d4008eb38d10ae27765fa344785fdcb2e34d372d85578e406fc43f74d4f257a7

Analysis

max time kernel
1801s
max time network
1598s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
30/06/2024, 15:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

runtimebroker.exe
Size

154.7MB
MD5

75990ee1ed0dd57459df924c28b46700
SHA1

be7d7c518a44b3d73230364fd2064f9e2918f733
SHA256

43ebd800204d360a8ea88eb0d2ed10df9553a910741cd5646ed7d276fd0723a5
SHA512

f1337181f33e6724939859dc5d9fff45242870b36021fb45c737a261f82ed56e594370a24afe87f94a4376e92c0391604714fa2ff80ec000709fc66bc48341e2
SSDEEP

1572864:WQLTsMunuCM2/w9Asn6xzIEhw3JvqzPd24cwT3tIDvvEO/TZidNoyiMhOab0XLHE:WA8g5vu

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runtimebroker.exe	runtimebroker.exe

Loads dropped DLL 2 IoCs

pid	Process
4844	runtimebroker.exe
4844	runtimebroker.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
19	discord.com
21	discord.com
32	discord.com

An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs

pid	Process
3216	cmd.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
4200	tasklist.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1016	powershell.exe
1016	powershell.exe
1016	powershell.exe
4328	runtimebroker.exe
4328	runtimebroker.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4200	tasklist.exe
Token: SeShutdownPrivilege	4844	runtimebroker.exe
Token: SeCreatePagefilePrivilege	4844	runtimebroker.exe
Token: SeShutdownPrivilege	4844	runtimebroker.exe
Token: SeCreatePagefilePrivilege	4844	runtimebroker.exe
Token: SeShutdownPrivilege	4844	runtimebroker.exe
Token: SeCreatePagefilePrivilege	4844	runtimebroker.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeShutdownPrivilege	4844	runtimebroker.exe
Token: SeCreatePagefilePrivilege	4844	runtimebroker.exe
Token: SeShutdownPrivilege	4844	runtimebroker.exe
Token: SeCreatePagefilePrivilege	4844	runtimebroker.exe
Token: SeShutdownPrivilege	4844	runtimebroker.exe
Token: SeCreatePagefilePrivilege	4844	runtimebroker.exe
Token: SeShutdownPrivilege	4844	runtimebroker.exe
Token: SeCreatePagefilePrivilege	4844	runtimebroker.exe
Token: SeShutdownPrivilege	4844	runtimebroker.exe
Token: SeCreatePagefilePrivilege	4844	runtimebroker.exe
Token: SeShutdownPrivilege	4844	runtimebroker.exe
Token: SeCreatePagefilePrivilege	4844	runtimebroker.exe
Token: SeShutdownPrivilege	4844	runtimebroker.exe
Token: SeCreatePagefilePrivilege	4844	runtimebroker.exe
Token: SeShutdownPrivilege	4844	runtimebroker.exe
Token: SeCreatePagefilePrivilege	4844	runtimebroker.exe
Token: SeShutdownPrivilege	4844	runtimebroker.exe
Token: SeCreatePagefilePrivilege	4844	runtimebroker.exe
Token: SeShutdownPrivilege	4844	runtimebroker.exe
Token: SeCreatePagefilePrivilege	4844	runtimebroker.exe
Token: SeShutdownPrivilege	4844	runtimebroker.exe
Token: SeCreatePagefilePrivilege	4844	runtimebroker.exe
Token: SeShutdownPrivilege	4844	runtimebroker.exe
Token: SeCreatePagefilePrivilege	4844	runtimebroker.exe
Token: SeShutdownPrivilege	4844	runtimebroker.exe
Token: SeCreatePagefilePrivilege	4844	runtimebroker.exe
Token: SeShutdownPrivilege	4844	runtimebroker.exe
Token: SeCreatePagefilePrivilege	4844	runtimebroker.exe
Token: SeShutdownPrivilege	4844	runtimebroker.exe
Token: SeCreatePagefilePrivilege	4844	runtimebroker.exe
Token: SeShutdownPrivilege	4844	runtimebroker.exe
Token: SeCreatePagefilePrivilege	4844	runtimebroker.exe
Token: SeShutdownPrivilege	4844	runtimebroker.exe
Token: SeCreatePagefilePrivilege	4844	runtimebroker.exe
Token: SeShutdownPrivilege	4844	runtimebroker.exe
Token: SeCreatePagefilePrivilege	4844	runtimebroker.exe
