Analysis

max time kernel: 95s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/09/2024, 07:08
Static task: static1
Behavioral task: behavioral1
Sample: RustAnticheat.exe
Resource: win7-20240903-en
General

Target: RustAnticheat.exe
Size: 1.1MB
MD5: f6f5e5a1dd30fb5fa22f220ecbe1b05a
SHA1: c04279611affa2129b36332b2f748b842cd0e7a7
SHA256: 5bf57a09e808187117a444d16d5145fe8cd5064aaecb383d16a1b0336fe618c4
SHA512: 730d5719d50148ae79a28d70f2cd102ba260560cdb141aad7d31066453f9ad6cfe8a36a46da9d162a122dec5a5d1685879a4f5b0adef48677daa7168717cb1ff
SSDEEP: 24576:32oxfnX+1FmWYQw00hlKAv65/9KlH8XbF1A/t30TuG/m+V54/6AH1Ba:3L5nXumWYCTsCKlcXbU/tjGg/6AV
Malware Config

Extracted: xworm
C2: web-amend.gl.at.ply.gg:59501
Install_directory: %Userprofile%
install_file: USB.exe
Signatures

Detect Umbral payload (2 IoCs)
- yara_rule family_umbral: behavioral2/files/0x000700000002342f-61.dat
- yara_rule family_umbral: behavioral2/memory/1684-89-0x00000201B64C0000-0x00000201B6500000-memory.dmp

Detect Xworm Payload (2 IoCs)
- yara_rule family_xworm: behavioral2/files/0x000700000002342e-34.dat
- yara_rule family_xworm: behavioral2/memory/3316-91-0x0000000000210000-0x000000000022C000-memory.dmp

Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- PID 768 powershell.exe
- PID 2748 powershell.exe
- PID 3992 powershell.exe
- PID 2212 powershell.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation (RustAnticheat.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation (RuntimeBroker.exe)

Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk (RuntimeBroker.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk (RuntimeBroker.exe)

Executes dropped EXE (4 IoCs)
- PID 5064 Loader (1).exe
- PID 3316 RuntimeBroker.exe
- PID 1684 Umbral1.exe
- PID 5028 RuntimeBroker

Adds Run key to start application (2 TTPs, 1 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "C:\\Users\\Admin\\RuntimeBroker" (RuntimeBroker.exe)

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 8: ip-api.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Loader (1).exe)
Delays execution with timeout.exe (1 IoCs)
- PID 3356 timeout.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 404 schtasks.exe

Suspicious behavior: EnumeratesProcesses (9 IoCs)
- PID 3992 powershell.exe (2 entries)
- PID 2212 powershell.exe (2 entries)
- PID 768 powershell.exe (2 entries)
- PID 2748 powershell.exe (2 entries)
- PID 3316 RuntimeBroker.exe
Suspicious use of AdjustPrivilegeToken (50 IoCs)
- PID 3316 RuntimeBroker.exe: SeDebugPrivilege
- PID 1684 Umbral1.exe: SeDebugPrivilege
- PID 2340 wmic.exe (the following sequence is recorded twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- PID 3992 powershell.exe: SeDebugPrivilege
- PID 2212 powershell.exe: SeDebugPrivilege
- PID 768 powershell.exe: SeDebugPrivilege
- PID 2748 powershell.exe: SeDebugPrivilege
- PID 3316 RuntimeBroker.exe: SeDebugPrivilege
- PID 5028 RuntimeBroker: SeDebugPrivilege
Suspicious use of SetWindowsHookEx (1 IoCs)
- PID 3316 RuntimeBroker.exe

Suspicious use of WriteProcessMemory (25 IoCs)
- PID 3424 RustAnticheat.exe wrote to memory of PID 5064 (procid_target 82; 3 entries), PID 3316 (procid_target 83; 2 entries), PID 1684 (procid_target 84; 2 entries)
- PID 1684 Umbral1.exe wrote to memory of PID 2340 (procid_target 85; 2 entries)
- PID 3316 RuntimeBroker.exe wrote to memory of PID 3992 (procid_target 90), 2212 (92), 768 (94), 2748 (96), 404 (98), 4144 (109), 1016 (111); 2 entries each
- PID 1016 cmd.exe wrote to memory of PID 3356 (procid_target 113; 2 entries)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\RustAnticheat.exe (PID 3424)
  command line: "C:\Users\Admin\AppData\Local\Temp\RustAnticheat.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\Loader (1).exe (PID 5064)
    command line: "C:\Users\Admin\Loader (1).exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

  C:\Users\Admin\RuntimeBroker.exe (PID 3316)
    command line: "C:\Users\Admin\RuntimeBroker.exe"
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3992)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\RuntimeBroker.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2212)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 768)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\RuntimeBroker'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2748)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\schtasks.exe (PID 404)
      command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RuntimeBroker" /tr "C:\Users\Admin\RuntimeBroker"
      - Scheduled Task/Job: Scheduled Task

    C:\Windows\System32\schtasks.exe (PID 4144)
      command line: "C:\Windows\System32\schtasks.exe" /delete /f /tn "RuntimeBroker"

    C:\Windows\system32\cmd.exe (PID 1016)
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD9E0.tmp.bat""
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\timeout.exe (PID 3356)
        command line: timeout 3
        - Delays execution with timeout.exe

  C:\Users\Admin\Umbral1.exe (PID 1684)
    command line: "C:\Users\Admin\Umbral1.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\wmic.exe (PID 2340)
      command line: "wmic.exe" csproduct get uuid
      - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\RuntimeBroker (PID 5028)
  command line: C:\Users\Admin\RuntimeBroker
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network

MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads