systembc | 40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b

Resubmissions

22-02-2023 10:35

230222-mmyvmacf6x 10

22-02-2023 10:19

230222-mcwmhscf3y 6

Analysis

max time kernel
595s
max time network
601s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22-02-2023 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b.exe
Size

7.2MB
MD5

9606143c857bbfe1b1da8e3d1fa9ae0e
SHA1

cb3a1b1d8e6acbe46c96b5b159a7be2d372b3cc6
SHA256

40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b
SHA512

2e118c618265b8769b15dff8add661c60f17afd46365773ca22e359b03a765c83a7f316057045293a71b53a889771fadf54e6ac1ee3fd9b3a7437f266f8af08b
SSDEEP

196608:jeuNPzUCugRPeW7R9dGfqEjirb49GOD2MpkB:CmZB77R9d0q1A9GLM

Score

10^/10

systembc discovery spyware stealer trojan

Malware Config

Extracted

Family

systembc

31.222.238.58:4280

192.168.1.28:4280

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Drops startup file 1 IoCs

Processes:

MsMpEng.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pu5xtvhm.lnk MsMpEng.exe
Executes dropped EXE 4 IoCs

Processes:

Runtime Broker.exeMsMpEng.exeRuntime Broker.exepu5xtvhm.exe

pid process

1348 Runtime Broker.exe
1788 MsMpEng.exe
1672 Runtime Broker.exe
1860 pu5xtvhm.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pu5xtvhm.lnk	MsMpEng.exe

pid	process
1348	Runtime Broker.exe
1788	MsMpEng.exe
1672	Runtime Broker.exe
1860	pu5xtvhm.exe

Loads dropped DLL 6 IoCs

Processes:

40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b.exeRuntime Broker.execmd.exe

pid	process
1744	40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b.exe
1744	40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b.exe
1744	40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b.exe
1672	Runtime Broker.exe
1672	Runtime Broker.exe
824	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ipinfo.io
5 ipinfo.io

flow	ioc
4	ipinfo.io
5	ipinfo.io

Suspicious use of SetThreadContext 2 IoCs

Processes:

Runtime Broker.exepu5xtvhm.exe

description	pid	process	target process
PID 1348 set thread context of 1672	1348	Runtime Broker.exe	Runtime Broker.exe
PID 1860 set thread context of 1540	1860	pu5xtvhm.exe	AddInProcess32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Runtime Broker.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Runtime Broker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Runtime Broker.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1512 PING.EXE
1656 PING.EXE

pid	process
1512	PING.EXE
1656	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MsMpEng.exeRuntime Broker.exe

pid	process
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1672	Runtime Broker.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe
1788	MsMpEng.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

cmd.exe

pid process

1760 cmd.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Runtime Broker.exe

pid process

1348 Runtime Broker.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

MsMpEng.exepu5xtvhm.exe

description pid process

Token: SeDebugPrivilege 1788 MsMpEng.exe
Token: SeDebugPrivilege 1860 pu5xtvhm.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Runtime Broker.exe

pid process

1348 Runtime Broker.exe

pid	process
1760	cmd.exe

pid	process
1348	Runtime Broker.exe

description	pid	process
Token: SeDebugPrivilege	1788	MsMpEng.exe
Token: SeDebugPrivilege	1860	pu5xtvhm.exe

pid	process
1348	Runtime Broker.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b.execmd.exeRuntime Broker.exeRuntime Broker.exeMsMpEng.execmd.exepu5xtvhm.exe