Token: SeShutdownPrivilege	4844	runtimebroker.exe
Token: SeCreatePagefilePrivilege	4844	runtimebroker.exe
Token: SeShutdownPrivilege	4844	runtimebroker.exe
Token: SeCreatePagefilePrivilege	4844	runtimebroker.exe
Token: SeShutdownPrivilege	4844	runtimebroker.exe
Token: SeCreatePagefilePrivilege	4844	runtimebroker.exe
Token: SeShutdownPrivilege	4844	runtimebroker.exe
Token: SeCreatePagefilePrivilege	4844	runtimebroker.exe
Token: SeShutdownPrivilege	4844	runtimebroker.exe
Token: SeCreatePagefilePrivilege	4844	runtimebroker.exe
Token: SeShutdownPrivilege	4844	runtimebroker.exe
Token: SeCreatePagefilePrivilege	4844	runtimebroker.exe
Token: SeShutdownPrivilege	4844	runtimebroker.exe
Token: SeCreatePagefilePrivilege	4844	runtimebroker.exe
Token: SeShutdownPrivilege	4844	runtimebroker.exe
Token: SeCreatePagefilePrivilege	4844	runtimebroker.exe
Token: SeShutdownPrivilege	4844	runtimebroker.exe
Token: SeCreatePagefilePrivilege	4844	runtimebroker.exe
Token: SeShutdownPrivilege	4844	runtimebroker.exe
Token: SeCreatePagefilePrivilege	4844	runtimebroker.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 4688	4844	runtimebroker.exe	73
PID 4844 wrote to memory of 4688	4844	runtimebroker.exe	73
PID 4688 wrote to memory of 4200	4688	cmd.exe	75
PID 4688 wrote to memory of 4200	4688	cmd.exe	75
PID 4844 wrote to memory of 4240	4844	runtimebroker.exe	77
PID 4844 wrote to memory of 4240	4844	runtimebroker.exe	77
PID 4844 wrote to memory of 4240	4844	runtimebroker.exe	77
PID 4844 wrote to memory of 4240	4844	runtimebroker.exe	77
PID 4844 wrote to memory of 4240	4844	runtimebroker.exe	77
PID 4844 wrote to memory of 4240	4844	runtimebroker.exe	77
PID 4844 wrote to memory of 4240	4844	runtimebroker.exe	77
PID 4844 wrote to memory of 4240	4844	runtimebroker.exe	77
PID 4844 wrote to memory of 4240	4844	runtimebroker.exe	77
PID 4844 wrote to memory of 4240	4844	runtimebroker.exe	77
PID 4844 wrote to memory of 4240	4844	runtimebroker.exe	77
PID 4844 wrote to memory of 4240	4844	runtimebroker.exe	77
PID 4844 wrote to memory of 4240	4844	runtimebroker.exe	77
PID 4844 wrote to memory of 4240	4844	runtimebroker.exe	77
PID 4844 wrote to memory of 4240	4844	runtimebroker.exe	77
PID 4844 wrote to memory of 4240	4844	runtimebroker.exe	77
PID 4844 wrote to memory of 4240	4844	runtimebroker.exe	77
PID 4844 wrote to memory of 4240	4844	runtimebroker.exe	77
PID 4844 wrote to memory of 4240	4844	runtimebroker.exe	77
PID 4844 wrote to memory of 4240	4844	runtimebroker.exe	77
PID 4844 wrote to memory of 4240	4844	runtimebroker.exe	77
PID 4844 wrote to memory of 4240	4844	runtimebroker.exe	77
PID 4844 wrote to memory of 4240	4844	runtimebroker.exe	77
PID 4844 wrote to memory of 4240	4844	runtimebroker.exe	77
PID 4844 wrote to memory of 4240	4844	runtimebroker.exe	77
PID 4844 wrote to memory of 4240	4844	runtimebroker.exe	77
PID 4844 wrote to memory of 4240	4844	runtimebroker.exe	77
PID 4844 wrote to memory of 4240	4844	runtimebroker.exe	77
PID 4844 wrote to memory of 4240	4844	runtimebroker.exe	77
PID 4844 wrote to memory of 4240	4844	runtimebroker.exe	77
PID 4844 wrote to memory of 4240	4844	runtimebroker.exe	77
PID 4844 wrote to memory of 2520	4844	runtimebroker.exe	78
PID 4844 wrote to memory of 2520	4844	runtimebroker.exe	78
PID 4844 wrote to memory of 3216	4844	runtimebroker.exe	79
PID 4844 wrote to memory of 3216	4844	runtimebroker.exe	79
PID 3216 wrote to memory of 1016	3216	cmd.exe	81
PID 3216 wrote to memory of 1016	3216	cmd.exe	81
PID 4844 wrote to memory of 4328	4844	runtimebroker.exe	82
PID 4844 wrote to memory of 4328	4844	runtimebroker.exe	82

C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4200
- C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
  "C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1580 --field-trial-handle=1644,i,4051939112819348333,8372905147857267618,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:4240
- C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
  "C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --mojo-platform-channel-handle=1948 --field-trial-handle=1644,i,4051939112819348333,8372905147857267618,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:2520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,232,159,15,37,184,164,197,67,155,100,64,96,73,208,199,211,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,128,197,188,185,26,145,76,15,62,201,172,187,93,12,81,37,46,112,72,124,142,188,233,121,60,138,30,176,241,197,186,78,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,101,40,142,145,69,116,174,111,126,112,112,244,6,15,225,43,221,217,119,110,240,38,241,122,219,89,67,165,189,226,48,85,48,0,0,0,151,228,200,78,36,115,135,148,175,56,251,3,22,144,140,252,250,153,129,16,255,170,222,246,67,34,95,202,97,102,189,225,244,157,123,122,100,167,18,117,219,134,17,176,21,22,183,250,64,0,0,0,54,219,77,124,243,156,81,125,163,178,183,29,9,152,78,84,60,250,136,148,61,148,247,212,203,146,59,232,161,174,79,216,2,70,30,139,223,96,240,167,171,4,123,208,56,117,96,139,211,124,160,76,231,216,52,12,250,231,229,214,159,234,207,229), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:3216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,232,159,15,37,184,164,197,67,155,100,64,96,73,208,199,211,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,128,197,188,185,26,145,76,15,62,201,172,187,93,12,81,37,46,112,72,124,142,188,233,121,60,138,30,176,241,197,186,78,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,101,40,142,145,69,116,174,111,126,112,112,244,6,15,225,43,221,217,119,110,240,38,241,122,219,89,67,165,189,226,48,85,48,0,0,0,151,228,200,78,36,115,135,148,175,56,251,3,22,144,140,252,250,153,129,16,255,170,222,246,67,34,95,202,97,102,189,225,244,157,123,122,100,167,18,117,219,134,17,176,21,22,183,250,64,0,0,0,54,219,77,124,243,156,81,125,163,178,183,29,9,152,78,84,60,250,136,148,61,148,247,212,203,146,59,232,161,174,79,216,2,70,30,139,223,96,240,167,171,4,123,208,56,117,96,139,211,124,160,76,231,216,52,12,250,231,229,214,159,234,207,229), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1016
- C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
  "C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\runtimebroker" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=1644,i,4051939112819348333,8372905147857267618,131072 --disable-features=BlinkSchedulerMicroTaskQueuePerWindowAgent,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\webdata.db

Filesize
92KB

MD5
dc89cfe2a3b5ff9acb683c7237226713

SHA1
24f19bc7d79fa0c5af945b28616225866ee51dd5

SHA256
ceddefa824f1dd6e7e669d4470e18e557c22fe73359f5b31edf4537473b96148

SHA512
ee5d047e1124351997ecfaa5c8bd3e9ce8a974ac281675cda4d0a55e40f3883336a2378b9ebf3d1f227d01b386c26473c32e39bcab836da2b392bf778a6cf5c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hp3azwly.10g.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx_lol\Browser.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
\Users\Admin\AppData\Local\Temp\3a4eb8a3-6662-4b33-b573-08505bd69e43.tmp.node

Filesize
137KB

MD5
04bfbfec8db966420fe4c7b85ebb506a

SHA1
939bb742a354a92e1dcd3661a62d69e48030a335

SHA256
da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd

SHA512
4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65

Download Submit
\Users\Admin\AppData\Local\Temp\3d784584-acaa-4984-89d0-82559aee0216.tmp.node

Filesize
1.6MB

MD5
aa8da32ebca307d4f99cf2da290afd22

SHA1
8590c0b54987ad6b0bc15a1aa66b9d2ca65ca899

SHA256
ed3a86d32e83849720e150c18c4d19c90cabe912d674624f34051c19936167db

SHA512
d7809a39922d99a716744e6cc17e4094930c40a8a21c983830c3570c4e52846151d66ad5d6021bc2a5b5fd29f520465b7b88f71cb86c30e0fadc4d0fb21ee1d7

Download Submit
memory/1016-25-0x0000018658DD0000-0x0000018658DF2000-memory.dmp

Filesize
136KB

Download
memory/1016-28-0x0000018671420000-0x0000018671496000-memory.dmp

Filesize
472KB

Download
memory/1016-55-0x00000186714A0000-0x00000186714F0000-memory.dmp

Filesize
320KB

Download