Runtime Broker[.]exe

Resubmissions

18/11/2023, 22:39

231118-2lfpzsgf8x 3

18/11/2023, 22:37

231118-2j9v2sfg74 3

Sharing

Copy URL Twitter E-mail

General

Target

Runtime Broker.exe
Size

3.0MB
MD5

874d63b315a7df509beda41d5190e7c3
SHA1

6215dedde584d53c542aecbd8d8b2e7a97321b75
SHA256

188594b1ba4c81e60493d16354984cecd7bd48398d35b53932e5774f144c4540
SHA512

43ded7895bb333a7de08e49f1de258ffb4fdae88be60050a4792e5b60603dec9ebd64c7b3eedfc3290b7b350aea4fee0daf8d0dd43bad77dbf5caa9acb8647ec
SSDEEP

49152:4O6QGD2VWMlc/4oscmiT8kr5kRj/c8mKy3A/+ANzB69Zd/Z4wZbmWjP/VrBdvfvC:LWMlc/QcmErit0FI0n6qP/RH4pXeU

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Runtime Broker.exe

Files

Runtime Broker.exe
.exe windows:6 windows x64 arch:x64

3d8e918407cd32d7a82528a931afffc9

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

TerminateProcess
WaitForSingleObject
OpenProcess
K32GetModuleFileNameExA
GetLastError
CloseHandle
K32EnumProcesses
GetFileAttributesA
CreateFileA
GetModuleFileNameA
GetTempPathA
FindResourceW
CreateDirectoryA
ExpandEnvironmentStringsA
ReadFile
CreatePipe
GlobalMemoryStatusEx
CreateProcessA
GetComputerNameA
RtlLookupFunctionEntry
GetModuleHandleW
GetStartupInfoW
IsDebuggerPresent
LoadResource
LockResource
GetModuleHandleExW
SizeofResource
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
IsProcessorFeaturePresent
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlCaptureContext

user32

GetClientRect
GetDesktopWindow

advapi32

RegQueryValueExA
RegOpenKeyExA
GetUserNameA
RegCloseKey

shell32

ShellExecuteExA
SHGetKnownFolderPath

ole32

CoTaskMemFree

archive

archive_entry_size
archive_read_free
archive_write_disk_new
archive_write_free
archive_write_disk_set_standard_lookup
archive_read_new
archive_read_support_format_7zip
archive_entry_pathname
archive_read_next_header
archive_write_disk_set_options
archive_read_open_filename
archive_read_close
archive_entry_set_pathname
archive_write_finish_entry
archive_read_extract

boost_iostreams-vc143-mt-x64-1_82

??0gzip_header@detail@iostreams@boost@@QEAA@XZ
??1gzip_header@detail@iostreams@boost@@QEAA@XZ
?check@zlib_error@iostreams@boost@@SAXH@Z
?process@gzip_footer@detail@iostreams@boost@@QEAAXD@Z
?reset@gzip_footer@detail@iostreams@boost@@QEAAXXZ
??0zlib_base@detail@iostreams@boost@@IEAA@XZ
??1zlib_base@detail@iostreams@boost@@IEAA@XZ
?before@zlib_base@detail@iostreams@boost@@IEAAXAEAPEBDPEBDAEAPEADPEAD@Z
?after@zlib_base@detail@iostreams@boost@@IEAAXAEAPEBDAEAPEAD_N@Z
?xinflate@zlib_base@detail@iostreams@boost@@IEAAHH@Z
?reset@zlib_base@detail@iostreams@boost@@IEAAX_N0@Z
?do_init@zlib_base@detail@iostreams@boost@@AEAAXAEBUzlib_params@34@_NP6APEAXPEAXII@ZP6AX22@Z2@Z
?process@gzip_header@detail@iostreams@boost@@QEAAXD@Z
?reset@gzip_header@detail@iostreams@boost@@QEAAXXZ
?default_compression@zlib@iostreams@boost@@3HB
?okay@zlib@iostreams@boost@@3HB
?default_strategy@zlib@iostreams@boost@@3HB
?sync_flush@zlib@iostreams@boost@@3HB
?deflated@zlib@iostreams@boost@@3HB
??0gzip_header@detail@iostreams@boost@@QEAA@AEBV0123@@Z
?stream_end@zlib@iostreams@boost@@3HB

libcrypto-3-x64

EVP_DigestUpdate
EVP_MD_CTX_free
EVP_DigestInit_ex
EVP_DigestFinal_ex
EVP_sha256
EVP_MD_CTX_new

