Analysis
-
max time kernel: 151s
max time network: 149s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 22-09-2022 17:42
Behavioral task: behavioral1
Sample: HEUR-Trojan.Win32.Generic-3424a8c9c995896f9d6fe3bb4a164d0d8675a781f9f9c32286a5472ce8e9e50e.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: HEUR-Trojan.Win32.Generic-3424a8c9c995896f9d6fe3bb4a164d0d8675a781f9f9c32286a5472ce8e9e50e.exe
Resource: win10v2004-20220812-en
General
-
Target: HEUR-Trojan.Win32.Generic-3424a8c9c995896f9d6fe3bb4a164d0d8675a781f9f9c32286a5472ce8e9e50e.exe
Size: 37KB
MD5: 5c0e12b00990af8e6a82dee0c0e09d95
SHA1: cf2be3ad4715d73a3d55c26f8eb972de163b255d
SHA256: 3424a8c9c995896f9d6fe3bb4a164d0d8675a781f9f9c32286a5472ce8e9e50e
SHA512: 2cc6d4a725e1b21d1c0e7108c7103b17d6150add109bf4d3ce964e00210c3d7880b660c6a57e9c5695316fb60490328acc252232b63196cf76598c76b70c2ed2
SSDEEP: 384:BcOmK3hUidksXR21cGMy8PIU5fHkFlacPZrAF+rMRTyN/0L+EcoinblneHQM3epY:6OmK3bLGv8PIU58KcBrM+rMRa8NubGt
Malware Config
Extracted
Family: njrat
Version: im523
Botnet (campaign ID): HacKed
C2: 192.168.0.161:2478
Mutex: 0a477f3e02d48d76a648160656e258c9
Attributes:
  reg_key: 0a477f3e02d48d76a648160656e258c9
  splitter: |'|'|
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
  pid 1820  Runtime Broker.exe
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Drops startup file 2 IoCs
Processes:
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0a477f3e02d48d76a648160656e258c9.exe  (Runtime Broker.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0a477f3e02d48d76a648160656e258c9.exe  (Runtime Broker.exe)
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\0a477f3e02d48d76a648160656e258c9 = "\"C:\\Windows\\Runtime Broker.exe\" .."  (Runtime Broker.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\0a477f3e02d48d76a648160656e258c9 = "\"C:\\Windows\\Runtime Broker.exe\" .."  (Runtime Broker.exe)
-
Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
  File created: C:\autorun.inf  (Runtime Broker.exe)
  File opened for modification: C:\autorun.inf  (Runtime Broker.exe)
  File created: D:\autorun.inf  (Runtime Broker.exe)
-
Drops file in Windows directory 3 IoCs
Processes:
  File created: C:\Windows\Runtime Broker.exe  (HEUR-Trojan.Win32.Generic-3424a8c9c995896f9d6fe3bb4a164d0d8675a781f9f9c32286a5472ce8e9e50e.exe)
  File opened for modification: C:\Windows\Runtime Broker.exe  (HEUR-Trojan.Win32.Generic-3424a8c9c995896f9d6fe3bb4a164d0d8675a781f9f9c32286a5472ce8e9e50e.exe)
  File opened for modification: C:\Windows\Runtime Broker.exe  (Runtime Broker.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 1 IoCs
Processes:
  pid 848  taskkill.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid 1820  Runtime Broker.exe  (the same entry repeated 64 times)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid 1820  Runtime Broker.exe
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
Processes:
  Token: SeDebugPrivilege  pid 1820  Runtime Broker.exe
  Token: SeDebugPrivilege  pid 848  taskkill.exe
  Token: 33  pid 1820  Runtime Broker.exe  (8 entries)
  Token: SeIncBasePriorityPrivilege  pid 1820  Runtime Broker.exe  (8 entries, each following a "Token: 33" entry)
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  PID 564 wrote to memory of 1820  HEUR-Trojan.Win32.Generic-3424a8c9c995896f9d6fe3bb4a164d0d8675a781f9f9c32286a5472ce8e9e50e.exe -> Runtime Broker.exe  (4 entries)
  PID 1820 wrote to memory of 1316  Runtime Broker.exe -> netsh.exe  (4 entries)
  PID 1820 wrote to memory of 848  Runtime Broker.exe -> taskkill.exe  (4 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-3424a8c9c995896f9d6fe3bb4a164d0d8675a781f9f9c32286a5472ce8e9e50e.exe  (depth 1, PID 564)
Command line: "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-3424a8c9c995896f9d6fe3bb4a164d0d8675a781f9f9c32286a5472ce8e9e50e.exe"
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
  C:\Windows\Runtime Broker.exe  (depth 2, PID 1820, child of the sample)
  Command line: "C:\Windows\Runtime Broker.exe"
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - Drops autorun.inf file
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\SysWOW64\netsh.exe  (depth 3, PID 1316, child of Runtime Broker.exe)
    Command line: netsh firewall add allowedprogram "C:\Windows\Runtime Broker.exe" "Runtime Broker.exe" ENABLE
    - Modifies Windows Firewall
    -
    C:\Windows\SysWOW64\taskkill.exe  (depth 3, PID 848, child of Runtime Broker.exe)
    Command line: taskkill /F /IM Avast.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\Runtime Broker.exe
Filesize: 37KB
MD5: 5c0e12b00990af8e6a82dee0c0e09d95
SHA1: cf2be3ad4715d73a3d55c26f8eb972de163b255d
SHA256: 3424a8c9c995896f9d6fe3bb4a164d0d8675a781f9f9c32286a5472ce8e9e50e
SHA512: 2cc6d4a725e1b21d1c0e7108c7103b17d6150add109bf4d3ce964e00210c3d7880b660c6a57e9c5695316fb60490328acc252232b63196cf76598c76b70c2ed2
-
memory/564-54-0x0000000074AD1000-0x0000000074AD3000-memory.dmp
Filesize: 8KB
-
memory/564-55-0x00000000740B0000-0x000000007465B000-memory.dmp
Filesize: 5.7MB
-
memory/564-61-0x00000000740B0000-0x000000007465B000-memory.dmp
Filesize: 5.7MB
-
memory/848-63-0x0000000000000000-mapping.dmp
-
memory/1316-62-0x0000000000000000-mapping.dmp
-
memory/1820-56-0x0000000000000000-mapping.dmp
-
memory/1820-60-0x00000000740B0000-0x000000007465B000-memory.dmp
Filesize: 5.7MB
-
memory/1820-65-0x00000000740B0000-0x000000007465B000-memory.dmp
Filesize: 5.7MB