b90d59c4cd1fad6d0bf2de65188f610b62479cc066181bb99676e6dcd19f46e3

Resubmissions

03-05-2024 13:10

240503-qeh1zsgb3x 7

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03-05-2024 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Runtime Broker.exe
Size

131.9MB
MD5

5bbeb87f22b3c312d6bed60a9b17bb1e
SHA1

779d936cdf346cf673bc29026b6daf9057862b69
SHA256

a0cd0974fd9231eb22220a00f55748455d3b9e34179a4d943cfa8a5550e0cc2c
SHA512

87034545306083f46e32b70fe5f5e9c27a4f090363efad37fae284dce6a825af1dac24f5d847088c9a8a69ac0ad9bcdfef44656185ea90467b94d6f431ab6b6a
SSDEEP

1572864:Q4sMLl/BkZTVV2iplzf+ekzrMdTOG0AfhgojwlwVgmPQtn06H9rejAEdCoIZXCVn:ll/BkVVPBDgmPKa5Wnu3X7

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe

Loads dropped DLL 3 IoCs

pid	Process
3304	Runtime Broker.exe
3304	Runtime Broker.exe
3304	Runtime Broker.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
27	pastebin.com
28	pastebin.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
29	ipinfo.io
30	ipinfo.io
44	ipinfo.io

