Overview

overview

10

Static

static

3

RuntimeBroker.exe

windows7-x64

10

RuntimeBroker.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-09-2024 17:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RuntimeBroker.exe

  • Size

    346KB

  • MD5

    6a983258dfa7b270cc0938e4c453f66a

  • SHA1

    21cb0158a55a859552fbfe442b7e7ca04c3dd77f

  • SHA256

    2b80a0860ed3b8e262f242f251839d513808829fc3e209b93d2048c272ccc205

  • SHA512

    7273d35af4e4c590566c9d514a26a24aa71696a94aab0a0bfc30820d6a6e9918044cd0df11c20b9b983b3b30edcfecc76a6e9670bdbb8ab7a7ed48c9d405fef5

  • SSDEEP

    6144:q/cLTw+cOiFUk6Pv6U9yy/J6cIiPx166FpQoO/KzFHT809ii6VfNtvAeB9:q0LdcOiFhXKU6/3zFA09iD1tIeB9

Score
10/10
umbralxwormcredential_accessdiscoveryexecutionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

expected-schema.gl.at.ply.gg:2980

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    USB.exe

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3644
    • C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2888
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4508
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:5076
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\RuntimeBroker'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:3088
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:2212
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RuntimeBroker" /tr "C:\Users\Admin\RuntimeBroker"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:376
    • C:\Users\Admin\AppData\Roaming\Umbrall.exe
      "C:\Users\Admin\AppData\Roaming\Umbrall.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3300
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1808
      • C:\Windows\SYSTEM32\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Roaming\Umbrall.exe"
        3⤵
        • Views/modifies file attributes
        PID:4168
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Umbrall.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1748
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1412
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2924
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4672
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1628
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
          PID:4244
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          3⤵
            PID:1524
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:3208
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic" path win32_VideoController get name
            3⤵
            • Detects videocard installed
            PID:2856
          • C:\Windows\SYSTEM32\cmd.exe
            "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Roaming\Umbrall.exe" && pause
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Suspicious use of WriteProcessMemory
            PID:2672
            • C:\Windows\system32\PING.EXE
              ping localhost
              4⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4276
        • C:\Users\Admin\AppData\Roaming\SynsWave.exe
          "C:\Users\Admin\AppData\Roaming\SynsWave.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1080
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c cls
            3⤵
              PID:1896
        • C:\Users\Admin\RuntimeBroker
          C:\Users\Admin\RuntimeBroker
          1⤵
          • Executes dropped EXE
          PID:3036
        • C:\Users\Admin\RuntimeBroker
          C:\Users\Admin\RuntimeBroker
          1⤵
          • Executes dropped EXE
          PID:1808
        • C:\Users\Admin\RuntimeBroker
          C:\Users\Admin\RuntimeBroker
          1⤵
          • Executes dropped EXE
          PID:2448

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Command and Scripting Interpreter

        1
        T1059

        PowerShell

        1
        T1059.001

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Defense Evasion

        Hide Artifacts

        1
        T1564

        Hidden Files and Directories

        1
        T1564.001

        Modify Registry

        1
        T1112

        Credential Access

        Credentials from Password Stores

        1
        T1555

        Credentials from Web Browsers

        1
        T1555.003

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        Query Registry

        2
        T1012

        Remote System Discovery

        1
        T1018

        System Information Discovery

        3
        T1082

        System Network Configuration Discovery

        1
        T1016

        Internet Connection Discovery

        1
        T1016.001

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Command and Control

        Web Service

        1
        T1102

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.log
          Filesize

          654B

          MD5

          2ff39f6c7249774be85fd60a8f9a245e

          SHA1

          684ff36b31aedc1e587c8496c02722c6698c1c4e

          SHA256

          e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

          SHA512

          1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          d85ba6ff808d9e5444a4b369f5bc2730

          SHA1

          31aa9d96590fff6981b315e0b391b575e4c0804a

          SHA256

          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

          SHA512

          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          36d03a272b43b1c16e5bce541906f649

          SHA1

          66f0178c3182a09386738d60501411a14b4a3864

          SHA256

          3fe1814466c786b9b14e3d1b9f9348434db490bc462b9e071f7bcaea5ef9e270

          SHA512

          d6c34935c1c22bda2ffd3550e54ca77bca92ab46829d3acc58c263fec94f8b6fa578105a80121c78e6d38ee51ec8f1bb8ae74ba7844a207499145308ec982a3a

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          852f019aa3823e1c90335ba698f31412

          SHA1

          a94ebb8e47316a5fec092ab897ec34299a82d200

          SHA256

          b4bed2ce3d5b6577836eb2b0a766c008243a1db942e341717fb4bc18e84fc2f0

          SHA512

          ca94865644cb570f60cf35a08ad5de6a3af4503bc40845237219c31e910f89cc93b280d997514583d86e6cf45eb2b8749bfe2e41bbaef67471e0b64b579e5ab3

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          7daa0b6c9f8fb37635f8121b0c06690a

          SHA1

          5684d950c7e582b02ba88e579f0d350100d16889

          SHA256

          a37ab7ac828226c2de1d05cdf35a6d7934ff3e5ecd617d46df1cdc784783d86b

          SHA512

          55578b4054f8e12df4721df0f8f35ca1f879dd2e2e32ac8aaa8bebf68f5521dfb35547a0f15e670cecd8019f18b32c0e6d78f44556431807e4225b04c0e99c35

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          22310ad6749d8cc38284aa616efcd100

          SHA1

          440ef4a0a53bfa7c83fe84326a1dff4326dcb515

          SHA256

          55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

          SHA512

          2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          6d42b6da621e8df5674e26b799c8e2aa

          SHA1

          ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

          SHA256

          5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

          SHA512

          53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          948B

          MD5

          985b3105d8889886d6fd953575c54e08

          SHA1

          0f9a041240a344d82bac0a180520e7982c15f3cd

          SHA256

          5178fdd457eb3eb25c8f72ed4c22c582a83de0d324db66d0446d660f226e944d

          SHA512

          0fd59bc4886b70aa3b7eeeaa23229b7fdc93410ca7f8452860e4a1bbda2559eaa5e4b05c3ec2d85f7d648daf3c16741f4c2c18f2dd3bae4cc4a4e57ae4f665b0

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          548dd08570d121a65e82abb7171cae1c

          SHA1

          1a1b5084b3a78f3acd0d811cc79dbcac121217ab

          SHA256

          cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

          SHA512

          37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o4skeuya.vtn.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
          Filesize

          80KB

          MD5

          5b8832e9845170717385ed9fb6dd6589

          SHA1

          b51bbc5d54e0e7c84a3488ca16643e8c88e452fa

          SHA256

          21ed3d77c21d3f856d7a0852f316abb104c90004e912fa330562435921a26d1d

          SHA512

          841f88b766c9aae7d6ac3f8c6e563da16a1266bb795c38060d465451c15b0052b13e58e26ad95325253d9196d30717418cbe3c75ad19eaad21a9bdf9f5289fa6

          Download Submit

        • C:\Users\Admin\AppData\Roaming\SynsWave.exe
          Filesize

          25KB

          MD5

          12e7359129744823438f3d6b97192955

          SHA1

          89872a5a18abefe25d10efa824281718cf85ae39

          SHA256

          348086f9bd5939a48efcc94702271c1caf92ea11f3b0385367daf9530b51cf3e

          SHA512

          b38516752817d3ac6541d300cc17176c5bf1c38d321fd19c006cb1f5cf9d5ab7a228184ed267636841225e718f71d9cd8aed5e53e36c7ee3548ed6958b9e8563

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Umbrall.exe
          Filesize

          230KB

          MD5

          0b1ca5b7db9b402d2a2d5f2ceffb6d03

          SHA1

          e29fc0c937e930ae463110e6954759bdad901063

          SHA256

          7e7441520b44960fdc5fc8ec1b43c27a460baf7d84874d91fc78f4f97fd85aab

          SHA512

          5106921b55ec7f907b79a5b5fcab8cd387f27005c1da9a64680e0c2bdb25b99a20bbe59132452176ad9dcee9d8c2d23a8326f786de6453ef47094723f3e9a8b3

          Download Submit

        • memory/1748-37-0x000002BBB3C30000-0x000002BBB3C52000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2888-34-0x00007FFFCDA10000-0x00007FFFCE4D1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2888-168-0x00007FFFCDA10000-0x00007FFFCE4D1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2888-29-0x0000000000540000-0x000000000055A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/3300-30-0x0000020D35780000-0x0000020D357C0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/3300-101-0x0000020D37430000-0x0000020D3743A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3300-102-0x0000020D375D0000-0x0000020D375E2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/3300-65-0x0000020D373F0000-0x0000020D3740E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/3300-64-0x0000020D37440000-0x0000020D37490000-memory.dmp

          Filesize

          320KB

          Download

        • memory/3300-63-0x0000020D4FCF0000-0x0000020D4FD66000-memory.dmp

          Filesize

          472KB

          Download

        • memory/3300-36-0x00007FFFCDA10000-0x00007FFFCE4D1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3300-164-0x00007FFFCDA10000-0x00007FFFCE4D1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3644-0-0x00007FFFCDA13000-0x00007FFFCDA15000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3644-1-0x0000000000360000-0x00000000003BC000-memory.dmp

          Filesize

          368KB

          Download