Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 17/05/2024, 00:33
Static task: static1
Behavioral task: behavioral1
  Sample: RUNTIMEBROKER.EXE-BD75D63A.pf
  Resource: win7-20240508-en
  4 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: RUNTIMEBROKER.EXE-BD75D63A.pf
  Resource: win10v2004-20240508-en
  3 signatures, 150 seconds
General
Target: RUNTIMEBROKER.EXE-BD75D63A.pf
Size: 5KB
MD5: 3b0e8498307a9aedc64b30d8d1d98fed
SHA1: fc120f9a8163d7b3eb4fabb0d1866ab26283cbb0
SHA256: db68a256e683219233308d3c031f2b87f45f5ce3708683b9d9181ebcaa5bae98
SHA512: 6aee06e6d26213002dd8f9ef9ec5214141c18faf66bd2786026af4857634d5a5c6828974e1e4ffee4e6b16799c523b0552dd4abf4a63c7ad34764589f929bef7
SSDEEP: 96:+yKTkQqXX3Y5UwH66XVQFK0W8nUKhQ9pZOeo+K2sn8Cec0Ixapl6wCqWcwDSGSKo:TKTkQA3Y5RPQFuKEbOef8h9wLWcwmPcc
Score: 3/10
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoCs)
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings
  Process: rundll32.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid: 2692
  Process: rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                          pid    Process    procid_target
  PID 2240 wrote to memory of 2692     2240   cmd.exe    29
  PID 2240 wrote to memory of 2692     2240   cmd.exe    29
  PID 2240 wrote to memory of 2692     2240   cmd.exe    29
Processes
C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\RUNTIMEBROKER.EXE-BD75D63A.pf
  Signatures: Suspicious use of WriteProcessMemory
  PID: 2240
  C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\RUNTIMEBROKER.EXE-BD75D63A.pf
    Signatures: Modifies registry class; Suspicious behavior: GetForegroundWindowSpam
    PID: 2692