Windows Analysis Report
RuntimeBrooker.exe

Overview

General Information

Sample name: RuntimeBrooker.exe
Analysis ID: 1431606
MD5: 7d1082288a0d3f0467c1d57de7471036
SHA1: 7561a197d02bb43c3868a6fc0bd81a4a34e1570b
SHA256: 0870dabc1f1d62016d4b5c92565d86e1fe9b45ca26148fe98f0fb8cb811675d8

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Machine Learning detection for sample
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Checks if the current process is being debugged
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info

Classification

AV Detection

Source: RuntimeBrooker.exe Joe Sandbox ML: detected
Source: RuntimeBrooker.exe, 00000000.00000002.2127598004.0000000000767000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: RuntimeBrooker.exe, 00000000.00000002.2127598004.0000000000767000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: RuntimeBrooker.exe, 00000000.00000002.2127598004.0000000000767000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: RuntimeBrooker.exe, 00000000.00000002.2127598004.0000000000767000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: RuntimeBrooker.exe, 00000000.00000002.2127598004.0000000000767000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: RuntimeBrooker.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RuntimeBrooker.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RuntimeBrooker.exe, 00000000.00000002.2127598004.0000000000767000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: RuntimeBrooker.exe, 00000000.00000002.2127598004.0000000000767000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: RuntimeBrooker.exe, 00000000.00000002.2127598004.0000000000767000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: RuntimeBrooker.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: RuntimeBrooker.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: RuntimeBrooker.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: RuntimeBrooker.exe, 00000000.00000002.2127598004.0000000000767000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: RuntimeBrooker.exe, 00000000.00000002.2127598004.0000000000767000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: RuntimeBrooker.exe, 00000000.00000002.2127598004.0000000000767000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: RuntimeBrooker.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: RuntimeBrooker.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: RuntimeBrooker.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: RuntimeBrooker.exe, 00000000.00000002.2127598004.0000000000767000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://ocsp.accv.es0
Source: RuntimeBrooker.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: RuntimeBrooker.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: RuntimeBrooker.exe, 00000000.00000002.2127598004.0000000000767000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://policy.camerfirma.com0
Source: RuntimeBrooker.exe, 00000000.00000002.2127598004.0000000000767000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://repository.swisssign.com/0
Source: RuntimeBrooker.exe, 00000000.00000002.2127332064.0000000000489000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: RuntimeBrooker.exe, 00000000.00000002.2127332064.0000000000489000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: RuntimeBrooker.exe, 00000000.00000002.2127598004.0000000000767000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: RuntimeBrooker.exe, 00000000.00000002.2127598004.0000000000767000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: RuntimeBrooker.exe, 00000000.00000002.2127598004.0000000000767000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: RuntimeBrooker.exe, 00000000.00000002.2127598004.0000000000767000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.accv.es00
Source: RuntimeBrooker.exe, 00000000.00000002.2127598004.0000000000767000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: RuntimeBrooker.exe, 00000000.00000002.2127598004.0000000000767000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.chambersign.org1
Source: RuntimeBrooker.exe, 00000000.00000002.2127598004.0000000000767000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: RuntimeBrooker.exe, 00000000.00000002.2127598004.0000000000767000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: RuntimeBrooker.exe, 00000000.00000002.2127332064.0000000000489000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://api.iproyal.com/https://api6.my-ip.io/ipidna:
Source: RuntimeBrooker.exe String found in binary or memory: https://enigmaprotector.com/taggant/spv.crl0
Source: RuntimeBrooker.exe String found in binary or memory: https://enigmaprotector.com/taggant/user.crl0
Source: RuntimeBrooker.exe String found in binary or memory: https://sectigo.com/CPS0
Source: RuntimeBrooker.exe, 00000000.00000002.2127598004.0000000000767000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.catcert.net/verarrel
Source: RuntimeBrooker.exe, 00000000.00000002.2127598004.0000000000767000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.catcert.net/verarrel05
Source: RuntimeBrooker.exe, 00000000.00000002.2127598004.0000000000767000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://wwww.certigna.fr/autorites/0m

System Summary

Source: RuntimeBrooker.exe Static PE information: section name:
Source: RuntimeBrooker.exe Static PE information: section name:
Source: RuntimeBrooker.exe Static PE information: section name:
Source: RuntimeBrooker.exe Static PE information: section name:
Source: RuntimeBrooker.exe Static PE information: section name:
Source: RuntimeBrooker.exe Static PE information: section name:
Source: RuntimeBrooker.exe Static PE information: section name:
Source: RuntimeBrooker.exe Static PE information: section name:
Source: RuntimeBrooker.exe Static PE information: section name:
Source: RuntimeBrooker.exe Static PE information: section name:
Source: RuntimeBrooker.exe Static PE information: section name:
Source: RuntimeBrooker.exe Static PE information: section name:
Source: RuntimeBrooker.exe Static PE information: section name:
Source: RuntimeBrooker.exe Static PE information: section name:
Source: RuntimeBrooker.exe Static PE information: section name:
Source: RuntimeBrooker.exe Static PE information: section name:
Source: RuntimeBrooker.exe Static PE information: Number of sections : 17 > 10
Source: RuntimeBrooker.exe, 00000000.00000002.2128078903.0000000000B13000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameRuntimeBroker.exej% vs RuntimeBrooker.exe
Source: RuntimeBrooker.exe Binary or memory string: OriginalFilenameRuntimeBroker.exej% vs RuntimeBrooker.exe
Source: RuntimeBrooker.exe Static PE information: Section: ZLIB complexity 0.9988533266129033
Source: RuntimeBrooker.exe Static PE information: Section: ZLIB complexity 1.0003235716067864
Source: RuntimeBrooker.exe Static PE information: Section: ZLIB complexity 1.0004044349747474
Source: RuntimeBrooker.exe Static PE information: Section: ZLIB complexity 1.021484375
Source: RuntimeBrooker.exe Static PE information: Section: ZLIB complexity 1.0003137303149607
Source: RuntimeBrooker.exe Static PE information: Section: ZLIB complexity 1.0003164520711143
Source: RuntimeBrooker.exe Static PE information: Section: ZLIB complexity 1.0003610321969696
Source: RuntimeBrooker.exe Static PE information: Section: ZLIB complexity 0.9961219200721154
Source: classification engine Classification label: mal68.evad.winEXE@2/0@0/0
Source: C:\Users\user\Desktop\RuntimeBrooker.exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex object: Unique: 2105161706--2021146733. Number: 0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2464:120:WilError_03
Source: C:\Users\user\Desktop\RuntimeBrooker.exe File opened: C:\Windows\system32\…
Source: C:\Users\user\Desktop\RuntimeBrooker.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\RuntimeBrooker.exe File read: C:\Users\user\Desktop\RuntimeBrooker.exe
Source: unknown Process created: C:\Users\user\Desktop\RuntimeBrooker.exe "C:\Users\user\Desktop\RuntimeBrooker.exe"
Source: C:\Users\user\Desktop\RuntimeBrooker.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RuntimeBrooker.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\RuntimeBrooker.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\RuntimeBrooker.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\RuntimeBrooker.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\RuntimeBrooker.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\RuntimeBrooker.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\RuntimeBrooker.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\RuntimeBrooker.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\RuntimeBrooker.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\RuntimeBrooker.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\RuntimeBrooker.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\RuntimeBrooker.exe Section loaded: umpdc.dll
Source: RuntimeBrooker.exe Static file information: File size 12024072 > 1048576
Source: RuntimeBrooker.exe Static PE information: Raw size of is bigger than: 0x100000 < 0x11d200
Source: RuntimeBrooker.exe Static PE information: Raw size of is bigger than: 0x100000 < 0x138600
Source: RuntimeBrooker.exe Static PE information: Raw size of is bigger than: 0x100000 < 0x62e200

Data Obfuscation

Source: C:\Users\user\Desktop\RuntimeBrooker.exe Unpacked PE file: 0.2.RuntimeBrooker.exe.190000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;Unknown_Section5:EW;Unknown_Section6:EW;Unknown_Section7:EW;Unknown_Section8:EW;Unknown_Section9:EW;Unknown_Section10:EW;Unknown_Section11:EW;Unknown_Section12:EW;Unknown_Section13:EW;.rsrc:EW;Unknown_Section15:EW;Unknown_Section16:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;Unknown_Section5:R;Unknown_Section6:R;Unknown_Section7:R;Unknown_Section8:R;Unknown_Section9:R;Unknown_Section10:W;Unknown_Section11:R;Unknown_Section12:R;Unknown_Section13:R;.rsrc:EW;Unknown_Section15:EW;Unknown_Section16:EW;
Source: RuntimeBrooker.exe Static PE information: section name:
Source: RuntimeBrooker.exe Static PE information: section name:
Source: RuntimeBrooker.exe Static PE information: section name:
Source: RuntimeBrooker.exe Static PE information: section name:
Source: RuntimeBrooker.exe Static PE information: section name:
Source: RuntimeBrooker.exe Static PE information: section name:
Source: RuntimeBrooker.exe Static PE information: section name:
Source: RuntimeBrooker.exe Static PE information: section name:
Source: RuntimeBrooker.exe Static PE information: section name:
Source: RuntimeBrooker.exe Static PE information: section name:
Source: RuntimeBrooker.exe Static PE information: section name:
Source: RuntimeBrooker.exe Static PE information: section name:
Source: RuntimeBrooker.exe Static PE information: section name:
Source: RuntimeBrooker.exe Static PE information: section name:
Source: RuntimeBrooker.exe Static PE information: section name:
Source: RuntimeBrooker.exe Static PE information: section name:
Source: RuntimeBrooker.exe Static PE information: section name: entropy: 7.998942135594241
Source: RuntimeBrooker.exe Static PE information: section name: entropy: 7.999613497251071
Source: RuntimeBrooker.exe Static PE information: section name: entropy: 7.9979503311609506
Source: RuntimeBrooker.exe Static PE information: section name: entropy: 7.437622686334161
Source: RuntimeBrooker.exe Static PE information: section name: entropy: 7.999837709460686
Source: RuntimeBrooker.exe Static PE information: section name: entropy: 7.999732846830117
Source: RuntimeBrooker.exe Static PE information: section name: entropy: 7.9990578242908725
Source: RuntimeBrooker.exe Static PE information: section name: entropy: 7.995003929911863
Source: C:\Users\user\Desktop\RuntimeBrooker.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\RuntimeBrooker.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\RuntimeBrooker.exe System information queried: FirmwareTableInformation
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: vmware
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.2132716631.000001B5FA8D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllY
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Hyper-V (guest)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: VBoxService.exe
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Virtual MachinesbiedllVBoxService.exe
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: VMWare
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: RuntimeBrooker.exe, 00000000.00000002.2128099939.0000000000B14000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
Source: C:\Users\user\Desktop\RuntimeBrooker.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\RuntimeBrooker.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\RuntimeBrooker.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\RuntimeBrooker.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\RuntimeBrooker.exe Process queried: DebugPort
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\RuntimeBrooker.exe NtProtectVirtualMemory: Indirect: 0x277DFAA
Source: C:\Users\user\Desktop\RuntimeBrooker.exe NtSetInformationThread: Indirect: 0xB4CE3D
Source: C:\Users\user\Desktop\RuntimeBrooker.exe NtProtectVirtualMemory: Indirect: 0xB9513B
Source: C:\Users\user\Desktop\RuntimeBrooker.exe Code function: 0_2_00007FF4B0E651F0 GetUserNameA, 0_2_00007FF4B0E651F0
No contacted IP infos