Edit tour

Windows Analysis Report
RuntimeBrooker.exe

Overview

General Information

Sample name:	RuntimeBrooker.exe
Analysis ID:	1431561
MD5:	7d1082288a0d3f0467c1d57de7471036
SHA1:	7561a197d02bb43c3868a6fc0bd81a4a34e1570b
SHA256:	0870dabc1f1d62016d4b5c92565d86e1fe9b45ca26148fe98f0fb8cb811675d8
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Found direct / indirect Syscall (likely to bypass EDR)

Hides threads from debuggers

Machine Learning detection for sample

PE file has nameless sections

Query firmware table information (likely to detect VMs)

Checks if the current process is being debugged

PE file contains more sections than normal

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Classification

Process Tree

System is w10x64

RuntimeBrooker.exe (PID: 7704 cmdline: "C:\Users\user\Desktop\RuntimeBrooker.exe" MD5: 7D1082288A0D3F0467C1D57DE7471036)

conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Machine Learning detection for sample

Source: RuntimeBrooker.exe

Joe Sandbox ML: detected

Source: RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: RuntimeBrooker.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RuntimeBrooker.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: RuntimeBrooker.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: RuntimeBrooker.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: RuntimeBrooker.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: RuntimeBrooker.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: RuntimeBrooker.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: RuntimeBrooker.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: RuntimeBrooker.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: RuntimeBrooker.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: RuntimeBrooker.exe, 00000000.00000002.1649363162.00000000004E9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: RuntimeBrooker.exe, 00000000.00000002.1649363162.00000000004E9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.accv.es00
Source: RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: RuntimeBrooker.exe, 00000000.00000002.1649363162.00000000004E9000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://api.iproyal.com/https://api6.my-ip.io/ipidna:
Source: RuntimeBrooker.exe	String found in binary or memory: https://enigmaprotector.com/taggant/spv.crl0
Source: RuntimeBrooker.exe	String found in binary or memory: https://enigmaprotector.com/taggant/user.crl0
Source: RuntimeBrooker.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.catcert.net/verarrel
Source: RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.catcert.net/verarrel05
Source: RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m

System Summary

PE file has nameless sections

Source: RuntimeBrooker.exe	Static PE information: section name:
Source: RuntimeBrooker.exe	Static PE information: section name:
Source: RuntimeBrooker.exe	Static PE information: section name:
Source: RuntimeBrooker.exe	Static PE information: section name:
Source: RuntimeBrooker.exe	Static PE information: section name:
Source: RuntimeBrooker.exe	Static PE information: section name:
Source: RuntimeBrooker.exe	Static PE information: section name:
Source: RuntimeBrooker.exe	Static PE information: section name:
Source: RuntimeBrooker.exe	Static PE information: section name:
Source: RuntimeBrooker.exe	Static PE information: section name:
Source: RuntimeBrooker.exe	Static PE information: section name:
Source: RuntimeBrooker.exe	Static PE information: section name:
Source: RuntimeBrooker.exe	Static PE information: section name:
Source: RuntimeBrooker.exe	Static PE information: section name:
Source: RuntimeBrooker.exe	Static PE information: section name:
Source: RuntimeBrooker.exe	Static PE information: section name:

Source: RuntimeBrooker.exe

Static PE information: Number of sections : 17 > 10

Source: RuntimeBrooker.exe, 00000000.00000002.1649830548.0000000000B73000.00000080.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRuntimeBroker.exej% vs RuntimeBrooker.exe
Source: RuntimeBrooker.exe	Binary or memory string: OriginalFilenameRuntimeBroker.exej% vs RuntimeBrooker.exe

Source: RuntimeBrooker.exe	Static PE information: Section: ZLIB complexity 0.9988533266129033
Source: RuntimeBrooker.exe	Static PE information: Section: ZLIB complexity 1.0003235716067864
Source: RuntimeBrooker.exe	Static PE information: Section: ZLIB complexity 1.0004044349747474
Source: RuntimeBrooker.exe	Static PE information: Section: ZLIB complexity 1.021484375
Source: RuntimeBrooker.exe	Static PE information: Section: ZLIB complexity 1.0003137303149607
Source: RuntimeBrooker.exe	Static PE information: Section: ZLIB complexity 1.0003164520711143
Source: RuntimeBrooker.exe	Static PE information: Section: ZLIB complexity 1.0003610321969696
Source: RuntimeBrooker.exe	Static PE information: Section: ZLIB complexity 0.9961219200721154

Source: classification engine

Classification label: mal68.evad.winEXE@2/0@0/0

Source: C:\Users\user\Desktop\RuntimeBrooker.exe	Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: 2105161706--2021146733. Number: 0
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:120:WilError_03

Source: C:\Users\user\Desktop\RuntimeBrooker.exe

File opened: C:\Windows\system32\bb8ef617cf723f158fa9ded0023a305f7f286c9b65fd242af5f74d0366b0f433AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Jump to behavior

Source: C:\Users\user\Desktop\RuntimeBrooker.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\RuntimeBrooker.exe

File read: C:\Users\user\Desktop\RuntimeBrooker.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\RuntimeBrooker.exe "C:\Users\user\Desktop\RuntimeBrooker.exe"
Source: C:\Users\user\Desktop\RuntimeBrooker.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\RuntimeBrooker.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBrooker.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBrooker.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBrooker.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBrooker.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBrooker.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBrooker.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBrooker.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBrooker.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBrooker.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBrooker.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBrooker.exe	Section loaded: umpdc.dll	Jump to behavior

Source: RuntimeBrooker.exe

Static file information: File size 12024072 > 1048576

Source: RuntimeBrooker.exe	Static PE information: Raw size of is bigger than: 0x100000 < 0x11d200
Source: RuntimeBrooker.exe	Static PE information: Raw size of is bigger than: 0x100000 < 0x138600
Source: RuntimeBrooker.exe	Static PE information: Raw size of is bigger than: 0x100000 < 0x62e200

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\RuntimeBrooker.exe

Unpacked PE file: 0.2.RuntimeBrooker.exe.1f0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;Unknown_Section5:EW;Unknown_Section6:EW;Unknown_Section7:EW;Unknown_Section8:EW;Unknown_Section9:EW;Unknown_Section10:EW;Unknown_Section11:EW;Unknown_Section12:EW;Unknown_Section13:EW;.rsrc:EW;Unknown_Section15:EW;Unknown_Section16:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;Unknown_Section5:R;Unknown_Section6:R;Unknown_Section7:R;Unknown_Section8:R;Unknown_Section9:R;Unknown_Section10:W;Unknown_Section11:R;Unknown_Section12:R;Unknown_Section13:R;.rsrc:EW;Unknown_Section15:EW;Unknown_Section16:EW;

Source: RuntimeBrooker.exe	Static PE information: section name:
Source: RuntimeBrooker.exe	Static PE information: section name:
Source: RuntimeBrooker.exe	Static PE information: section name:
Source: RuntimeBrooker.exe	Static PE information: section name:
Source: RuntimeBrooker.exe	Static PE information: section name:
Source: RuntimeBrooker.exe	Static PE information: section name:
Source: RuntimeBrooker.exe	Static PE information: section name:
Source: RuntimeBrooker.exe	Static PE information: section name:
Source: RuntimeBrooker.exe	Static PE information: section name:
Source: RuntimeBrooker.exe	Static PE information: section name:
Source: RuntimeBrooker.exe	Static PE information: section name:
Source: RuntimeBrooker.exe	Static PE information: section name:
Source: RuntimeBrooker.exe	Static PE information: section name:
Source: RuntimeBrooker.exe	Static PE information: section name:
Source: RuntimeBrooker.exe	Static PE information: section name:
Source: RuntimeBrooker.exe	Static PE information: section name:

Source: RuntimeBrooker.exe	Static PE information: section name: entropy: 7.998942135594241
Source: RuntimeBrooker.exe	Static PE information: section name: entropy: 7.999613497251071
Source: RuntimeBrooker.exe	Static PE information: section name: entropy: 7.9979503311609506
Source: RuntimeBrooker.exe	Static PE information: section name: entropy: 7.437622686334161
Source: RuntimeBrooker.exe	Static PE information: section name: entropy: 7.999837709460686
Source: RuntimeBrooker.exe	Static PE information: section name: entropy: 7.999732846830117
Source: RuntimeBrooker.exe	Static PE information: section name: entropy: 7.9990578242908725
Source: RuntimeBrooker.exe	Static PE information: section name: entropy: 7.995003929911863

Source: C:\Users\user\Desktop\RuntimeBrooker.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBrooker.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\RuntimeBrooker.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: vmware
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Hyper-V (guest)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.1652988015.000001EEE8030000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllss
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: VBoxService.exe
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Virtual MachinesbiedllVBoxService.exe
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: VMWare
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.1649844236.0000000000B74000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)

Source: C:\Users\user\Desktop\RuntimeBrooker.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\RuntimeBrooker.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBrooker.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Users\user\Desktop\RuntimeBrooker.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBrooker.exe	Process queried: DebugPort			Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\RuntimeBrooker.exe	NtSetInformationThread: Indirect: 0xBACE3D	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBrooker.exe	NtProtectVirtualMemory: Indirect: 0x27DDFAA	Jump to behavior
Source: C:\Users\user\Desktop\RuntimeBrooker.exe	NtProtectVirtualMemory: Indirect: 0xBF513B	Jump to behavior

Source: C:\Users\user\Desktop\RuntimeBrooker.exe

Code function: 0_2_00007FF44BD051F0 GetUserNameA,

0_2_00007FF44BD051F0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	21 Virtualization/Sandbox Evasion	OS Credential Dumping	211 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	12 Software Packing	LSASS Memory	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Abuse Elevation Control Mechanism	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	2 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
RuntimeBrooker.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersroot.crl0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://wwww.certigna.fr/autorites/0m	0%	URL Reputation	safe
http://ocsp.accv.es0	0%	URL Reputation	safe
http://cps.chambersign.org/cps/chambersroot.html0	0%	URL Reputation	safe
http://crl.dhimyotis.com/certignarootca.crl0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
http://crl.securetrust.com/SGCA.crl0	0%	URL Reputation	safe
http://crl.securetrust.com/STCA.crl0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
https://www.catcert.net/verarrel	0%	URL Reputation	safe
https://www.catcert.net/verarrel	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crl.chambersign.org/chambersignroot.crl0	0%	URL Reputation	safe
http://crl.xrampsecurity.com/XGCA.crl0	0%	URL Reputation	safe
https://www.catcert.net/verarrel05	0%	URL Reputation	safe
https://www.catcert.net/verarrel05	0%	URL Reputation	safe
http://crl.certigna.fr/certignarootca.crl01	0%	URL Reputation	safe
http://www.accv.es00	0%	URL Reputation	safe
http://cps.chambersign.org/cps/chambersignroot.html0	0%	URL Reputation	safe
http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0	0%	Avira URL Cloud	safe
http://policy.camerfirma.com0	0%	URL Reputation	safe
https://enigmaprotector.com/taggant/spv.crl0	0%	Avira URL Cloud	safe
https://enigmaprotector.com/taggant/user.crl0	0%	Avira URL Cloud	safe
https://api.iproyal.com/https://api6.my-ip.io/ipidna:	0%	Avira URL Cloud	safe
https://enigmaprotector.com/taggant/user.crl0	0%	Virustotal		Browse
https://enigmaprotector.com/taggant/spv.crl0	1%	Virustotal		Browse
http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0	0%	Virustotal		Browse
https://api.iproyal.com/https://api6.my-ip.io/ipidna:	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0	RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	RuntimeBrooker.exe	false	URL Reputation: safe	unknown
http://crl.chambersign.org/chambersroot.crl0	RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	RuntimeBrooker.exe	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	RuntimeBrooker.exe	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	RuntimeBrooker.exe, 00000000.00000002.1649363162.00000000004E9000.00000002.00000001.01000000.00000003.sdmp	false		high
http://www.accv.es/legislacion_c.htm0U	RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	false		high
https://wwww.certigna.fr/autorites/0m	RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
http://ocsp.accv.es0	RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
http://cps.chambersign.org/cps/chambersroot.html0	RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
http://crl.dhimyotis.com/certignarootca.crl0	RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	RuntimeBrooker.exe, 00000000.00000002.1649363162.00000000004E9000.00000002.00000001.01000000.00000003.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	RuntimeBrooker.exe	false	URL Reputation: safe	unknown
http://www.chambersign.org1	RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
http://www.firmaprofesional.com/cps0	RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	false		high
http://repository.swisssign.com/0	RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	RuntimeBrooker.exe	false	URL Reputation: safe	unknown
https://enigmaprotector.com/taggant/spv.crl0	RuntimeBrooker.exe	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.securetrust.com/SGCA.crl0	RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
https://api.iproyal.com/https://api6.my-ip.io/ipidna:	RuntimeBrooker.exe, 00000000.00000002.1649363162.00000000004E9000.00000002.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.securetrust.com/STCA.crl0	RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
https://enigmaprotector.com/taggant/user.crl0	RuntimeBrooker.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	RuntimeBrooker.exe	false	URL Reputation: safe	unknown
https://www.catcert.net/verarrel	RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	RuntimeBrooker.exe	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	false		high
http://www.quovadisglobal.com/cps0	RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0	RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	RuntimeBrooker.exe	false	URL Reputation: safe	unknown
http://crl.chambersign.org/chambersignroot.crl0	RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
http://crl.xrampsecurity.com/XGCA.crl0	RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
https://www.catcert.net/verarrel05	RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://crl.certigna.fr/certignarootca.crl01	RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
http://www.accv.es00	RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
http://www.cert.fnmt.es/dpcs/0	RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	false		high
http://cps.chambersign.org/cps/chambersignroot.html0	RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
http://policy.camerfirma.com0	RuntimeBrooker.exe, 00000000.00000002.1649544788.00000000007C7000.00000004.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431561
Start date and time:	2024-04-25 13:05:32 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RuntimeBrooker.exe
Detection:	MAL
Classification:	mal68.evad.winEXE@2/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Execution Graph export aborted for target RuntimeBrooker.exe, PID 7704 because there are no executed function
Not all processes where analyzed, report is missing behavior information

File type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.996630319116559
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	RuntimeBrooker.exe
File size:	12'024'072 bytes
MD5:	7d1082288a0d3f0467c1d57de7471036
SHA1:	7561a197d02bb43c3868a6fc0bd81a4a34e1570b
SHA256:	0870dabc1f1d62016d4b5c92565d86e1fe9b45ca26148fe98f0fb8cb811675d8
SHA512:	dc6337013dc61b9971e5fa2a15b11ed05557c989cded240da8dc0d0a2fdd8102d41a0daa6bb84eb60e1bf09e7093e219d1091d2db95a973cf01615f163ccd433
SSDEEP:	196608:/VtRsOyxKZXB9jJYt/Tr8verWaS/GiLbN2AsBHTbtlyxE11qU75u4CLNbmCJytzz:dDsOvL91Yt/TouQ/GUphs5btlyx4qU7d
TLSH:	24C6331D754589E5E1A0D9364EED2D762422A10339C09A7943AC9CFE13AEEFFCD8344E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d............"...."......t/...................@.....................................2.....`...@...... ........ ...... .....

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x30dbeec
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	9dc580b98fdc55e0bc3b6c6f01e8c0c2

Entrypoint Preview

Instruction
jmp 00007F422CEBC85Ah
add byte ptr [esp+edx*2+00h], ch
add byte ptr [eax], al
add byte ptr [eax], al
push eax
push ecx
push edx
push ebx
push ebp
push esi
push edi
inc ecx
push eax
inc ecx
push ecx
inc ecx
push edx
inc ecx
push ebx
inc ecx
push esp
inc ecx
push ebp
inc ecx
push esi
inc ecx
push edi
dec eax
pushfd
dec eax
sub esp, 00000008h
stmxcsr dword ptr [esp]
call 00007F422CEBC855h
pop ebp
dec eax
sub ebp, 00000033h
dec eax
sub ebp, 02CDBEECh
dec eax
sub esp, 00000020h
jmp 00007F422CEBC859h
or ch, byte ptr [eax]
cmc
ror dword ptr [eax-39h], 1
shr ah, FFFFFFBEh
int 02h
dec eax
add eax, ebp
dec eax
add eax, 00000084h
dec eax
mov ecx, 0000060Bh
dec eax
mov edx, BF922518h
xor byte ptr [eax], dl
dec eax
inc eax
dec eax
dec ecx
jne 00007F422CEBC848h
jmp 00007F422CEBC859h
das
insb
fild word ptr [edx]
push eax
xchg eax, ecx
int1
xchg eax, ebx
xchg eax, ecx
and al, 18h
sbb byte ptr [eax], bl
push eax
cdq
fst dword ptr [eax]
sbb dword ptr [eax], ebx
sbb byte ptr [eax+19h], dl
int1
push eax
fstp9 st(0)
pop ss
sbb byte ptr [eax], bl
sbb byte ptr [eax-21h], dl
fidiv dword ptr [eax]
sbb byte ptr [eax], bl
sbb byte ptr [eax-11h], dl
cli
push eax
sbb ecx, ebx
xchg eax, ebx
cdq
adc al, 18h
sbb byte ptr [eax], bl
push eax
sbb eax, esi
dec eax
dec eax
push eax
mov al, byte ptr [18799A24h]
sbb byte ptr [eax], bl
sbb byte ptr [eax], bl
push eax
mov eax, dword ptr [000024B5h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x26b5020	0xdcf
IMAGE_DIRECTORY_ENTRY_IMPORT	0x26b5df0	0x25c
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x983000	0x954	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x26b6390	0x9d8c
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x26b5000	0xc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x2f8000	0x11d200	657a39c3008e678da7e4b414b0d0fb3e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x2f9000	0x2de000	0x138600	5a11825d3385096c17173373e336c61d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x5d7000	0xce000	0x3a200	7889260547349b38f37a16511fc5a786	False	0.9988533266129033	data	7.998942135594241	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6a5000	0x1000	0x200	eff181115962c3e0f82de970904edc34	False	0.693359375	data	5.613828153638671	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6a6000	0x7e000	0x7d400	95aba7dd2e4d753be569d4802554503b	False	1.0003235716067864	data	7.999613497251071	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x724000	0x19000	0x18c00	13b51f1eaba8815a4250ab43d77c21db	False	1.0004044349747474	data	7.9979503311609506	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x73d000	0x1000	0x200	df5ba5055dcbd6b4561f7696bbd73055	False	1.021484375	data	7.437622686334161	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x73e000	0xef000	0xee200	52821cb348ec4cc533577704e2716d12	False	1.0003137303149607	data	7.999837709460686	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x82d000	0xab000	0xaa800	ac9ac48077237755bce2d7162e6cc5a5	False	1.0003164520711143	executable (RISC System/6000 V3.1) or obj module	7.999732846830117	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x8d8000	0x2a000	0x29400	c54d86a450a26a95be8451c1083d13ff	False	1.0003610321969696	data	7.9990578242908725	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x902000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x903000	0xe000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x911000	0x71000	0x1a000	86ac60fdab5a66a81012d7f36e54daa6	False	0.9961219200721154	data	7.995003929911863	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x982000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x983000	0x1000	0xa00	9a556661f523a871e4d381e5e3485a11	False	0.400390625	data	4.551913019276211	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x984000	0x1d2e000	0x44000	49f8f8c50112c394169e9c88003eccab	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x26b2000	0x62f000	0x62e200	0d8782e6e82f7016fd149500f9fc2d6b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x9830a0	0x3a4	data	English	United States	0.44742489270386265
RT_MANIFEST	0x983448	0x50b	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.42989930286599537

Imports

DLL	Import
kernel32.dll	GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA
user32.dll	MessageBoxA
advapi32.dll	RegCloseKey
oleaut32.dll	SysFreeString
gdi32.dll	CreateFontA
shell32.dll	ShellExecuteA
version.dll	GetFileVersionInfoA
ole32.dll	OleInitialize

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	13:06:18
Start date:	25/04/2024
Path:	C:\Users\user\Desktop\RuntimeBrooker.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\RuntimeBrooker.exe"
Imagebase:	0x1f0000
File size:	12'024'072 bytes
MD5 hash:	7D1082288A0D3F0467C1D57DE7471036
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:06:18
Start date:	25/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FF44BD051F0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654138175.00007FF44BD00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007FF44BD00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff44bd00000_RuntimeBrooker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13b6cb95863020ae7ed8d6be28ed13175d6b1879af5edda7bca3cc6f0b70b91f
Instruction ID: 48df4bfde3955bbaafe74bc964a11f930cb2546f1de918c8aa2a0e0a7bdef5d8
Opcode Fuzzy Hash: 13b6cb95863020ae7ed8d6be28ed13175d6b1879af5edda7bca3cc6f0b70b91f
Instruction Fuzzy Hash: FBD022C020EBC52FF34460380C897981BD6DB3A308F8800E5A40DCB0A3D80C88860328

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RuntimeBrooker.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: RuntimeBrooker.exePID: 7704, Parent PID: 2580

General

Chronological Activities

Analysis Process: conhost.exePID: 7712, Parent PID: 7704

General

Chronological Activities

Disassembly

Analysis Process: RuntimeBrooker.exePID: 7704, Parent PID: 2580COMMON

Windows Analysis Report
RuntimeBrooker.exe