Resubmissions

13-06-2024 02:00

240613-cfdk1azhkb 7

11-06-2024 06:18

240611-g2mg9axgqp 7

Analysis

  • max time kernel
    22s
  • max time network
    23s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-06-2024 06:18

General

  • Target

    runtimebroker.exe

  • Size

    154.7MB

  • MD5

    75990ee1ed0dd57459df924c28b46700

  • SHA1

    be7d7c518a44b3d73230364fd2064f9e2918f733

  • SHA256

    43ebd800204d360a8ea88eb0d2ed10df9553a910741cd5646ed7d276fd0723a5

  • SHA512

    f1337181f33e6724939859dc5d9fff45242870b36021fb45c737a261f82ed56e594370a24afe87f94a4376e92c0391604714fa2ff80ec000709fc66bc48341e2

  • SSDEEP

    1572864:WQLTsMunuCM2/w9Asn6xzIEhw3JvqzPd24cwT3tIDvvEO/TZidNoyiMhOab0XLHE:WA8g5vu

Score
7/10

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
    "C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4400
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1848
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:4580
    • C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
      "C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1820,i,11960413089767931548,8449855656748798269,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      2⤵
        PID:4588
      • C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
        "C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --mojo-platform-channel-handle=2060 --field-trial-handle=1820,i,11960413089767931548,8449855656748798269,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
        2⤵
          PID:1708
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,21,13,251,61,125,41,113,73,181,63,165,1,91,36,248,68,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,52,149,19,144,89,112,59,59,251,229,141,202,64,101,240,104,137,13,3,69,53,156,155,146,175,90,146,162,246,238,201,90,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,8,59,176,18,137,226,140,52,19,171,62,247,31,153,110,138,40,43,108,72,120,10,22,206,204,166,195,251,206,76,84,236,48,0,0,0,182,67,21,24,178,28,183,38,171,5,235,33,128,96,100,191,115,29,3,244,255,89,222,94,221,44,46,134,199,244,235,56,71,157,109,19,168,133,44,36,119,44,14,122,209,122,31,112,64,0,0,0,122,214,19,81,118,163,136,78,57,148,251,210,240,3,134,99,156,175,50,154,230,153,101,220,35,132,92,147,223,230,14,232,202,102,120,97,201,199,70,225,226,97,114,2,149,239,63,52,211,209,152,49,2,92,152,238,148,185,58,73,30,45,12,201), $null, 'CurrentUser')"
          2⤵
          • An obfuscated cmd.exe command-line is typically used to evade detection.
          • Suspicious use of WriteProcessMemory
          PID:4972
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,21,13,251,61,125,41,113,73,181,63,165,1,91,36,248,68,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,52,149,19,144,89,112,59,59,251,229,141,202,64,101,240,104,137,13,3,69,53,156,155,146,175,90,146,162,246,238,201,90,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,8,59,176,18,137,226,140,52,19,171,62,247,31,153,110,138,40,43,108,72,120,10,22,206,204,166,195,251,206,76,84,236,48,0,0,0,182,67,21,24,178,28,183,38,171,5,235,33,128,96,100,191,115,29,3,244,255,89,222,94,221,44,46,134,199,244,235,56,71,157,109,19,168,133,44,36,119,44,14,122,209,122,31,112,64,0,0,0,122,214,19,81,118,163,136,78,57,148,251,210,240,3,134,99,156,175,50,154,230,153,101,220,35,132,92,147,223,230,14,232,202,102,120,97,201,199,70,225,226,97,114,2,149,239,63,52,211,209,152,49,2,92,152,238,148,185,58,73,30,45,12,201), $null, 'CurrentUser')
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4960
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,21,13,251,61,125,41,113,73,181,63,165,1,91,36,248,68,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,87,225,225,105,74,250,17,14,121,162,50,56,214,71,202,251,32,121,40,26,5,205,214,52,26,191,58,177,200,241,246,155,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,137,230,184,142,248,175,36,120,222,4,110,117,60,85,255,52,21,39,177,126,38,76,194,9,75,54,127,87,52,196,251,57,48,0,0,0,62,242,129,76,25,82,189,44,92,5,130,128,156,115,35,25,175,83,81,85,159,232,192,255,184,181,3,127,179,216,232,85,78,47,144,255,115,62,133,108,75,82,5,154,21,128,253,243,64,0,0,0,96,3,115,172,134,228,139,54,161,25,254,150,216,24,138,103,124,43,211,181,183,191,211,17,78,104,20,9,218,8,230,157,99,145,15,109,156,238,65,113,104,211,133,73,126,187,22,212,132,81,131,66,39,202,237,184,142,225,59,166,44,170,47,76), $null, 'CurrentUser')"
          2⤵
          • An obfuscated cmd.exe command-line is typically used to evade detection.
          • Suspicious use of WriteProcessMemory
          PID:5040
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,21,13,251,61,125,41,113,73,181,63,165,1,91,36,248,68,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,87,225,225,105,74,250,17,14,121,162,50,56,214,71,202,251,32,121,40,26,5,205,214,52,26,191,58,177,200,241,246,155,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,137,230,184,142,248,175,36,120,222,4,110,117,60,85,255,52,21,39,177,126,38,76,194,9,75,54,127,87,52,196,251,57,48,0,0,0,62,242,129,76,25,82,189,44,92,5,130,128,156,115,35,25,175,83,81,85,159,232,192,255,184,181,3,127,179,216,232,85,78,47,144,255,115,62,133,108,75,82,5,154,21,128,253,243,64,0,0,0,96,3,115,172,134,228,139,54,161,25,254,150,216,24,138,103,124,43,211,181,183,191,211,17,78,104,20,9,218,8,230,157,99,145,15,109,156,238,65,113,104,211,133,73,126,187,22,212,132,81,131,66,39,202,237,184,142,225,59,166,44,170,47,76), $null, 'CurrentUser')
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4916

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\webdata.db

        Filesize

        100KB

        MD5

        d4993802b9cf3203200f899233c3e2fc

        SHA1

        a632e8d796c8a0d1cf8cda55aa882b1a82b7318f

        SHA256

        cff606c51ac13f4352de08f7838939c1e261bdc232a10bb94f6924d00cbd0dd6

        SHA512

        1910cf846fe61ef744dc6bcf9062caaf6ab1856a64bd8aa6849cbddcdc8fa921f0cef16d0d9cc38842345f5873724b27764307076bd50bd46bb74f643cde03bd

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        3KB

        MD5

        f48896adf9a23882050cdff97f610a7f

        SHA1

        4c5a610df62834d43f470cae7e851946530e3086

        SHA256

        3ae35c2828715a2f9a5531d334a0cfffc81396c2dc058ca42a9943f3cdc22e78

        SHA512

        16644246f2a35a186fcb5c2b6456ed6a16e8db65ad1383109e06547f9b1f9358f071c30cca541ca4cf7bae66cb534535e88f75f6296a4bfc6c7b22b0684a6ba9

      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\webdata.db

        Filesize

        116KB

        MD5

        f70aa3fa04f0536280f872ad17973c3d

        SHA1

        50a7b889329a92de1b272d0ecf5fce87395d3123

        SHA256

        8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

        SHA512

        30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        1b0e3f53981de4024598d155ed522cad

        SHA1

        7ac4e8a1b4b89c455b90c887cd778b66b2ca818f

        SHA256

        049b105bc3c6af55d6310a5041a367a31cddeb6dbbc67bdccb275ca7d17c8411

        SHA512

        4f3a22482852a68d5aea984d9bac9fce6cc159b1b6a874e7a75c5b8415ec723c3da7503257bf7888af49d486afb032bb1e7c9337bed23d8a1f46e53d3ff3cb74

      • C:\Users\Admin\AppData\Local\Temp\39543890-855c-4291-8a0e-21c79e6bdf3c.tmp.node

        Filesize

        137KB

        MD5

        04bfbfec8db966420fe4c7b85ebb506a

        SHA1

        939bb742a354a92e1dcd3661a62d69e48030a335

        SHA256

        da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd

        SHA512

        4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_02rbfjkq.apw.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Local\Temp\b636eacc-7b68-4720-bf63-a563b2100af7.tmp.node

        Filesize

        1.6MB

        MD5

        aa8da32ebca307d4f99cf2da290afd22

        SHA1

        8590c0b54987ad6b0bc15a1aa66b9d2ca65ca899

        SHA256

        ed3a86d32e83849720e150c18c4d19c90cabe912d674624f34051c19936167db

        SHA512

        d7809a39922d99a716744e6cc17e4094930c40a8a21c983830c3570c4e52846151d66ad5d6021bc2a5b5fd29f520465b7b88f71cb86c30e0fadc4d0fb21ee1d7

      • C:\Users\Admin\AppData\Local\Temp\xx_lol\Browser.zip

        Filesize

        22B

        MD5

        76cdb2bad9582d23c1f6f4d868218d6c

        SHA1

        b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

        SHA256

        8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

        SHA512

        5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

      • memory/4960-11-0x00000192F2D90000-0x00000192F2DB2000-memory.dmp

        Filesize

        136KB

      • memory/4960-21-0x00000192F3250000-0x00000192F32A0000-memory.dmp

        Filesize

        320KB