Analysis
max time kernel: 103s
max time network: 134s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-05-2023 00:05
Behavioral task: behavioral1
Sample: RuntimeBroker.exe
Resource: win7-20230220-en
General
Target: RuntimeBroker.exe
Size: 63KB
MD5: 251e7183331025aac57c3965ca6bdb3b
SHA1: b7d7e6f953bf378dae8d9f666369d8e60e405e95
SHA256: ae799c3696cadbbe3a8d2036f67685e01f385f214f47b0c7d094a15159688e71
SHA512: 0209d2916ec0a1c67043e04c2c4ce9a3b6401d437791581887fe3ba17f2eefdec35fe2adc79704868a1750977f0b9fb7a29c3fe68d4df9b5a494988757e1b453
SSDEEP: 768:+uw6LVcsTPq781wC8A+XjGDp4b+tlbBH11+T4pSBGHmDbDG5phQWoXeYQTJKZGSv:PeQPcmlTOYUbch05qKxulkpqKmY7
Malware Config
Extracted
asyncrat
Default
udmansoud-59712.portmap.host:59712
ikU2zF吉诶T8تXω比9ΖNIר
delay: 1
install: true
install_file: svchost.exe
install_folder: %AppData%
Signatures

Async RAT payload (3 IoCs)
Processes:
  resource | yara_rule
  behavioral2/memory/3700-133-0x00000000003F0000-0x0000000000406000-memory.dmp | asyncrat
  C:\Users\Admin\AppData\Roaming\svchost.exe | asyncrat
  C:\Users\Admin\AppData\Roaming\svchost.exe | asyncrat

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
Processes: RuntimeBroker.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | RuntimeBroker.exe

Executes dropped EXE (1 IoCs)
Processes: svchost.exe
  pid | process
  4280 | svchost.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoCs)
Processes: timeout.exe
  pid | process
  3436 | timeout.exe

Suspicious behavior: EnumeratesProcesses (25 IoCs)
Processes: RuntimeBroker.exe
  pid | process
  3700 | RuntimeBroker.exe (25 identical entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: RuntimeBroker.exe, svchost.exe
  description | pid | process
  Token: SeDebugPrivilege | 3700 | RuntimeBroker.exe
  Token: SeDebugPrivilege | 4280 | svchost.exe

Suspicious use of WriteProcessMemory (10 IoCs)
Processes: RuntimeBroker.exe, cmd.exe, cmd.exe
  description | pid | process | target process
  PID 3700 wrote to memory of 4508 | 3700 | RuntimeBroker.exe | cmd.exe (2 entries)
  PID 3700 wrote to memory of 4608 | 3700 | RuntimeBroker.exe | cmd.exe (2 entries)
  PID 4508 wrote to memory of 3124 | 4508 | cmd.exe | schtasks.exe (2 entries)
  PID 4608 wrote to memory of 3436 | 4608 | cmd.exe | timeout.exe (2 entries)
  PID 4608 wrote to memory of 4280 | 4608 | cmd.exe | svchost.exe (2 entries)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indented by process-tree depth)

C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\schtasks.exe
          Command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
          - Creates scheduled task(s)

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6EDC.tmp.bat""
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\timeout.exe
          Command line: timeout 3
          - Delays execution with timeout.exe

        C:\Users\Admin\AppData\Roaming\svchost.exe
          Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6EDC.tmp.bat
Filesize: 151B
MD5: a86fca233d738f9e04500f43493fd016
SHA1: 149bb3a19c9225c051588108e46d62e1903d612f
SHA256: 6ebaf5daf9d292f7754e9ecee79fcf8a469fc2307521f5af899837f9fa7fda25
SHA512: c27d86abbf9e0143da94ec48a8c8eeffa70830c16b100ff0cc30e9dd45ac0fd8b3ddc7b1892091c774ec5741100eaccafdd07d5e307ac13040ca40e641404ea8

C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize: 63KB
MD5: 251e7183331025aac57c3965ca6bdb3b
SHA1: b7d7e6f953bf378dae8d9f666369d8e60e405e95
SHA256: ae799c3696cadbbe3a8d2036f67685e01f385f214f47b0c7d094a15159688e71
SHA512: 0209d2916ec0a1c67043e04c2c4ce9a3b6401d437791581887fe3ba17f2eefdec35fe2adc79704868a1750977f0b9fb7a29c3fe68d4df9b5a494988757e1b453
memory/3700-133-0x00000000003F0000-0x0000000000406000-memory.dmp
Filesize: 88KB