Analysis
-
max time kernel
128s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
06-02-2023 18:33
Static task
static1
Behavioral task
behavioral1
Sample
RuntimeBroker.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
RuntimeBroker.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral3
Sample
info.txt
Resource
win7-20221111-en
Behavioral task
behavioral4
Sample
info.txt
Resource
win10v2004-20220901-en
Behavioral task
behavioral5
Sample
umpdc.dll
Resource
win7-20220812-en
Behavioral task
behavioral6
Sample
umpdc.dll
Resource
win10v2004-20221111-en
General
-
Target
RuntimeBroker.exe
-
Size
100KB
-
MD5
ba4cfe6461afa1004c52f19c8f2169dc
-
SHA1
ab8539ef6b2a93ff9589dec4b34a0257b6296c92
-
SHA256
e86870769ee6c797e09457bd99c58d9bf2303cf0193a24ef9b1222c2c3daf628
-
SHA512
2c5190d7609767237311260f241c619b82434ca640f396bb9710d356286844f82f320f9e05525a38707f2a52977790c0c3e2a217b36a7f0095a87c138b939af0
-
SSDEEP
1536:l5gC0wSKok6UAeVEBFgvozLmwCedFpQHI8PXjYlTx/2whBGE/5K5/EJD2VEUcO8h:sC+vEArBCgmejo8X/2whRJDAE2r+e
Malware Config
Extracted
cobaltstrike
987654321
http://45.12.253.139:443/an.js
-
access_type
512
-
beacon_type
2048
-
host
45.12.253.139,/an.js
-
http_header1
AAAAEAAAABpIb3N0OiBidXNpbmVzc3NlcnZpY2VzLmNvbQAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAKAAAAE0FjY2VwdC1FbmNvZGluZzogYnIAAAAKAAAAFkFjY2VwdC1MYW5ndWFnZTogZW4tVVMAAAAHAAAAAAAAAA0AAAADAAAAAgAAABp3b29jb21tZXJjZV9pdGVtc19pbl9jYXJ0PQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAAEAAAABpIb3N0OiBidXNpbmVzc3NlcnZpY2VzLmNvbQAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAKAAAAGUFjY2VwdC1FbmNvZGluZzogZ3ppcCwgYnIAAAAKAAAAL0NvbnRlbnQtVHlwZTogYXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVkAAAABwAAAAEAAAANAAAAAwAAAAIAAAAIZGV0YWlscz0AAAAEAAAABwAAAAAAAAADAAAAAgAAAA5fX3Nlc3Npb25fX2lkPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
9472
-
polling_time
55991
-
port_number
443
-
sc_process32
%windir%\syswow64\dllhost.exe
-
sc_process64
%windir%\sysnative\dllhost.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCMEuNG3asVOp+bgSmSog10bB55R9e+aj5dF2sVbnRjA/dTkltRdDD0DdF5vJh/gURBikZ4FxqqmfqR2SPAheOzDDrYvV7ScpwPkZe8IUd/DbJmPs30ST9SGHn+eLjTQQEU+I142t7yTsO7HCKf1CTDMHfS3PNoz3V8ivNRwL1aiQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
9.63976192e+08
-
unknown2
AAAABAAAAAIAAANxAAAAAwAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/ch
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/42.0.2311.135
-
watermark
987654321
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
Processes:
RuntimeBroker.exedescription pid process target process PID 4916 created 1032 4916 RuntimeBroker.exe Explorer.EXE PID 4916 created 1032 4916 RuntimeBroker.exe Explorer.EXE -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
reg.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftLibrary = "powershell.exe -noP -sta -w 1 Set-Location -Path $env:Public\\Libraries\\MicrosoftLibrary; Start-Process $env:Public\\Libraries\\MicrosoftLibrary\\RuntimeBroker.exe\"" reg.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run reg.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
RuntimeBroker.exepid process 4916 RuntimeBroker.exe 4916 RuntimeBroker.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
Processes:
RuntimeBroker.exepid process 4916 RuntimeBroker.exe 4916 RuntimeBroker.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
RuntimeBroker.execmd.exedescription pid process target process PID 4916 wrote to memory of 4812 4916 RuntimeBroker.exe wermgr.exe PID 4916 wrote to memory of 4812 4916 RuntimeBroker.exe wermgr.exe PID 4916 wrote to memory of 4812 4916 RuntimeBroker.exe wermgr.exe PID 4916 wrote to memory of 2488 4916 RuntimeBroker.exe cmd.exe PID 4916 wrote to memory of 2488 4916 RuntimeBroker.exe cmd.exe PID 4916 wrote to memory of 1620 4916 RuntimeBroker.exe schtasks.exe PID 4916 wrote to memory of 1620 4916 RuntimeBroker.exe schtasks.exe PID 2488 wrote to memory of 4704 2488 cmd.exe reg.exe PID 2488 wrote to memory of 4704 2488 cmd.exe reg.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe/C reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v MicrosoftLibrary /t REG_SZ /d "powershell.exe -noP -sta -w 1 Set-Location -Path $env:Public\Libraries\MicrosoftLibrary; Start-Process $env:Public\Libraries\MicrosoftLibrary\RuntimeBroker.exe"" /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v MicrosoftLibrary /t REG_SZ /d "powershell.exe -noP -sta -w 1 Set-Location -Path $env:Public\Libraries\MicrosoftLibrary; Start-Process $env:Public\Libraries\MicrosoftLibrary\RuntimeBroker.exe"" /f4⤵
- Adds Run key to start application
- Modifies registry key
-
C:\Windows\System32\schtasks.exe/F /Create /TN Microsoft_Library /sc minute /MO 80 /TR "powershell.exe -WindowStyle hidden -noP -sta -w 1 Set-Location -Path $env:Public\Libraries\MicrosoftLibrary; Start-Process $env:Public\Libraries\MicrosoftLibrary\RuntimeBroker.exe3⤵
- Creates scheduled task(s)
-
C:\windows\system32\wermgr.exe"C:\windows\system32\wermgr.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1620-137-0x0000000000000000-mapping.dmp
-
memory/2488-136-0x0000000000000000-mapping.dmp
-
memory/4704-138-0x0000000000000000-mapping.dmp
-
memory/4812-133-0x0000000000000000-mapping.dmp
-
memory/4812-134-0x00000125264D0000-0x0000012526514000-memory.dmpFilesize
272KB
-
memory/4812-135-0x0000012526800000-0x000001252687E000-memory.dmpFilesize
504KB
-
memory/4916-132-0x00007FF82E030000-0x00007FF82E225000-memory.dmpFilesize
2.0MB
-
memory/4916-139-0x00007FF82E030000-0x00007FF82E225000-memory.dmpFilesize
2.0MB