description	pid	process	target process
PID 1744 wrote to memory of 976	1744	40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b.exe	cmd.exe
PID 1744 wrote to memory of 976	1744	40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b.exe	cmd.exe
PID 1744 wrote to memory of 976	1744	40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b.exe	cmd.exe
PID 1744 wrote to memory of 976	1744	40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b.exe	cmd.exe
PID 976 wrote to memory of 968	976	cmd.exe	tzutil.exe
PID 976 wrote to memory of 968	976	cmd.exe	tzutil.exe
PID 976 wrote to memory of 968	976	cmd.exe	tzutil.exe
PID 976 wrote to memory of 968	976	cmd.exe	tzutil.exe
PID 1744 wrote to memory of 1348	1744	40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b.exe	Runtime Broker.exe
PID 1744 wrote to memory of 1348	1744	40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b.exe	Runtime Broker.exe
PID 1744 wrote to memory of 1348	1744	40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b.exe	Runtime Broker.exe
PID 1744 wrote to memory of 1348	1744	40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b.exe	Runtime Broker.exe
PID 1744 wrote to memory of 1788	1744	40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b.exe	MsMpEng.exe
PID 1744 wrote to memory of 1788	1744	40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b.exe	MsMpEng.exe
PID 1744 wrote to memory of 1788	1744	40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b.exe	MsMpEng.exe
PID 1744 wrote to memory of 1788	1744	40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b.exe	MsMpEng.exe
PID 1348 wrote to memory of 1672	1348	Runtime Broker.exe	Runtime Broker.exe
PID 1348 wrote to memory of 1672	1348	Runtime Broker.exe	Runtime Broker.exe
PID 1348 wrote to memory of 1672	1348	Runtime Broker.exe	Runtime Broker.exe
PID 1348 wrote to memory of 1672	1348	Runtime Broker.exe	Runtime Broker.exe
PID 1348 wrote to memory of 1672	1348	Runtime Broker.exe	Runtime Broker.exe
PID 1672 wrote to memory of 1760	1672	Runtime Broker.exe	cmd.exe
PID 1672 wrote to memory of 1760	1672	Runtime Broker.exe	cmd.exe
PID 1672 wrote to memory of 1760	1672	Runtime Broker.exe	cmd.exe
PID 1672 wrote to memory of 1760	1672	Runtime Broker.exe	cmd.exe
PID 1788 wrote to memory of 824	1788	MsMpEng.exe	cmd.exe
PID 1788 wrote to memory of 824	1788	MsMpEng.exe	cmd.exe
PID 1788 wrote to memory of 824	1788	MsMpEng.exe	cmd.exe
PID 1788 wrote to memory of 824	1788	MsMpEng.exe	cmd.exe
PID 824 wrote to memory of 1656	824	cmd.exe	PING.EXE
PID 824 wrote to memory of 1656	824	cmd.exe	PING.EXE
PID 824 wrote to memory of 1656	824	cmd.exe	PING.EXE
PID 824 wrote to memory of 1656	824	cmd.exe	PING.EXE
PID 824 wrote to memory of 1512	824	cmd.exe	PING.EXE
PID 824 wrote to memory of 1512	824	cmd.exe	PING.EXE
PID 824 wrote to memory of 1512	824	cmd.exe	PING.EXE
PID 824 wrote to memory of 1512	824	cmd.exe	PING.EXE
PID 824 wrote to memory of 1860	824	cmd.exe	pu5xtvhm.exe
PID 824 wrote to memory of 1860	824	cmd.exe	pu5xtvhm.exe
PID 824 wrote to memory of 1860	824	cmd.exe	pu5xtvhm.exe
PID 824 wrote to memory of 1860	824	cmd.exe	pu5xtvhm.exe
PID 1860 wrote to memory of 1540	1860	pu5xtvhm.exe	AddInProcess32.exe
PID 1860 wrote to memory of 1540	1860	pu5xtvhm.exe	AddInProcess32.exe
PID 1860 wrote to memory of 1540	1860	pu5xtvhm.exe	AddInProcess32.exe
PID 1860 wrote to memory of 1540	1860	pu5xtvhm.exe	AddInProcess32.exe
PID 1860 wrote to memory of 1540	1860	pu5xtvhm.exe	AddInProcess32.exe
PID 1860 wrote to memory of 1540	1860	pu5xtvhm.exe	AddInProcess32.exe
PID 1860 wrote to memory of 1540	1860	pu5xtvhm.exe	AddInProcess32.exe
PID 1860 wrote to memory of 1540	1860	pu5xtvhm.exe	AddInProcess32.exe
PID 1860 wrote to memory of 1540	1860	pu5xtvhm.exe	AddInProcess32.exe
PID 1860 wrote to memory of 1540	1860	pu5xtvhm.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b.exe
"C:\Users\Admin\AppData\Local\Temp\40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tzutil /g
2⤵
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SysWOW64\tzutil.exe
tzutil /g
3⤵
PID:968

C:\Users\Admin\AppData\Roaming\WindowsInstaller\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WindowsInstaller\Runtime Broker.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1348

C:\Users\Admin\AppData\Roaming\WindowsInstaller\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WindowsInstaller\Runtime Broker.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DGDAEHCBGI.exe"
4⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1760

C:\Users\Admin\AppData\Roaming\WindowsInstaller\MsMpEng.exe
"C:\Users\Admin\AppData\Roaming\WindowsInstaller\MsMpEng.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 43 > nul && copy "C:\Users\Admin\AppData\Roaming\WindowsInstaller\MsMpEng.exe" "C:\Users\Admin\AppData\Roaming\ncache\pu5xtvhm.exe" && ping 127.0.0.1 -n 43 > nul && "C:\Users\Admin\AppData\Roaming\ncache\pu5xtvhm.exe"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 43
4⤵
- Runs ping.exe
PID:1656

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 43
4⤵
- Runs ping.exe
PID:1512

C:\Users\Admin\AppData\Roaming\ncache\pu5xtvhm.exe
"C:\Users\Admin\AppData\Roaming\ncache\pu5xtvhm.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
5⤵
PID:1540

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
8aa03dddcb3983334e4fecf2c2912564

SHA1
3ccbc3eb5d785bbafce4c8c88792469bb3fb8398

SHA256
e53a8b0092748a58320a76403e58a07da411a0f6658a18f3f337a98b23767167

SHA512
b6e979051bdbcba8b6a91551f9a904432b680fbee5030f6b08357770b2386b94e83c28db20dce1db81f4f9f4b7cda5a6369eac8bde77e9189fe351b1ab94581f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6B82.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6C31.tmp
Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsInstaller\MsMpEng.exe
Filesize
420KB

MD5
e85fa08c1ed20440363e2e44eced6299

SHA1
e0867a371a5c6bfdf6bd84470b188f0817b4d23a

SHA256
c1f5b88413bef3bc89aacd544847d5690fe17247b10d5922e59e4cbc6c37707e

SHA512
73bc5a867c7b86f32257f43167c1816b9087a0fc6d70f1500194821abbdfcaddb4f79325e0b24837fabb9594284ff9bb7b180de5fc0264287a6345b146ffcfbf

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsInstaller\MsMpEng.exe
Filesize
420KB

MD5
e85fa08c1ed20440363e2e44eced6299

SHA1
e0867a371a5c6bfdf6bd84470b188f0817b4d23a

SHA256
c1f5b88413bef3bc89aacd544847d5690fe17247b10d5922e59e4cbc6c37707e

SHA512
73bc5a867c7b86f32257f43167c1816b9087a0fc6d70f1500194821abbdfcaddb4f79325e0b24837fabb9594284ff9bb7b180de5fc0264287a6345b146ffcfbf

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsInstaller\Runtime Broker.exe
Filesize
584KB

MD5
c32c03cf9a70ade1d4efc11853cd0225

SHA1
11ed71198457e158e15cc3e157dc7b979951d7e1

SHA256
b51beb1c3f5b26d7766492130826d5f985a05b72b628a257a06494999a054c02

SHA512
13b2ec3e400ef25596eb13e891ffdc7e9b6492a4cf0733b48252d2c1d273ab4fcbe0d843b00f1e491eaff339fa2a1cd68a59366e36cf24a0f1e2a45b7f8df20b

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsInstaller\Runtime Broker.exe
Filesize
584KB

MD5
c32c03cf9a70ade1d4efc11853cd0225

SHA1
11ed71198457e158e15cc3e157dc7b979951d7e1

SHA256
b51beb1c3f5b26d7766492130826d5f985a05b72b628a257a06494999a054c02

SHA512
13b2ec3e400ef25596eb13e891ffdc7e9b6492a4cf0733b48252d2c1d273ab4fcbe0d843b00f1e491eaff339fa2a1cd68a59366e36cf24a0f1e2a45b7f8df20b

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsInstaller\Runtime Broker.exe
Filesize
584KB

MD5
c32c03cf9a70ade1d4efc11853cd0225

SHA1
11ed71198457e158e15cc3e157dc7b979951d7e1

SHA256
b51beb1c3f5b26d7766492130826d5f985a05b72b628a257a06494999a054c02

SHA512
13b2ec3e400ef25596eb13e891ffdc7e9b6492a4cf0733b48252d2c1d273ab4fcbe0d843b00f1e491eaff339fa2a1cd68a59366e36cf24a0f1e2a45b7f8df20b

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsInstaller\Runtime Broker.exe
Filesize
584KB

MD5
c32c03cf9a70ade1d4efc11853cd0225

SHA1
11ed71198457e158e15cc3e157dc7b979951d7e1

SHA256
b51beb1c3f5b26d7766492130826d5f985a05b72b628a257a06494999a054c02

SHA512
13b2ec3e400ef25596eb13e891ffdc7e9b6492a4cf0733b48252d2c1d273ab4fcbe0d843b00f1e491eaff339fa2a1cd68a59366e36cf24a0f1e2a45b7f8df20b

Download Submit
C:\Users\Admin\AppData\Roaming\ncache\pu5xtvhm.exe
Filesize
420KB

MD5
e85fa08c1ed20440363e2e44eced6299

SHA1
e0867a371a5c6bfdf6bd84470b188f0817b4d23a

SHA256
c1f5b88413bef3bc89aacd544847d5690fe17247b10d5922e59e4cbc6c37707e

SHA512
73bc5a867c7b86f32257f43167c1816b9087a0fc6d70f1500194821abbdfcaddb4f79325e0b24837fabb9594284ff9bb7b180de5fc0264287a6345b146ffcfbf

Download Submit
C:\Users\Admin\AppData\Roaming\ncache\pu5xtvhm.exe
Filesize
420KB

MD5
e85fa08c1ed20440363e2e44eced6299

SHA1
e0867a371a5c6bfdf6bd84470b188f0817b4d23a

SHA256
c1f5b88413bef3bc89aacd544847d5690fe17247b10d5922e59e4cbc6c37707e

SHA512
73bc5a867c7b86f32257f43167c1816b9087a0fc6d70f1500194821abbdfcaddb4f79325e0b24837fabb9594284ff9bb7b180de5fc0264287a6345b146ffcfbf

Download Submit
C:\Users\Admin\AppData\Roaming\ncache\pu5xtvhm.exe
Filesize
420KB

MD5
e85fa08c1ed20440363e2e44eced6299

SHA1
e0867a371a5c6bfdf6bd84470b188f0817b4d23a

SHA256
c1f5b88413bef3bc89aacd544847d5690fe17247b10d5922e59e4cbc6c37707e

SHA512
73bc5a867c7b86f32257f43167c1816b9087a0fc6d70f1500194821abbdfcaddb4f79325e0b24837fabb9594284ff9bb7b180de5fc0264287a6345b146ffcfbf

Download Submit
\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Roaming\WindowsInstaller\MsMpEng.exe
Filesize
420KB

MD5
e85fa08c1ed20440363e2e44eced6299

SHA1
e0867a371a5c6bfdf6bd84470b188f0817b4d23a

SHA256
c1f5b88413bef3bc89aacd544847d5690fe17247b10d5922e59e4cbc6c37707e

SHA512
73bc5a867c7b86f32257f43167c1816b9087a0fc6d70f1500194821abbdfcaddb4f79325e0b24837fabb9594284ff9bb7b180de5fc0264287a6345b146ffcfbf

Download Submit
\Users\Admin\AppData\Roaming\WindowsInstaller\Runtime Broker.exe
Filesize
584KB

MD5
c32c03cf9a70ade1d4efc11853cd0225

SHA1
11ed71198457e158e15cc3e157dc7b979951d7e1

SHA256
b51beb1c3f5b26d7766492130826d5f985a05b72b628a257a06494999a054c02

SHA512
13b2ec3e400ef25596eb13e891ffdc7e9b6492a4cf0733b48252d2c1d273ab4fcbe0d843b00f1e491eaff339fa2a1cd68a59366e36cf24a0f1e2a45b7f8df20b

Download Submit
\Users\Admin\AppData\Roaming\WindowsInstaller\Runtime Broker.exe
Filesize
584KB

MD5
c32c03cf9a70ade1d4efc11853cd0225

SHA1
11ed71198457e158e15cc3e157dc7b979951d7e1

SHA256
b51beb1c3f5b26d7766492130826d5f985a05b72b628a257a06494999a054c02

SHA512
13b2ec3e400ef25596eb13e891ffdc7e9b6492a4cf0733b48252d2c1d273ab4fcbe0d843b00f1e491eaff339fa2a1cd68a59366e36cf24a0f1e2a45b7f8df20b

Download Submit
\Users\Admin\AppData\Roaming\ncache\pu5xtvhm.exe
Filesize
420KB

MD5
e85fa08c1ed20440363e2e44eced6299

SHA1
e0867a371a5c6bfdf6bd84470b188f0817b4d23a

SHA256
c1f5b88413bef3bc89aacd544847d5690fe17247b10d5922e59e4cbc6c37707e

SHA512
73bc5a867c7b86f32257f43167c1816b9087a0fc6d70f1500194821abbdfcaddb4f79325e0b24837fabb9594284ff9bb7b180de5fc0264287a6345b146ffcfbf

Download Submit
memory/1348-169-0x0000000000240000-0x0000000000248000-memory.dmp

Filesize
32KB

Download
memory/1348-164-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1348-165-0x0000000000240000-0x0000000000248000-memory.dmp

Filesize
32KB

Download
memory/1540-299-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1540-294-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1540-295-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1540-301-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1540-300-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1540-296-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1540-297-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1540-298-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1540-302-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1672-167-0x0000000000400000-0x000000000062D000-memory.dmp

Filesize
2.2MB

Download
memory/1672-178-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1672-236-0x0000000000400000-0x000000000062D000-memory.dmp

Filesize
2.2MB

Download
memory/1672-238-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1672-171-0x0000000000400000-0x000000000062D000-memory.dmp

Filesize
2.2MB

Download
memory/1672-176-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/1672-173-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1744-141-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1744-54-0x0000000000CF0000-0x0000000001764000-memory.dmp

Filesize
10.5MB

Download
memory/1744-61-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1744-58-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1760-274-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/1788-162-0x0000000000EC0000-0x0000000000F2E000-memory.dmp

Filesize
440KB

Download
memory/1788-277-0x0000000002490000-0x00000000024D0000-memory.dmp

Filesize
256KB

Download
memory/1788-163-0x0000000002490000-0x00000000024D0000-memory.dmp

Filesize
256KB

Download
memory/1788-174-0x0000000000420000-0x000000000046A000-memory.dmp

Filesize
296KB

Download
memory/1788-175-0x0000000000610000-0x0000000000628000-memory.dmp

Filesize
96KB

Download
memory/1788-177-0x0000000002490000-0x00000000024D0000-memory.dmp

Filesize
256KB

Download
memory/1788-235-0x0000000002490000-0x00000000024D0000-memory.dmp

Filesize
256KB

Download
memory/1788-275-0x0000000002490000-0x00000000024D0000-memory.dmp

Filesize
256KB

Download
memory/1788-276-0x0000000002490000-0x00000000024D0000-memory.dmp

Filesize
256KB

Download
memory/1860-290-0x0000000004E90000-0x0000000004ED0000-memory.dmp

Filesize
256KB

Download
memory/1860-285-0x0000000001300000-0x000000000136E000-memory.dmp

Filesize
440KB

Download
memory/1860-293-0x0000000000540000-0x0000000000546000-memory.dmp

Filesize
24KB

Download
memory/1860-292-0x0000000000B60000-0x0000000000B7A000-memory.dmp

Filesize
104KB

Download
memory/1860-291-0x0000000004E90000-0x0000000004ED0000-memory.dmp

Filesize
256KB

Download
memory/1860-286-0x0000000004E90000-0x0000000004ED0000-memory.dmp

Filesize
256KB

Download
memory/1860-289-0x0000000004E90000-0x0000000004ED0000-memory.dmp

Filesize
256KB

Download
memory/1860-288-0x0000000004E90000-0x0000000004ED0000-memory.dmp

Filesize
256KB

Download
memory/1860-287-0x0000000004E90000-0x0000000004ED0000-memory.dmp

Filesize
256KB

Download