| Field | Value |
|---|---|
| File name: | RuntimeBroker.exe |
| Full analysis: | https://app.any.run/tasks/af640e2d-2978-4db9-8daf-19b837823d53 |
| Verdict: | Malicious activity |
| Analysis date: | December 04, 2023, 13:27:19 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | DF4AD77804D72A0CA3C9BF65B5E92507 |
| SHA1: | 6D369E924E837FCE62D66A6A888FF26DEEE88313 |
| SHA256: | A28AABF82C5FDC9FA56F7E04AC35355110CDACEE7332A369875D2E384B1A8772 |
| SSDEEP: | 192:P1nPWkBJyY1nDsRuj5+JtdBvDEe0ZM9jLPQ0dpCDc9ZCL:gkBJxtDsRusdBvDEe0ZM9fPQ+CDc9ZC |
| Extension | Identified type (match %) |
|---|---|
| .exe | Generic CIL Executable (.NET, Mono, etc.) (82.9) |
| .dll | Win32 Dynamic Link Library (generic) (7.4) |
| .exe | Win32 Executable (generic) (5.1) |
| .exe | Generic Win/DOS Executable (2.2) |
| .exe | DOS Executable Generic (2.2) |
| Field | Value |
|---|---|
| MachineType: | Intel 386 or later, and compatibles |
| TimeStamp: | 2023:12:03 00:00:52+01:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 11 |
| CodeSize: | 8192 |
| InitializedDataSize: | 2048 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x3fce |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 5.3.0.0 |
| ProductVersionNumber: | 5.3.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | Runtime Broker Klatter |
| CompanyName: | Runtime Broker KMR |
| FileDescription: | Runtime Broker |
| FileVersion: | 5.3.0.0 |
| InternalName: | RuntimeBroker.exe |
| LegalCopyright: | Copyright © 2023 |
| OriginalFileName: | RuntimeBroker.exe |
| ProductName: | Runtime Broker 2 |
| ProductVersion: | 5.3.0.0 |
| AssemblyVersion: | 1.0.0.0 |
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 1016 | C:\Windows\system32\unregmp2.exe /SetWMPAsDefault | C:\Windows\System32\unregmp2.exe | — | ComputerDefaults.exe | admin | Microsoft Corporation | HIGH | Microsoft Windows Media Player Setup Utility | 0 | 12.0.7600.16385 (win7_rtm.090713-1255) |
| 1864 | "cmd.exe" /C computerdefaults.exe | C:\Windows\System32\cmd.exe | — | RuntimeBroker.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2076 | computerdefaults.exe | C:\Windows\System32\ComputerDefaults.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Set Program Access and Computer Defaults Control Panel | 3221226540 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2332 | "C:\Windows\system32\ComputerDefaults.exe" | C:\Windows\System32\ComputerDefaults.exe | | cmd.exe | admin | Microsoft Corporation | HIGH | Set Program Access and Computer Defaults Control Panel | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2524 | "C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f | C:\Windows\System32\reg.exe | — | RuntimeBroker.exe | admin | Microsoft Corporation | MEDIUM | Registry Console Tool | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2624 | "C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\admin\AppData\Local\Temp\creambitch181444.vbs" /f | C:\Windows\System32\reg.exe | — | RuntimeBroker.exe | admin | Microsoft Corporation | MEDIUM | Registry Console Tool | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2716 | "C:\Windows\System32\ie4uinit.exe" -reinstall | C:\Windows\System32\ie4uinit.exe | | ComputerDefaults.exe | admin | Microsoft Corporation | HIGH | IE Per-User Initialization Utility | 0 | 11.00.9600.16428 (winblue_gdr.131013-1700) |
| 2764 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Windows Media Player Network Sharing Service Configuration Application | 0 | 12.0.7600.16385 (win7_rtm.090713-1255) |
| 3028 | "C:\Windows\system32\ComputerDefaults.exe" | C:\Windows\System32\ComputerDefaults.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Set Program Access and Computer Defaults Control Panel | 3221226540 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3092 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Windows Explorer | 1 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 1864 | cmd.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1 |
| 1864 | cmd.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1 |
| 1864 | cmd.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1 |
| 1864 | cmd.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0 |
| 3476 | RuntimeBroker.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E | write | LanguageList | en-US |
| 2332 | ComputerDefaults.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E | write | LanguageList | en-US |
| 2332 | ComputerDefaults.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet | write | LastUserInitiatedDefaultChange | FE43B4A6B526DA01 |
| 2716 | ie4uinit.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} | write | IsInstalled | 1 |
| 2716 | ie4uinit.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\InstallInfo | write | IconsVisible | 1 |
| 2716 | ie4uinit.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http | write | EditFlags | 2097154 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3476 | RuntimeBroker.exe | C:\Users\admin\AppData\Local\Temp\creambitch181444.vbs | text | A34267102C21AFF46AECC85598924544 | EBA7AB5C248E46DBE70470B41EBF25A378B4EFF9CE632ADFF927AC1F95583D44 |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
| 1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
| 3476 | RuntimeBroker.exe | 104.21.28.191:443 | certsc.lat | CLOUDFLARENET | — | unknown |
| Domain | IP | Reputation |
|---|---|---|
| certsc.lat | | unknown |