c68964901508a7967bb32907bab8e273717e01d0c3195318a0fb6b0032157632

Analysis

max time kernel
35s
max time network
61s
platform
windows10_x64
resource
win10v20201028
submitted
06-03-2021 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nnneeeewww.exe
Size

5.2MB
MD5

360bb48ef6acca7233580b6cb8b6a3a9
SHA1

baf21bee8e1ec86b4e0b99a19ff869d3be8de292
SHA256

c68964901508a7967bb32907bab8e273717e01d0c3195318a0fb6b0032157632
SHA512

0380b0d64c18c42123838bf40aa75c8145a9a7b44bb3578d5e8e86870fee8ff70da5f07edbd13ceb8060388b5d94a39cd12df927a138115e4c9cf2ea45da9d48

Score

8^/10

spyware

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

jaQVQp40C9Rgjj5Fe8OA.execrtperf.exeRuntimeBroker.exe

pid process

2504 jaQVQp40C9Rgjj5Fe8OA.exe
4028 crtperf.exe
1504 RuntimeBroker.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 ipinfo.io
19 ipinfo.io

pid	process
2504	jaQVQp40C9Rgjj5Fe8OA.exe
4028	crtperf.exe
1504	RuntimeBroker.exe

flow	ioc
18	ipinfo.io
19	ipinfo.io

Drops file in Program Files directory 3 IoCs

Processes:

crtperf.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\lsass.exe	crtperf.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\lsass.exe	crtperf.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9	crtperf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3224 schtasks.exe
2888 schtasks.exe
212 schtasks.exe
508 schtasks.exe

pid	process
3224	schtasks.exe
2888	schtasks.exe
212	schtasks.exe
508	schtasks.exe

Modifies registry class 2 IoCs

Processes:

nnneeeewww.exejaQVQp40C9Rgjj5Fe8OA.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	nnneeeewww.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	jaQVQp40C9Rgjj5Fe8OA.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

crtperf.exeRuntimeBroker.exe

pid process

4028 crtperf.exe
1504 RuntimeBroker.exe
1504 RuntimeBroker.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

crtperf.exeRuntimeBroker.exe

description pid process

Token: SeDebugPrivilege 4028 crtperf.exe
Token: SeDebugPrivilege 1504 RuntimeBroker.exe

pid	process
4028	crtperf.exe
1504	RuntimeBroker.exe
1504	RuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	4028	crtperf.exe
Token: SeDebugPrivilege	1504	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

nnneeeewww.exeWScript.execmd.exejaQVQp40C9Rgjj5Fe8OA.exeWScript.execmd.execrtperf.exe

description	pid	process	target process
PID 648 wrote to memory of 3496	648	nnneeeewww.exe	WScript.exe
PID 648 wrote to memory of 3496	648	nnneeeewww.exe	WScript.exe
PID 648 wrote to memory of 3496	648	nnneeeewww.exe	WScript.exe
PID 3496 wrote to memory of 2076	3496	WScript.exe	cmd.exe
PID 3496 wrote to memory of 2076	3496	WScript.exe	cmd.exe
PID 3496 wrote to memory of 2076	3496	WScript.exe	cmd.exe
PID 2076 wrote to memory of 2504	2076	cmd.exe	jaQVQp40C9Rgjj5Fe8OA.exe
PID 2076 wrote to memory of 2504	2076	cmd.exe	jaQVQp40C9Rgjj5Fe8OA.exe
PID 2076 wrote to memory of 2504	2076	cmd.exe	jaQVQp40C9Rgjj5Fe8OA.exe
PID 2504 wrote to memory of 788	2504	jaQVQp40C9Rgjj5Fe8OA.exe	WScript.exe
PID 2504 wrote to memory of 788	2504	jaQVQp40C9Rgjj5Fe8OA.exe	WScript.exe
PID 2504 wrote to memory of 788	2504	jaQVQp40C9Rgjj5Fe8OA.exe	WScript.exe
PID 788 wrote to memory of 3808	788	WScript.exe	cmd.exe
PID 788 wrote to memory of 3808	788	WScript.exe	cmd.exe
PID 788 wrote to memory of 3808	788	WScript.exe	cmd.exe
PID 3808 wrote to memory of 4028	3808	cmd.exe	crtperf.exe
PID 3808 wrote to memory of 4028	3808	cmd.exe	crtperf.exe
PID 4028 wrote to memory of 3224	4028	crtperf.exe	schtasks.exe
PID 4028 wrote to memory of 3224	4028	crtperf.exe	schtasks.exe
PID 4028 wrote to memory of 2888	4028	crtperf.exe	schtasks.exe
PID 4028 wrote to memory of 2888	4028	crtperf.exe	schtasks.exe
PID 4028 wrote to memory of 212	4028	crtperf.exe	schtasks.exe
PID 4028 wrote to memory of 212	4028	crtperf.exe	schtasks.exe
PID 4028 wrote to memory of 508	4028	crtperf.exe	schtasks.exe
PID 4028 wrote to memory of 508	4028	crtperf.exe	schtasks.exe
PID 4028 wrote to memory of 1504	4028	crtperf.exe	RuntimeBroker.exe
PID 4028 wrote to memory of 1504	4028	crtperf.exe	RuntimeBroker.exe