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Runtime Broker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Runtime Broker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Runtime Broker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Runtime Broker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Runtime Broker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Runtime Broker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Runtime Broker.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1400	tasklist.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3304	Runtime Broker.exe
3304	Runtime Broker.exe
3304	Runtime Broker.exe
3304	Runtime Broker.exe
3304	Runtime Broker.exe
3304	Runtime Broker.exe
3304	Runtime Broker.exe
3304	Runtime Broker.exe
4280	Runtime Broker.exe
4280	Runtime Broker.exe
384	Runtime Broker.exe
384	Runtime Broker.exe
384	Runtime Broker.exe
384	Runtime Broker.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1400	tasklist.exe
Token: SeShutdownPrivilege	3304	Runtime Broker.exe
Token: SeCreatePagefilePrivilege	3304	Runtime Broker.exe
Token: SeShutdownPrivilege	3304	Runtime Broker.exe
Token: SeCreatePagefilePrivilege	3304	Runtime Broker.exe
Token: SeShutdownPrivilege	3304	Runtime Broker.exe
Token: SeCreatePagefilePrivilege	3304	Runtime Broker.exe
Token: SeShutdownPrivilege	3304	Runtime Broker.exe
Token: SeCreatePagefilePrivilege	3304	Runtime Broker.exe
Token: SeShutdownPrivilege	3304	Runtime Broker.exe
Token: SeCreatePagefilePrivilege	3304	Runtime Broker.exe
Token: SeShutdownPrivilege	3304	Runtime Broker.exe
Token: SeCreatePagefilePrivilege	3304	Runtime Broker.exe
Token: SeShutdownPrivilege	3304	Runtime Broker.exe
Token: SeCreatePagefilePrivilege	3304	Runtime Broker.exe
Token: SeShutdownPrivilege	3304	Runtime Broker.exe
Token: SeCreatePagefilePrivilege	3304	Runtime Broker.exe
Token: SeShutdownPrivilege	3304	Runtime Broker.exe
Token: SeCreatePagefilePrivilege	3304	Runtime Broker.exe
Token: SeShutdownPrivilege	3304	Runtime Broker.exe
Token: SeCreatePagefilePrivilege	3304	Runtime Broker.exe
Token: SeShutdownPrivilege	3304	Runtime Broker.exe
Token: SeCreatePagefilePrivilege	3304	Runtime Broker.exe
Token: SeShutdownPrivilege	3304	Runtime Broker.exe
Token: SeCreatePagefilePrivilege	3304	Runtime Broker.exe
Token: SeShutdownPrivilege	3304	Runtime Broker.exe
Token: SeCreatePagefilePrivilege	3304	Runtime Broker.exe
Token: SeShutdownPrivilege	3304	Runtime Broker.exe
Token: SeCreatePagefilePrivilege	3304	Runtime Broker.exe
Token: SeShutdownPrivilege	3304	Runtime Broker.exe
Token: SeCreatePagefilePrivilege	3304	Runtime Broker.exe
Token: SeShutdownPrivilege	3304	Runtime Broker.exe
Token: SeCreatePagefilePrivilege	3304	Runtime Broker.exe
Token: SeShutdownPrivilege	3304	Runtime Broker.exe
Token: SeCreatePagefilePrivilege	3304	Runtime Broker.exe
Token: SeShutdownPrivilege	3304	Runtime Broker.exe
Token: SeCreatePagefilePrivilege	3304	Runtime Broker.exe
Token: SeShutdownPrivilege	3304	Runtime Broker.exe
Token: SeCreatePagefilePrivilege	3304	Runtime Broker.exe
Token: SeShutdownPrivilege	3304	Runtime Broker.exe
Token: SeCreatePagefilePrivilege	3304	Runtime Broker.exe
Token: SeShutdownPrivilege	3304	Runtime Broker.exe
Token: SeCreatePagefilePrivilege	3304	Runtime Broker.exe
Token: SeShutdownPrivilege	3304	Runtime Broker.exe
Token: SeCreatePagefilePrivilege	3304	Runtime Broker.exe
Token: SeShutdownPrivilege	3304	Runtime Broker.exe
Token: SeCreatePagefilePrivilege	3304	Runtime Broker.exe
Token: SeShutdownPrivilege	3304	Runtime Broker.exe
Token: SeCreatePagefilePrivilege	3304	Runtime Broker.exe
Token: SeShutdownPrivilege	3304	Runtime Broker.exe
Token: SeCreatePagefilePrivilege	3304	Runtime Broker.exe
Token: SeShutdownPrivilege	3304	Runtime Broker.exe
Token: SeCreatePagefilePrivilege	3304	Runtime Broker.exe
Token: SeShutdownPrivilege	3304	Runtime Broker.exe
Token: SeCreatePagefilePrivilege	3304	Runtime Broker.exe
Token: SeShutdownPrivilege	3304	Runtime Broker.exe
Token: SeCreatePagefilePrivilege	3304	Runtime Broker.exe
Token: SeShutdownPrivilege	3304	Runtime Broker.exe
Token: SeCreatePagefilePrivilege	3304	Runtime Broker.exe
Token: SeShutdownPrivilege	3304	Runtime Broker.exe
Token: SeCreatePagefilePrivilege	3304	Runtime Broker.exe
Token: SeShutdownPrivilege	3304	Runtime Broker.exe
Token: SeCreatePagefilePrivilege	3304	Runtime Broker.exe
Token: SeShutdownPrivilege	3304	Runtime Broker.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 3304 wrote to memory of 1392	3304	Runtime Broker.exe	85
PID 3304 wrote to memory of 1392	3304	Runtime Broker.exe	85
PID 3304 wrote to memory of 1392	3304	Runtime Broker.exe	85
PID 1392 wrote to memory of 3112	1392	cmd.exe	87
PID 1392 wrote to memory of 3112	1392	cmd.exe	87
PID 1392 wrote to memory of 3112	1392	cmd.exe	87
PID 3304 wrote to memory of 3408	3304	Runtime Broker.exe	88
PID 3304 wrote to memory of 3408	3304	Runtime Broker.exe	88
PID 3304 wrote to memory of 3408	3304	Runtime Broker.exe	88
PID 3408 wrote to memory of 1400	3408	cmd.exe	90
PID 3408 wrote to memory of 1400	3408	cmd.exe	90
PID 3408 wrote to memory of 1400	3408	cmd.exe	90
PID 3304 wrote to memory of 740	3304	Runtime Broker.exe	94
PID 3304 wrote to memory of 740	3304	Runtime Broker.exe	94
PID 3304 wrote to memory of 740	3304	Runtime Broker.exe	94
PID 3304 wrote to memory of 740	3304	Runtime Broker.exe	94
PID 3304 wrote to memory of 740	3304	Runtime Broker.exe	94
PID 3304 wrote to memory of 740	3304	Runtime Broker.exe	94
PID 3304 wrote to memory of 740	3304	Runtime Broker.exe	94
PID 3304 wrote to memory of 740	3304	Runtime Broker.exe	94
PID 3304 wrote to memory of 740	3304	Runtime Broker.exe	94
PID 3304 wrote to memory of 740	3304	Runtime Broker.exe	94
PID 3304 wrote to memory of 740	3304	Runtime Broker.exe	94
PID 3304 wrote to memory of 740	3304	Runtime Broker.exe	94
PID 3304 wrote to memory of 740	3304	Runtime Broker.exe	94
PID 3304 wrote to memory of 740	3304	Runtime Broker.exe	94
PID 3304 wrote to memory of 740	3304	Runtime Broker.exe	94
PID 3304 wrote to memory of 740	3304	Runtime Broker.exe	94
PID 3304 wrote to memory of 740	3304	Runtime Broker.exe	94
PID 3304 wrote to memory of 740	3304	Runtime Broker.exe	94
PID 3304 wrote to memory of 740	3304	Runtime Broker.exe	94
PID 3304 wrote to memory of 740	3304	Runtime Broker.exe	94
PID 3304 wrote to memory of 740	3304	Runtime Broker.exe	94
PID 3304 wrote to memory of 740	3304	Runtime Broker.exe	94
PID 3304 wrote to memory of 740	3304	Runtime Broker.exe	94
PID 3304 wrote to memory of 740	3304	Runtime Broker.exe	94
PID 3304 wrote to memory of 740	3304	Runtime Broker.exe	94
PID 3304 wrote to memory of 740	3304	Runtime Broker.exe	94
PID 3304 wrote to memory of 740	3304	Runtime Broker.exe	94
PID 3304 wrote to memory of 740	3304	Runtime Broker.exe	94
PID 3304 wrote to memory of 740	3304	Runtime Broker.exe	94
PID 3304 wrote to memory of 740	3304	Runtime Broker.exe	94
PID 3304 wrote to memory of 740	3304	Runtime Broker.exe	94
PID 3304 wrote to memory of 740	3304	Runtime Broker.exe	94
PID 3304 wrote to memory of 4280	3304	Runtime Broker.exe	95
PID 3304 wrote to memory of 4280	3304	Runtime Broker.exe	95
PID 3304 wrote to memory of 4280	3304	Runtime Broker.exe	95
PID 3304 wrote to memory of 384	3304	Runtime Broker.exe	116
PID 3304 wrote to memory of 384	3304	Runtime Broker.exe	116
PID 3304 wrote to memory of 384	3304	Runtime Broker.exe	116

