blankgrabber | f30eb63328b85d20a39eb4a4be946c23095534091d6898f7aed0a89e544b8f7d | Triage

Submit
Reports

Overview

overview

Static

static

Runtime Br...1).exe

windows11-21h2-x64

9

Sharing

General

Target

Runtime Broker (1).exe
Size

11.4MB
Sample

241013-y55axawgnd
MD5

7642bd2f1d2663c9dbaec9d6bd0386f1
SHA1

76510f9aa1d8c1838a30e314fc6f8646345df4de
SHA256

f30eb63328b85d20a39eb4a4be946c23095534091d6898f7aed0a89e544b8f7d
SHA512

aa2a5dac5faf6381199c276e797449fd25a2226d215d90edc6d799256d4c72004b36c698224c2ab29ab09b9c8a397a2dc0bbfe54e80c58dfd777a0351781cb87
SSDEEP

196608:U6g8VEtGLZ6eVYj/5or8HwCo+PSowfI9jUC2gYBYv3vbW4SEf+iITx1U6ns:q8VEEZ6eVW/5or8H7JPS3IH2gYBgDWZY

Score

10^/10

blankgrabber discovery evasion execution upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

Runtime Broker (1).exe

Resource

win11-20241007-en

discovery evasion execution upx

windows11-21h2-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  Runtime Broker (1).exe
- Size
  
  11.4MB
- MD5
  
  7642bd2f1d2663c9dbaec9d6bd0386f1
- SHA1
  
  76510f9aa1d8c1838a30e314fc6f8646345df4de
- SHA256
  
  f30eb63328b85d20a39eb4a4be946c23095534091d6898f7aed0a89e544b8f7d
- SHA512
  
  aa2a5dac5faf6381199c276e797449fd25a2226d215d90edc6d799256d4c72004b36c698224c2ab29ab09b9c8a397a2dc0bbfe54e80c58dfd777a0351781cb87
- SSDEEP
  
  196608:U6g8VEtGLZ6eVYj/5or8HwCo+PSowfI9jUC2gYBYv3vbW4SEf+iITx1U6ns:q8VEEZ6eVW/5or8H7JPS3IH2gYBgDWZY
Score

9^/10

discovery evasion execution upx
- Looks for VirtualBox Guest Additions in registry
  evasion
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Enumerates processes with tasklist
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Process Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryevasionexecutionupx

© 2018-2025

Terms | Privacy