 | crtperf.exe | schtasks.exe
    PID 4028 wrote to memory of 2888 | 4028 | crtperf.exe | schtasks.exe
    PID 4028 wrote to memory of 212 | 4028 | crtperf.exe | schtasks.exe
    PID 4028 wrote to memory of 212 | 4028 | crtperf.exe | schtasks.exe
    PID 4028 wrote to memory of 508 | 4028 | crtperf.exe | schtasks.exe
    PID 4028 wrote to memory of 508 | 4028 | crtperf.exe | schtasks.exe
    PID 4028 wrote to memory of 1504 | 4028 | crtperf.exe | RuntimeBroker.exe
    PID 4028 wrote to memory of 1504 | 4028 | crtperf.exe | RuntimeBroker.exe
Processes (tree; [n] is the depth given in the report, "cmd:" is the observed command line)
- [1] C:\Users\Admin\AppData\Local\Temp\nnneeeewww.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\nnneeeewww.exe"
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\WScript.exe
        cmd: "C:\Windows\System32\WScript.exe" "C:\commoncrt\NfKUs624zaQXoSl3DJsuBH6b5WLpx9.vbe"
        - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c ""C:\commoncrt\pAdEW6pPvjofnCUEH20v1GuR6eanGF.bat" "
          - Suspicious use of WriteProcessMemory
      - [4] C:\commoncrt\jaQVQp40C9Rgjj5Fe8OA.exe
            cmd: jaQVQp40C9Rgjj5Fe8OA.exe -p73efbcbe560b284fb9498be6d6b28e842ea7f493
            - Executes dropped EXE
            - Modifies registry class
            - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\WScript.exe
              cmd: "C:\Windows\System32\WScript.exe" "C:\commoncrt\s6g1o5IBA9i15QiqUf4KpALskuHZAv.vbe"
              - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\SysWOW64\cmd.exe
                cmd: C:\Windows\system32\cmd.exe /c ""C:\commoncrt\hDIsoexVqHKUCKmxG6mzKgOgUlXLNX.bat" "
                - Suspicious use of WriteProcessMemory
            - [7] C:\commoncrt\crtperf.exe
                  cmd: "C:\commoncrt\crtperf.exe"
                  - Executes dropped EXE
                  - Drops file in Program Files directory
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
              - [8] C:\Windows\SYSTEM32\schtasks.exe
                    cmd: "schtasks" /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\lsass.exe'" /rl HIGHEST /f
                    - Creates scheduled task(s)
              - [8] C:\Windows\SYSTEM32\schtasks.exe
                    cmd: "schtasks" /create /tn "crtperf" /sc ONLOGON /tr "'C:\PerfLogs\crtperf.exe'" /rl HIGHEST /f
                    - Creates scheduled task(s)
              - [8] C:\Windows\SYSTEM32\schtasks.exe
                    cmd: "schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\ProgramData\Documents\dllhost.exe'" /rl HIGHEST /f
                    - Creates scheduled task(s)
              - [8] C:\Windows\SYSTEM32\schtasks.exe
                    cmd: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Boot\ro-RO\RuntimeBroker.exe'" /rl HIGHEST /f
                    - Creates scheduled task(s)
              - [8] C:\Boot\ro-RO\RuntimeBroker.exe
                    cmd: "C:\Boot\ro-RO\RuntimeBroker.exe"
                    - Executes dropped EXE
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Boot\ro-RO\RuntimeBroker.exe
  MD5: 438a5ba9f82c913cf3d1d1b92779c0eb
  SHA1: d9261f194ac5ae67e4363f555413fc1f6be7bdba
  SHA256: 659c43df149031ed0949fededae6bd2a6160c575165961a3cb9c4d568e953ce3
