81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4

General

Target

81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe
Size

727KB
MD5

53d2bc3100160eded9a20ef1076687ed
SHA1

1c2d8bd19c921872e27662f36436bfec68712b8a
SHA256

81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4
SHA512

bc5e6cf2d3b3d3c8373b9ea0ba593ea4b94d5faadb6e04c0b05e3c346fc22ee3d10fcc92008c55c8f493864fcf89205aeb5265d166f1e488a927a87ad6d14417
SSDEEP

12288:I//o5HC8btqqqKmP0E8HVNqLhYh+mtKqDmPEsTHNxfw:8kqTKy8HAwVasQw

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2396	RuntimeBroker.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
64	timeout.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
4228	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe
4228	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe
4228	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe
4228	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe
4228	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe
4228	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe
4228	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe
4228	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe
4228	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe
4228	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe
4228	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe
4228	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe
4228	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe
4228	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe
4228	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe
4228	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe
4228	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe
4228	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe
4228	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe
4228	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe
4228	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe
4228	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe
4228	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4228	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe
Token: SeDebugPrivilege	2396	RuntimeBroker.exe
Token: SeDebugPrivilege	2396	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4228 wrote to memory of 3680	4228	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe	91
PID 4228 wrote to memory of 3680	4228	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe	91
PID 4228 wrote to memory of 3680	4228	81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe	91
PID 3680 wrote to memory of 64	3680	cmd.exe	93
PID 3680 wrote to memory of 64	3680	cmd.exe	93
PID 3680 wrote to memory of 64	3680	cmd.exe	93
PID 3680 wrote to memory of 2396	3680	cmd.exe	95
PID 3680 wrote to memory of 2396	3680	cmd.exe	95
PID 3680 wrote to memory of 2396	3680	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe
"C:\Users\Admin\AppData\Local\Temp\81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9E92.tmp.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:64
- - C:\Users\Public\RuntimeBroker.exe
    "C:\Users\Public\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9E92.tmp.bat

Filesize
142B

MD5
f675ef70d6f74fa4fdcc65d640c0db11

SHA1
4151c18d6da21017d8c56a8dd34c2afc63c6592d

SHA256
d2cf80ae78ccb7e257e9fc98bb51efa51a52c4e0a7a33c7b39daf5719e05ed31

SHA512
0eb59c2415460124ae36780eb7626d8e27da35d9daed7f3f7a514f04fdef4c72aea95b30f7e897efdc3ef9fe39a4c72d68515be6fca298164c196884d979653d

Download Submit
C:\Users\Public\RuntimeBroker.exe

Filesize
727KB

MD5
53d2bc3100160eded9a20ef1076687ed

SHA1
1c2d8bd19c921872e27662f36436bfec68712b8a

SHA256
81f069c4d7744588c4df0519a1b1e84dfd58a68232753726c103266a037ed6d4

SHA512
bc5e6cf2d3b3d3c8373b9ea0ba593ea4b94d5faadb6e04c0b05e3c346fc22ee3d10fcc92008c55c8f493864fcf89205aeb5265d166f1e488a927a87ad6d14417

Download Submit
memory/2396-18-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/2396-17-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/4228-6-0x00000000079B0000-0x0000000007A16000-memory.dmp

Filesize
408KB

Download
memory/4228-5-0x0000000002CB0000-0x0000000002CB6000-memory.dmp

Filesize
24KB

Download
memory/4228-0-0x0000000074EEE000-0x0000000074EEF000-memory.dmp

Filesize
4KB

Download
memory/4228-7-0x00000000082C0000-0x000000000835C000-memory.dmp

Filesize
624KB

Download
memory/4228-4-0x000000000DED0000-0x000000000E02E000-memory.dmp

Filesize
1.4MB

Download
memory/4228-12-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/4228-3-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/4228-2-0x0000000005290000-0x0000000005296000-memory.dmp

Filesize
24KB

Download
memory/4228-1-0x00000000008B0000-0x000000000096C000-memory.dmp

Filesize
752KB

Download

Analysis

Sharing