Overview
overview
7Static
static
3WinSAT.exe
windows10-1703-x64
7WinSAT.exe
windows11-21h2-x64
7$PLUGINSDI...ls.dll
windows10-1703-x64
3$PLUGINSDI...ls.dll
windows11-21h2-x64
3$PLUGINSDI...em.dll
windows10-1703-x64
3$PLUGINSDI...em.dll
windows11-21h2-x64
3LICENSES.c...m.html
windows10-1703-x64
4LICENSES.c...m.html
windows11-21h2-x64
1Runtime Broker.exe
windows10-1703-x64
7Runtime Broker.exe
windows11-21h2-x64
7d3dcompiler_47.dll
windows10-1703-x64
3d3dcompiler_47.dll
windows11-21h2-x64
3ffmpeg.dll
windows10-1703-x64
1ffmpeg.dll
windows11-21h2-x64
1libEGL.dll
windows10-1703-x64
1libEGL.dll
windows11-21h2-x64
1libGLESv2.dll
windows10-1703-x64
3libGLESv2.dll
windows11-21h2-x64
3locales/af.ps1
windows10-1703-x64
3locales/af.ps1
windows11-21h2-x64
3locales/uk.ps1
windows10-1703-x64
3locales/uk.ps1
windows11-21h2-x64
3resources/elevate.exe
windows10-1703-x64
1resources/elevate.exe
windows11-21h2-x64
1vk_swiftshader.dll
windows10-1703-x64
3vk_swiftshader.dll
windows11-21h2-x64
3vulkan-1.dll
windows10-1703-x64
3vulkan-1.dll
windows11-21h2-x64
3$PLUGINSDI...7z.dll
windows10-1703-x64
3$PLUGINSDI...7z.dll
windows11-21h2-x64
3Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
20/07/2024, 12:16
Static task
static1
Behavioral task
behavioral1
Sample
WinSAT.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral2
Sample
WinSAT.exe
Resource
win11-20240709-en
windows11-21h2-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win11-20240709-en
windows11-21h2-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win11-20240709-en
windows11-21h2-x64
Behavioral task
behavioral7
Sample
LICENSES.chromium.html
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral8
Sample
LICENSES.chromium.html
Resource
win11-20240709-en
windows11-21h2-x64
Behavioral task
behavioral9
Sample
Runtime Broker.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral10
Sample
Runtime Broker.exe
Resource
win11-20240709-en
windows11-21h2-x64
Behavioral task
behavioral11
Sample
d3dcompiler_47.dll
Resource
win10-20240611-en
windows10-1703-x64
Behavioral task
behavioral12
Sample
d3dcompiler_47.dll
Resource
win11-20240709-en
windows11-21h2-x64
Behavioral task
behavioral13
Sample
ffmpeg.dll
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral14
Sample
ffmpeg.dll
Resource
win11-20240709-en
windows11-21h2-x64
Behavioral task
behavioral15
Sample
libEGL.dll
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral16
Sample
libEGL.dll
Resource
win11-20240709-en
windows11-21h2-x64
Behavioral task
behavioral17
Sample
libGLESv2.dll
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral18
Sample
libGLESv2.dll
Resource
win11-20240709-en
windows11-21h2-x64
Behavioral task
behavioral19
Sample
locales/af.ps1
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral20
Sample
locales/af.ps1
Resource
win11-20240709-en
windows11-21h2-x64
Behavioral task
behavioral21
Sample
locales/uk.ps1
Resource
win10-20240611-en
windows10-1703-x64
Behavioral task
behavioral22
Sample
locales/uk.ps1
Resource
win11-20240709-en
windows11-21h2-x64
Behavioral task
behavioral23
Sample
resources/elevate.exe
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral24
Sample
resources/elevate.exe
Resource
win11-20240709-en
windows11-21h2-x64
Behavioral task
behavioral25
Sample
vk_swiftshader.dll
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral26
Sample
vk_swiftshader.dll
Resource
win11-20240709-en
windows11-21h2-x64
Behavioral task
behavioral27
Sample
vulkan-1.dll
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral28
Sample
vulkan-1.dll
Resource
win11-20240709-en
windows11-21h2-x64
Behavioral task
behavioral29
Sample
$PLUGINSDIR/nsis7z.dll
Resource
win10-20240404-en
windows10-1703-x64
Behavioral task
behavioral30
Sample
$PLUGINSDIR/nsis7z.dll
Resource
win11-20240709-en
windows11-21h2-x64
General
-
Target
Runtime Broker.exe
-
Size
131.9MB
-
MD5
bff65c95858e13e36588e3ff4db40784
-
SHA1
12f97cf0ab8b9b99f492910fb78538dbde77c21a
-
SHA256
376f74c9e2d2964f43ad1f1f2e627c563f72d868ec83df9cdccc5a9d49b2bcee
-
SHA512
75f5912bc7e0eb30174b9f0e2e91552b4b67c781b5eee1b0a9adf33b2d6d9d4ab6fda01b4b6d480e173a3af699e246c333869966faab75da0ba338b76942371d
-
SSDEEP
1572864:Q4sMLl/BkZTVV2iplzf+ekzrMdTOG0AfhgojwlwVgmPQtn06H9rejAEdCoIZXCVX:ll/BkVVPBDgmPKa5Wnu3X7
Malware Config
Signatures
-
Loads dropped DLL 3 IoCs
pid Process 4140 Runtime Broker.exe 4140 Runtime Broker.exe 4140 Runtime Broker.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 4140 Runtime Broker.exe 4140 Runtime Broker.exe 2508 Runtime Broker.exe 2508 Runtime Broker.exe 2652 Runtime Broker.exe 2652 Runtime Broker.exe 2652 Runtime Broker.exe 2652 Runtime Broker.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 4140 Runtime Broker.exe Token: SeCreatePagefilePrivilege 4140 Runtime Broker.exe Token: SeShutdownPrivilege 4140 Runtime Broker.exe Token: SeCreatePagefilePrivilege 4140 Runtime Broker.exe Token: SeShutdownPrivilege 4140 Runtime Broker.exe Token: SeCreatePagefilePrivilege 4140 Runtime Broker.exe Token: SeShutdownPrivilege 4140 Runtime Broker.exe Token: SeCreatePagefilePrivilege 4140 Runtime Broker.exe Token: SeShutdownPrivilege 4140 Runtime Broker.exe Token: SeCreatePagefilePrivilege 4140 Runtime Broker.exe Token: SeShutdownPrivilege 4140 Runtime Broker.exe Token: SeCreatePagefilePrivilege 4140 Runtime Broker.exe Token: SeShutdownPrivilege 4140 Runtime Broker.exe Token: SeCreatePagefilePrivilege 4140 Runtime Broker.exe Token: SeShutdownPrivilege 4140 Runtime Broker.exe Token: SeCreatePagefilePrivilege 4140 Runtime Broker.exe Token: SeShutdownPrivilege 4140 Runtime Broker.exe Token: SeCreatePagefilePrivilege 4140 Runtime Broker.exe Token: SeShutdownPrivilege 4140 Runtime Broker.exe Token: SeCreatePagefilePrivilege 4140 Runtime Broker.exe Token: SeShutdownPrivilege 4140 Runtime Broker.exe Token: SeCreatePagefilePrivilege 4140 Runtime Broker.exe Token: SeShutdownPrivilege 4140 Runtime Broker.exe Token: SeCreatePagefilePrivilege 4140 Runtime Broker.exe Token: SeShutdownPrivilege 4140 Runtime Broker.exe Token: SeCreatePagefilePrivilege 4140 Runtime Broker.exe Token: SeShutdownPrivilege 4140 Runtime Broker.exe Token: SeCreatePagefilePrivilege 4140 Runtime Broker.exe Token: SeShutdownPrivilege 4140 Runtime Broker.exe Token: SeCreatePagefilePrivilege 4140 Runtime Broker.exe Token: SeShutdownPrivilege 4140 Runtime Broker.exe Token: SeCreatePagefilePrivilege 4140 Runtime Broker.exe Token: SeShutdownPrivilege 4140 Runtime