bec45de531ea05bf558a58b477fa85b91f347cb203eb753579c3cebcedccbf31

General

Target

868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe
Size

180KB
MD5

4f333b5a74e464d8fd46fe49bedc760e
SHA1

110588bfa2559e700564af03db5cf851be5ac3d3
SHA256

868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d
SHA512

5ea9dbfae7dcf16f38aa0b064dd51cb7f6d398d5bb38b0877e9c7bf6b676151c01828c030d9d2f03707366651a66a3df39985aea43528baea55e79e83f784baf
SSDEEP

3072:AK3fycY2pTpIb42etB/RpH5pXZOaXqmmgDXnkUrsK0GEx4FvPA+LjpgKab8iPt9G:9r9GE7PH3XZ84kUuVxG7Hpg3f9dO+

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe

Drops startup file 3 IoCs

Processes:

Runtime Broker.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe	Runtime Broker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe	Runtime Broker.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.url	Runtime Broker.exe

Executes dropped EXE 1 IoCs

Processes:

Runtime Broker.exe

pid process

3584 Runtime Broker.exe

pid	process
3584	Runtime Broker.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Runtime Broker.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Broker.exe = "\"C:\\ProgramData\\Runtime Broker.exe\" .."	Runtime Broker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Broker.exe = "\"C:\\ProgramData\\Runtime Broker.exe\" .."	Runtime Broker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Drops file in System32 directory 1 IoCs

Processes:

868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe

description ioc process

File created C:\windows\system32\6molin.exe 868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 4 IoCs
evasion

Processes:

TASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exe

pid process

3680 TASKKILL.exe
1128 TASKKILL.exe
1840 TASKKILL.exe
1164 TASKKILL.exe

description	ioc	process
File created	C:\windows\system32\6molin.exe	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe

pid	process
3680	TASKKILL.exe
1128	TASKKILL.exe
1840	TASKKILL.exe
1164	TASKKILL.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exeRuntime Broker.exe

pid	process
1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe
1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe
1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe
1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe
1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe
1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe
1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe
1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe
1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe
1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe
1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe
1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe
1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe
1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe
1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe
1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe
1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe
1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe
1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe
1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe
1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe
1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe
1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe
1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe
1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe
1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe
1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe
1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe
1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe
3584	Runtime Broker.exe
3584	Runtime Broker.exe
3584	Runtime Broker.exe
3584	Runtime Broker.exe
3584	Runtime Broker.exe
3584	Runtime Broker.exe
3584	Runtime Broker.exe
3584	Runtime Broker.exe
3584	Runtime Broker.exe
3584	Runtime Broker.exe
3584	Runtime Broker.exe
3584	Runtime Broker.exe
3584	Runtime Broker.exe
3584	Runtime Broker.exe
3584	Runtime Broker.exe
3584	Runtime Broker.exe
3584	Runtime Broker.exe
3584	Runtime Broker.exe
3584	Runtime Broker.exe
3584	Runtime Broker.exe
3584	Runtime Broker.exe
3584	Runtime Broker.exe
3584	Runtime Broker.exe
3584	Runtime Broker.exe
3584	Runtime Broker.exe
3584	Runtime Broker.exe
3584	Runtime Broker.exe
3584	Runtime Broker.exe
3584	Runtime Broker.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exeTASKKILL.exeTASKKILL.exeRuntime Broker.exeTASKKILL.exeTASKKILL.exe

description	pid	process
Token: SeDebugPrivilege	1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe
Token: SeDebugPrivilege	1128	TASKKILL.exe
Token: SeDebugPrivilege	3680	TASKKILL.exe
Token: SeDebugPrivilege	3584	Runtime Broker.exe
Token: SeDebugPrivilege	1164	TASKKILL.exe
Token: SeDebugPrivilege	1840	TASKKILL.exe
Token: 33	3584	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	3584	Runtime Broker.exe
Token: 33	3584	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	3584	Runtime Broker.exe
Token: 33	3584	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	3584	Runtime Broker.exe
Token: 33	3584	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	3584	Runtime Broker.exe
Token: 33	3584	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	3584	Runtime Broker.exe
Token: 33	3584	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	3584	Runtime Broker.exe
Token: 33	3584	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	3584	Runtime Broker.exe
Token: 33	3584	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	3584	Runtime Broker.exe
Token: 33	3584	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	3584	Runtime Broker.exe
Token: 33	3584	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	3584	Runtime Broker.exe
Token: 33	3584	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	3584	Runtime Broker.exe
Token: 33	3584	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	3584	Runtime Broker.exe
Token: 33	3584	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	3584	Runtime Broker.exe
Token: 33	3584	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	3584	Runtime Broker.exe
Token: 33	3584	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	3584	Runtime Broker.exe
Token: 33	3584	Runtime Broker.exe
Token: SeIncBasePriorityPrivilege	3584	Runtime Broker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exeRuntime Broker.execmd.exe

description	pid	process	target process
PID 1340 wrote to memory of 3680	1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe	TASKKILL.exe
PID 1340 wrote to memory of 3680	1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe	TASKKILL.exe
PID 1340 wrote to memory of 1128	1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe	TASKKILL.exe
PID 1340 wrote to memory of 1128	1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe	TASKKILL.exe
PID 1340 wrote to memory of 3584	1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe	Runtime Broker.exe
PID 1340 wrote to memory of 3584	1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe	Runtime Broker.exe
PID 1340 wrote to memory of 2520	1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe	cmd.exe
PID 1340 wrote to memory of 2520	1340	868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe	cmd.exe
PID 3584 wrote to memory of 1164	3584	Runtime Broker.exe	TASKKILL.exe
PID 3584 wrote to memory of 1164	3584	Runtime Broker.exe	TASKKILL.exe
PID 3584 wrote to memory of 1840	3584	Runtime Broker.exe	TASKKILL.exe
PID 3584 wrote to memory of 1840	3584	Runtime Broker.exe	TASKKILL.exe
PID 2520 wrote to memory of 400	2520	cmd.exe	choice.exe
PID 2520 wrote to memory of 400	2520	cmd.exe	choice.exe
PID 3584 wrote to memory of 3768	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 3768	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 760	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 760	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 4892	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 4892	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 4684	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 4684	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 1792	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 1792	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 3832	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 3832	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 1116	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 1116	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 1348	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 1348	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 4268	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 4268	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 1176	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 1176	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 452	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 452	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 1416	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 1416	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 3604	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 3604	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 3932	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 3932	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 3040	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 3040	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 1180	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 1180	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 1988	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 1988	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 4476	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 4476	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 2088	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 2088	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 4328	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 4328	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 3440	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 3440	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 1788	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 1788	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 4984	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 4984	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 5024	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 5024	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 3336	3584	Runtime Broker.exe	attrib.exe
PID 3584 wrote to memory of 3336	3584	Runtime Broker.exe	attrib.exe

Views/modifies file attributes 1 TTPs 28 IoCs

evasion

Hidden Files and Directories

T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
452	attrib.exe
3040	attrib.exe
1180	attrib.exe
2088	attrib.exe
1348	attrib.exe
1176	attrib.exe
3604	attrib.exe
3932	attrib.exe
4892	attrib.exe
3832	attrib.exe
1116	attrib.exe
4684	attrib.exe
3440	attrib.exe
4984	attrib.exe
4492	attrib.exe
4328	attrib.exe
1788	attrib.exe
5024	attrib.exe
3768	attrib.exe
1792	attrib.exe
1416	attrib.exe
1988	attrib.exe
4268	attrib.exe
3336	attrib.exe
760	attrib.exe
4476	attrib.exe
4204	attrib.exe
3692	attrib.exe

C:\Users\Admin\AppData\Local\Temp\868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe
"C:\Users\Admin\AppData\Local\Temp\868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\SYSTEM32\TASKKILL.exe
TASKKILL /F /IM wscript.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Windows\SYSTEM32\TASKKILL.exe
TASKKILL /F /IM cmd.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\ProgramData\Runtime Broker.exe
"C:\ProgramData\Runtime Broker.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3584

C:\Windows\SYSTEM32\TASKKILL.exe
TASKKILL /F /IM cmd.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Windows\SYSTEM32\TASKKILL.exe
TASKKILL /F /IM wscript.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:3768

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:760

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:4892

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:4684

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:1792

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:3832

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:1116

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:1348

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:4268

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:1176

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:452

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:1416

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:3604

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:3932

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:3040

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:1180

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:1988

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:4476

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:2088

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:4328

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:3440

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:1788

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:4984

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:5024

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:3336

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:4204

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:4492

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\ProgramData\Runtime Broker.exe"
3⤵
- Views/modifies file attributes
PID:3692

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 5
3⤵
PID:400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Runtime Broker.exe
Filesize
180KB

MD5
4f333b5a74e464d8fd46fe49bedc760e

SHA1
110588bfa2559e700564af03db5cf851be5ac3d3

SHA256
868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d

SHA512
5ea9dbfae7dcf16f38aa0b064dd51cb7f6d398d5bb38b0877e9c7bf6b676151c01828c030d9d2f03707366651a66a3df39985aea43528baea55e79e83f784baf

Download Submit
C:\ProgramData\Runtime Broker.exe
Filesize
180KB

MD5
4f333b5a74e464d8fd46fe49bedc760e

SHA1
110588bfa2559e700564af03db5cf851be5ac3d3

SHA256
868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d

SHA512
5ea9dbfae7dcf16f38aa0b064dd51cb7f6d398d5bb38b0877e9c7bf6b676151c01828c030d9d2f03707366651a66a3df39985aea43528baea55e79e83f784baf

Download Submit
C:\ProgramData\Runtime Broker.exe
Filesize
180KB

MD5
4f333b5a74e464d8fd46fe49bedc760e

SHA1
110588bfa2559e700564af03db5cf851be5ac3d3

SHA256
868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d

SHA512
5ea9dbfae7dcf16f38aa0b064dd51cb7f6d398d5bb38b0877e9c7bf6b676151c01828c030d9d2f03707366651a66a3df39985aea43528baea55e79e83f784baf

Download Submit
memory/1340-133-0x0000000000A90000-0x0000000000AC4000-memory.dmp

Filesize
208KB

Download
memory/1340-136-0x000000001B7B0000-0x000000001B7C0000-memory.dmp

Filesize
64KB

Download
memory/3584-153-0x000000001B440000-0x000000001B450000-memory.dmp

Filesize
64KB

Download
memory/3584-149-0x000000001B440000-0x000000001B450000-memory.dmp

Filesize
64KB

Download
memory/3584-154-0x000000001B440000-0x000000001B450000-memory.dmp

Filesize
64KB

Download
memory/3584-155-0x000000001B440000-0x000000001B450000-memory.dmp

Filesize
64KB

Download
memory/3584-156-0x000000001B440000-0x000000001B450000-memory.dmp

Filesize
64KB

Download
memory/3584-157-0x000000001B440000-0x000000001B450000-memory.dmp

Filesize
64KB

Download
memory/3584-158-0x000000001B440000-0x000000001B450000-memory.dmp

Filesize
64KB

Download
memory/3584-159-0x000000001B440000-0x000000001B450000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads