Analysis
max time kernel
113s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags
arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted
01-06-2023 23:12
Behavioral task
behavioral1
Sample
RuntimeBroker.exe
Resource
win7-20230220-en
General
Target
RuntimeBroker.exe
Size
63KB
MD5
8b64f097a7b9a7d77ee30183bd60bbf2
SHA1
3e1459fe5563399de3b5a0b94424472aadb7fc94
SHA256
bf763ec14d5b41a506dfc0144dd0197e3c0bae5928401eb688b1eeec74789050
SHA512
a97899d480b3d053f61607e8d0a0d16252eadd724d886f880e59ac1f6fb2622959cf8795d18db5f04419cb6b6bc892fc3ac7e11aea86df706c954506c5117e40
SSDEEP
768:+uw6LVcsTPq781wC8A+XjGDp4b+tlbBH11+T4pSBGHmDbDG5phQWoX6wwPTkv8um:PeQPcmlTOYUbch06w64FOulkpqKmY7
Malware Config
Extracted
asyncrat
Default
udmansoud-59712.portmap.host:59712
yl西德Ιp弗0吾Θ0MyD弗ΔΑ
delay
1
install
true
install_file
svchost.exe
install_folder
%AppData%
Signatures
Async RAT payload (3 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/232-133-0x0000000000D50000-0x0000000000D66000-memory.dmp | asyncrat
C:\Users\Admin\AppData\Roaming\svchost.exe | asyncrat
C:\Users\Admin\AppData\Roaming\svchost.exe | asyncrat
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation | RuntimeBroker.exe
Executes dropped EXE (1 IoC)
Processes:
pid | process
3428 | svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Delays execution with timeout.exe (1 IoC)
Processes:
pid | process
2424 | timeout.exe
Suspicious behavior: EnumeratesProcesses (25 IoCs)
Processes:
pid | process
232 | RuntimeBroker.exe (the same entry is listed 25 times in the report)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 232 | RuntimeBroker.exe
Token: SeDebugPrivilege | 3428 | svchost.exe
Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
description | pid | process | target process
PID 232 wrote to memory of 4884 | 232 | RuntimeBroker.exe | cmd.exe
PID 232 wrote to memory of 4884 | 232 | RuntimeBroker.exe | cmd.exe
PID 232 wrote to memory of 4844 | 232 | RuntimeBroker.exe | cmd.exe
PID 232 wrote to memory of 4844 | 232 | RuntimeBroker.exe | cmd.exe
PID 4884 wrote to memory of 4564 | 4884 | cmd.exe | schtasks.exe
PID 4884 wrote to memory of 4564 | 4884 | cmd.exe | schtasks.exe
PID 4844 wrote to memory of 2424 | 4844 | cmd.exe | timeout.exe
PID 4844 wrote to memory of 2424 | 4844 | cmd.exe | timeout.exe
PID 4844 wrote to memory of 3428 | 4844 | cmd.exe | svchost.exe
PID 4844 wrote to memory of 3428 | 4844 | cmd.exe | svchost.exe
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      - Creates scheduled task(s)
  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8AD0.tmp.bat""
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\timeout.exe
      Command line: timeout 3
      - Delays execution with timeout.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\tmp8AD0.tmp.bat
Filesize
151B
MD5
7c75d7c945096ea88d66e42405533e2c
SHA1
11760d56f6bf6dab9e2784247b348f9d47daa950
SHA256
ae41a60882388017edf568aebb1aa08daae802cd07277c2c2dccbd90b75681c6
SHA512
5a616d7993191af3a994bd3109b979060402f49b7069d42b7f8465db36a2222f3695d18eb52a2df74ce537e589e55bf45d1b7e8bbe4677af5d456da3b0cb71a2

C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
63KB
MD5
8b64f097a7b9a7d77ee30183bd60bbf2
SHA1
3e1459fe5563399de3b5a0b94424472aadb7fc94
SHA256
bf763ec14d5b41a506dfc0144dd0197e3c0bae5928401eb688b1eeec74789050
SHA512
a97899d480b3d053f61607e8d0a0d16252eadd724d886f880e59ac1f6fb2622959cf8795d18db5f04419cb6b6bc892fc3ac7e11aea86df706c954506c5117e40

memory/232-133-0x0000000000D50000-0x0000000000D66000-memory.dmp
Filesize
88KB