Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\Server.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 1888 wrote to memory of 4892	N/A	C:\Users\Admin\AppData\Local\Temp\Server.exe	C:\Windows\SYSTEM32\schtasks.exe
PID 1888 wrote to memory of 4892	N/A	C:\Users\Admin\AppData\Local\Temp\Server.exe	C:\Windows\SYSTEM32\schtasks.exe
PID 1888 wrote to memory of 836	N/A	C:\Users\Admin\AppData\Local\Temp\Server.exe	C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe
PID 1888 wrote to memory of 836	N/A	C:\Users\Admin\AppData\Local\Temp\Server.exe	C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe
PID 836 wrote to memory of 3908	N/A	C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe	C:\Windows\SYSTEM32\schtasks.exe
PID 836 wrote to memory of 3908	N/A	C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe	C:\Windows\SYSTEM32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Server.exe

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe

"C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe" /rl HIGHEST /f

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	battery-stripes.gl.at.ply.gg	udp
US	147.185.221.20:26129	battery-stripes.gl.at.ply.gg	tcp
US	8.8.8.8:53	20.221.185.147.in-addr.arpa	udp
US	8.8.8.8:53	ipwho.is	udp
DE	195.201.57.90:443	ipwho.is	tcp
US	8.8.8.8:53	172.214.232.199.in-addr.arpa	udp
US	8.8.8.8:53	90.57.201.195.in-addr.arpa	udp
US	8.8.8.8:53	14.227.111.52.in-addr.arpa	udp
US	8.8.8.8:53	168.117.168.52.in-addr.arpa	udp

Files

memory/1888-0-0x00007FF91EBF3000-0x00007FF91EBF4000-memory.dmp

memory/1888-1-0x00000000007A0000-0x0000000000AC4000-memory.dmp

memory/1888-2-0x00007FF91EBF0000-0x00007FF91F5DC000-memory.dmp

C:\Users\Admin\AppData\Roaming\WD\Runtime Broker.exe

MD5	e45a6c438c6ab1538b44fc43a242a5d3
SHA1	00a85654779955ca989d1f2907ea1831b2511688
SHA256	f5acec48afbdd2a4850462e4613ce91c983bc3a3498c69a306a4ca12ccd15de0
SHA512	806783dfc96b3a97c11675236d31f10c6540668e6149ab158eea680b0f84248b7b25ba4f36b4790250459b87e2b0bc91d551b07a79e236c8a4356df4f3878a6f

memory/836-10-0x00007FF91EBF0000-0x00007FF91F5DC000-memory.dmp

memory/1888-9-0x00007FF91EBF0000-0x00007FF91F5DC000-memory.dmp

memory/836-11-0x00007FF91EBF0000-0x00007FF91F5DC000-memory.dmp

memory/836-12-0x000000001BC80000-0x000000001BCD0000-memory.dmp

memory/836-13-0x000000001C420000-0x000000001C4D2000-memory.dmp

memory/836-16-0x000000001BD00000-0x000000001BD12000-memory.dmp

memory/836-17-0x000000001C3A0000-0x000000001C3DE000-memory.dmp

memory/836-18-0x00007FF91EBF0000-0x00007FF91F5DC000-memory.dmp

Malware Analysis Report

2024-08-06 11:25

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Sample ID	240616-akebzsvdkq
Target	Server.exe
SHA256	f5acec48afbdd2a4850462e4613ce91c983bc3a3498c69a306a4ca12ccd15de0
Tags	stealer quasar spyware trojan