Analysis
max time kernel:   150s
max time network:  152s
platform:          windows7_x64
resource:          win7-20220812-en
resource tags:     arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted:         01-10-2022 11:01
Behavioral task: behavioral1
  Sample:   e034e8e29330b4f73cf244cc2e66f26b.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample:   e034e8e29330b4f73cf244cc2e66f26b.exe
  Resource: win10v2004-20220812-en
General
Target:  e034e8e29330b4f73cf244cc2e66f26b.exe
Size:    37KB
MD5:     e034e8e29330b4f73cf244cc2e66f26b
SHA1:    e982aa01df4307d1e70a2c6f6c22f3bf597fb19f
SHA256:  79a474adc54cca49d5027b531bf4e0bea013de30a1343a25342673347ba50233
SHA512:  6ba091c63ec6ee9e1b6f8cf3b09e5587b220888565d5f675a33db21ceae36c0119e92adc37790ecbc071dddf46d2a41629e62f159071edea2cb576c4f1958785
SSDEEP:  384:0dJcaCis7/WRdL5kyc/FgP7KngCAlIprAF+rMRTyN/0L+EcoinblneHQM3epzXG9:2JcQD5nc/Fg+FAsrM+rMRa8Nuo3t
Malware Config
Extracted
Family:   njrat
Version:  im523
Botnet:   HacKed
C2:       4.tcp.eu.ngrok.io:17824
Mutex:    4ecc2556a0e0459076421d4c517a51cb
Attributes:
  reg_key:   4ecc2556a0e0459076421d4c517a51cb
  splitter:  |'|'|
Signatures

Executes dropped EXE (1 IoCs)
Processes:
  pid   process
  1176  Runtime Broker.exe

Modifies Windows Firewall (1 TTPs, 1 IoCs)

Drops startup file (2 IoCs)
Processes:
  process             description                   ioc
  Runtime Broker.exe  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4ecc2556a0e0459076421d4c517a51cb.exe
  Runtime Broker.exe  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4ecc2556a0e0459076421d4c517a51cb.exe

Loads dropped DLL (1 IoCs)
Processes:
  pid  process
  532  e034e8e29330b4f73cf244cc2e66f26b.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  process             description      ioc
  Runtime Broker.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\4ecc2556a0e0459076421d4c517a51cb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Runtime Broker.exe\" .."
  Runtime Broker.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\4ecc2556a0e0459076421d4c517a51cb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Runtime Broker.exe\" .."

Drops autorun.inf file (1 TTPs, 3 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
  process             description                   ioc
  Runtime Broker.exe  File created                  C:\autorun.inf
  Runtime Broker.exe  File opened for modification  C:\autorun.inf
  Runtime Broker.exe  File created                  D:\autorun.inf

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid   process
  1176  Runtime Broker.exe   (this row is repeated 64 times in the report)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid   process
  1176  Runtime Broker.exe

Suspicious use of AdjustPrivilegeToken (19 IoCs)
Processes:
  description                        pid   process
  Token: SeDebugPrivilege            1176  Runtime Broker.exe
  Token: 33                          1176  Runtime Broker.exe
  Token: SeIncBasePriorityPrivilege  1176  Runtime Broker.exe
  Token: 33                          1176  Runtime Broker.exe
  Token: SeIncBasePriorityPrivilege  1176  Runtime Broker.exe
  Token: 33                          1176  Runtime Broker.exe
  Token: SeIncBasePriorityPrivilege  1176  Runtime Broker.exe
  Token: 33                          1176  Runtime Broker.exe
  Token: SeIncBasePriorityPrivilege  1176  Runtime Broker.exe
  Token: 33                          1176  Runtime Broker.exe
  Token: SeIncBasePriorityPrivilege  1176  Runtime Broker.exe
  Token: 33                          1176  Runtime Broker.exe
  Token: SeIncBasePriorityPrivilege  1176  Runtime Broker.exe
  Token: 33                          1176  Runtime Broker.exe
  Token: SeIncBasePriorityPrivilege  1176  Runtime Broker.exe
  Token: 33                          1176  Runtime Broker.exe
  Token: SeIncBasePriorityPrivilege  1176  Runtime Broker.exe
  Token: 33                          1176  Runtime Broker.exe
  Token: SeIncBasePriorityPrivilege  1176  Runtime Broker.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                        pid   process                               target process
  PID 532 wrote to memory of 1176    532   e034e8e29330b4f73cf244cc2e66f26b.exe  Runtime Broker.exe
  PID 532 wrote to memory of 1176    532   e034e8e29330b4f73cf244cc2e66f26b.exe  Runtime Broker.exe
  PID 532 wrote to memory of 1176    532   e034e8e29330b4f73cf244cc2e66f26b.exe  Runtime Broker.exe
  PID 532 wrote to memory of 1176    532   e034e8e29330b4f73cf244cc2e66f26b.exe  Runtime Broker.exe
  PID 1176 wrote to memory of 1740   1176  Runtime Broker.exe                    netsh.exe
  PID 1176 wrote to memory of 1740   1176  Runtime Broker.exe                    netsh.exe
  PID 1176 wrote to memory of 1740   1176  Runtime Broker.exe                    netsh.exe
  PID 1176 wrote to memory of 1740   1176  Runtime Broker.exe                    netsh.exe
Processes

C:\Users\Admin\AppData\Local\Temp\e034e8e29330b4f73cf244cc2e66f26b.exe  (depth 1, PID 532)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e034e8e29330b4f73cf244cc2e66f26b.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe  (depth 2, PID 1176)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Drops autorun.inf file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe  (depth 3, PID 1740)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" "Runtime Broker.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
  Filesize: 37KB
  MD5:      e034e8e29330b4f73cf244cc2e66f26b
  SHA1:     e982aa01df4307d1e70a2c6f6c22f3bf597fb19f
  SHA256:   79a474adc54cca49d5027b531bf4e0bea013de30a1343a25342673347ba50233
  SHA512:   6ba091c63ec6ee9e1b6f8cf3b09e5587b220888565d5f675a33db21ceae36c0119e92adc37790ecbc071dddf46d2a41629e62f159071edea2cb576c4f1958785
\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
  Filesize: 37KB
  MD5:      e034e8e29330b4f73cf244cc2e66f26b
  SHA1:     e982aa01df4307d1e70a2c6f6c22f3bf597fb19f
  SHA256:   79a474adc54cca49d5027b531bf4e0bea013de30a1343a25342673347ba50233
  SHA512:   6ba091c63ec6ee9e1b6f8cf3b09e5587b220888565d5f675a33db21ceae36c0119e92adc37790ecbc071dddf46d2a41629e62f159071edea2cb576c4f1958785

memory/532-54-0x0000000075091000-0x0000000075093000-memory.dmp
  Filesize: 8KB

memory/532-55-0x0000000074110000-0x00000000746BB000-memory.dmp
  Filesize: 5.7MB

memory/532-61-0x0000000074110000-0x00000000746BB000-memory.dmp
  Filesize: 5.7MB

memory/1176-57-0x0000000000000000-mapping.dmp

memory/1176-62-0x0000000074110000-0x00000000746BB000-memory.dmp
  Filesize: 5.7MB

memory/1176-65-0x0000000074110000-0x00000000746BB000-memory.dmp
  Filesize: 5.7MB

memory/1740-63-0x0000000000000000-mapping.dmp