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Windows\SysWOW64\chcp.com
    chcp
    3⤵
    PID:3112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3408
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1400
- C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
  "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\fxmiovhpbmuljziu" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1848 --field-trial-handle=1852,i,1222242479903705452,11465080732132879367,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:740
- C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
  "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\fxmiovhpbmuljziu" --mojo-platform-channel-handle=2068 --field-trial-handle=1852,i,1222242479903705452,11465080732132879367,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4280
- C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
  "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\fxmiovhpbmuljziu" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=1852,i,1222242479903705452,11465080732132879367,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\98e6a87e-75b4-4d0d-a477-68664eef6453.tmp.node

Filesize
1.4MB

MD5
880b61ab7baea5ee94581584c45bfb64

SHA1
27f05814eb03367a7c56bd5e9b06563fb4ba300c

SHA256
36af162bb5c03aa1bbcb5b81f6b1b8a3d15efa0bf5c853830b78a5a36af87435

SHA512
660c7a0968e09129342ce0ecf39fafc86619c38cf4ca610f063149d89d61d702fce6d5455a96079015d24b9f52febab80ec0c91d8193c7334376a970747d439b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9a6b95c3-36d5-46ca-b965-b75a382d84de.tmp.node

Filesize
83KB

MD5
c854c2822b905a84ec0b42f0aeee695f

SHA1
b3a9948c709fab279d482fcd570d0e3e1f33c1d5

SHA256
6555d1541c3c3840ebad7b2f48dea53423a0935ee1b262cabb76f8248488a21a

SHA512
0e8b4243dd49a920f591f431e0e118d7dd65c996279eec015421183779f4353e3ef3da22ba2dc84116115bb9bdb9f63d025b55761b36ce368a3b908367b8ca42

Download Submit
C:\Users\Admin\AppData\Local\Temp\9f930378-3367-4718-bed0-9cb04bfab4df.tmp.node

Filesize
121KB

MD5
aadcb6c6f19277e2bcf2cc0cbf459353

SHA1
7cbb424b28d3b8e3a403e6de5e7649ff7982456f

SHA256
dc6d806356e291965e6d4382a012cb7509e3795c582354b8285a8b10384645eb

SHA512
654530df2d35aeee6ba013e9480536427d4949dd27bbce59d0e88466a5fca6d3733a9438b75f5189d059354da7c859628bc232bf353a459512bf247552d53a06

Download Submit
memory/384-40-0x000000000E9E0000-0x000000000E9E1000-memory.dmp

Filesize
4KB

Download
memory/384-35-0x000000000E9E0000-0x000000000E9E1000-memory.dmp

Filesize
4KB

Download
memory/384-36-0x000000000E9E0000-0x000000000E9E1000-memory.dmp

Filesize
4KB

Download
memory/384-34-0x000000000E9E0000-0x000000000E9E1000-memory.dmp

Filesize
4KB

Download
memory/384-43-0x000000000E9E0000-0x000000000E9E1000-memory.dmp

Filesize
4KB

Download
memory/384-46-0x000000000E9E0000-0x000000000E9E1000-memory.dmp

Filesize
4KB

Download
memory/384-45-0x000000000E9E0000-0x000000000E9E1000-memory.dmp

Filesize
4KB

Download
memory/384-44-0x000000000E9E0000-0x000000000E9E1000-memory.dmp

Filesize
4KB

Download
memory/384-42-0x000000000E9E0000-0x000000000E9E1000-memory.dmp

Filesize
4KB

Download
memory/384-41-0x000000000E9E0000-0x000000000E9E1000-memory.dmp

Filesize
4KB

Download