Broker.exe Token: SeCreatePagefilePrivilege 4140 Runtime Broker.exe Token: SeShutdownPrivilege 4140 Runtime Broker.exe Token: SeCreatePagefilePrivilege 4140 Runtime Broker.exe Token: SeShutdownPrivilege 4140 Runtime Broker.exe Token: SeCreatePagefilePrivilege 4140 Runtime Broker.exe Token: SeShutdownPrivilege 4140 Runtime Broker.exe Token: SeCreatePagefilePrivilege 4140 Runtime Broker.exe Token: SeShutdownPrivilege 4140 Runtime Broker.exe Token: SeCreatePagefilePrivilege 4140 Runtime Broker.exe Token: SeShutdownPrivilege 4140 Runtime Broker.exe Token: SeCreatePagefilePrivilege 4140 Runtime Broker.exe Token: SeShutdownPrivilege 4140 Runtime Broker.exe Token: SeCreatePagefilePrivilege 4140 Runtime Broker.exe Token: SeShutdownPrivilege 4140 Runtime Broker.exe Token: SeCreatePagefilePrivilege 4140 Runtime Broker.exe Token: SeShutdownPrivilege 4140 Runtime Broker.exe Token: SeCreatePagefilePrivilege 4140 Runtime Broker.exe Token: SeShutdownPrivilege 4140 Runtime Broker.exe Token: SeCreatePagefilePrivilege 4140 Runtime Broker.exe Token: SeShutdownPrivilege 4140 Runtime Broker.exe Token: SeCreatePagefilePrivilege 4140 Runtime Broker.exe Token: SeShutdownPrivilege 4140 Runtime Broker.exe Token: SeCreatePagefilePrivilege 4140 Runtime Broker.exe Token: SeShutdownPrivilege 4140 Runtime Broker.exe Token: SeCreatePagefilePrivilege 4140 Runtime Broker.exe Token: SeShutdownPrivilege 4140 Runtime Broker.exe Token: SeCreatePagefilePrivilege 4140 Runtime Broker.exe Token: SeShutdownPrivilege 4140 Runtime Broker.exe Token: SeCreatePagefilePrivilege 4140 Runtime Broker.exe Token: SeShutdownPrivilege 4140 Runtime Broker.exe Token: SeCreatePagefilePrivilege 4140 Runtime Broker.exe -
Suspicious use of WriteProcessMemory 47 IoCs
description pid Process procid_target PID 4140 wrote to memory of 836 4140 Runtime Broker.exe 75 PID 4140 wrote to memory of 836 4140 Runtime Broker.exe 75 PID 4140 wrote to memory of 836 4140 Runtime Broker.exe 75 PID 836 wrote to memory of 68 836 cmd.exe 77 PID 836 wrote to memory of 68 836 cmd.exe 77 PID 836 wrote to memory of 68 836 cmd.exe 77 PID 4140 wrote to memory of 4772 4140 Runtime Broker.exe 78 PID 4140 wrote to memory of 4772 4140 Runtime Broker.exe 78 PID 4140 wrote to memory of 4772 4140 Runtime Broker.exe 78 PID 4140 wrote to memory of 4884 4140 Runtime Broker.exe 80 PID 4140 wrote to memory of 4884 4140 Runtime Broker.exe 80 PID 4140 wrote to memory of 4884 4140 Runtime Broker.exe 80 PID 4140 wrote to memory of 4884 4140 Runtime Broker.exe 80 PID 4140 wrote to memory of 4884 4140 Runtime Broker.exe 80 PID 4140 wrote to memory of 4884 4140 Runtime Broker.exe 80 PID 4140 wrote to memory of 4884 4140 Runtime Broker.exe 80 PID 4140 wrote to memory of 4884 4140 Runtime Broker.exe 80 PID 4140 wrote to memory of 4884 4140 Runtime Broker.exe 80 PID 4140 wrote to memory of 4884 4140 Runtime Broker.exe 80 PID 4140 wrote to memory of 4884 4140 Runtime Broker.exe 80 PID 4140 wrote to memory of 4884 4140 Runtime Broker.exe 80 PID 4140 wrote to memory of 4884 4140 Runtime Broker.exe 80 PID 4140 wrote to memory of 4884 4140 Runtime Broker.exe 80 PID 4140 wrote to memory of 4884 4140 Runtime Broker.exe 80 PID 4140 wrote to memory of 4884 4140 Runtime Broker.exe 80 PID 4140 wrote to memory of 4884 4140 Runtime Broker.exe 80 PID 4140 wrote to memory of 4884 4140 Runtime Broker.exe 80 PID 4140 wrote to memory of 4884 4140 Runtime Broker.exe 80 PID 4140 wrote to memory of 4884 4140 Runtime Broker.exe 80 PID 4140 wrote to memory of 4884 4140 Runtime Broker.exe 80 PID 4140 wrote to memory of 4884 4140 Runtime Broker.exe 80 PID 4140 wrote to memory of 4884 4140 Runtime Broker.exe 80 PID 4140 wrote to memory of 4884 4140 Runtime Broker.exe 80 PID 4140 wrote to memory of 4884 4140 Runtime Broker.exe 80 PID 4140 wrote to memory of 4884 4140 Runtime Broker.exe 80 PID 4140 wrote to memory of 4884 4140 Runtime Broker.exe 80 PID 4140 wrote to memory of 4884 4140 Runtime Broker.exe 80 PID 4140 wrote to memory of 4884 4140 Runtime Broker.exe 80 PID 4140 wrote to memory of 4884 4140 Runtime Broker.exe 80 PID 4140 wrote to memory of 4884 4140 Runtime Broker.exe 80 PID 4140 wrote to memory of 4884 4140 Runtime Broker.exe 80 PID 4140 wrote to memory of 2508 4140 Runtime Broker.exe 81 PID 4140 wrote to memory of 2508 4140 Runtime Broker.exe 81 PID 4140 wrote to memory of 2508 4140 Runtime Broker.exe 81 PID 4140 wrote to memory of 2652 4140 Runtime Broker.exe 82 PID 4140 wrote to memory of 2652 4140 Runtime Broker.exe 82 PID 4140 wrote to memory of 2652 4140 Runtime Broker.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "chcp"2⤵
- Suspicious use of WriteProcessMemory
PID:836 -
C:\Windows\SysWOW64\chcp.comchcp3⤵PID:68
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"2⤵PID:4772
-
-
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\wtcysiftkispyelt" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1740,i,1344111475683998846,758644542348631035,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:22⤵PID:4884
-
-
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\wtcysiftkispyelt" --mojo-platform-channel-handle=1288 --field-trial-handle=1740,i,1344111475683998846,758644542348631035,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2508
-
-
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\wtcysiftkispyelt" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1740,i,1344111475683998846,758644542348631035,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:2652
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
121KB
MD5f46fe538a709da6b7fa4ad1ff81ff21d
SHA1a5d5faa88d196d4882fc59e06449106997dd1493
SHA2560c242257696ee67083e6aff39945ee9b287b31a1d3907cf0c71a5be629e35d97
SHA5129c3a627996f748255222d48d1fb9cefc56f161be46e357b5c9e75ad5dceeeb5ab04877ec76472969c0ab8890ae79f450027cd34c65e7138be2be7ca7586347c9
-
Filesize
1.4MB
MD5d66c8072d89fbd0db96746255b069803
SHA1730ee9ed085bd5f90712c74610c79664b0c1e581
SHA256c691de7e9369ada175e0db89590f91f65e1b6cc4e591a0c7cf359036b208f764
SHA5125d90d69d9b39e9641b86be9825fc437dba93c8ffafe5b3dbd8be68a6d85eed572ddccd74ed6cbaed8b0a6204cfc0feab07826983f37c773fc0c1b7acf4d969f8
-
Filesize
83KB
MD5a15d6f4bef89a3e388e76e150467ac6d
SHA13de913f8b9cb1522c5d1b482cce95ce885df07db
SHA256fd912308a71b4885f32bef19fab5a643b58a8992187917e3d8f1c392bfd622d0
SHA512d48b9c99cb82c57cdd6cca123a80053fe88a7765640667d40ca09d49dcf215162b2864a4f0cb1042b12487c59145e09c1b74aedc3af88e207234cef1048162a0