quasar | 932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2024 23:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe
Size

3.1MB
MD5

7ae9e9867e301a3fdd47d217b335d30f
SHA1

d8c62d8d73aeee1cbc714245f7a9a39fcfb80760
SHA256

932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c
SHA512

063648705e1817a1df82c9a595e4bbe8e0b1dbb7e31a6517df59905ebe7f22160f4acb55349d03dfe70744a14fd53c59a4c657c7a96646fcccf1c2214fc803dd
SSDEEP

49152:/vTlL26AaNeWgPhlmVqvMQ7XSKn8GE18hk/gv4oGdQTHHB72eh2NT:/vJL26AaNeWgPhlmVqkQ7XSKn8mA

Score

10^/10

quasar runtimebroker discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

RuntimeBroker

Cmaster-57540.portmap.io:57540:8080

Mutex

7d0b5d0f-c185-4da8-b709-726d2f58400c

Attributes

encryption_key
6275D618DF6119CEEF062AB381785B6186B8C0EB
install_name
RuntimeBroker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
RuntimeBroker
subdirectory
devtun

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/620-1-0x0000000000990000-0x0000000000CB4000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023b97-5.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 15 IoCs

pid	Process
712	RuntimeBroker.exe
2812	RuntimeBroker.exe
4912	RuntimeBroker.exe
4404	RuntimeBroker.exe
3656	RuntimeBroker.exe
4864	RuntimeBroker.exe
2904	RuntimeBroker.exe
2072	RuntimeBroker.exe
3872	RuntimeBroker.exe
2700	RuntimeBroker.exe
4348	RuntimeBroker.exe
2316	RuntimeBroker.exe
1936	RuntimeBroker.exe
4028	RuntimeBroker.exe
4920	RuntimeBroker.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\devtun\RuntimeBroker.exe	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe
File created	C:\Windows\system32\devtun\RuntimeBroker.exe	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1044	PING.EXE
1492	PING.EXE
4072	PING.EXE
5112	PING.EXE
4552	PING.EXE
2400	PING.EXE
4772	PING.EXE
624	PING.EXE
3508	PING.EXE
1892	PING.EXE
1876	PING.EXE
4896	PING.EXE
3084	PING.EXE
4608	PING.EXE
3216	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2400	PING.EXE
1044	PING.EXE
3508	PING.EXE
1892	PING.EXE
624	PING.EXE
4072	PING.EXE
3084	PING.EXE
4772	PING.EXE
1876	PING.EXE
4608	PING.EXE
5112	PING.EXE
3216	PING.EXE
1492	PING.EXE
4896	PING.EXE
4552	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1392	schtasks.exe
1080	schtasks.exe
1472	schtasks.exe
1036	schtasks.exe
3364	schtasks.exe
1720	schtasks.exe
3616	schtasks.exe
5000	schtasks.exe
3404	schtasks.exe
3684	schtasks.exe
1832	schtasks.exe
1016	schtasks.exe
4168	schtasks.exe
620	schtasks.exe
3196	schtasks.exe
1428	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	620	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe
Token: SeDebugPrivilege	712	RuntimeBroker.exe
Token: SeDebugPrivilege	2812	RuntimeBroker.exe
Token: SeDebugPrivilege	4912	RuntimeBroker.exe
Token: SeDebugPrivilege	4404	RuntimeBroker.exe
Token: SeDebugPrivilege	3656	RuntimeBroker.exe
Token: SeDebugPrivilege	4864	RuntimeBroker.exe
Token: SeDebugPrivilege	2904	RuntimeBroker.exe
Token: SeDebugPrivilege	2072	RuntimeBroker.exe
Token: SeDebugPrivilege	3872	RuntimeBroker.exe
Token: SeDebugPrivilege	2700	RuntimeBroker.exe
Token: SeDebugPrivilege	4348	RuntimeBroker.exe
Token: SeDebugPrivilege	2316	RuntimeBroker.exe
Token: SeDebugPrivilege	1936	RuntimeBroker.exe
Token: SeDebugPrivilege	4028	RuntimeBroker.exe
Token: SeDebugPrivilege	4920	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 3196	620	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe	82
PID 620 wrote to memory of 3196	620	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe	82
PID 620 wrote to memory of 712	620	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe	84
PID 620 wrote to memory of 712	620	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe	84
PID 712 wrote to memory of 3616	712	RuntimeBroker.exe	85
PID 712 wrote to memory of 3616	712	RuntimeBroker.exe	85
PID 712 wrote to memory of 1240	712	RuntimeBroker.exe	87
PID 712 wrote to memory of 1240	712	RuntimeBroker.exe	87
PID 1240 wrote to memory of 5012	1240	cmd.exe	89
PID 1240 wrote to memory of 5012	1240	cmd.exe	89
PID 1240 wrote to memory of 5112	1240	cmd.exe	90
PID 1240 wrote to memory of 5112	1240	cmd.exe	90
PID 1240 wrote to memory of 2812	1240	cmd.exe	98
PID 1240 wrote to memory of 2812	1240	cmd.exe	98
PID 2812 wrote to memory of 1832	2812	RuntimeBroker.exe	99
PID 2812 wrote to memory of 1832	2812	RuntimeBroker.exe	99
PID 2812 wrote to memory of 2652	2812	RuntimeBroker.exe	101
PID 2812 wrote to memory of 2652	2812	RuntimeBroker.exe	101
PID 2652 wrote to memory of 368	2652	cmd.exe	103
PID 2652 wrote to memory of 368	2652	cmd.exe	103
PID 2652 wrote to memory of 4552	2652	cmd.exe	104
PID 2652 wrote to memory of 4552	2652	cmd.exe	104
PID 2652 wrote to memory of 4912	2652	cmd.exe	105
PID 2652 wrote to memory of 4912	2652	cmd.exe	105
PID 4912 wrote to memory of 1080	4912	RuntimeBroker.exe	106
PID 4912 wrote to memory of 1080	4912	RuntimeBroker.exe	106
PID 4912 wrote to memory of 1916	4912	RuntimeBroker.exe	108
PID 4912 wrote to memory of 1916	4912	RuntimeBroker.exe	108
PID 1916 wrote to memory of 3960	1916	cmd.exe	110
PID 1916 wrote to memory of 3960	1916	cmd.exe	110
PID 1916 wrote to memory of 1892	1916	cmd.exe	111
PID 1916 wrote to memory of 1892	1916	cmd.exe	111
PID 1916 wrote to memory of 4404	1916	cmd.exe	114
PID 1916 wrote to memory of 4404	1916	cmd.exe	114
PID 4404 wrote to memory of 1428	4404	RuntimeBroker.exe	115
PID 4404 wrote to memory of 1428	4404	RuntimeBroker.exe	115
PID 4404 wrote to memory of 3952	4404	RuntimeBroker.exe	117
PID 4404 wrote to memory of 3952	4404	RuntimeBroker.exe	117
PID 3952 wrote to memory of 2392	3952	cmd.exe	119
PID 3952 wrote to memory of 2392	3952	cmd.exe	119
PID 3952 wrote to memory of 2400	3952	cmd.exe	120
PID 3952 wrote to memory of 2400	3952	cmd.exe	120
PID 3952 wrote to memory of 3656	3952	cmd.exe	121
PID 3952 wrote to memory of 3656	3952	cmd.exe	121
PID 3656 wrote to memory of 1016	3656	RuntimeBroker.exe	122
PID 3656 wrote to memory of 1016	3656	RuntimeBroker.exe	122
PID 3656 wrote to memory of 2896	3656	RuntimeBroker.exe	124
PID 3656 wrote to memory of 2896	3656	RuntimeBroker.exe	124
PID 2896 wrote to memory of 936	2896	cmd.exe	126
PID 2896 wrote to memory of 936	2896	cmd.exe	126
PID 2896 wrote to memory of 3216	2896	cmd.exe	127
PID 2896 wrote to memory of 3216	2896	cmd.exe	127
PID 2896 wrote to memory of 4864	2896	cmd.exe	128
PID 2896 wrote to memory of 4864	2896	cmd.exe	128
PID 4864 wrote to memory of 4168	4864	RuntimeBroker.exe	129
PID 4864 wrote to memory of 4168	4864	RuntimeBroker.exe	129
PID 4864 wrote to memory of 3900	4864	RuntimeBroker.exe	131
PID 4864 wrote to memory of 3900	4864	RuntimeBroker.exe	131
PID 3900 wrote to memory of 1976	3900	cmd.exe	133
PID 3900 wrote to memory of 1976	3900	cmd.exe	133
PID 3900 wrote to memory of 4772	3900	cmd.exe	134
PID 3900 wrote to memory of 4772	3900	cmd.exe	134
PID 3900 wrote to memory of 2904	3900	cmd.exe	135
PID 3900 wrote to memory of 2904	3900	cmd.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe
"C:\Users\Admin\AppData\Local\Temp\932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:620
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3196
- C:\Windows\system32\devtun\RuntimeBroker.exe
  "C:\Windows\system32\devtun\RuntimeBroker.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:712
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\g4rzkrdIQthV.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1240
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:5012
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5112
  - - C:\Windows\system32\devtun\RuntimeBroker.exe
      "C:\Windows\system32\devtun\RuntimeBroker.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1832
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GrfuZMF4V0AA.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2652
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:368
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4552
      - C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USBnrIUiVNHE.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3960
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1892
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zrbvKfUBblWc.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2392
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2400
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w66blDtjoACV.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:936
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3216
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4168
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xXKbAEblzSGG.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1976
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4772
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1472
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UXdoOkBo2yjl.bat" "
        15⤵
        
        PID:3632
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3032
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:624
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qJVIao2OjtsR.bat" "
        17⤵
        
        PID:660
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1112
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1044
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3872
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6HFZ1Aeh41ob.bat" "
        19⤵
        
        PID:4960
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:5084
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1876
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2hZRNfdsv8cu.bat" "
        21⤵
        
        PID:4808
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:880
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1492
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4348
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lLUw7TBcTfPA.bat" "
        23⤵
        
        PID:2492
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2032
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4896
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ig8SIMPchvCG.bat" "
        25⤵
        
        PID:3236
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2208
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4072
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZBzspIqTNs8D.bat" "
        27⤵
        
        PID:968
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4800
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3084
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4028
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XfTbsfmjtJtB.bat" "
        29⤵
        
        PID:1340
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:428
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3508
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4920
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mXV4a5qND5gO.bat" "
        31⤵
        
        PID:1044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2564
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2hZRNfdsv8cu.bat

Filesize
203B

MD5
352df97c8183f9df61fd52552eeca5f0

SHA1
c769395d2d313dd80c9adb5c9b1a080310412b68

SHA256
3a26407a0f539e7e0eb17c576be611c7674593feac07343d6d38a09294cdf0e1

SHA512
d755d9777d7c203bcc6653693d98d83f084591a9c17aaa61e3caa7bb29aad816ad46dad78a9f2b941a9786e7c8667305bac1f5c2e286d7ade6c12c2a5421a7cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\6HFZ1Aeh41ob.bat

Filesize
203B

MD5
72828b6071473ac71fadfcfc288c3fb7

SHA1
3431e5fbafa221581575db195c8d5c0d910b4a13

SHA256
a0bd7aaec347dd3222287300f99d72c31fb7e5ad2c256c45e8df2c2c5a98b81d

SHA512
7fa749b8e000f00c8b8de2b2531b6cf23a50c4fa6308143f16e106727ff9321fd1e2e15876ec5104d4b93937059b8adf9587782a5be55b23c1c5da88a5a277b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GrfuZMF4V0AA.bat

Filesize
203B

MD5
54e194aa7cf521f0d03fe0bfdc04898c

SHA1
685a78ad0e47aff202a879eeeb5d1ee7be77a31a

SHA256
039d026777612a97d3c5187203ed3a8e0d8e9755617d9dae4f9e7581eb237a19

SHA512
e77ce13e2c3b734cda742ccbe740f3166fd54f0529d42cb6b4da47a72bff39f9875d3d8c2cb30adeb2c80742045604ea7b5dfc24442d0962fe96f776509209e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\USBnrIUiVNHE.bat

Filesize
203B

MD5
aa267d65f10adbce2d7a1f6e7cecd9d8

SHA1
970864b19c7bf30e46c6e429f5036cdc7e6fba21

SHA256
4fa6abab66ecaca574712cc642219ffa08a1b2e88fde5c3c23cd5a7504c0f76b

SHA512
bf426c0626a6f861e0206880fa87a0879ccf8c1141e184594844b1f6a8f64721cae91f4c5ea590891ae9d50ad6c0db1ab428ebe90599ab6358f12b3f11282f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\UXdoOkBo2yjl.bat

Filesize
203B

MD5
52740d50435bd41e1f8c60a79902d237

SHA1
9e87e7909a9d6565514056365a5effad95ad3fae

SHA256
bc0c92a421b3433dfa3ee09a6194e6f3f941712f44b2c371f5624c51f5049448

SHA512
c2060f59a8668a09d8790e6d8bac16cfb5908569af6b4b1c401477b3b79dbb72bdbec6091c673b146534089a67dc1616ca2f0e63b8697bab6c9c7ada78aeb6fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XfTbsfmjtJtB.bat

Filesize
203B

MD5
a4698ab4b19fba64fe789c20e0e60646

SHA1
88dd1b18c6bd93cce556487b9b6c1c2f85760fbc

SHA256
67667a64b3f0b5baea56d70b971f4ea933d0bd03a9bdac3215962183a2eb3aa0

SHA512
d67124c8007bf91990cee4a78371e10c210e9673650b6d226c6e8a71e028b006674025d7ebdcc1444c7d599e518db9a33325f2f040437a209317840a27597f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZBzspIqTNs8D.bat

Filesize
203B

MD5
8b8a5bbdcf6f90e98c0c29f49eee62df

SHA1
60293731ae20797abf6d0950f24e352133d2400f

SHA256
5e835ce0ef558a514939f1344ea8c81cb3f0e8e8220069c0bff70698685fbc78

SHA512
29b7ec3f1c05dd9ffa166c826d46afdd96053b7c7d6c07dbd26fc16f014fd81c53e71a42ca554f225c03b45a68e12a10d4e209f4e7abac4ecd3089cd664b5e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\g4rzkrdIQthV.bat

Filesize
203B

MD5
cd21449addcf5e06ce4d5cf9c14cdc73

SHA1
3356f1984ff8ec7105644ef86bc183cac81f0636

SHA256
f06ba7cc3c5b0725d03a3d7089490a7a93d16d82879c8f4745462d673200c8c6

SHA512
95552e52b1351e86e0b78e3366b7d9b77bdd12229ef225262bfb562b9a1b37f4b7f67a9a47816b989e30d737eec8a020b6fb4c310ff647bf1a00ec8ec22cbe04

Download Submit
C:\Users\Admin\AppData\Local\Temp\ig8SIMPchvCG.bat

Filesize
203B

MD5
6264d56bc5a69edddd195af760c49469

SHA1
9306229d1e7ed02d97ebbedb0e06c6890e090ca6

SHA256
819900d91b450c80c4ba5bc422ae92edc327b68f5c8225313fcd5725ef7bcb1d

SHA512
f32679508bdd04f0d7a599112e0a32e42afb13de235d17f16b47842dd16fa07deb902d6673758b1745a8341c6adcd7cf4e039e36a26f198a5ef929b10f0a5e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\lLUw7TBcTfPA.bat

Filesize
203B

MD5
867b585c9875c5b953602bc7b7a558c1

SHA1
955ebee133baa3b366be0aee1dd82188a6200076

SHA256
0cc2930444655bd3521a5af0974bb6441f192cc89225f725491302b803e9484f

SHA512
e0f47399af9389ebe5f745d0376048a9b7d3b2bf396af15bdf484825473517cf3c6bf770eccab0cfa75b17e882c0ca423e218bd98efc699e8ab402f260e298dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mXV4a5qND5gO.bat

Filesize
203B

MD5
66c7afe9b3a0c0a986d3e7f5622940a0

SHA1
321f04e793023111d94461bea180fe890fa59be7

SHA256
0d25b8b2675f89867316905b530329be5dbba50e32b89ee4684b65da4c190587

SHA512
e66cb633ed28e209cf33fa819dcc810a198db021fc703563dcabbe5a763f9033598f09566b48ece4ec7fca2cfab8c2faf92885341e3716a4b44fdef4fd89eb20

Download Submit
C:\Users\Admin\AppData\Local\Temp\qJVIao2OjtsR.bat

Filesize
203B

MD5
f41bdb99d2ed03f788562a6697d5454f

SHA1
54e68c41e91dfe0ca160ed497722ba239fa9f4a2

SHA256
d5c437dd1b5662dfe0e66227369dddb6389c89bfd774d47d03778ba694bc39d6

SHA512
338af190b8e0fef1955e5173b499e12184421e59599c6de0160fd1773f920849896d26bc4da2556d3e3a05ca8981bae48720d5f8de812ec66ec314f9a380f03b

Download Submit
C:\Users\Admin\AppData\Local\Temp\w66blDtjoACV.bat

Filesize
203B

MD5
1a5e6d90c4a059c680cd7236235b05b4

SHA1
fb7de91672191ef7b9959ae017a54b7bc1e554fd

SHA256
5e2a4237ebb1ca52bd81ef0e5991d7e942a0ecf709d0dd0074ded2224206290c

SHA512
1a072097bfc210fc1e8ce43715a896a47fd788739b4b139db25b36fb75961d408b3cb939d7c2d8a87becbc2e8512c644bd32c8e801ae4006186675f45c220a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\xXKbAEblzSGG.bat

Filesize
203B

MD5
2bad115d9d9b5670250e3cb68716b708

SHA1
6eb24757a6f564062747265e81a004b23f5dd286

SHA256
655369add4a1f8c4c8dff595e8ea642ef8992639720579434add54caac597c9c

SHA512
62e89ca90e75db22ec5634c8a677d78952efe3729f1f12e32288d60901be59fef1fb7818eac95e892bcd0a7222ee4d1fbbb16c8293919a75bc3ee3ac91fc595b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zrbvKfUBblWc.bat

Filesize
203B

MD5
fd9fcc1089dcfb41633c924e00942ef7

SHA1
b2ce8b517657bacd000552c17732b16d7972f2f3

SHA256
be1bbf0a2ed44713d2059079e3f4e4319d0fdf91e38ec3cb65a0f3bc4d4519a3

SHA512
da49e7a4933af0060ceeaf72a2fdee63736916e0f2fdf9cbe866a85402ee2198984752369dbc098270212cb4dff3207575062aafd44cf56a1e9d958db66eba01

Download Submit
C:\Windows\System32\devtun\RuntimeBroker.exe

Filesize
3.1MB

MD5
7ae9e9867e301a3fdd47d217b335d30f

SHA1
d8c62d8d73aeee1cbc714245f7a9a39fcfb80760

SHA256
932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c

SHA512
063648705e1817a1df82c9a595e4bbe8e0b1dbb7e31a6517df59905ebe7f22160f4acb55349d03dfe70744a14fd53c59a4c657c7a96646fcccf1c2214fc803dd

Download Submit
memory/620-0-0x00007FFEE8973000-0x00007FFEE8975000-memory.dmp

Filesize
8KB

Download
memory/620-2-0x00007FFEE8970000-0x00007FFEE9431000-memory.dmp

Filesize
10.8MB

Download
memory/620-1-0x0000000000990000-0x0000000000CB4000-memory.dmp

Filesize
3.1MB

Download
memory/620-8-0x00007FFEE8970000-0x00007FFEE9431000-memory.dmp

Filesize
10.8MB

Download
memory/712-9-0x00007FFEE8970000-0x00007FFEE9431000-memory.dmp

Filesize
10.8MB

Download
memory/712-16-0x00007FFEE8970000-0x00007FFEE9431000-memory.dmp

Filesize
10.8MB

Download
memory/712-11-0x000000001D3C0000-0x000000001D472000-memory.dmp

Filesize
712KB

Download
memory/712-10-0x000000001BBA0000-0x000000001BBF0000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads