868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d

General

Target

868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe
Size

180KB
MD5

4f333b5a74e464d8fd46fe49bedc760e
SHA1

110588bfa2559e700564af03db5cf851be5ac3d3
SHA256

868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d
SHA512

5ea9dbfae7dcf16f38aa0b064dd51cb7f6d398d5bb38b0877e9c7bf6b676151c01828c030d9d2f03707366651a66a3df39985aea43528baea55e79e83f784baf
SSDEEP

3072:AK3fycY2pTpIb42etB/RpH5pXZOaXqmmgDXnkUrsK0GEx4FvPA+LjpgKab8iPt9G:9r9GE7PH3XZ84kUuVxG7Hpg3f9dO+

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe

Drops startup file 3 IoCs

Processes:

Runtime Broker.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe	Runtime Broker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe	Runtime Broker.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.url	Runtime Broker.exe

Executes dropped EXE 1 IoCs

Processes:

Runtime Broker.exe

pid process

568 Runtime Broker.exe

pid	process
568	Runtime Broker.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Runtime Broker.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Broker.exe = "\"C:\\ProgramData\\Runtime Broker.exe\" .."	Runtime Broker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Broker.exe = "\"C:\\ProgramData\\Runtime Broker.exe\" .."	Runtime Broker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Drops file in System32 directory 1 IoCs

Processes:

868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe

description ioc process

File created C:\windows\system32\noyb6-.exe 868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 4 IoCs
evasion

Processes:

TASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exe

pid process

4888 TASKKILL.exe
3348 TASKKILL.exe
820 TASKKILL.exe
3684 TASKKILL.exe

description	ioc	process
File created	C:\windows\system32\noyb6-.exe	868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe

pid	process
4888	TASKKILL.exe
3348	TASKKILL.exe
820	TASKKILL.exe
3684	TASKKILL.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exeRuntime Broker.exe

pid	process
4816	868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe
4816	868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe
4816	868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe
4816	868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe
4816	868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe
4816	868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe
4816	868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe
4816	868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe
4816	868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe
4816	868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe
4816	868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe
4816	868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe
4816	868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe
4816	868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe
4816	868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe
4816	868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe
4816	868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe
4816	868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe
4816	868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe
4816	868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe
4816	868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe
4816	868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe
4816	868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe
4816	868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe
4816	868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe
568	Runtime Broker.exe
568	Runtime Broker.exe
568	Runtime Broker.exe
568	Runtime Broker.exe
568	Runtime Broker.exe
568	Runtime Broker.exe
568	Runtime Broker.exe
568	Runtime Broker.exe
568	Runtime Broker.exe
568	Runtime Broker.exe
568	Runtime Broker.exe
568	Runtime Broker.exe
568	Runtime Broker.exe
568	Runtime Broker.exe
568	Runtime Broker.exe
568	Runtime Broker.exe
568	Runtime Broker.exe
568	Runtime Broker.exe
568	Runtime Broker.exe
568	Runtime Broker.exe
568	Runtime Broker.exe
568	Runtime Broker.exe
568	Runtime Broker.exe
568	Runtime Broker.exe
568	Runtime Broker.exe
568	Runtime Broker.exe
568	Runtime Broker.exe
568	Runtime Broker.exe
568	Runtime Broker.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exeTASKKILL.exeTASKKILL.exeRuntime Broker.exeTASKKILL.exeTASKKILL.exe

description	pid	process
Token: SeDebugPrivilege	4816	868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe
Token: SeDebugPrivilege	4888	TASKKILL.exe
Token: SeDebugPrivilege	3348	TASKKILL.exe
Token: SeDebugPrivilege	568	Runtime Broker.exe
Token: SeDebugPrivilege	820	TASKKILL.exe
Token: SeDebugPrivilege	3684	TASKKILL.exe
Token: 33	568	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	568	Runtime Broker.exe
Token: 33	568	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	568	Runtime Broker.exe
Token: 33	568	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	568	Runtime Broker.exe
Token: 33	568	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	568	Runtime Broker.exe
Token: 33	568	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	568	Runtime Broker.exe
Token: 33	568	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	568	Runtime Broker.exe
Token: 33	568	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	568	Runtime Broker.exe
Token: 33	568	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	568	Runtime Broker.exe
Token: 33	568	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	568	Runtime Broker.exe
Token: 33	568	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	568	Runtime Broker.exe
Token: 33	568	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	568	Runtime Broker.exe
Token: 33	568	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	568	Runtime Broker.exe
Token: 33	568	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	568	Runtime Broker.exe
Token: 33	568	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	568	Runtime Broker.exe
Token: 33	568	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	568	Runtime Broker.exe
Token: 33	568	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	568	Runtime Broker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exeRuntime Broker.execmd.exe

description	pid	process	target process
PID 4816 wrote to memory of 4888	4816	868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe	TASKKILL.exe
PID 4816 wrote to memory of 4888	4816	868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe	TASKKILL.exe
PID 4816 wrote to memory of 3348	4816	868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe	TASKKILL.exe
PID 4816 wrote to memory of 3348	4816	868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe	TASKKILL.exe
PID 4816 wrote to memory of 568	4816	868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe	Runtime Broker.exe
PID 4816 wrote to memory of 568	4816	868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe	Runtime Broker.exe
PID 4816 wrote to memory of 3544	4816	868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe	cmd.exe
PID 4816 wrote to memory of 3544	4816	868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe	cmd.exe
PID 568 wrote to memory of 820	568	Runtime Broker.exe	TASKKILL.exe
PID 568 wrote to memory of 820	568	Runtime Broker.exe	TASKKILL.exe
PID 568 wrote to memory of 3684	568	Runtime Broker.exe	TASKKILL.exe
PID 568 wrote to memory of 3684	568	Runtime Broker.exe	TASKKILL.exe
PID 3544 wrote to memory of 4976	3544	cmd.exe	choice.exe
PID 3544 wrote to memory of 4976	3544	cmd.exe	choice.exe
PID 568 wrote to memory of 2484	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 2484	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 3216	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 3216	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 2604	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 2604	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 3320	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 3320	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 4460	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 4460	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 2616	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 2616	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 2248	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 2248	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 2144	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 2144	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 4904	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 4904	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 4864	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 4864	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 2184	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 2184	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 60	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 60	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 4376	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 4376	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 2748	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 2748	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 936	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 936	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 852	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 852	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 4876	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 4876	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 4704	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 4704	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 3212	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 3212	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 3380	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 3380	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 2956	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 2956	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 4804	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 4804	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 3168	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 3168	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 3224	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 3224	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 4064	568	Runtime Broker.exe	attrib.exe
PID 568 wrote to memory of 4064	568	Runtime Broker.exe	attrib.exe

Views/modifies file attributes 1 TTPs 28 IoCs

evasion

Hidden Files and Directories

T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
2144	attrib.exe
4904	attrib.exe
3380	attrib.exe
2604	attrib.exe
4460	attrib.exe
2616	attrib.exe
60	attrib.exe
2956	attrib.exe
4064	attrib.exe
2484	attrib.exe
4864	attrib.exe
3224	attrib.exe
1676	attrib.exe
3320	attrib.exe
852	attrib.exe
4804	attrib.exe
4376	attrib.exe
3216	attrib.exe
2248	attrib.exe
180	attrib.exe
4876	attrib.exe
4704	attrib.exe
3212	attrib.exe
3168	attrib.exe
2184	attrib.exe
2748	attrib.exe
936	attrib.exe
3476	attrib.exe

C:\Users\Admin\AppData\Local\Temp\868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe
"C:\Users\Admin\AppData\Local\Temp\868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4816

C:\Windows\SYSTEM32\TASKKILL.exe
TASKKILL /F /IM wscript.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Windows\SYSTEM32\TASKKILL.exe
TASKKILL /F /IM cmd.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3348

C:\ProgramData\Runtime Broker.exe
"C:\ProgramData\Runtime Broker.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\SYSTEM32\TASKKILL.exe
TASKKILL /F /IM wscript.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\SYSTEM32\TASKKILL.exe
TASKKILL /F /IM cmd.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3684

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:2484

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:3216

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:2604

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:3320

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:4460

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:2616

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:2248

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:2144

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:4904

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:4864

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:2184

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:60

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:4376

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:2748

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:936

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:852

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:4876

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:4704

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:3212

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:3380

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:2956

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:4804

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:3168

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:3224

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:4064

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:180

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:3476

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:1676

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3544

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 5
3⤵
PID:4976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Runtime Broker.exe
Filesize
180KB

MD5
4f333b5a74e464d8fd46fe49bedc760e

SHA1
110588bfa2559e700564af03db5cf851be5ac3d3

SHA256
868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d

SHA512
5ea9dbfae7dcf16f38aa0b064dd51cb7f6d398d5bb38b0877e9c7bf6b676151c01828c030d9d2f03707366651a66a3df39985aea43528baea55e79e83f784baf

Download Submit
C:\ProgramData\Runtime Broker.exe
Filesize
180KB

MD5
4f333b5a74e464d8fd46fe49bedc760e

SHA1
110588bfa2559e700564af03db5cf851be5ac3d3

SHA256
868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d

SHA512
5ea9dbfae7dcf16f38aa0b064dd51cb7f6d398d5bb38b0877e9c7bf6b676151c01828c030d9d2f03707366651a66a3df39985aea43528baea55e79e83f784baf

Download Submit
C:\ProgramData\Runtime Broker.exe
Filesize
180KB

MD5
4f333b5a74e464d8fd46fe49bedc760e

SHA1
110588bfa2559e700564af03db5cf851be5ac3d3

SHA256
868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d

SHA512
5ea9dbfae7dcf16f38aa0b064dd51cb7f6d398d5bb38b0877e9c7bf6b676151c01828c030d9d2f03707366651a66a3df39985aea43528baea55e79e83f784baf

Download Submit
memory/568-149-0x000000001AD80000-0x000000001AD90000-memory.dmp

Filesize
64KB

Download
memory/568-153-0x000000001AD80000-0x000000001AD90000-memory.dmp

Filesize
64KB

Download
memory/568-154-0x000000001AD80000-0x000000001AD90000-memory.dmp

Filesize
64KB

Download
memory/568-155-0x000000001AD80000-0x000000001AD90000-memory.dmp

Filesize
64KB

Download
memory/568-156-0x000000001AD80000-0x000000001AD90000-memory.dmp

Filesize
64KB

Download
memory/568-157-0x000000001AD80000-0x000000001AD90000-memory.dmp

Filesize
64KB

Download
memory/4816-133-0x0000000000E90000-0x0000000000EC4000-memory.dmp

Filesize
208KB

Download
memory/4816-134-0x0000000001420000-0x0000000001430000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads