quasar | 932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 23:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe
Size

3.1MB
MD5

7ae9e9867e301a3fdd47d217b335d30f
SHA1

d8c62d8d73aeee1cbc714245f7a9a39fcfb80760
SHA256

932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c
SHA512

063648705e1817a1df82c9a595e4bbe8e0b1dbb7e31a6517df59905ebe7f22160f4acb55349d03dfe70744a14fd53c59a4c657c7a96646fcccf1c2214fc803dd
SSDEEP

49152:/vTlL26AaNeWgPhlmVqvMQ7XSKn8GE18hk/gv4oGdQTHHB72eh2NT:/vJL26AaNeWgPhlmVqkQ7XSKn8mA

Score

10^/10

quasar runtimebroker discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

RuntimeBroker

Cmaster-57540.portmap.io:57540:8080

Mutex

7d0b5d0f-c185-4da8-b709-726d2f58400c

Attributes

encryption_key
6275D618DF6119CEEF062AB381785B6186B8C0EB
install_name
RuntimeBroker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
RuntimeBroker
subdirectory
devtun

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 7 IoCs

resource	yara_rule
behavioral1/memory/2368-1-0x0000000001290000-0x00000000015B4000-memory.dmp	family_quasar
behavioral1/files/0x0008000000018d68-5.dat	family_quasar
behavioral1/memory/2932-8-0x0000000000CF0000-0x0000000001014000-memory.dmp	family_quasar
behavioral1/memory/2920-22-0x00000000003C0000-0x00000000006E4000-memory.dmp	family_quasar
behavioral1/memory/1732-33-0x00000000002F0000-0x0000000000614000-memory.dmp	family_quasar
behavioral1/memory/2528-45-0x0000000001050000-0x0000000001374000-memory.dmp	family_quasar
behavioral1/memory/1504-56-0x0000000001310000-0x0000000001634000-memory.dmp	family_quasar

Executes dropped EXE 16 IoCs

pid	Process
2932	RuntimeBroker.exe
2920	RuntimeBroker.exe
1732	RuntimeBroker.exe
2528	RuntimeBroker.exe
1504	RuntimeBroker.exe
1712	RuntimeBroker.exe
884	RuntimeBroker.exe
2728	RuntimeBroker.exe
2624	RuntimeBroker.exe
376	RuntimeBroker.exe
3004	RuntimeBroker.exe
2964	RuntimeBroker.exe
1376	RuntimeBroker.exe
2108	RuntimeBroker.exe
2280	RuntimeBroker.exe
2580	RuntimeBroker.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\devtun\RuntimeBroker.exe	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe
File opened for modification	C:\Windows\system32\devtun\RuntimeBroker.exe	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2764	PING.EXE
1792	PING.EXE
2460	PING.EXE
1816	PING.EXE
3008	PING.EXE
448	PING.EXE
1760	PING.EXE
2452	PING.EXE
964	PING.EXE
1164	PING.EXE
1956	PING.EXE
2584	PING.EXE
1000	PING.EXE
2184	PING.EXE
2984	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
964	PING.EXE
2764	PING.EXE
1164	PING.EXE
2984	PING.EXE
1792	PING.EXE
2460	PING.EXE
1956	PING.EXE
1000	PING.EXE
448	PING.EXE
2184	PING.EXE
3008	PING.EXE
1760	PING.EXE
2452	PING.EXE
2584	PING.EXE
1816	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2252	schtasks.exe
1612	schtasks.exe
1056	schtasks.exe
1564	schtasks.exe
2912	schtasks.exe
680	schtasks.exe
756	schtasks.exe
2740	schtasks.exe
692	schtasks.exe
2108	schtasks.exe
2692	schtasks.exe
2040	schtasks.exe
2520	schtasks.exe
2368	schtasks.exe
2220	schtasks.exe
824	schtasks.exe
2760	schtasks.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2368	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe
Token: SeDebugPrivilege	2932	RuntimeBroker.exe
Token: SeDebugPrivilege	2920	RuntimeBroker.exe
Token: SeDebugPrivilege	1732	RuntimeBroker.exe
Token: SeDebugPrivilege	2528	RuntimeBroker.exe
Token: SeDebugPrivilege	1504	RuntimeBroker.exe
Token: SeDebugPrivilege	1712	RuntimeBroker.exe
Token: SeDebugPrivilege	884	RuntimeBroker.exe
Token: SeDebugPrivilege	2728	RuntimeBroker.exe
Token: SeDebugPrivilege	2624	RuntimeBroker.exe
Token: SeDebugPrivilege	376	RuntimeBroker.exe
Token: SeDebugPrivilege	3004	RuntimeBroker.exe
Token: SeDebugPrivilege	2964	RuntimeBroker.exe
Token: SeDebugPrivilege	1376	RuntimeBroker.exe
Token: SeDebugPrivilege	2108	RuntimeBroker.exe
Token: SeDebugPrivilege	2280	RuntimeBroker.exe
Token: SeDebugPrivilege	2580	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2520	2368	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe	30
PID 2368 wrote to memory of 2520	2368	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe	30
PID 2368 wrote to memory of 2520	2368	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe	30
PID 2368 wrote to memory of 2932	2368	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe	32
PID 2368 wrote to memory of 2932	2368	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe	32
PID 2368 wrote to memory of 2932	2368	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe	32
PID 2932 wrote to memory of 1056	2932	RuntimeBroker.exe	34
PID 2932 wrote to memory of 1056	2932	RuntimeBroker.exe	34
PID 2932 wrote to memory of 1056	2932	RuntimeBroker.exe	34
PID 2932 wrote to memory of 2404	2932	RuntimeBroker.exe	36
PID 2932 wrote to memory of 2404	2932	RuntimeBroker.exe	36
PID 2932 wrote to memory of 2404	2932	RuntimeBroker.exe	36
PID 2404 wrote to memory of 2824	2404	cmd.exe	38
PID 2404 wrote to memory of 2824	2404	cmd.exe	38
PID 2404 wrote to memory of 2824	2404	cmd.exe	38
PID 2404 wrote to memory of 2764	2404	cmd.exe	39
PID 2404 wrote to memory of 2764	2404	cmd.exe	39
PID 2404 wrote to memory of 2764	2404	cmd.exe	39
PID 2404 wrote to memory of 2920	2404	cmd.exe	40
PID 2404 wrote to memory of 2920	2404	cmd.exe	40
PID 2404 wrote to memory of 2920	2404	cmd.exe	40
PID 2920 wrote to memory of 2740	2920	RuntimeBroker.exe	41
PID 2920 wrote to memory of 2740	2920	RuntimeBroker.exe	41
PID 2920 wrote to memory of 2740	2920	RuntimeBroker.exe	41
PID 2920 wrote to memory of 3060	2920	RuntimeBroker.exe	43
PID 2920 wrote to memory of 3060	2920	RuntimeBroker.exe	43
PID 2920 wrote to memory of 3060	2920	RuntimeBroker.exe	43
PID 3060 wrote to memory of 3040	3060	cmd.exe	45
PID 3060 wrote to memory of 3040	3060	cmd.exe	45
PID 3060 wrote to memory of 3040	3060	cmd.exe	45
PID 3060 wrote to memory of 1792	3060	cmd.exe	46
PID 3060 wrote to memory of 1792	3060	cmd.exe	46
PID 3060 wrote to memory of 1792	3060	cmd.exe	46
PID 3060 wrote to memory of 1732	3060	cmd.exe	47
PID 3060 wrote to memory of 1732	3060	cmd.exe	47
PID 3060 wrote to memory of 1732	3060	cmd.exe	47
PID 1732 wrote to memory of 1564	1732	RuntimeBroker.exe	48
PID 1732 wrote to memory of 1564	1732	RuntimeBroker.exe	48
PID 1732 wrote to memory of 1564	1732	RuntimeBroker.exe	48
PID 1732 wrote to memory of 2564	1732	RuntimeBroker.exe	50
PID 1732 wrote to memory of 2564	1732	RuntimeBroker.exe	50
PID 1732 wrote to memory of 2564	1732	RuntimeBroker.exe	50
PID 2564 wrote to memory of 2004	2564	cmd.exe	52
PID 2564 wrote to memory of 2004	2564	cmd.exe	52
PID 2564 wrote to memory of 2004	2564	cmd.exe	52
PID 2564 wrote to memory of 1164	2564	cmd.exe	53
PID 2564 wrote to memory of 1164	2564	cmd.exe	53
PID 2564 wrote to memory of 1164	2564	cmd.exe	53
PID 2564 wrote to memory of 2528	2564	cmd.exe	54
PID 2564 wrote to memory of 2528	2564	cmd.exe	54
PID 2564 wrote to memory of 2528	2564	cmd.exe	54
PID 2528 wrote to memory of 2912	2528	RuntimeBroker.exe	55
PID 2528 wrote to memory of 2912	2528	RuntimeBroker.exe	55
PID 2528 wrote to memory of 2912	2528	RuntimeBroker.exe	55
PID 2528 wrote to memory of 2396	2528	RuntimeBroker.exe	57
PID 2528 wrote to memory of 2396	2528	RuntimeBroker.exe	57
PID 2528 wrote to memory of 2396	2528	RuntimeBroker.exe	57
PID 2396 wrote to memory of 1408	2396	cmd.exe	59
PID 2396 wrote to memory of 1408	2396	cmd.exe	59
PID 2396 wrote to memory of 1408	2396	cmd.exe	59
PID 2396 wrote to memory of 1760	2396	cmd.exe	60
PID 2396 wrote to memory of 1760	2396	cmd.exe	60
PID 2396 wrote to memory of 1760	2396	cmd.exe	60
PID 2396 wrote to memory of 1504	2396	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe
"C:\Users\Admin\AppData\Local\Temp\932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2520
- C:\Windows\system32\devtun\RuntimeBroker.exe
  "C:\Windows\system32\devtun\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1056
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tvkqwWTbN7qR.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2824
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2764
  - - C:\Windows\system32\devtun\RuntimeBroker.exe
      "C:\Windows\system32\devtun\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2920
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2740
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DtcJZWXWKPJG.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3060
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3040
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1792
      - C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1564
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\grv36W9GNG1C.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2004
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1164
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2912
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\R8tDMOWSgRbo.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1408
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1760
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:680
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WJmVk2Rmv0t0.bat" "
        11⤵
        
        PID:1868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1304
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2460
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:692
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JgRmCoQFyIVc.bat" "
        13⤵
        
        PID:1924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2168
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2452
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2108
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OeROztwhws66.bat" "
        15⤵
        
        PID:2996
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1956
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2368
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NOVHkiEpwV3K.bat" "
        17⤵
        
        PID:2128
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2840
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2584
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2692
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\O0G6I6rXBLUK.bat" "
        19⤵
        
        PID:1440
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1540
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1816
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:756
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vMAlRbJPLxfG.bat" "
        21⤵
        
        PID:2388
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1168
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1000
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2252
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VIIKHJHzw4m9.bat" "
        23⤵
        
        PID:2528
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1480
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:448
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2040
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\37wheF7Y9h94.bat" "
        25⤵
        
        PID:704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:964
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2220
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cfMyvs9fsCwB.bat" "
        27⤵
        
        PID:1544
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2296
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2184
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1612
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JEK2ZwX4xE8P.bat" "
        29⤵
        
        PID:2532
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1812
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2984
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:824
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\91Y5anfrZQwv.bat" "
        31⤵
        
        PID:2664
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2704
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3008
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        33⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\37wheF7Y9h94.bat

Filesize
203B

MD5
17109bfb1801a6038289e6cb62be72a9

SHA1
161cd44b746360a9b2611b260e12dbb8cf2e11c5

SHA256
6a6949bb8f80c12049ef7fc9ccfbcbe4b040968af0355590960376b2920793b5

SHA512
045af48b579ca3d417bd32fbb72a0046ea3f45ae75cdc60961ff46118ed42316cb0c5de0be5022300614a92f489048bca8a6504b39ab21809123510f4551801b

Download Submit
C:\Users\Admin\AppData\Local\Temp\91Y5anfrZQwv.bat

Filesize
203B

MD5
740ef15e5a0a65884dab727aa9717350

SHA1
c8e7100cc4f6086740a2ad02497022a60675c2f7

SHA256
9a99d6811b16725ad201ed641b832e0947a0a3ed63ad4e0b30319f91bc0af0a3

SHA512
cbe21b53f3455af44ae314ed9344175c784e15f869e79548632e26dd21713c61f58de37db1982e5aa4c7454d88e4f16ae6814c5df185ceb808067f7ccf3506df

Download Submit
C:\Users\Admin\AppData\Local\Temp\DtcJZWXWKPJG.bat

Filesize
203B

MD5
2b909ded2564c9450b7e84b03efe583b

SHA1
34dbf9673ec234ac8c1837dcde424dd2c81e71d0

SHA256
f24bed074d4d6693f698aeb8172b206964e45452f70270efc8a500aa5d551fc7

SHA512
81ec3073475b57d4a5671974742b2364df9ae7b8cb3d8405eced48b86432b8334ccaa09e02b4cc1c7f8984fff074863728e6e77f91a92cb234f7aecb15f9aca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\JEK2ZwX4xE8P.bat

Filesize
203B

MD5
79fd02403ec678d26d4f44fec4d8be8e

SHA1
f16038287eb4104f43de5c2501399ccc1ec56f75

SHA256
f2e061b99131313134e636a62a838a00997d9dafd08842257832bcda1231ce10

SHA512
d3707ff2fd14f0e15c59f2bb16cb00911534420ba2970d6265115d2047d9ee016aba054a1feed5676db975171979b0f554590eaf8d33f98ff12d2ed19c4e8919

Download Submit
C:\Users\Admin\AppData\Local\Temp\JgRmCoQFyIVc.bat

Filesize
203B

MD5
05c2257f41131e9a50e6cdf91bdbec77

SHA1
5daed9fb549bc7f3d58a4af8840a0477519a2d91

SHA256
8de8d5f32c4dbb1b57e2f63f1dc504c00ab33e3c3993e5d13974a74f86cfec98

SHA512
71c3c99515dcf4c18f83f065b3cfd33fef6968c8ce865772cf2d5ccb5dab11192f9dd09da0dd32f399ff4b8efcd0c6fc7bb0e66a8ac59047bedba02b101fa876

Download Submit
C:\Users\Admin\AppData\Local\Temp\NOVHkiEpwV3K.bat

Filesize
203B

MD5
f93bf25345714cf9e13ac60f9d694a5f

SHA1
fedc97ad6489a638b0ffcb0cd74a6ae40ceaab1a

SHA256
92f007150094de654aeb176df11e6aed749884816d87754e29a6776d8edc8a53

SHA512
f26fcb597fe19f0f343c6f3baf8b5b61a2dd685136ced4124196183ede97e5d12abaf347a20aca75fda2f6ca2a1d8ebf1bcec6c401d0869712bed41a5df453b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\O0G6I6rXBLUK.bat

Filesize
203B

MD5
3ff928f8b4003468a74646979012aa48

SHA1
9680848cf681cd2eb2d20c0c7be549ccc7889b82

SHA256
8cdd7b6b8315db4f89cbd00db91e8474d33546edd45958aa0a22747024d9b780

SHA512
e1925a0e5e0fd63e31084da28e468844b1551ffdab64af7942b989cb380c572dd0ce1dea0c0ed1fc9514ff0e5feefdf2f3ca9c78f10c8f07d238383cfd374b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\OeROztwhws66.bat

Filesize
203B

MD5
4d9e7525c37353f8b245444d518744e2

SHA1
c063f008fc6acb0ff60b74866ff48944b65e0cbe

SHA256
8df80a6a4e6f54796d4e437537d2afc342c3d9f871a1d4e9871d0578d113b624

SHA512
51bf75a4e6e7d43a4e3d0dae24e96b998f87e1ee81ed571eb061564f918c43564c06894289183421593f52b5397ffd2628b0ea47db457cc49c7018b5dca957f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\R8tDMOWSgRbo.bat

Filesize
203B

MD5
8abacd34763cb496702ff806f9737df0

SHA1
57589f89aa13aa5a1704ef5274eb1e4be5509501

SHA256
88806bf5dbd2c769f04b89eece3230495633f1868f0ed808fb4337e62222189d

SHA512
b049f4114cb4c4822b790e5a21bac341fbfa57b865bc4960bd3741dffeb317b389522ffc35cd280bcd0acf49abe5c106e34f94b24f50608a3b92e7af89d15e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIIKHJHzw4m9.bat

Filesize
203B

MD5
30ae1491b7e51dbe4cf00c7b15f7a30e

SHA1
45cc826013134c9c6156497ef256d03231a1cef0

SHA256
4a894bd03f751198e1965590a6a5257a056ab84a97e6c8a28eb4d6a2aa5ad89f

SHA512
a5a4eb14d9ba0e3503db9fa72e73cc840d4759e5f53ceea800a3e748ae79146350b4ae088a9eef41c05c3b428acb6e8494b771d44f54a2b11b861f20a2b892af

Download Submit
C:\Users\Admin\AppData\Local\Temp\WJmVk2Rmv0t0.bat

Filesize
203B

MD5
c42b6db4b86d9cd0548cf5d5fc80f3c2

SHA1
c1c6f475b429915c6c481373e41c20e3aa64003b

SHA256
4fb65bfecd8f18c5028de6061ee2edaf64f231632e4e057fa8e893c1dba7cdee

SHA512
0ed8c564b78dc100c6d19aaba5dae2622e9cde43862d3f0a5f3e0c7db25a7139ac6f1e61b916e2bb32024f693871d91ef25ae2d4d44e96e15b755bf463f6fb7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfMyvs9fsCwB.bat

Filesize
203B

MD5
30cb040be11457d3ed35a77af682ab1a

SHA1
a72874dbbfa598dee93f42e067cfa9fa9578a597

SHA256
33fdbdc369ed68e6d0806368de988d84084ef39f8647476add6d2698e8151fce

SHA512
0cde9d231c862c7e353055d80468c50b49dca3febfcd23642d47318b8da82b56bded545e40192e3b453e3d3947473e941caea6db36a43052b7d1652e75c8dd0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\grv36W9GNG1C.bat

Filesize
203B

MD5
3518f1984fa7b023af0b04a44039170d

SHA1
68cf30ea9bbf91dfba0814156571cd25faa156c0

SHA256
7a5b58df7e6b8bec674d8097a34f0483fbf77526e18394c80fc63016457ef0c7

SHA512
768e01ce1d1098345c1f7e6ef338b54745e20c7f01e49c4ae537fcb91760a3d9d20f1f420047a81621277953cdd617127749f6adaa2a717339de5f4a530e095a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tvkqwWTbN7qR.bat

Filesize
203B

MD5
d35ba0fc500e5e1a79d174485e9d0046

SHA1
d4e6119bb6209c4fa79875a8fe48bc91ec35731b

SHA256
40fc9bb82208375cd81e757cfd3a4eb60560561747c7ba557b2f1d9b59ba8d92

SHA512
6ba5e8717e9fdd230896a5707e8d808e8ae0d3193cc64086e8faa71ddf1f185f042a6907b296c39cf692bb9450ab86de7e3daa0f4a1420a22602ce2ea1d8e6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vMAlRbJPLxfG.bat

Filesize
203B

MD5
b238935052bb729bf693a05fce5460c9

SHA1
6ec77d8b505aaaccc1f25e55f647a3a6317e824a

SHA256
a357aca7395765a872d5b8cd2fbdb52d1c2fe2e70b4ab818ff82b11886ffa488

SHA512
0faa0bd9f5fd0d04e2ce83c065ebe9c15d446d818e528fbc8ce1e81a5d635e598aec88c28237f2ffbc677928c0d6e14a90d5507564e718ed1fdc82633ab6d0f9

Download Submit
C:\Windows\System32\devtun\RuntimeBroker.exe

Filesize
3.1MB

MD5
7ae9e9867e301a3fdd47d217b335d30f

SHA1
d8c62d8d73aeee1cbc714245f7a9a39fcfb80760

SHA256
932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c

SHA512
063648705e1817a1df82c9a595e4bbe8e0b1dbb7e31a6517df59905ebe7f22160f4acb55349d03dfe70744a14fd53c59a4c657c7a96646fcccf1c2214fc803dd

Download Submit
memory/1504-56-0x0000000001310000-0x0000000001634000-memory.dmp

Filesize
3.1MB

Download
memory/1732-33-0x00000000002F0000-0x0000000000614000-memory.dmp

Filesize
3.1MB

Download
memory/2368-0-0x000007FEF5983000-0x000007FEF5984000-memory.dmp

Filesize
4KB

Download
memory/2368-1-0x0000000001290000-0x00000000015B4000-memory.dmp

Filesize
3.1MB

Download
memory/2368-2-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

Filesize
9.9MB

Download
memory/2368-9-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

Filesize
9.9MB

Download
memory/2528-45-0x0000000001050000-0x0000000001374000-memory.dmp

Filesize
3.1MB

Download
memory/2920-22-0x00000000003C0000-0x00000000006E4000-memory.dmp

Filesize
3.1MB

Download
memory/2932-10-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

Filesize
9.9MB

Download
memory/2932-7-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

Filesize
9.9MB

Download
memory/2932-8-0x0000000000CF0000-0x0000000001014000-memory.dmp

Filesize
3.1MB

Download
memory/2932-20-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads