Overview

overview

10

Static

static

3

Runtime Broker.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    36s
  • max time network
    37s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/09/2024, 01:25

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Runtime Broker.exe

  • Size

    3.6MB

  • MD5

    1484a688240ca48126a63402656a0ffb

  • SHA1

    9e8cf89f2c660c3de642c77505df683fdbdecf81

  • SHA256

    7dae384e0b67a443fce25a0e8b08e1ea8de09f8b25dd887f023667647db3f279

  • SHA512

    453310785a5357fb22249dbdd7c806537b4dc56f059eb80efbeb3113c2327cc6e3882ab677aac866364a8f7f46eeea62729bd692f6e8f074f237cb5df68d5dfa

  • SSDEEP

    98304:/ZjirkSkZ2z20nn4De0ybAwhEFRRF6dJx:/MUZ2S0nn4yg1fF+Jx

Score
10/10
agentteslaevasionkeyloggerspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 1 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
    "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3320
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4292,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=4056 /prefetch:8
    1⤵
      PID:2436

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/3320-0-0x00007FFE95F73000-0x00007FFE95F75000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3320-1-0x00000297094B0000-0x0000029709850000-memory.dmp

            Filesize

            3.6MB

            Download

          • memory/3320-2-0x00007FFE95F70000-0x00007FFE96A31000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3320-3-0x0000029723D60000-0x0000029723FD8000-memory.dmp

            Filesize

            2.5MB

            Download

          • memory/3320-4-0x00000297242D0000-0x00000297244E4000-memory.dmp

            Filesize

            2.1MB

            Download

          • memory/3320-5-0x00000297259E0000-0x00000297259F2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/3320-6-0x00007FFE95F70000-0x00007FFE96A31000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3320-7-0x00007FFE95F73000-0x00007FFE95F75000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3320-9-0x0000029725A00000-0x0000029725B02000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/3320-8-0x00000297244E0000-0x0000029724689000-memory.dmp

            Filesize

            1.7MB

            Download

          • memory/3320-10-0x00007FFE95F70000-0x00007FFE96A31000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3320-11-0x00007FFE95F70000-0x00007FFE96A31000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3320-12-0x00007FFE95F70000-0x00007FFE96A31000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3320-13-0x00000297244E0000-0x0000029724689000-memory.dmp

            Filesize

            1.7MB

            Download

          • memory/3320-15-0x00007FFE95F70000-0x00007FFE96A31000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3320-16-0x00007FFE95F70000-0x00007FFE96A31000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3320-17-0x00000297244E0000-0x0000029724689000-memory.dmp

            Filesize

            1.7MB

            Download

          • memory/3320-19-0x00007FFE95F70000-0x00007FFE96A31000-memory.dmp

            Filesize

            10.8MB

            Download