Analysis
- max time kernel: 117s
- max time network: 120s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 13-01-2022 11:04
Static task: static1
Behavioral task: behavioral1
- Sample: 6e0fc3d593968917c8ed6ea577195296.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 6e0fc3d593968917c8ed6ea577195296.exe
- Resource: win10-en-20211208
General
- Target: 6e0fc3d593968917c8ed6ea577195296.exe
- Size: 970KB
- MD5: 6e0fc3d593968917c8ed6ea577195296
- SHA1: b0225393df8ed257ade0d6cb95ca14f0a92f4ea4
- SHA256: a233b4b4782811424b0b5b166b0985417e834da2b776e72d3c7e5064dee1e9e5
- SHA512: 1e92bc275a185c7faa4db5b02aef12f14d30389f0daa4951a1866cf789964eedd30e272016906f8037f27d2cd62bfa3c63ff7433752a7d78187b80d08d8f8503
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Processes: PID 1888 RuntimeBroker.exe
- Drops startup file (1 IoC)
  Processes: RuntimeBroker.exe created file C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\new driver.lnk
- Loads dropped DLL (1 IoC)
  Processes: PID 280 RegAsm.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 1288 (6e0fc3d593968917c8ed6ea577195296.exe) set thread context of PID 280 (RegAsm.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: RegAsm.exe opened key \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0; RegAsm.exe queried key value \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: PID 280 RegAsm.exe (3 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: Token SeDebugPrivilege, PID 280 RegAsm.exe; Token 35, PID 1888 RuntimeBroker.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: PID 1288 (6e0fc3d593968917c8ed6ea577195296.exe) wrote to memory of PID 280 (RegAsm.exe), 12 events; PID 280 (RegAsm.exe) wrote to memory of PID 1888 (RuntimeBroker.exe), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\6e0fc3d593968917c8ed6ea577195296.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6e0fc3d593968917c8ed6ea577195296.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (child)
    Command line: #cmd
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe (child)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
      - Executes dropped EXE
      - Drops startup file
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
  MD5: d66ffec81fd167adfb0505744f4df31e
  SHA1: 7e9fbbf1d04316334ee46cfa923330dc63b3155b
  SHA256: 5d33fd8f8ccea2910f1c0139e788b01c2fd3418f3956452a6db7a8aefeebc915
  SHA512: 227a7f30d8e02460c6a5798b26edc60e3fead6059407287fe696f5bcc63a3e4aab43f7b5e58ef6f26c4498cbad50371af3b3e302c8c3cf9dd90d8302072a3a84
- \Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
  MD5: d66ffec81fd167adfb0505744f4df31e
  SHA1: 7e9fbbf1d04316334ee46cfa923330dc63b3155b
  SHA256: 5d33fd8f8ccea2910f1c0139e788b01c2fd3418f3956452a6db7a8aefeebc915
  SHA512: 227a7f30d8e02460c6a5798b26edc60e3fead6059407287fe696f5bcc63a3e4aab43f7b5e58ef6f26c4498cbad50371af3b3e302c8c3cf9dd90d8302072a3a84
- memory/280-63-0x000000000041C70E-mapping.dmp
- memory/280-67-0x0000000000090000-0x00000000000B2000-memory.dmp (136KB)
- memory/280-59-0x0000000000090000-0x00000000000B2000-memory.dmp (136KB)
- memory/280-60-0x0000000000090000-0x00000000000B2000-memory.dmp (136KB)
- memory/280-61-0x0000000000090000-0x00000000000B2000-memory.dmp (136KB)
- memory/280-74-0x0000000004C00000-0x0000000004C01000-memory.dmp (4KB)
- memory/280-64-0x0000000000090000-0x00000000000B2000-memory.dmp (136KB)
- memory/280-58-0x0000000000090000-0x00000000000B2000-memory.dmp (136KB)
- memory/280-70-0x0000000000090000-0x00000000000B2000-memory.dmp (136KB)
- memory/280-72-0x0000000000090000-0x00000000000B2000-memory.dmp (136KB)
- memory/280-73-0x0000000000090000-0x00000000000B2000-memory.dmp (136KB)
- memory/1288-54-0x00000000002D0000-0x00000000003C8000-memory.dmp (992KB)
- memory/1288-57-0x0000000004A10000-0x0000000004A11000-memory.dmp (4KB)
- memory/1288-56-0x0000000075D61000-0x0000000075D63000-memory.dmp (8KB)
- memory/1288-55-0x00000000002D0000-0x00000000003C8000-memory.dmp (992KB)
- memory/1888-76-0x0000000000000000-mapping.dmp