Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    02/06/2024, 15:27

General

  • Target

    runtimebroker.exe

  • Size

    154.7MB

  • MD5

    75990ee1ed0dd57459df924c28b46700

  • SHA1

    be7d7c518a44b3d73230364fd2064f9e2918f733

  • SHA256

    43ebd800204d360a8ea88eb0d2ed10df9553a910741cd5646ed7d276fd0723a5

  • SHA512

    f1337181f33e6724939859dc5d9fff45242870b36021fb45c737a261f82ed56e594370a24afe87f94a4376e92c0391604714fa2ff80ec000709fc66bc48341e2

  • SSDEEP

    1572864:WQLTsMunuCM2/w9Asn6xzIEhw3JvqzPd24cwT3tIDvvEO/TZidNoyiMhOab0XLHE:WA8g5vu

Score
7/10

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
    "C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2764
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4628
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:4512
    • C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
      "C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1640,i,1596845459529173983,10433284641322131880,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      2⤵
        PID:888
      • C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
        "C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --mojo-platform-channel-handle=1924 --field-trial-handle=1640,i,1596845459529173983,10433284641322131880,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
        2⤵
          PID:4332
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,129,132,208,105,27,200,155,69,148,63,132,151,193,171,245,199,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,20,242,94,195,217,131,251,84,205,102,235,132,48,175,215,233,58,104,31,171,100,142,213,24,82,96,163,176,159,65,10,161,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,194,96,31,237,153,228,196,235,67,63,63,123,23,30,120,193,160,114,28,237,7,182,110,235,124,60,229,100,112,94,136,37,48,0,0,0,232,79,168,222,154,162,92,27,204,48,96,255,158,47,79,99,20,169,37,29,155,94,9,190,100,184,17,13,111,203,246,127,213,115,76,184,169,224,214,73,213,153,205,44,10,117,77,20,64,0,0,0,112,220,183,239,118,64,62,76,128,209,29,65,10,41,111,112,40,67,182,43,89,156,210,235,71,186,209,77,72,177,164,8,118,136,26,76,208,22,136,231,188,225,12,229,76,242,70,122,69,130,209,202,109,24,89,92,54,167,97,241,149,119,207,64), $null, 'CurrentUser')"
          2⤵
          • An obfuscated cmd.exe command-line is typically used to evade detection.
          • Suspicious use of WriteProcessMemory
          PID:4640
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,129,132,208,105,27,200,155,69,148,63,132,151,193,171,245,199,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,20,242,94,195,217,131,251,84,205,102,235,132,48,175,215,233,58,104,31,171,100,142,213,24,82,96,163,176,159,65,10,161,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,194,96,31,237,153,228,196,235,67,63,63,123,23,30,120,193,160,114,28,237,7,182,110,235,124,60,229,100,112,94,136,37,48,0,0,0,232,79,168,222,154,162,92,27,204,48,96,255,158,47,79,99,20,169,37,29,155,94,9,190,100,184,17,13,111,203,246,127,213,115,76,184,169,224,214,73,213,153,205,44,10,117,77,20,64,0,0,0,112,220,183,239,118,64,62,76,128,209,29,65,10,41,111,112,40,67,182,43,89,156,210,235,71,186,209,77,72,177,164,8,118,136,26,76,208,22,136,231,188,225,12,229,76,242,70,122,69,130,209,202,109,24,89,92,54,167,97,241,149,119,207,64), $null, 'CurrentUser')
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5044
        • C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
          "C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1640,i,1596845459529173983,10433284641322131880,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3020

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zxphrtsi.4rv.ps1

              Filesize

              1B

              MD5

              c4ca4238a0b923820dcc509a6f75849b

              SHA1

              356a192b7913b04c54574d18c28d46e6395428ab

              SHA256

              6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

              SHA512

              4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

            • C:\Users\Admin\AppData\Local\Temp\xx_lol\Browser.zip

              Filesize

              22B

              MD5

              76cdb2bad9582d23c1f6f4d868218d6c

              SHA1

              b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

              SHA256

              8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

              SHA512

              5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

            • \Users\Admin\AppData\Local\Temp\5eee07e9-693e-4b04-898b-6377be119d3a.tmp.node

              Filesize

              1.6MB

              MD5

              aa8da32ebca307d4f99cf2da290afd22

              SHA1

              8590c0b54987ad6b0bc15a1aa66b9d2ca65ca899

              SHA256

              ed3a86d32e83849720e150c18c4d19c90cabe912d674624f34051c19936167db

              SHA512

              d7809a39922d99a716744e6cc17e4094930c40a8a21c983830c3570c4e52846151d66ad5d6021bc2a5b5fd29f520465b7b88f71cb86c30e0fadc4d0fb21ee1d7

            • \Users\Admin\AppData\Local\Temp\9e1204e9-8d20-4683-be32-c6ea70fa6acd.tmp.node

              Filesize

              137KB

              MD5

              04bfbfec8db966420fe4c7b85ebb506a

              SHA1

              939bb742a354a92e1dcd3661a62d69e48030a335

              SHA256

              da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd

              SHA512

              4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65

            • memory/5044-24-0x000001B9A1250000-0x000001B9A1272000-memory.dmp

              Filesize

              136KB

            • memory/5044-27-0x000001B9A1400000-0x000001B9A1476000-memory.dmp

              Filesize

              472KB

            • memory/5044-54-0x000001B9A1580000-0x000001B9A15D0000-memory.dmp

              Filesize

              320KB