Overview
overview
7Static
static
3Vanta/AutoHotkey.exe
windows10-1703-x64
1Vanta/AutoHotkey.exe
windows10-2004-x64
1Vanta/AutoHotkey.exe
windows11-21h2-x64
1Vanta/vant...er.exe
windows10-1703-x64
7Vanta/vant...er.exe
windows10-2004-x64
7Vanta/vant...er.exe
windows11-21h2-x64
7resources/elevate.exe
windows10-1703-x64
1resources/elevate.exe
windows10-2004-x64
1resources/elevate.exe
windows11-21h2-x64
1runtimebroker.exe
windows10-1703-x64
7runtimebroker.exe
windows10-2004-x64
7runtimebroker.exe
windows11-21h2-x64
7Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
02/06/2024, 15:27
Static task
static1
Behavioral task
behavioral1
Sample
Vanta/AutoHotkey.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Vanta/AutoHotkey.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
Vanta/AutoHotkey.exe
Resource
win11-20240508-en
Behavioral task
behavioral4
Sample
Vanta/vanta_loader.exe
Resource
win10-20240404-en
Behavioral task
behavioral5
Sample
Vanta/vanta_loader.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral6
Sample
Vanta/vanta_loader.exe
Resource
win11-20240426-en
Behavioral task
behavioral7
Sample
resources/elevate.exe
Resource
win10-20240404-en
Behavioral task
behavioral8
Sample
resources/elevate.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
resources/elevate.exe
Resource
win11-20240508-en
Behavioral task
behavioral10
Sample
runtimebroker.exe
Resource
win10-20240404-en
Behavioral task
behavioral11
Sample
runtimebroker.exe
Resource
win10v2004-20240426-en
General
-
Target
runtimebroker.exe
-
Size
154.7MB
-
MD5
75990ee1ed0dd57459df924c28b46700
-
SHA1
be7d7c518a44b3d73230364fd2064f9e2918f733
-
SHA256
43ebd800204d360a8ea88eb0d2ed10df9553a910741cd5646ed7d276fd0723a5
-
SHA512
f1337181f33e6724939859dc5d9fff45242870b36021fb45c737a261f82ed56e594370a24afe87f94a4376e92c0391604714fa2ff80ec000709fc66bc48341e2
-
SSDEEP
1572864:WQLTsMunuCM2/w9Asn6xzIEhw3JvqzPd24cwT3tIDvvEO/TZidNoyiMhOab0XLHE:WA8g5vu
Malware Config
Signatures
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runtimebroker.exe runtimebroker.exe -
Loads dropped DLL 2 IoCs
pid Process 2764 runtimebroker.exe 2764 runtimebroker.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
pid Process 4640 cmd.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 4512 tasklist.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 5044 powershell.exe 5044 powershell.exe 5044 powershell.exe 3020 runtimebroker.exe 3020 runtimebroker.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4512 tasklist.exe Token: SeShutdownPrivilege 2764 runtimebroker.exe Token: SeCreatePagefilePrivilege 2764 runtimebroker.exe Token: SeShutdownPrivilege 2764 runtimebroker.exe Token: SeCreatePagefilePrivilege 2764 runtimebroker.exe Token: SeShutdownPrivilege 2764 runtimebroker.exe Token: SeCreatePagefilePrivilege 2764 runtimebroker.exe Token: SeDebugPrivilege 5044 powershell.exe Token: SeShutdownPrivilege 2764 runtimebroker.exe Token: SeCreatePagefilePrivilege 2764 runtimebroker.exe Token: SeShutdownPrivilege 2764 runtimebroker.exe Token: SeCreatePagefilePrivilege 2764 runtimebroker.exe Token: SeShutdownPrivilege 2764 runtimebroker.exe Token: SeCreatePagefilePrivilege 2764 runtimebroker.exe Token: SeShutdownPrivilege 2764 runtimebroker.exe Token: SeCreatePagefilePrivilege 2764 runtimebroker.exe Token: SeShutdownPrivilege 2764 runtimebroker.exe Token: SeCreatePagefilePrivilege 2764 runtimebroker.exe Token: SeShutdownPrivilege 2764 runtimebroker.exe Token: SeCreatePagefilePrivilege 2764 runtimebroker.exe Token: SeShutdownPrivilege 2764 runtimebroker.exe Token: SeCreatePagefilePrivilege 2764 runtimebroker.exe Token: SeShutdownPrivilege 2764 runtimebroker.exe Token: SeCreatePagefilePrivilege 2764 runtimebroker.exe Token: SeShutdownPrivilege 2764 runtimebroker.exe Token: SeCreatePagefilePrivilege 2764 runtimebroker.exe Token: SeShutdownPrivilege 2764 runtimebroker.exe Token: SeCreatePagefilePrivilege 2764 runtimebroker.exe Token: SeShutdownPrivilege 2764 runtimebroker.exe Token: SeCreatePagefilePrivilege 2764 runtimebroker.exe Token: SeShutdownPrivilege 2764 runtimebroker.exe Token: SeCreatePagefilePrivilege 2764 runtimebroker.exe Token: SeShutdownPrivilege 2764 runtimebroker.exe Token: SeCreatePagefilePrivilege 2764 runtimebroker.exe Token: SeShutdownPrivilege 2764 runtimebroker.exe Token: SeCreatePagefilePrivilege 2764 runtimebroker.exe Token: SeShutdownPrivilege 2764 runtimebroker.exe Token: SeCreatePagefilePrivilege 2764 runtimebroker.exe Token: SeShutdownPrivilege 2764 runtimebroker.exe Token: SeCreatePagefilePrivilege 2764 runtimebroker.exe Token: SeShutdownPrivilege 2764 runtimebroker.exe Token: SeCreatePagefilePrivilege 2764 runtimebroker.exe Token: SeShutdownPrivilege 2764 runtimebroker.exe Token: SeCreatePagefilePrivilege 2764 runtimebroker.exe Token: SeShutdownPrivilege 2764 runtimebroker.exe Token: SeCreatePagefilePrivilege 2764 runtimebroker.exe Token: SeShutdownPrivilege 2764 runtimebroker.exe Token: SeCreatePagefilePrivilege 2764 runtimebroker.exe Token: SeShutdownPrivilege 2764 runtimebroker.exe Token: SeCreatePagefilePrivilege 2764 runtimebroker.exe Token: SeShutdownPrivilege 2764 runtimebroker.exe Token: SeCreatePagefilePrivilege 2764 runtimebroker.exe Token: SeShutdownPrivilege 2764 runtimebroker.exe Token: SeCreatePagefilePrivilege 2764 runtimebroker.exe Token: SeShutdownPrivilege 2764 runtimebroker.exe Token: SeCreatePagefilePrivilege 2764 runtimebroker.exe Token: SeShutdownPrivilege 2764 runtimebroker.exe Token: SeCreatePagefilePrivilege 2764 runtimebroker.exe Token: SeShutdownPrivilege 2764 runtimebroker.exe Token: SeCreatePagefilePrivilege 2764 runtimebroker.exe Token: SeShutdownPrivilege 2764 runtimebroker.exe Token: SeCreatePagefilePrivilege 2764 runtimebroker.exe Token: SeShutdownPrivilege 2764 runtimebroker.exe Token: SeCreatePagefilePrivilege 2764 runtimebroker.exe -
Suspicious use of WriteProcessMemory 43 IoCs
description pid Process procid_target PID 2764 wrote to memory of 4628 2764 runtimebroker.exe 74 PID 2764 wrote to memory of 4628 2764 runtimebroker.exe 74 PID 4628 wrote to memory of 4512 4628 cmd.exe 76 PID 4628 wrote to memory of 4512 4628 cmd.exe 76 PID 2764 wrote to memory of 888 2764 runtimebroker.exe 78 PID 2764 wrote to memory of 888 2764 runtimebroker.exe 78 PID 2764 wrote to memory of 888 2764 runtimebroker.exe 78 PID 2764 wrote to memory of 888 2764 runtimebroker.exe 78 PID 2764 wrote to memory of 888 2764 runtimebroker.exe 78 PID 2764 wrote to memory of 888 2764 runtimebroker.exe 78 PID 2764 wrote to memory of 888 2764 runtimebroker.exe 78 PID 2764 wrote to memory of 888 2764 runtimebroker.exe 78 PID 2764 wrote to memory of 888 2764 runtimebroker.exe 78 PID 2764 wrote to memory of 888 2764 runtimebroker.exe 78 PID 2764 wrote to memory of 888 2764 runtimebroker.exe 78 PID 2764 wrote to memory of 888 2764 runtimebroker.exe 78 PID 2764 wrote to memory of 888 2764 runtimebroker.exe 78 PID 2764 wrote to memory of 888 2764 runtimebroker.exe 78 PID 2764 wrote to memory of 888 2764 runtimebroker.exe 78 PID 2764 wrote to memory of 888 2764 runtimebroker.exe 78 PID 2764 wrote to memory of 888 2764 runtimebroker.exe 78 PID 2764 wrote to memory of 888 2764 runtimebroker.exe 78 PID 2764 wrote to memory of 888 2764 runtimebroker.exe 78 PID 2764 wrote to memory of 888 2764 runtimebroker.exe 78 PID 2764 wrote to memory of 888 2764 runtimebroker.exe 78 PID 2764 wrote to memory of 888 2764 runtimebroker.exe 78 PID 2764 wrote to memory of 888 2764 runtimebroker.exe 78 PID 2764 wrote to memory of 888 2764 runtimebroker.exe 78 PID 2764 wrote to memory of 888 2764 runtimebroker.exe 78 PID 2764 wrote to memory of 888 2764 runtimebroker.exe 78 PID 2764 wrote to memory of 888 2764 runtimebroker.exe 78 PID 2764 wrote to memory of 888 2764 runtimebroker.exe 78 PID 2764 wrote to memory of 888 2764 runtimebroker.exe 78 PID 2764 wrote to memory of 888 2764 runtimebroker.exe 78 PID 2764 wrote to memory of 888 2764 runtimebroker.exe 78 PID 2764 wrote to memory of 4332 2764 runtimebroker.exe 79 PID 2764 wrote to memory of 4332 2764 runtimebroker.exe 79 PID 2764 wrote to memory of 4640 2764 runtimebroker.exe 80 PID 2764 wrote to memory of 4640 2764 runtimebroker.exe 80 PID 4640 wrote to memory of 5044 4640 cmd.exe 82 PID 4640 wrote to memory of 5044 4640 cmd.exe 82 PID 2764 wrote to memory of 3020 2764 runtimebroker.exe 83 PID 2764 wrote to memory of 3020 2764 runtimebroker.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4512
-
-
-
C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1640,i,1596845459529173983,10433284641322131880,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:22⤵PID:888
-
-
C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --mojo-platform-channel-handle=1924 --field-trial-handle=1640,i,1596845459529173983,10433284641322131880,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:82⤵PID:4332
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,129,132,208,105,27,200,155,69,148,63,132,151,193,171,245,199,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,20,242,94,195,217,131,251,84,205,102,235,132,48,175,215,233,58,104,31,171,100,142,213,24,82,96,163,176,159,65,10,161,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,194,96,31,237,153,228,196,235,67,63,63,123,23,30,120,193,160,114,28,237,7,182,110,235,124,60,229,100,112,94,136,37,48,0,0,0,232,79,168,222,154,162,92,27,204,48,96,255,158,47,79,99,20,169,37,29,155,94,9,190,100,184,17,13,111,203,246,127,213,115,76,184,169,224,214,73,213,153,205,44,10,117,77,20,64,0,0,0,112,220,183,239,118,64,62,76,128,209,29,65,10,41,111,112,40,67,182,43,89,156,210,235,71,186,209,77,72,177,164,8,118,136,26,76,208,22,136,231,188,225,12,229,76,242,70,122,69,130,209,202,109,24,89,92,54,167,97,241,149,119,207,64), $null, 'CurrentUser')"2⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:4640 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,129,132,208,105,27,200,155,69,148,63,132,151,193,171,245,199,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,20,242,94,195,217,131,251,84,205,102,235,132,48,175,215,233,58,104,31,171,100,142,213,24,82,96,163,176,159,65,10,161,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,194,96,31,237,153,228,196,235,67,63,63,123,23,30,120,193,160,114,28,237,7,182,110,235,124,60,229,100,112,94,136,37,48,0,0,0,232,79,168,222,154,162,92,27,204,48,96,255,158,47,79,99,20,169,37,29,155,94,9,190,100,184,17,13,111,203,246,127,213,115,76,184,169,224,214,73,213,153,205,44,10,117,77,20,64,0,0,0,112,220,183,239,118,64,62,76,128,209,29,65,10,41,111,112,40,67,182,43,89,156,210,235,71,186,209,77,72,177,164,8,118,136,26,76,208,22,136,231,188,225,12,229,76,242,70,122,69,130,209,202,109,24,89,92,54,167,97,241,149,119,207,64), $null, 'CurrentUser')3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5044
-
-
-
C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1640,i,1596845459529173983,10433284641322131880,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:3020
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
22B
MD576cdb2bad9582d23c1f6f4d868218d6c
SHA1b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA2568739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA5125e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f
-
Filesize
1.6MB
MD5aa8da32ebca307d4f99cf2da290afd22
SHA18590c0b54987ad6b0bc15a1aa66b9d2ca65ca899
SHA256ed3a86d32e83849720e150c18c4d19c90cabe912d674624f34051c19936167db
SHA512d7809a39922d99a716744e6cc17e4094930c40a8a21c983830c3570c4e52846151d66ad5d6021bc2a5b5fd29f520465b7b88f71cb86c30e0fadc4d0fb21ee1d7
-
Filesize
137KB
MD504bfbfec8db966420fe4c7b85ebb506a
SHA1939bb742a354a92e1dcd3661a62d69e48030a335
SHA256da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd
SHA5124ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65