C:\Users\Admin\AppData\Local\Temp\nnneeeewww.exe
"C:\Users\Admin\AppData\Local\Temp\nnneeeewww.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\commoncrt\NfKUs624zaQXoSl3DJsuBH6b5WLpx9.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\commoncrt\pAdEW6pPvjofnCUEH20v1GuR6eanGF.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2076

C:\commoncrt\jaQVQp40C9Rgjj5Fe8OA.exe
jaQVQp40C9Rgjj5Fe8OA.exe -p73efbcbe560b284fb9498be6d6b28e842ea7f493
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\commoncrt\s6g1o5IBA9i15QiqUf4KpALskuHZAv.vbe"
5⤵
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\commoncrt\hDIsoexVqHKUCKmxG6mzKgOgUlXLNX.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:3808

C:\commoncrt\crtperf.exe
"C:\commoncrt\crtperf.exe"
7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\lsass.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:3224

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "crtperf" /sc ONLOGON /tr "'C:\PerfLogs\crtperf.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:2888

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\ProgramData\Documents\dllhost.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:212

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Boot\ro-RO\RuntimeBroker.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:508

C:\Boot\ro-RO\RuntimeBroker.exe
"C:\Boot\ro-RO\RuntimeBroker.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Boot\ro-RO\RuntimeBroker.exe
MD5
438a5ba9f82c913cf3d1d1b92779c0eb

SHA1
d9261f194ac5ae67e4363f555413fc1f6be7bdba

SHA256
659c43df149031ed0949fededae6bd2a6160c575165961a3cb9c4d568e953ce3

SHA512
710f1b4aba364ec4a75bf453360dbd41a644584a911376a45bf26c0b08cd52f69e1dfb6801a18d7ff3e8cf996f64330f941298fdfae9a18a67eb1a4c7393e7a3

Download Submit
C:\Boot\ro-RO\RuntimeBroker.exe
MD5
438a5ba9f82c913cf3d1d1b92779c0eb

SHA1
d9261f194ac5ae67e4363f555413fc1f6be7bdba

SHA256
659c43df149031ed0949fededae6bd2a6160c575165961a3cb9c4d568e953ce3

SHA512
710f1b4aba364ec4a75bf453360dbd41a644584a911376a45bf26c0b08cd52f69e1dfb6801a18d7ff3e8cf996f64330f941298fdfae9a18a67eb1a4c7393e7a3

Download Submit
C:\commoncrt\NfKUs624zaQXoSl3DJsuBH6b5WLpx9.vbe
MD5
804866ce16200d32a1019893b53d32d7

SHA1
fa77f544aaf9cfbab2ba762a1d30432217abf71d

SHA256
a6ed52f5e59d0af7380c5ed81255615b4106c024130769d7a36c523093baeda4

SHA512
8c2c9f2b91e2fbae6400725264cf1b269cd8d6f79876fcf2e0524514217e113efdea3887ea53f48d0f196d23774e8f39cf229da9f0b90f6785a76c1050599510

Download Submit
C:\commoncrt\crtperf.exe
MD5
438a5ba9f82c913cf3d1d1b92779c0eb

SHA1
d9261f194ac5ae67e4363f555413fc1f6be7bdba

SHA256
659c43df149031ed0949fededae6bd2a6160c575165961a3cb9c4d568e953ce3

SHA512
710f1b4aba364ec4a75bf453360dbd41a644584a911376a45bf26c0b08cd52f69e1dfb6801a18d7ff3e8cf996f64330f941298fdfae9a18a67eb1a4c7393e7a3

Download Submit
C:\commoncrt\crtperf.exe
MD5
438a5ba9f82c913cf3d1d1b92779c0eb

SHA1
d9261f194ac5ae67e4363f555413fc1f6be7bdba

SHA256
659c43df149031ed0949fededae6bd2a6160c575165961a3cb9c4d568e953ce3

SHA512
710f1b4aba364ec4a75bf453360dbd41a644584a911376a45bf26c0b08cd52f69e1dfb6801a18d7ff3e8cf996f64330f941298fdfae9a18a67eb1a4c7393e7a3

Download Submit
C:\commoncrt\hDIsoexVqHKUCKmxG6mzKgOgUlXLNX.bat
MD5
e573d5582c49ff522d91609451481e6d

SHA1
640824dadcede6d72ff999dbddb13e21f8d1d8e7

SHA256
f82859f7c17ef4fb6639cb5427e434e6b87c92e419bc9c4548c0e7d637a0d670

SHA512
43c41a28474660848d1b470ab7caf10a206b8a8502d4daa8221401d3883a465c72828398237209665fa203aff886d37aa321ea54c4a332689e6bb533a6fdc949

Download Submit
C:\commoncrt\jaQVQp40C9Rgjj5Fe8OA.exe
MD5
06461bc3be1e5138def7ddb7ea68e958

SHA1
a234c9952d34a0db30102404d0e08e62ae2c21cf

SHA256
449aaa3f15d5eae3c77b03e8118b6183a7b6b163a13ab93e8ec98adde297caed

SHA512
6059479859b979b69ab4bd01bf9fb6c1a00331c54a66cb43d3f35a8a099b65dff1ed01158bd4e6c76bd45f9b9db3d0cd495dd5d09cd60f8c22b706541d69d955

Download Submit
C:\commoncrt\jaQVQp40C9Rgjj5Fe8OA.exe
MD5
06461bc3be1e5138def7ddb7ea68e958

SHA1
a234c9952d34a0db30102404d0e08e62ae2c21cf

SHA256
449aaa3f15d5eae3c77b03e8118b6183a7b6b163a13ab93e8ec98adde297caed

SHA512
6059479859b979b69ab4bd01bf9fb6c1a00331c54a66cb43d3f35a8a099b65dff1ed01158bd4e6c76bd45f9b9db3d0cd495dd5d09cd60f8c22b706541d69d955

Download Submit
C:\commoncrt\pAdEW6pPvjofnCUEH20v1GuR6eanGF.bat
MD5
a8df6c84fe7ba033e7013f5827f3b6fe

SHA1
3cb090124280d8eb205d7d262337e145993eba30

SHA256
b5e68b5b417fe7062b49107fa8b1d908075a8def5dc764f71820cad9c232a121

SHA512
326d725ac5744efd1a63e8bcb829c332d4bc0ea158aeac10cfcbd9de0934bd5d313ef35ea66ae59cc8832f482e4376d0b21ac5afb766f226611aa3a4d469131a

Download Submit
C:\commoncrt\s6g1o5IBA9i15QiqUf4KpALskuHZAv.vbe
MD5
11be5f2ee4abaccbf4ffa714494b86cc

SHA1
07f6fa377258c7404efdd7793c1b1637a69d3eeb

SHA256
a7e27661c96469ff37738b10bd4a639f0242050fe94a0efa4775b8bdb079a6b9

SHA512
51fd36c016df8739cdb522f3ffc2be387b8286f751b2381bef084bc99995a10b3342fd356525db76445b70bff82275c1bff9aabcfeef5f0ce15088c757efae7c

Download Submit
memory/212-36-0x0000000000000000-mapping.dmp

Download
memory/508-37-0x0000000000000000-mapping.dmp

Download
memory/788-23-0x0000000000000000-mapping.dmp

Download
memory/1504-41-0x00007FF850360000-0x00007FF850D4C000-memory.dmp

Filesize
9.9MB

Download
memory/1504-38-0x0000000000000000-mapping.dmp

Download
memory/1504-44-0x0000015779F02000-0x0000015779F03000-memory.dmp

Filesize
4KB

Download
memory/1504-45-0x0000015777F10000-0x0000015777F11000-memory.dmp

Filesize
4KB

Download
memory/2076-19-0x0000000000000000-mapping.dmp

Download
memory/2504-20-0x0000000000000000-mapping.dmp

Download
memory/2888-35-0x0000000000000000-mapping.dmp

Download
memory/3224-34-0x0000000000000000-mapping.dmp

Download
memory/3496-4-0x0000000000000000-mapping.dmp

Download
memory/3808-26-0x0000000000000000-mapping.dmp

Download
memory/4028-33-0x0000026D7ED00000-0x0000026D7ED02000-memory.dmp

Filesize
8KB

Download
memory/4028-31-0x0000026D637C0000-0x0000026D637C1000-memory.dmp

Filesize
4KB

Download
memory/4028-30-0x00007FF850360000-0x00007FF850D4C000-memory.dmp

Filesize
9.9MB

Download
memory/4028-27-0x0000000000000000-mapping.dmp

Download