c1853b7f39c854c19408c29f02fb13b883edcde8d61bd261cb8be0d2c8621dbe

Analysis

max time kernel
93s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
12/04/2023, 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1853b7f39c854c19408c29f02fb13b883edcde8d61bd.exe
Size

5.4MB
MD5

0cb1e47546d778ad888baee0f6c9b5ec
SHA1

164220f9706f898d33dd76435c0603ea8972d2b3
SHA256

c1853b7f39c854c19408c29f02fb13b883edcde8d61bd261cb8be0d2c8621dbe
SHA512

f372c052b8b61ecf7036ef6ec1d067d104ed5cf451c6d08ee2cad39ca57c6b21ce6c109cb3103c0a5631ddc55ea367db1687c0e5ad1e816f5e8b4fa725da99ff
SSDEEP

49152:BhWEaxrr2WrVovR5PUSrmVqK27r918DbJrzD2y5dzAE5ElDH73LCV0UOQJUh9qRq:daKvzHAzZhEZ32VLV+h9u6

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4896	runtime.exe
3392	runtime.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtime_2 = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\config\\runtime.exe"	c1853b7f39c854c19408c29f02fb13b883edcde8d61bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtime_3 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\config\\runtime.exe"	c1853b7f39c854c19408c29f02fb13b883edcde8d61bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtime_1 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\config\\runtime.exe"	c1853b7f39c854c19408c29f02fb13b883edcde8d61bd.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3924	schtasks.exe
3752	schtasks.exe
1388	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
392	powershell.exe
392	powershell.exe
1276	powershell.exe
1276	powershell.exe
5012	powershell.exe
5012	powershell.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	392	powershell.exe
Token: SeDebugPrivilege	1276	powershell.exe
Token: SeDebugPrivilege	5012	powershell.exe
Token: SeIncreaseQuotaPrivilege	3932	WMIC.exe
Token: SeSecurityPrivilege	3932	WMIC.exe
Token: SeTakeOwnershipPrivilege	3932	WMIC.exe
Token: SeLoadDriverPrivilege	3932	WMIC.exe
Token: SeSystemProfilePrivilege	3932	WMIC.exe
Token: SeSystemtimePrivilege	3932	WMIC.exe
Token: SeProfSingleProcessPrivilege	3932	WMIC.exe
Token: SeIncBasePriorityPrivilege	3932	WMIC.exe
Token: SeCreatePagefilePrivilege	3932	WMIC.exe
Token: SeBackupPrivilege	3932	WMIC.exe
Token: SeRestorePrivilege	3932	WMIC.exe
Token: SeShutdownPrivilege	3932	WMIC.exe
Token: SeDebugPrivilege	3932	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3932	WMIC.exe
Token: SeRemoteShutdownPrivilege	3932	WMIC.exe
Token: SeUndockPrivilege	3932	WMIC.exe
Token: SeManageVolumePrivilege	3932	WMIC.exe
Token: 33	3932	WMIC.exe
Token: 34	3932	WMIC.exe
Token: 35	3932	WMIC.exe
Token: 36	3932	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3932	WMIC.exe
Token: SeSecurityPrivilege	3932	WMIC.exe
Token: SeTakeOwnershipPrivilege	3932	WMIC.exe
Token: SeLoadDriverPrivilege	3932	WMIC.exe
Token: SeSystemProfilePrivilege	3932	WMIC.exe
Token: SeSystemtimePrivilege	3932	WMIC.exe
Token: SeProfSingleProcessPrivilege	3932	WMIC.exe
Token: SeIncBasePriorityPrivilege	3932	WMIC.exe
Token: SeCreatePagefilePrivilege	3932	WMIC.exe
Token: SeBackupPrivilege	3932	WMIC.exe
Token: SeRestorePrivilege	3932	WMIC.exe
Token: SeShutdownPrivilege	3932	WMIC.exe
Token: SeDebugPrivilege	3932	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3932	WMIC.exe
Token: SeRemoteShutdownPrivilege	3932	WMIC.exe
Token: SeUndockPrivilege	3932	WMIC.exe
Token: SeManageVolumePrivilege	3932	WMIC.exe
Token: 33	3932	WMIC.exe
Token: 34	3932	WMIC.exe
Token: 35	3932	WMIC.exe
Token: 36	3932	WMIC.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 392	824	c1853b7f39c854c19408c29f02fb13b883edcde8d61bd.exe	85
PID 824 wrote to memory of 392	824	c1853b7f39c854c19408c29f02fb13b883edcde8d61bd.exe	85
PID 392 wrote to memory of 3924	392	powershell.exe	87
PID 392 wrote to memory of 3924	392	powershell.exe	87
PID 824 wrote to memory of 1276	824	c1853b7f39c854c19408c29f02fb13b883edcde8d61bd.exe	88
PID 824 wrote to memory of 1276	824	c1853b7f39c854c19408c29f02fb13b883edcde8d61bd.exe	88
PID 1276 wrote to memory of 3752	1276	powershell.exe	90
PID 1276 wrote to memory of 3752	1276	powershell.exe	90
PID 824 wrote to memory of 5012	824	c1853b7f39c854c19408c29f02fb13b883edcde8d61bd.exe	91
PID 824 wrote to memory of 5012	824	c1853b7f39c854c19408c29f02fb13b883edcde8d61bd.exe	91
PID 5012 wrote to memory of 1388	5012	powershell.exe	93
PID 5012 wrote to memory of 1388	5012	powershell.exe	93
PID 824 wrote to memory of 4396	824	c1853b7f39c854c19408c29f02fb13b883edcde8d61bd.exe	94
PID 824 wrote to memory of 4396	824	c1853b7f39c854c19408c29f02fb13b883edcde8d61bd.exe	94
PID 4396 wrote to memory of 3932	4396	cmd.exe	96
PID 4396 wrote to memory of 3932	4396	cmd.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c1853b7f39c854c19408c29f02fb13b883edcde8d61bd.exe
"C:\Users\Admin\AppData\Local\Temp\c1853b7f39c854c19408c29f02fb13b883edcde8d61bd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
    3⤵
    - Creates scheduled task(s)
    PID:3924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
    3⤵
    - Creates scheduled task(s)
    PID:3752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
    3⤵
    - Creates scheduled task(s)
    PID:1388
- C:\Windows\system32\cmd.exe
  cmd.exe /c "wmic csproduct get uuid"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4396
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3932

