Analysis
- max time kernel: 166s
- max time network: 178s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-09-2022 17:42
Behavioral task behavioral1
- Sample: HEUR-Trojan.Win32.Generic-3424a8c9c995896f9d6fe3bb4a164d0d8675a781f9f9c32286a5472ce8e9e50e.exe
- Resource: win7-20220812-en

Behavioral task behavioral2
- Sample: HEUR-Trojan.Win32.Generic-3424a8c9c995896f9d6fe3bb4a164d0d8675a781f9f9c32286a5472ce8e9e50e.exe
- Resource: win10v2004-20220812-en
General
- Target: HEUR-Trojan.Win32.Generic-3424a8c9c995896f9d6fe3bb4a164d0d8675a781f9f9c32286a5472ce8e9e50e.exe
- Size: 37KB
- MD5: 5c0e12b00990af8e6a82dee0c0e09d95
- SHA1: cf2be3ad4715d73a3d55c26f8eb972de163b255d
- SHA256: 3424a8c9c995896f9d6fe3bb4a164d0d8675a781f9f9c32286a5472ce8e9e50e
- SHA512: 2cc6d4a725e1b21d1c0e7108c7103b17d6150add109bf4d3ce964e00210c3d7880b660c6a57e9c5695316fb60490328acc252232b63196cf76598c76b70c2ed2
- SSDEEP: 384:BcOmK3hUidksXR21cGMy8PIU5fHkFlacPZrAF+rMRTyN/0L+EcoinblneHQM3epY:6OmK3bLGv8PIU58KcBrM+rMRa8NubGt
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet: HacKed
- C2: 192.168.0.161:2478
- Mutex: 0a477f3e02d48d76a648160656e258c9
- reg_key: 0a477f3e02d48d76a648160656e258c9
- splitter: |'|'|
Signatures

Executes dropped EXE (1 IoC)
  pid 3880  Runtime Broker.exe

Modifies Windows Firewall (1 TTP, 1 IoC)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  (process: HEUR-Trojan.Win32.Generic-3424a8c9c995896f9d6fe3bb4a164d0d8675a781f9f9c32286a5472ce8e9e50e.exe)
Drops startup file (2 IoCs)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0a477f3e02d48d76a648160656e258c9.exe  (process: Runtime Broker.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0a477f3e02d48d76a648160656e258c9.exe  (process: Runtime Broker.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0a477f3e02d48d76a648160656e258c9 = "\"C:\\Windows\\Runtime Broker.exe\" .."  (process: Runtime Broker.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0a477f3e02d48d76a648160656e258c9 = "\"C:\\Windows\\Runtime Broker.exe\" .."  (process: Runtime Broker.exe)
Drops autorun.inf file (1 TTP, 3 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
  File opened for modification: C:\autorun.inf  (process: Runtime Broker.exe)
  File created: D:\autorun.inf  (process: Runtime Broker.exe)
  File created: C:\autorun.inf  (process: Runtime Broker.exe)
Drops file in Windows directory (3 IoCs)
  File created: C:\Windows\Runtime Broker.exe  (process: HEUR-Trojan.Win32.Generic-3424a8c9c995896f9d6fe3bb4a164d0d8675a781f9f9c32286a5472ce8e9e50e.exe)
  File opened for modification: C:\Windows\Runtime Broker.exe  (process: HEUR-Trojan.Win32.Generic-3424a8c9c995896f9d6fe3bb4a164d0d8675a781f9f9c32286a5472ce8e9e50e.exe)
  File opened for modification: C:\Windows\Runtime Broker.exe  (process: Runtime Broker.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Kills process with taskkill (1 IoC)
  pid 932  taskkill.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 3880  Runtime Broker.exe  (the same entry is listed 64 times)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 3880  Runtime Broker.exe
Suspicious use of AdjustPrivilegeToken (20 IoCs)
  Token: SeDebugPrivilege            pid 3880  Runtime Broker.exe
  Token: SeDebugPrivilege            pid 932   taskkill.exe
  Token: 33                          pid 3880  Runtime Broker.exe
  Token: SeIncBasePriorityPrivilege  pid 3880  Runtime Broker.exe
  (the last two entries alternate and are each listed 9 times)
Suspicious use of WriteProcessMemory (9 IoCs)
  PID 1336 HEUR-Trojan.Win32.Generic-3424a8c9c995896f9d6fe3bb4a164d0d8675a781f9f9c32286a5472ce8e9e50e.exe wrote to memory of PID 3880 Runtime Broker.exe  (listed 3 times)
  PID 3880 Runtime Broker.exe wrote to memory of PID 4520 netsh.exe  (listed 3 times)
  PID 3880 Runtime Broker.exe wrote to memory of PID 932 taskkill.exe  (listed 3 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-3424a8c9c995896f9d6fe3bb4a164d0d8675a781f9f9c32286a5472ce8e9e50e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-3424a8c9c995896f9d6fe3bb4a164d0d8675a781f9f9c32286a5472ce8e9e50e.exe"
   - Checks computer location settings
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Runtime Broker.exe
      Command line: "C:\Windows\Runtime Broker.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Drops autorun.inf file
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Windows\Runtime Broker.exe" "Runtime Broker.exe" ENABLE
         - Modifies Windows Firewall
      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /F /IM Avast.exe
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Windows\Runtime Broker.exe
  Filesize: 37KB
  MD5: 5c0e12b00990af8e6a82dee0c0e09d95
  SHA1: cf2be3ad4715d73a3d55c26f8eb972de163b255d
  SHA256: 3424a8c9c995896f9d6fe3bb4a164d0d8675a781f9f9c32286a5472ce8e9e50e
  SHA512: 2cc6d4a725e1b21d1c0e7108c7103b17d6150add109bf4d3ce964e00210c3d7880b660c6a57e9c5695316fb60490328acc252232b63196cf76598c76b70c2ed2
- memory/932-141-0x0000000000000000-mapping.dmp
- memory/1336-132-0x00000000752E0000-0x0000000075891000-memory.dmp  (Filesize: 5.7MB)
- memory/1336-133-0x00000000752E0000-0x0000000075891000-memory.dmp  (Filesize: 5.7MB)
- memory/1336-138-0x00000000752E0000-0x0000000075891000-memory.dmp  (Filesize: 5.7MB)
- memory/3880-134-0x0000000000000000-mapping.dmp
- memory/3880-137-0x00000000752E0000-0x0000000075891000-memory.dmp  (Filesize: 5.7MB)
- memory/3880-140-0x00000000752E0000-0x0000000075891000-memory.dmp  (Filesize: 5.7MB)
- memory/4520-139-0x0000000000000000-mapping.dmp