  SHA512: 710f1b4aba364ec4a75bf453360dbd41a644584a911376a45bf26c0b08cd52f69e1dfb6801a18d7ff3e8cf996f64330f941298fdfae9a18a67eb1a4c7393e7a3
- C:\commoncrt\NfKUs624zaQXoSl3DJsuBH6b5WLpx9.vbe
  MD5: 804866ce16200d32a1019893b53d32d7
  SHA1: fa77f544aaf9cfbab2ba762a1d30432217abf71d
  SHA256: a6ed52f5e59d0af7380c5ed81255615b4106c024130769d7a36c523093baeda4
  SHA512: 8c2c9f2b91e2fbae6400725264cf1b269cd8d6f79876fcf2e0524514217e113efdea3887ea53f48d0f196d23774e8f39cf229da9f0b90f6785a76c1050599510
- C:\commoncrt\crtperf.exe
  MD5: 438a5ba9f82c913cf3d1d1b92779c0eb
  SHA1: d9261f194ac5ae67e4363f555413fc1f6be7bdba
  SHA256: 659c43df149031ed0949fededae6bd2a6160c575165961a3cb9c4d568e953ce3
  SHA512: 710f1b4aba364ec4a75bf453360dbd41a644584a911376a45bf26c0b08cd52f69e1dfb6801a18d7ff3e8cf996f64330f941298fdfae9a18a67eb1a4c7393e7a3
- C:\commoncrt\hDIsoexVqHKUCKmxG6mzKgOgUlXLNX.bat
  MD5: e573d5582c49ff522d91609451481e6d
  SHA1: 640824dadcede6d72ff999dbddb13e21f8d1d8e7
  SHA256: f82859f7c17ef4fb6639cb5427e434e6b87c92e419bc9c4548c0e7d637a0d670
  SHA512: 43c41a28474660848d1b470ab7caf10a206b8a8502d4daa8221401d3883a465c72828398237209665fa203aff886d37aa321ea54c4a332689e6bb533a6fdc949
- C:\commoncrt\jaQVQp40C9Rgjj5Fe8OA.exe
  MD5: 06461bc3be1e5138def7ddb7ea68e958
  SHA1: a234c9952d34a0db30102404d0e08e62ae2c21cf
  SHA256: 449aaa3f15d5eae3c77b03e8118b6183a7b6b163a13ab93e8ec98adde297caed
  SHA512: 6059479859b979b69ab4bd01bf9fb6c1a00331c54a66cb43d3f35a8a099b65dff1ed01158bd4e6c76bd45f9b9db3d0cd495dd5d09cd60f8c22b706541d69d955
- C:\commoncrt\pAdEW6pPvjofnCUEH20v1GuR6eanGF.bat
  MD5: a8df6c84fe7ba033e7013f5827f3b6fe
  SHA1: 3cb090124280d8eb205d7d262337e145993eba30
  SHA256: b5e68b5b417fe7062b49107fa8b1d908075a8def5dc764f71820cad9c232a121
  SHA512: 326d725ac5744efd1a63e8bcb829c332d4bc0ea158aeac10cfcbd9de0934bd5d313ef35ea66ae59cc8832f482e4376d0b21ac5afb766f226611aa3a4d469131a
- C:\commoncrt\s6g1o5IBA9i15QiqUf4KpALskuHZAv.vbe
  MD5: 11be5f2ee4abaccbf4ffa714494b86cc
  SHA1: 07f6fa377258c7404efdd7793c1b1637a69d3eeb
  SHA256: a7e27661c96469ff37738b10bd4a639f0242050fe94a0efa4775b8bdb079a6b9
  SHA512: 51fd36c016df8739cdb522f3ffc2be387b8286f751b2381bef084bc99995a10b3342fd356525db76445b70bff82275c1bff9aabcfeef5f0ce15088c757efae7c
- memory/212-36-0x0000000000000000-mapping.dmp
- memory/508-37-0x0000000000000000-mapping.dmp
- memory/788-23-0x0000000000000000-mapping.dmp
- memory/1504-41-0x00007FF850360000-0x00007FF850D4C000-memory.dmp (Filesize: 9.9MB)
- memory/1504-38-0x0000000000000000-mapping.dmp
- memory/1504-44-0x0000015779F02000-0x0000015779F03000-memory.dmp (Filesize: 4KB)
- memory/1504-45-0x0000015777F10000-0x0000015777F11000-memory.dmp (Filesize: 4KB)
- memory/2076-19-0x0000000000000000-mapping.dmp
- memory/2504-20-0x0000000000000000-mapping.dmp
- memory/2888-35-0x0000000000000000-mapping.dmp
- memory/3224-34-0x0000000000000000-mapping.dmp
- memory/3496-4-0x0000000000000000-mapping.dmp
- memory/3808-26-0x0000000000000000-mapping.dmp
- memory/4028-33-0x0000026D7ED00000-0x0000026D7ED02000-memory.dmp (Filesize: 8KB)
- memory/4028-31-0x0000026D637C0000-0x0000026D637C1000-memory.dmp (Filesize: 4KB)
- memory/4028-30-0x00007FF850360000-0x00007FF850D4C000-memory.dmp (Filesize: 9.9MB)
- memory/4028-27-0x0000000000000000-mapping.dmp