C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
1⤵
- Executes dropped EXE
PID:3392
- C:\Windows\system32\cmd.exe
  cmd.exe /c "wmic csproduct get uuid"
  2⤵
  PID:788
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:1508

C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
1⤵
PID:4436

C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
1⤵
- Executes dropped EXE
PID:4896
- C:\Windows\system32\cmd.exe
  cmd.exe /c "wmic csproduct get uuid"
  2⤵
  PID:2876
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:2400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
235a8eb126d835efb2e253459ab8b089

SHA1
293fbf68e6726a5a230c3a42624c01899e35a89f

SHA256
5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686

SHA512
a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe

Filesize
987.2MB

MD5
cae0753df0aa612c594d3065a006f493

SHA1
d649f8ad1fd4ece6c5f16c76717c41d0e727babc

SHA256
eebea9eb677afb777bd3bf18b24a83d53ca1eebd61b075ca67641eedebc77958

SHA512
f15e49bdf44a263452f26497915311417a0fef682728ad1abfad33f9a4f7e7ad710c42905d7c207335a7533f55fbaaa41673d5d515f2b11392c0f0211353a285

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe

Filesize
214.1MB

MD5
00d9033184fef025263fadf0c3e059ec

SHA1
d6079d123d564876145e519fa453784bcdd28d76

SHA256
e49a0fc1b9453a65738f37ac2c8c6954a47ed4475ccc80abefd5cb54aefdd925

SHA512
597db9579d7b3434ad48f17ee725fd01aab544fe70e2a99d0e5fece59285a14dc1a06ee3c163c942dd2ad40cbd75ff9f060d224d575886ec71877006c0ae1c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe

Filesize
214.1MB

MD5
f56487ea10c9d4c6e487df7b71201c22

SHA1
91edf9e14a2f28fe6440cbd8a7993b19626f8135

SHA256
003bfb299790c5d1d6756e0768884f394fa9db6a53b61816672427570594abd3

SHA512
68e8462c5bf3ff3fbfab5b76fd88c968f86338fb525dbd7c816bbecbb3053178b29ed19b785732bbf36ae7ead0d88e75625b45a2b920394fbfd583373d0973e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wtrjmwkh.ulm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe

Filesize
224.0MB

MD5
8c0059bd321606c47eef018e5052adf5

SHA1
e36e435b710350a1baabe0b1e89a8f057757af1a

SHA256
e912cb9ad7cc159f0833c852e163cf15e28f7147bc4cfc20b2973bb70b8daf3c

SHA512
4d596d30daea93997c3a5227438446f53c57eec066afdbb830b969da2ddbf7ecf9a4141e83d77af34e3c08b22e0a575f635dd71cbdc92affae1bbfedc1c762c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe

Filesize
216.5MB

MD5
f179aef687aefe6b36b0d1be8af24bd1

SHA1
94c596db5fd8e3a75d0e046c2ca42442ef9edbc5

SHA256
e6c91b6ca466a1c5e9e7c8abd181d861bb4a72ee6f708e8c27ad692009d9c7eb

SHA512
2b92a85bfc836cabebea7f7e99355dac297355afbd1bcb967259b6b98a4cec588178b08948cdcb4c69b8575484eb454f26912f4721d9cdc3fca0007ce1f6dda5

Download Submit
memory/392-147-0x000001C759B80000-0x000001C759B90000-memory.dmp

Filesize
64KB

Download
memory/392-140-0x000001C741570000-0x000001C741592000-memory.dmp

Filesize
136KB

Download
memory/392-146-0x000001C759B80000-0x000001C759B90000-memory.dmp

Filesize
64KB

Download
memory/392-145-0x000001C759B80000-0x000001C759B90000-memory.dmp

Filesize
64KB

Download