Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system -
submitted
01-10-2022 11:01
Behavioral task
behavioral1
Sample
e034e8e29330b4f73cf244cc2e66f26b.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
e034e8e29330b4f73cf244cc2e66f26b.exe
Resource
win10v2004-20220812-en
General
-
Target
e034e8e29330b4f73cf244cc2e66f26b.exe
-
Size
37KB
-
MD5
e034e8e29330b4f73cf244cc2e66f26b
-
SHA1
e982aa01df4307d1e70a2c6f6c22f3bf597fb19f
-
SHA256
79a474adc54cca49d5027b531bf4e0bea013de30a1343a25342673347ba50233
-
SHA512
6ba091c63ec6ee9e1b6f8cf3b09e5587b220888565d5f675a33db21ceae36c0119e92adc37790ecbc071dddf46d2a41629e62f159071edea2cb576c4f1958785
-
SSDEEP
384:0dJcaCis7/WRdL5kyc/FgP7KngCAlIprAF+rMRTyN/0L+EcoinblneHQM3epzXG9:2JcQD5nc/Fg+FAsrM+rMRa8Nuo3t
Malware Config
Extracted
njrat
im523
HacKed
4.tcp.eu.ngrok.io:17824
4ecc2556a0e0459076421d4c517a51cb
-
reg_key
4ecc2556a0e0459076421d4c517a51cb
-
splitter
|'|'|
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
Runtime Broker.exe
pid: 4824
process: Runtime Broker.exe
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
e034e8e29330b4f73cf244cc2e66f26b.exe
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
process: e034e8e29330b4f73cf244cc2e66f26b.exe
-
Drops startup file 2 IoCs
Processes:
Runtime Broker.exe
description: File created
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4ecc2556a0e0459076421d4c517a51cb.exe
process: Runtime Broker.exe

description: File opened for modification
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4ecc2556a0e0459076421d4c517a51cb.exe
process: Runtime Broker.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Runtime Broker.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4ecc2556a0e0459076421d4c517a51cb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Runtime Broker.exe\" .."
process: Runtime Broker.exe

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4ecc2556a0e0459076421d4c517a51cb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Runtime Broker.exe\" .."
process: Runtime Broker.exe
-
Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
Runtime Broker.exe
description: File created
ioc: C:\autorun.inf
process: Runtime Broker.exe

description: File opened for modification
ioc: C:\autorun.inf
process: Runtime Broker.exe

description: File created
ioc: D:\autorun.inf
process: Runtime Broker.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Runtime Broker.exe
pid: 4824
process: Runtime Broker.exe
(the same entry is repeated 64 times)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Runtime Broker.exe
pid: 4824
process: Runtime Broker.exe
-
Suspicious use of AdjustPrivilegeToken 35 IoCs
Processes:
Runtime Broker.exe
description: Token: SeDebugPrivilege
pid: 4824
process: Runtime Broker.exe

description: Token: 33
pid: 4824
process: Runtime Broker.exe

description: Token: SeIncBasePriorityPrivilege
pid: 4824
process: Runtime Broker.exe
(the Token: 33 / Token: SeIncBasePriorityPrivilege pair alternates 17 times, 34 entries, for 35 entries in total)
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
e034e8e29330b4f73cf244cc2e66f26b.exe, Runtime Broker.exe
description: PID 2092 wrote to memory of 4824
pid: 2092
process: e034e8e29330b4f73cf244cc2e66f26b.exe
target process: Runtime Broker.exe
(this entry is repeated 3 times)

description: PID 4824 wrote to memory of 2460
pid: 4824
process: Runtime Broker.exe
target process: netsh.exe
(this entry is repeated 3 times)
Processes
-
C:\Users\Admin\AppData\Local\Temp\e034e8e29330b4f73cf244cc2e66f26b.exe
"C:\Users\Admin\AppData\Local\Temp\e034e8e29330b4f73cf244cc2e66f26b.exe"
(process tree level 1)
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
(process tree level 2)
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" "Runtime Broker.exe" ENABLE
(process tree level 3)
- Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
Filesize 37KB
MD5 e034e8e29330b4f73cf244cc2e66f26b
SHA1 e982aa01df4307d1e70a2c6f6c22f3bf597fb19f
SHA256 79a474adc54cca49d5027b531bf4e0bea013de30a1343a25342673347ba50233
SHA512 6ba091c63ec6ee9e1b6f8cf3b09e5587b220888565d5f675a33db21ceae36c0119e92adc37790ecbc071dddf46d2a41629e62f159071edea2cb576c4f1958785
-
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
Filesize 37KB
MD5 e034e8e29330b4f73cf244cc2e66f26b
SHA1 e982aa01df4307d1e70a2c6f6c22f3bf597fb19f
SHA256 79a474adc54cca49d5027b531bf4e0bea013de30a1343a25342673347ba50233
SHA512 6ba091c63ec6ee9e1b6f8cf3b09e5587b220888565d5f675a33db21ceae36c0119e92adc37790ecbc071dddf46d2a41629e62f159071edea2cb576c4f1958785
-
memory/2092-132-0x0000000075300000-0x00000000758B1000-memory.dmp
Filesize 5.7MB
-
memory/2092-136-0x0000000075300000-0x00000000758B1000-memory.dmp
Filesize 5.7MB
-
memory/2460-138-0x0000000000000000-mapping.dmp
-
memory/4824-133-0x0000000000000000-mapping.dmp
-
memory/4824-137-0x0000000075300000-0x00000000758B1000-memory.dmp
Filesize 5.7MB
-
memory/4824-139-0x0000000075300000-0x00000000758B1000-memory.dmp
Filesize 5.7MB