Analysis
-
max time kernel
19s -
max time network
18s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
08/03/2025, 13:01
Behavioral task
behavioral1
Sample
RuntimeBroker.exe
Resource
win7-20250207-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral2
Sample
RuntimeBroker.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
RuntimeBroker.exe
-
Size
79.3MB
-
MD5
124f3fa6f41d84cbcc952b5c3e12ed3a
-
SHA1
9630394b99dc05faf1d9e1ddafca676958fb8eb4
-
SHA256
5e646d8c38c533bb4181066044ff543a1e82ea19151adbc9101e6087537aa859
-
SHA512
d3397a05f4f8d9fefb0114010f8700e7d5f46d5e6e002277944ca843d4eb03ff37e72d19d26b2ff1e02dbcbdf5a4e67664cfd6173917529295e587ff73b12083
-
SSDEEP
786432:0kghWEk49Otsbyx1DOUNoER7gfxv9cghdYzXoJAO:tgAEk49QsmPf2f19cghdYzXSAO
Score
1/10
Malware Config
Signatures
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 17 IoCs
pid Process 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4612 taskmgr.exe Token: SeSystemProfilePrivilege 4612 taskmgr.exe Token: SeCreateGlobalPrivilege 4612 taskmgr.exe -
Suspicious use of FindShellTrayWindow 28 IoCs
pid Process 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe -
Suspicious use of SendNotifyMessage 28 IoCs
pid Process 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe 4612 taskmgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"1⤵PID:2892
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4612