81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4

General

Target

81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe
Size

727KB
MD5

53d2bc3100160eded9a20ef1076687ed
SHA1

1c2d8bd19c921872e27662f36436bfec68712b8a
SHA256

81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4
SHA512

bc5e6cf2d3b3d3c8373b9ea0ba593ea4b94d5faadb6e04c0b05e3c346fc22ee3d10fcc92008c55c8f493864fcf89205aeb5265d166f1e488a927a87ad6d14417
SSDEEP

12288:I//o5HC8btqqqKmP0E8HVNqLhYh+mtKqDmPEsTHNxfw:8kqTKy8HAwVasQw

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2584	RuntimeBroker.exe

Loads dropped DLL 1 IoCs

pid	Process
2816	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2860	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2088	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe
2088	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe
2088	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2088	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe
Token: SeDebugPrivilege	2584	RuntimeBroker.exe
Token: SeDebugPrivilege	2584	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2816	2088	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe	32
PID 2088 wrote to memory of 2816	2088	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe	32
PID 2088 wrote to memory of 2816	2088	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe	32
PID 2088 wrote to memory of 2816	2088	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe	32
PID 2816 wrote to memory of 2860	2816	cmd.exe	34
PID 2816 wrote to memory of 2860	2816	cmd.exe	34
PID 2816 wrote to memory of 2860	2816	cmd.exe	34
PID 2816 wrote to memory of 2860	2816	cmd.exe	34
PID 2816 wrote to memory of 2584	2816	cmd.exe	35
PID 2816 wrote to memory of 2584	2816	cmd.exe	35
PID 2816 wrote to memory of 2584	2816	cmd.exe	35
PID 2816 wrote to memory of 2584	2816	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe
"C:\Users\Admin\AppData\Local\Temp\81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp213.tmp.bat""
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2860
- - C:\Users\Public\RuntimeBroker.exe
    "C:\Users\Public\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp213.tmp.bat

Filesize
141B

MD5
619b4cb6692817dfe10e6c34da97f8f6

SHA1
b7bf6ade39fbe3d673513115b9e12afd070df5aa

SHA256
c31811e6b25eb62903b3068cc7a9a53988588f5bc6a86b575af5c26071140f9f

SHA512
c730ba5e01c7a1986784bd00ecfbfe08e2758082c1b90bc709cee629da4cb5b76baef0d73cac02d4395b20572727c6b52b34c10084a2d7b9bc793d7b3edd1c6d

Download Submit
\Users\Public\RuntimeBroker.exe

Filesize
727KB

MD5
53d2bc3100160eded9a20ef1076687ed

SHA1
1c2d8bd19c921872e27662f36436bfec68712b8a

SHA256
81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4

SHA512
bc5e6cf2d3b3d3c8373b9ea0ba593ea4b94d5faadb6e04c0b05e3c346fc22ee3d10fcc92008c55c8f493864fcf89205aeb5265d166f1e488a927a87ad6d14417

Download Submit
memory/2088-3-0x0000000074C40000-0x000000007532E000-memory.dmp

Filesize
6.9MB

Download
memory/2088-0-0x0000000074C4E000-0x0000000074C4F000-memory.dmp

Filesize
4KB

Download
memory/2088-4-0x000000000D780000-0x000000000D8DE000-memory.dmp

Filesize
1.4MB

Download
memory/2088-5-0x0000000000550000-0x0000000000556000-memory.dmp

Filesize
24KB

Download
memory/2088-2-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/2088-15-0x0000000074C40000-0x000000007532E000-memory.dmp

Filesize
6.9MB

Download
memory/2088-1-0x0000000000180000-0x000000000023C000-memory.dmp

Filesize
752KB

Download
memory/2584-19-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download
memory/2584-20-0x0000000001160000-0x000000000121C000-memory.dmp

Filesize
752KB

Download
memory/2584-21-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download
memory/2584-22-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing