Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Download

RuntimeBroker.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.566832868679161
Filename:	RuntimeBroker.exe
Filesize:	95232
MD5:	3785497fd4339e24258e3bd47b933c34
SHA1:	8974341d2328f6561075ee16f4139fbfabdeb0f2
SHA256:	39b7d36f78ad70c878581c1052fc6c1e0aab18312c9d8e229d9041494784f4b2
SHA512:	17e0f9b78e9c8127109a396da564d589d89442f8dd268e11cc9317dad11eb80f345cde7568f6aea760c70b6f18ca08dc3df176b502ba0646e5c04b2936eee049
SSDEEP:	1536:SUt8mGnrQr1EjOoYdsjEwzGi1dDtDagS:SUmnrQr1qr2i1dZf
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z..g.................p..........N.... ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection	Access Token Manipulation
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation	Access Token Manipulation Software Packing
Contains functionality to disable the Task Manager (.Net Source)	Lowering of HIPS / PFW / Operating System Security Settings	Access Token Manipulation
Contains functionality to spread to USB devices (.Net source)	Spreading	Replication Through Removable Media Access Token Manipulation
Disables zone checking for all users	Lowering of HIPS / PFW / Operating System Security Settings	Access Token Manipulation
Drops PE files to the startup folder	Boot Survival	Access Token Manipulation
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Access Token Manipulation Disable or Modify Tools
Abnormal high CPU Usage	System Summary	Access Token Manipulation
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains functionality to call native functions	System Summary
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a start menu entry (Start Menu\Programs\Startup)	Boot Survival	Registry Run Keys / Startup Folder Access Token Manipulation
Creates a window with clipboard capturing capabilities	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May infect USB drives	Spreading	Access Token Manipulation
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation
Stores files to the Windows start menu directory	Boot Survival
Uses 32bit PE files	Compliance, System Summary	Masquerading
Yara signature match	System Summary
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging
Creates mutexes	System Summary	Access Token Manipulation
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	Access Token Manipulation System Information Discovery
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Sample reads its own file content	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses new MSVCR Dlls	Compliance, System Summary	Access Token Manipulation
Uses Microsoft Silverlight	System Summary	Access Token Manipulation

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
Category:	dropped
Dump:	Microsoft Corporation.exe.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\RuntimeBroker.exe
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.566832868679161
Encrypted:	false
Ssdeep:	1536:SUt8mGnrQr1EjOoYdsjEwzGi1dDtDagS:SUmnrQr1qr2i1dZf
Size:	95232
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Drops PE files to the startup folder	Boot Survival	Registry Run Keys / Startup Folder
Creates a start menu entry (Start Menu\Programs\Startup)	Boot Survival	Registry Run Keys / Startup Folder
Drops PE files	Persistence and Installation Behavior
Sigma detected: Startup Folder File Write	System Summary
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe:Zone.Identifier

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe:Zone.Identifier
Category:	dropped
Dump:	Microsoft Corporation.exe_Zone.Identifier.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\RuntimeBroker.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection

C:\Users\user\AppData\Roaming\app

Unicode text, UTF-8 (with BOM) text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Roaming\app
Category:	dropped
Dump:	app.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\RuntimeBroker.exe
Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Entropy:	2.321928094887362
Encrypted:	false
Ssdeep:	3:l:l
Size:	5
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.1.dr
ID:	dr_3
Target ID:	1
Process:	C:\Windows\SysWOW64\netsh.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.971939296804078
Encrypted:	false
Ssdeep:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
Size:	313
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\RuntimeBroker.exe

"C:\Users\user\Desktop\RuntimeBroker.exe"

Details

Is windows:	false
Is dropped:	false
PID:	1220
Target ID:	0
Parent PID:	3964
Name:	RuntimeBroker.exe
Path:	C:\Users\user\Desktop\RuntimeBroker.exe
Commandline:	"C:\Users\user\Desktop\RuntimeBroker.exe"
Size:	95232
MD5:	3785497FD4339E24258E3BD47B933C34
Time:	12:14:41
Date:	23/03/2025
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x5f0000
Modulesize:	114688
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Sigma detected: System File Execution Location Anomaly	System Summary
Sigma detected: Windows Binaries Write Suspicious Extensions	System Summary
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
May infect USB drives	Spreading	Replication Through Removable Media
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Startup Folder File Write	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\user\Desktop\RuntimeBroker.exe" "RuntimeBroker.exe" ENABLE

Details

Is windows:	true
Is dropped:	false
PID:	3220
Target ID:	1
Parent PID:	1220
Name:	netsh.exe
Path:	C:\Windows\SysWOW64\netsh.exe
Commandline:	netsh firewall add allowedprogram "C:\Users\user\Desktop\RuntimeBroker.exe" "RuntimeBroker.exe" ENABLE
Size:	82432
MD5:	4E89A1A088BE715D6C946E55AB07C7DF
Time:	12:14:43
Date:	23/03/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xe30000
Modulesize:	122880
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	1880
Target ID:	2
Parent PID:	3220
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	12:14:44
Date:	23/03/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff62fc20000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://go.microsoft.

unknown

Details

Name:	http://go.microsoft.
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\RuntimeBroker.exe
Source:	RuntimeBroker.exe, 00000000.00000002.3887806908.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://go.microsoft.LinkId=42127

unknown

Details

Name:	http://go.microsoft.LinkId=42127
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\RuntimeBroker.exe
Source:	RuntimeBroker.exe, 00000000.00000002.3887806908.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

Malicious

morning-ultimately.gl.at.ply.gg

147.185.221.26

Details

Name:	morning-ultimately.gl.at.ply.gg
IP:	147.185.221.26
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

147.185.221.26

morning-ultimately.gl.at.ply.gg

United States

Details

IP:	147.185.221.26
TargetID:	0
Current Path:	C:\Users\user\Desktop\RuntimeBroker.exe
Country:	United States
Countrycode:	USA
ASN number:	12087
ASN name:	SALSGIVERUS
Private:	false
Domain:	morning-ultimately.gl.at.ply.gg

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Environment

SEE_MASK_NOZONECHECKS

Memdumps

Base Address

Regiontype

Protect

Malicious

Download

5F2000

unkown

page readonly

61C000

heap

page read and write

7B28000

trusted library allocation

page read and write

63F000

heap

page read and write

641D000

stack

page read and write

4C62000

heap

page read and write

650000

heap

page read and write

647000

heap

page read and write

640000

heap

page read and write

5FDD000

stack

page read and write

650000

heap

page read and write

97F000

stack

page read and write

64D000

heap

page read and write

CD7000

heap

page read and write

2BEB000

trusted library allocation

page execute and read and write

600000

heap

page read and write

60A000

heap

page read and write

117F000

stack

page read and write

5D1000

heap

page read and write

655000

heap

page read and write

43E0000

heap

page read and write

11B000

stack

page read and write

2BDA000

trusted library allocation

page execute and read and write

180000

heap

page read and write

65D000

heap

page read and write

2BA2000

trusted library allocation

page execute and read and write

65A000

heap

page read and write

64F000

heap

page read and write

5E3D000

stack

page read and write

565B000

stack

page read and write

5480000

trusted library allocation

page read and write

1A5000

heap

page read and write

7B26000

trusted library allocation

page read and write

61D000

heap

page read and write

643000

heap

page read and write

65E000

heap

page read and write

2BE7000

trusted library allocation

page execute and read and write

7B06000

trusted library allocation

page read and write

4530000

heap

page read and write

61F000

heap

page read and write

107E000

stack

page read and write

5C5000

heap

page read and write

4AAF000

stack

page read and write

623000

heap

page read and write

648000

heap

page read and write

43E6000

trusted library allocation

page read and write

6AE000

heap

page read and write

7B42000

trusted library allocation

page read and write

4AEE000

stack

page read and write

4281000

trusted library allocation

page read and write

651E000

stack

page read and write

7B9B000

trusted library allocation

page read and write

4C7B000

heap

page read and write

A76000

heap

page read and write

5C2000

heap

page read and write

C42000

heap

page read and write

656000

heap

page read and write

648000

heap

page read and write

4EE000

stack

page read and write

42A8000

trusted library allocation

page read and write

61D000

heap

page read and write

64D000

heap

page read and write

535C000

stack

page read and write

4C61000

heap

page read and write

655000

heap

page read and write

647000

heap

page read and write

43AE000

trusted library allocation

page read and write

2BE2000

trusted library allocation

page read and write

60A000

heap

page read and write

63E000

heap

page read and write

4C78000

heap

page read and write

7F080000

trusted library allocation

page execute and read and write

5F9000

heap

page read and write

6A1000

heap

page read and write

641000

heap

page read and write

7BD7000

trusted library allocation

page read and write

656000

heap

page read and write

5D3C000

stack

page read and write

63E000

heap

page read and write

654000

heap

page read and write

647000

heap

page read and write

63DE000

stack

page read and write

760D000

heap

page read and write

52C0000

trusted library allocation

page execute and read and write

4C7C000

heap

page read and write

4C6D000

heap

page read and write

4C62000

heap

page read and write

5E5000

heap

page read and write

CC3000

heap

page read and write

5FC000

heap

page read and write

60A000

heap

page read and write

5F7D000

stack

page read and write

A00000

heap

page read and write

5F0000

unkown

page readonly

64E000

heap

page read and write

C53000

heap

page read and write

3281000

trusted library allocation

page read and write

60A000

heap

page read and write

615B000

stack

page read and write

C7B000

heap

page read and write

5BFD000

stack

page read and write

1180000

heap

page read and write

500000

heap

page read and write

590000

heap

page read and write

61D000

heap

page read and write

643000

heap

page read and write

659000

heap

page read and write

7B8C000

trusted library allocation

page read and write

5E7D000

stack

page read and write

6AC000

heap

page read and write

569C000

stack

page read and write

63F000

heap

page read and write

2BB0000

trusted library allocation

page read and write

647000

heap

page read and write

C92000

heap

page read and write

65E000

heap

page read and write

11F0000

trusted library allocation

page read and write

64D000

heap

page read and write

4C7B000

heap

page read and write

60A000

heap

page read and write

5460000

heap

page read and write

602000

heap

page read and write

69A000

stack

page read and write

2BBA000

trusted library allocation

page execute and read and write

4C70000

heap

page read and write

5F8000

heap

page read and write

5FC000

heap

page read and write

C0B000

heap

page read and write

5BA000

heap

page read and write

61C000

heap

page read and write

5FD000

heap

page read and write

4C69000

heap

page read and write

5FC000

heap

page read and write

1EE000

unkown

page read and write

555C000

stack

page read and write

C27000

heap

page read and write

49AE000

stack

page read and write

C00000

heap

page read and write

1312000

heap

page read and write

643000

heap

page read and write

2BB2000

trusted library allocation

page execute and read and write

4C67000

heap

page read and write

8831000

trusted library allocation

page read and write

641000

heap

page read and write

649000

heap

page read and write

B00000

heap

page read and write

42FF000

trusted library allocation

page read and write

4357000

trusted library allocation

page read and write

60DE000

stack

page read and write

4C78000

heap

page read and write

61D000

heap

page read and write

2BDC000

trusted library allocation

page execute and read and write

E10000

heap

page read and write

2BD0000

trusted library allocation

page read and write

A70000

heap

page read and write

D01000

heap

page read and write

7801000

trusted library allocation

page read and write

7E0000

heap

page read and write

54B0000

trusted library allocation

page execute and read and write

1201000

heap

page read and write

441E000

trusted library allocation

page read and write

2C01000

heap

page execute and read and write

654000

heap

page read and write

2D01000

heap

page read and write

1A0000

heap

page read and write

619E000

stack

page read and write

4C67000

heap

page read and write

5E7000

heap

page read and write

4C78000

heap

page read and write

65C000

heap

page read and write

52F0000

trusted library allocation

page read and write

54A0000

trusted library allocation

page read and write

4BEF000

stack

page read and write

2BAA000

trusted library allocation

page execute and read and write

5CFE000

stack

page read and write

640000

heap

page read and write

655000

heap

page read and write

2BC7000

trusted library allocation

page execute and read and write

608000

heap

page read and write

60A000

heap

page read and write

5F9000

heap

page read and write

545E000

stack

page read and write

5D1000

heap

page read and write

6530000

trusted library allocation

page execute and read and write

65B000

heap

page read and write

4F3000

stack

page read and write

C7D000

heap

page read and write

5FC000

heap

page read and write

652000

heap

page read and write

190000

heap

page read and write

7C0000

heap

page read and write

7B08000

trusted library allocation

page read and write

4C6F000

heap

page read and write

4C78000

heap

page read and write

605000

heap

page read and write

CAF000

heap

page read and write

63F000

heap

page read and write

4C60000

heap

page read and write

65D000

heap

page read and write

6A5000

heap

page read and write

61D000

heap

page read and write

6A6000

heap

page read and write

6AD000

heap

page read and write

64E000

heap

page read and write

11B0000

heap

page read and write

C79000

heap

page read and write

64D000

heap

page read and write

629E000

stack

page read and write

7B82000

trusted library allocation

page read and write

42A0000

heap

page read and write

2E3E000

stack

page read and write

2BCA000

trusted library allocation

page execute and read and write

6A2000

heap

page read and write

60A000

heap

page read and write

5B0000

heap

page read and write

2BD2000

trusted library allocation

page execute and read and write

1301000

heap

page read and write

65E000

heap

page read and write

1190000

heap

page execute and read and write

6AD000

heap

page read and write

65E000

heap

page read and write

611C000

stack

page read and write

641000

heap

page read and write

7929000

trusted library allocation

page read and write

C12000

heap

page read and write

652000

heap

page read and write

87F000

unkown

page read and write

5FB000

heap

page read and write

645000

heap

page read and write

4C79000

heap

page read and write

6A7000

heap

page read and write

7600000

heap

page read and write

7BA2000

trusted library allocation

page read and write

D12000

heap

page read and write

5300000

unclassified section

page read and write

6AB000

heap

page read and write

5FF000

heap

page read and write

CF8000

heap

page read and write

6A9000

heap

page read and write

6600000

heap

page read and write

5F8000

heap

page read and write

CFC000

heap

page read and write

328E000

trusted library allocation

page read and write

5F8000

heap

page read and write

2F3E000

stack

page read and write

7B89000

trusted library allocation

page read and write

4C7A000

heap

page read and write

4FB000

stack

page read and write

4FE000

stack

page read and write

4C41000

heap

page read and write

CB9000

heap

page read and write

2BE0000

trusted library allocation

page read and write

604000

heap

page read and write

7B87000

trusted library allocation

page read and write

5D1000

heap

page read and write

62DD000

stack

page read and write

579C000

stack

page read and write

4C78000

heap

page read and write

4C65000

heap

page read and write

796000

stack

page read and write

EF0000

heap

page read and write

4C40000

heap

page read and write

C77000

heap

page read and write

4C65000

heap

page read and write

A14000

heap

page read and write

55E000

stack

page read and write

There are 256 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
RuntimeBroker.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportRuntimeBroker.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
RuntimeBroker.exe