24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4

Analysis

max time kernel
254s
max time network
303s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
15/03/2023, 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4.exe
Size

5.4MB
MD5

e0d2634fe2b085685f0b71e66ac91ec9
SHA1

c03d6b2218ffff1957a91f64d15ee1cbb57726fd
SHA256

24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4
SHA512

48e72eccb385e282b419fe7116d6a0c7c0a6cd5ca482e57ae7b1b52440e347833d0aa9c15097bdeec8074b9a60d90843a5d4f20e4ce9d0595f3dc0a38b6fdde8
SSDEEP

49152:pyWMOEmrU4VWLP6zev05oej0EL9gCegK/efy5d8A45EG273LCV0UOQJUh9q101GF:Eq6PQn4/9GEp32VLV+h9sF

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1996	runtime.exe
1280	runtime.exe
884	runtime.exe

Loads dropped DLL 6 IoCs

pid	Process
1556	taskeng.exe
1556	taskeng.exe
1556	taskeng.exe
1556	taskeng.exe
1556	taskeng.exe
1556	taskeng.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\runtime_2 = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\config\\runtime.exe"	24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\runtime_3 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\config\\runtime.exe"	24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\runtime_1 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\config\\runtime.exe"	24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
588	schtasks.exe
1532	schtasks.exe
1928	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1736	powershell.exe
1748	powershell.exe
1620	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 1736	1108	24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4.exe	27
PID 1108 wrote to memory of 1736	1108	24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4.exe	27
PID 1108 wrote to memory of 1736	1108	24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4.exe	27
PID 1736 wrote to memory of 588	1736	powershell.exe	29
PID 1736 wrote to memory of 588	1736	powershell.exe	29
PID 1736 wrote to memory of 588	1736	powershell.exe	29
PID 1108 wrote to memory of 1748	1108	24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4.exe	30
PID 1108 wrote to memory of 1748	1108	24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4.exe	30
PID 1108 wrote to memory of 1748	1108	24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4.exe	30
PID 1748 wrote to memory of 1532	1748	powershell.exe	32
PID 1748 wrote to memory of 1532	1748	powershell.exe	32
PID 1748 wrote to memory of 1532	1748	powershell.exe	32
PID 1108 wrote to memory of 1620	1108	24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4.exe	33
PID 1108 wrote to memory of 1620	1108	24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4.exe	33
PID 1108 wrote to memory of 1620	1108	24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4.exe	33
PID 1620 wrote to memory of 1928	1620	powershell.exe	35
PID 1620 wrote to memory of 1928	1620	powershell.exe	35
PID 1620 wrote to memory of 1928	1620	powershell.exe	35
PID 1556 wrote to memory of 1996	1556	taskeng.exe	37
PID 1556 wrote to memory of 1996	1556	taskeng.exe	37
PID 1556 wrote to memory of 1996	1556	taskeng.exe	37
PID 1556 wrote to memory of 884	1556	taskeng.exe	38
PID 1556 wrote to memory of 884	1556	taskeng.exe	38
PID 1556 wrote to memory of 884	1556	taskeng.exe	38
PID 1556 wrote to memory of 1280	1556	taskeng.exe	39
PID 1556 wrote to memory of 1280	1556	taskeng.exe	39
PID 1556 wrote to memory of 1280	1556	taskeng.exe	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4.exe
"C:\Users\Admin\AppData\Local\Temp\24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
    3⤵
    - Creates scheduled task(s)
    PID:588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
    3⤵
    - Creates scheduled task(s)
    PID:1532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
    3⤵
    - Creates scheduled task(s)
    PID:1928

C:\Windows\system32\taskeng.exe
taskeng.exe {C71F5941-190D-4B67-9583-41841A95F1C4} S-1-5-21-3948302646-268491222-1934009652-1000:KXZDHPUW\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
  C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
  C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
  2⤵
  - Executes dropped EXE
  PID:1280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe

Filesize
333.6MB

MD5
cb695970391d2613e1a39b3e00667c0c

SHA1
3bf181199c1371c82f12afad9c9d728e11558135

SHA256
2028e2d13ae4a423527f8f0002a77e4cd82adf24c807756102f31cf171274ac1

SHA512
12ce6ba28552b50b790f55589dbaf5ce9e1c6be501c9b96e3f19559c6f808157a602491654a35d524a4b2cb6a548fc20dd9acac0f79215d335e61169a3a04878

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe

Filesize
343.1MB

MD5
736e7129f1961cb9c17e77afac4fc8c9

SHA1
aa4e1a97fdf9f16e6e9e47d4d98aa50dd8f863fb

SHA256
f208573af2e2dcb4e52748fb9be04387f9ac763515cf981f8edb0cfaec717434

SHA512
051a32d33a4e2126f4df17d99dc062270a598ac3e69327056065ec3e673dd5dbe942be9ccd0d00071f64dbb004203c65beefd8acff16cea120b46e3a3d33ce47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe

Filesize
796.8MB

MD5
41c9bb4d736b3b6ead5edd8fb364747f

SHA1
84157f83bb1ac1a445e89b7d640b7c3fac095efd

SHA256
f7bb6dc60604615d723b95dd69a468a0a3068532064aaf5851c3db749a662054

SHA512
10a62dfed898ff77283577197e5a6fd11d719900ec93fabadff6babae828611d042a659bc5c499c7fd3aa21ea71df123804b3f6b1d6fe03e3ac36cc6b47ad79a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe

Filesize
342.5MB

MD5
b723e12f091d46b8abd1176e6ec7f14c

SHA1
63a40c1d76f0d7b44da43f49d52466a526dd865e

SHA256
8cb23c820bd70acf609392c312f52b004c5f2f8011464a835479f9558bed92dc

SHA512
adb9826ce1ba138a54b900dcc340b0729c21dccd7cb5deef542e6e2d5681aff1d68e0be92a7ad676db9c4a1f5fbce372aa30ed553bc07196b1e07073e99007be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe

Filesize
344.2MB

MD5
f4c7eaac1f573fe0fe0800f2ef464f9f

SHA1
a65dd60ce7caea044fc5b9202a828e77856549f6

SHA256
91bcfb44eac04d60d694ad276d2e2f57c35cca4b0b754a9d9514943c48c07c97

SHA512
fa4e016c9e5520b1ffc25c5715dd7bd6780f87644d6bcbb106e5256a13bfedd00c28250b042f2f0c2b05d576859240cb1698cea58f2fc50b6f3196a7924d0f87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1fe6d485b140ad40f6d476df6470f7f1

SHA1
2b1cb7b3b48cbbb0e0ccb5e351f695149cea853e

SHA256
561ac9d86bec744d761b3a3b151d6c20f90d2f8283eaa88c561486bf2843356b

SHA512
63387d0c7e1ed96b1557cf6ddf37dbceec5e723885ae473ca2ae8f37fbade4686a4134b3ffb8f8f990fcef15973451b1a2eb8792141bd801c3df6f99ea8b3868

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1fe6d485b140ad40f6d476df6470f7f1

SHA1
2b1cb7b3b48cbbb0e0ccb5e351f695149cea853e

SHA256
561ac9d86bec744d761b3a3b151d6c20f90d2f8283eaa88c561486bf2843356b

SHA512
63387d0c7e1ed96b1557cf6ddf37dbceec5e723885ae473ca2ae8f37fbade4686a4134b3ffb8f8f990fcef15973451b1a2eb8792141bd801c3df6f99ea8b3868

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ULRZOWQLQH4MAO1I944Y.temp

Filesize
7KB

MD5
1fe6d485b140ad40f6d476df6470f7f1

SHA1
2b1cb7b3b48cbbb0e0ccb5e351f695149cea853e

SHA256
561ac9d86bec744d761b3a3b151d6c20f90d2f8283eaa88c561486bf2843356b

SHA512
63387d0c7e1ed96b1557cf6ddf37dbceec5e723885ae473ca2ae8f37fbade4686a4134b3ffb8f8f990fcef15973451b1a2eb8792141bd801c3df6f99ea8b3868

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe

Filesize
318.9MB

MD5
af3e157a3528f081d70fd07c6b33ce6b

SHA1
aa1a444f71cdd705923e01d24e3590c2e4b9a7cb

SHA256
3e37b40c095933ce5041247bd7dc8d5b529a8a6ca27c215180d932915ce02bf2

SHA512
3a9077cbdc55466c3a379cef18a9a26eff3fe0129fa25e6b7e22323ae5d09f38e1635849f8c5f19626e0c0d2284c692a498ebc679a653e1ed534b371f226c0de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe

Filesize
333.9MB

MD5
4e398afbf680ad31717c5de527d1b6a8

SHA1
5048206a0ba144efd753853386572caa4597c2af

SHA256
6d683adcdef66ef422d861db3bd653bf0df305c6ed4ee41fe9d0c0682b8dade1

SHA512
7abd3f826c1fb00c6e73d978e5dbe4b9634604a8f40e6095dd62bc9462d294d916336d229dcf2b7dface6ba731966dee204f0ae831594e9470f36b7944a979f2

Download Submit
\Users\Admin\AppData\Local\Microsoft\config\runtime.exe

Filesize
344.3MB

MD5
9cfd27df2ec1db59830821fcaf0eb2d7

SHA1
33c70f1c4c9f810c56a4ba880e49e0bdf1767590

SHA256
99a9e6277ccb36cf0e23b4736b79f8dae2ce0343e878b87699f65bbe65fb90ff

SHA512
dc74e495e328b8d05e08a63141bfb96ad4da9548c9cf92ceaa217d813b903e4188aa1b057ddb4eb8441d09855d0d7b933d6e5e30de609b1679f070b9652706de

Download Submit
\Users\Admin\AppData\Local\Microsoft\config\runtime.exe

Filesize
343.3MB

MD5
65621e3d0d2d85fee79ba39d67ae9c38

SHA1
60e145f0302d4bf0063d073cc69db6940e448f7f

SHA256
ab918a2fb260cc4bbd2782ec363ddb638d28b56ca5179c97a5e9d0cb66f4f1e0

SHA512
38f08c7c324b95f1385dd4db34dfda0fa8fbafbc5113f20b4f531e28c0e94219095179e92aeb18f0e11e4483a1cbdcb2f6fdf3c165a83127296c10a88bc42166

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe

Filesize
343.7MB

MD5
96cc3d5509d5404323a03787452329c1

SHA1
95681f5a7ae3378d72fc892a653b3495158fd02e

SHA256
11ebde190630eff25b7df15494afe053588823e751e870768198857123cfacbf

SHA512
d5ef3408a604f6dfc2208a36ba54e2e32a2610654d0949c85789fce56964f8fc709a1ebd578affec64e582daa07eaa11457975f7c6a6842a0a0ef24691ee5e30

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe

Filesize
332.4MB

MD5
abe9ac82892ad2ec143444113c8ea4be

SHA1
231dea7f68c0ead09bb0c35c8ca8e716fe0ab2e0

SHA256
f72530236af6e16765db15bff63690e6c499fad7df95ea2a17a26e532517cd2e

SHA512
3b3465b3f1d1ba39fa23de1ad8716b65f16bd13dd0370a1c885374f66ef1f5515a596d589805c1d1a074d54712de03633b4ac74683ba161ae6aa4b2a59aaf9c8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe

Filesize
320.8MB

MD5
269acc318dae9879088b2d2a31549592

SHA1
7ad3cf18b5b1a7b95b69b14d01af321554abb8f9

SHA256
665f3ef4e52276e83eb41e7c9ea41b242a1478e65165739c293517dba91b397b

SHA512
d46c40c75a8dfc41f54cc01154b8fbda2eb731808465df7999257ff796c87129aa79c22092c6f1ff744370e9d4c568f68d10a037658de53c839f19b4c9b8ee84

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe

Filesize
301.8MB

MD5
b5e4a2caa9a6655bc6d85d163b52c6ac

SHA1
d3975c5f85331cc2ea4bc291aac04484a8f35af2

SHA256
b4c652fbb8905b933b20a881d12a9c81210a70c8604db98241a6f131dad6c84b

SHA512
5c8678a295eb2d41166f05c94c07aa524ee921b306436c3a16d6ec97f4151f2e289f90a6b5cbe1534c6b3ccbd890e10d95154fd5d43c3c6fe608b7ee47c530d4

Download Submit
memory/1620-87-0x00000000026A0000-0x0000000002720000-memory.dmp

Filesize
512KB

Download
memory/1620-85-0x00000000026A0000-0x0000000002720000-memory.dmp

Filesize
512KB

Download
memory/1620-88-0x00000000026A0000-0x0000000002720000-memory.dmp

Filesize
512KB

Download
memory/1620-86-0x00000000026A0000-0x0000000002720000-memory.dmp

Filesize
512KB

Download
memory/1736-64-0x0000000002A20000-0x0000000002AA0000-memory.dmp

Filesize
512KB

Download
memory/1736-63-0x0000000002A20000-0x0000000002AA0000-memory.dmp

Filesize
512KB

Download
memory/1736-62-0x0000000002A20000-0x0000000002AA0000-memory.dmp

Filesize
512KB

Download
memory/1736-65-0x0000000002A2B000-0x0000000002A62000-memory.dmp

Filesize
220KB

Download
memory/1736-61-0x0000000002470000-0x0000000002478000-memory.dmp

Filesize
32KB

Download
memory/1736-60-0x000000001B390000-0x000000001B672000-memory.dmp

Filesize
2.9MB

Download
memory/1748-73-0x000000001B1A0000-0x000000001B482000-memory.dmp

Filesize
2.9MB

Download
memory/1748-76-0x000000000250B000-0x0000000002542000-memory.dmp

Filesize
220KB

Download
memory/1748-75-0x0000000002504000-0x0000000002507000-memory.dmp

Filesize
12KB

Download
memory/1748-74-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download