libcurl

curl_easy_cleanup
curl_easy_setopt
curl_easy_perform
curl_global_init
curl_global_cleanup
curl_easy_init

msvcp140

?_Xinvalid_argument@std@@YAXPEBD@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_J@Z
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
?_Random_device@std@@YAIXZ
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@PEAV32@@Z
?sgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEAD_J@Z
?pubsync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?pubimbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA?AVlocale@2@AEBV32@@Z
?_Syserror_map@std@@YAPEBDH@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@N@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z
?_Xbad_function_call@std@@YAXXZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?good@ios_base@std@@QEBA_NXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?uncaught_exception@std@@YA_NXZ
?eof@ios_base@std@@QEBA_NXZ
?bad@ios_base@std@@QEBA_NXZ
?_Incref@facet@locale@std@@UEAAXXZ
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
?_Addfac@_Locimp@locale@std@@AEAAXPEAVfacet@23@_K@Z
?out@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEB_W1AEAPEB_WPEAD3AEAPEAD@Z
??0?$codecvt@_WDU_Mbstatet@@@std@@QEAA@_K@Z
??1?$codecvt@_WDU_Mbstatet@@@std@@MEAA@XZ
_Query_perf_frequency
?_Xlength_error@std@@YAXPEBD@Z
_Thrd_sleep
_Query_perf_counter
_Xtime_get_ticks
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?_Xout_of_range@std@@YAXPEBD@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z
?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA?AV?$fpos@U_Mbstatet@@@2@XZ
??7ios_base@std@@QEBA_NXZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
?_New_Locimp@_Locimp@locale@std@@CAPEAV123@AEBV123@@Z
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?id@?$codecvt@_WDU_Mbstatet@@@std@@2V0locale@2@A
??4?$_Yarn@D@std@@QEAAAEAV01@PEBD@Z

vcruntime140_1

__CxxFrameHandler4

vcruntime140

memcpy
memmove
memset
memcmp
__std_exception_destroy
__std_exception_copy
__std_terminate
_purecall
__current_exception
__current_exception_context
__C_specific_handler
_CxxThrowException

api-ms-win-crt-runtime-l1-1-0

_initialize_narrow_environment
_set_app_type
_seh_filter_exe
terminate
_get_narrow_winmain_command_line
_initterm
_initterm_e
_invalid_parameter_noinfo_noreturn
_exit
_configure_narrow_argv
_errno
exit
_cexit
_c_exit
_register_thread_local_exe_atexit_callback
_crt_atexit
_register_onexit_function
_initialize_onexit_table

api-ms-win-crt-heap-l1-1-0

_callnewh
malloc
free
_set_new_mode

api-ms-win-crt-stdio-l1-1-0

__p__commode
_set_fmode
_get_stream_buffer_pointers
fopen
fputc
fflush
fclose
fgetc
_fseeki64
__stdio_common_vsprintf
fwrite
fgetpos
setvbuf
ungetc
fsetpos
fread

api-ms-win-crt-filesystem-l1-1-0

_unlock_file
_lock_file

api-ms-win-crt-string-l1-1-0

tolower
isspace

api-ms-win-crt-math-l1-1-0

_dsign
_dclass
ceil
__setusermatherr

api-ms-win-crt-convert-l1-1-0

strtoll
strtod
strtoull
strtol

api-ms-win-crt-locale-l1-1-0

localeconv
_configthreadlocale

api-ms-win-crt-time-l1-1-0

_localtime64_s

Sections

.text
Size: 176KB - Virtual size: 176KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 61KB - Virtual size: 60KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2.8MB - Virtual size: 2.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 776B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Signatures

Files

3d8e918407cd32d7a82528a931afffc9

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

shell32

ole32

archive

boost_iostreams-vc143-mt-x64-1_82

libcrypto-3-x64

libcurl

msvcp140

vcruntime140_1

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-time-l1-1-0

Sections

.text Size: 176KB - Virtual size: 176KB

.rdata Size: 61KB - Virtual size: 60KB

.data Size: 6KB - Virtual size: 7KB

.pdata Size: 8KB - Virtual size: 7KB

.rsrc Size: 2.8MB - Virtual size: 2.8MB

.reloc Size: 1024B - Virtual size: 776B

.text
Size: 176KB - Virtual size: 176KB

.rdata
Size: 61KB - Virtual size: 60KB

.data
Size: 6KB - Virtual size: 7KB

.pdata
Size: 8KB - Virtual size: 7KB

.rsrc
Size: 2.8MB - Virtual size: 2.8MB

.reloc
Size: 1024B - Virtual size: 776B