Analysis
  max time kernel:   157s
  max time network:  148s
  platform:          windows10_x64
  resource:          win10-en-20211104
  submitted:         02-12-2021 16:15
  Static task:       static1

General
  Target:  09e71e09b078cfd23e7e62bdf86f8592195b37cbb4effc9af00652f3ba7fad37.exe
  Size:    4.0MB
  MD5:     728f38d39c035cd7908cac6c22cb3f46
  SHA1:    55d9caf8c3e95a66bc57cd3e6732ec871792badd
  SHA256:  09e71e09b078cfd23e7e62bdf86f8592195b37cbb4effc9af00652f3ba7fad37
  SHA512:  12aae3711174f7007c56c13b638ff3a8ff6ce90f2657989024ce916a0c2cd8ccd344f7968f81dedf7f2a95bbeebb941c00818e68a8f5df4d88e901b62e5900c4
Malware Config

Signatures

XMRig Miner Payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/576-138-0x0000000140000000-0x0000000140787000-memory.dmp   xmrig
  behavioral1/memory/576-139-0x0000000140310068-mapping.dmp                     xmrig
  behavioral1/memory/576-141-0x0000000140000000-0x0000000140787000-memory.dmp   xmrig
Executes dropped EXE (2 IoCs)
  pid    process
  776    runtimebroker64x.exe
  2752   sihost64.exe
Suspicious use of SetThreadContext (1 IoC)
  description                          pid   process                target process
  PID 776 set thread context of 576    776   runtimebroker64x.exe   explorer.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid    process
  3060   09e71e09b078cfd23e7e62bdf86f8592195b37cbb4effc9af00652f3ba7fad37.exe
  776    runtimebroker64x.exe
  576    explorer.exe   (all remaining entries in this signature are identical rows for PID 576 explorer.exe)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                     pid    process
  Token: SeDebugPrivilege         3060   09e71e09b078cfd23e7e62bdf86f8592195b37cbb4effc9af00652f3ba7fad37.exe
  Token: SeDebugPrivilege         776    runtimebroker64x.exe
  Token: SeLockMemoryPrivilege    576    explorer.exe
  Token: SeLockMemoryPrivilege    576    explorer.exe
Suspicious use of WriteProcessMemory (25 IoCs; identical rows collapsed into the count column)
  description                         pid    process                                                                   target process         count
  PID 3060 wrote to memory of 592     3060   09e71e09b078cfd23e7e62bdf86f8592195b37cbb4effc9af00652f3ba7fad37.exe    cmd.exe                2
  PID 592 wrote to memory of 1176     592    cmd.exe                                                                   schtasks.exe           2
  PID 3060 wrote to memory of 1484    3060   09e71e09b078cfd23e7e62bdf86f8592195b37cbb4effc9af00652f3ba7fad37.exe    cmd.exe                2
  PID 1484 wrote to memory of 776     1484   cmd.exe                                                                   runtimebroker64x.exe   2
  PID 776 wrote to memory of 2752     776    runtimebroker64x.exe                                                      sihost64.exe           2
  PID 776 wrote to memory of 576      776    runtimebroker64x.exe                                                      explorer.exe           15
Processes (indentation shows the parent/child tree; the number in brackets is the depth level from the report)

[1] C:\Users\Admin\AppData\Local\Temp\09e71e09b078cfd23e7e62bdf86f8592195b37cbb4effc9af00652f3ba7fad37.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\09e71e09b078cfd23e7e62bdf86f8592195b37cbb4effc9af00652f3ba7fad37.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SYSTEM32\cmd.exe
        Command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "runtimebroker64x" /tr "C:\Users\Admin\AppData\Roaming\MicrosoftEdge\runtimebroker64x.exe"
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\schtasks.exe
            Command line: schtasks /create /f /sc onlogon /rl highest /tn "runtimebroker64x" /tr "C:\Users\Admin\AppData\Roaming\MicrosoftEdge\runtimebroker64x.exe"
            - Creates scheduled task(s)

    [2] C:\Windows\SYSTEM32\cmd.exe
        Command line: "cmd" cmd /c "C:\Users\Admin\AppData\Roaming\MicrosoftEdge\runtimebroker64x.exe"
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Roaming\MicrosoftEdge\runtimebroker64x.exe
            Command line: C:\Users\Admin\AppData\Roaming\MicrosoftEdge\runtimebroker64x.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
                Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"
                - Executes dropped EXE

            [4] C:\Windows\explorer.exe
                Command line: C:\Windows\explorer.exe bsjqdsgfph1 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJQKdDfd51MUAGcZ+8CiY/eWSp0aN2gplT4NdxBcWRue+M1Jpa0OJpGvqnNi/CnIRVBtwYcUcBsTgJlURiqnaO0woILJyz0/0D0hJDZynRQ08qFq5P7/mbUB8II5CjRnh9NHfqCnnlw3RFcA8Z2LbiFadHSPio9cwS2aQjdkPVHBZAKU2n9xqm7rcBx5TMMAyEjRsdDYLMfmxpPDS7CwfGIxZjlwbzdxRwQIMxNxbs51UKMXSMHHCcOx+8aW4ZlO8qkDAH3hfPQAc0kllEA2DI5VL1XJgHoZtXYR1kI83nuYGjD9EAoHG29TcNPUPSC06OX+ik6/te/jCtGrEUOkA6mMzzArmAi3dt62G9e0ZRNwbPMxstE0K7SVu2ZKFLBIR5r1WoiVpBdcmeO4s0+5L8WnjvesBddnCVrPjdOU21U+MA==
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\MicrosoftEdge\runtimebroker64x.exe
  MD5:     728f38d39c035cd7908cac6c22cb3f46
  SHA1:    55d9caf8c3e95a66bc57cd3e6732ec871792badd
  SHA256:  09e71e09b078cfd23e7e62bdf86f8592195b37cbb4effc9af00652f3ba7fad37
  SHA512:  12aae3711174f7007c56c13b638ff3a8ff6ce90f2657989024ce916a0c2cd8ccd344f7968f81dedf7f2a95bbeebb941c00818e68a8f5df4d88e901b62e5900c4

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
  MD5:     9ffb415e287a7ae2f14ab0c7387b2b1d
  SHA1:    b4f83a40c8d02012ca97d04f68d6c26381c32da6
  SHA256:  06328631b2b0a279cc61136ac7e3e0d98cd5acff70013c1b41781504c21a2957
  SHA512:  7ccf979d4ca65589049067fdd5f01a53a2f90f7174b5d9df62aa1f3b601844a26e9bca9cb940d1f87b3fafb754a5adf2b73afee727a129e9dc133f740dc7ed4a

Memory dumps (file, Filesize; mapping dumps have no size)
  memory/576-141-0x0000000140000000-0x0000000140787000-memory.dmp    7.5MB
  memory/576-138-0x0000000140000000-0x0000000140787000-memory.dmp    7.5MB
  memory/576-146-0x00000000028E0000-0x0000000002900000-memory.dmp    128KB
  memory/576-145-0x00000000028C0000-0x00000000028E0000-memory.dmp    128KB
  memory/576-144-0x0000000002890000-0x00000000028B0000-memory.dmp    128KB
  memory/576-143-0x00000000009F0000-0x00000000009F2000-memory.dmp    8KB
  memory/576-142-0x00000000009F0000-0x00000000009F2000-memory.dmp    8KB
  memory/576-140-0x00000000009C0000-0x00000000009E0000-memory.dmp    128KB
  memory/576-139-0x0000000140310068-mapping.dmp
  memory/592-122-0x0000000000000000-mapping.dmp
  memory/776-131-0x000000001C720000-0x000000001C722000-memory.dmp    8KB
  memory/776-125-0x0000000000000000-mapping.dmp
  memory/1176-123-0x0000000000000000-mapping.dmp
  memory/1484-124-0x0000000000000000-mapping.dmp
  memory/2752-137-0x000000001C160000-0x000000001C162000-memory.dmp   8KB
  memory/2752-135-0x00000000001D0000-0x00000000001D1000-memory.dmp   4KB
  memory/2752-132-0x0000000000000000-mapping.dmp
  memory/3060-120-0x00000000010A0000-0x00000000010A1000-memory.dmp   4KB
  memory/3060-118-0x0000000000380000-0x0000000000381000-memory.dmp   4KB
  memory/3060-121-0x000000001C580000-0x000000001C582000-memory.dmp   8KB