quasar | 932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c

Analysis

max time kernel
142s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe
Size

3.1MB
MD5

7ae9e9867e301a3fdd47d217b335d30f
SHA1

d8c62d8d73aeee1cbc714245f7a9a39fcfb80760
SHA256

932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c
SHA512

063648705e1817a1df82c9a595e4bbe8e0b1dbb7e31a6517df59905ebe7f22160f4acb55349d03dfe70744a14fd53c59a4c657c7a96646fcccf1c2214fc803dd
SSDEEP

49152:/vTlL26AaNeWgPhlmVqvMQ7XSKn8GE18hk/gv4oGdQTHHB72eh2NT:/vJL26AaNeWgPhlmVqkQ7XSKn8mA

Score

10^/10

quasar runtimebroker discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

RuntimeBroker

Cmaster-57540.portmap.io:57540:8080

Mutex

7d0b5d0f-c185-4da8-b709-726d2f58400c

Attributes

encryption_key
6275D618DF6119CEEF062AB381785B6186B8C0EB
install_name
RuntimeBroker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
RuntimeBroker
subdirectory
devtun

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 11 IoCs

resource	yara_rule
behavioral1/memory/2924-1-0x00000000010F0000-0x0000000001414000-memory.dmp	family_quasar
behavioral1/files/0x000c00000001659b-5.dat	family_quasar
behavioral1/memory/2832-9-0x00000000003E0000-0x0000000000704000-memory.dmp	family_quasar
behavioral1/memory/2384-22-0x00000000002A0000-0x00000000005C4000-memory.dmp	family_quasar
behavioral1/memory/2272-33-0x0000000000960000-0x0000000000C84000-memory.dmp	family_quasar
behavioral1/memory/1500-44-0x0000000000D30000-0x0000000001054000-memory.dmp	family_quasar
behavioral1/memory/2784-55-0x0000000000E50000-0x0000000001174000-memory.dmp	family_quasar
behavioral1/memory/2164-128-0x0000000000080000-0x00000000003A4000-memory.dmp	family_quasar
behavioral1/memory/1676-139-0x00000000002D0000-0x00000000005F4000-memory.dmp	family_quasar
behavioral1/memory/2476-150-0x0000000000300000-0x0000000000624000-memory.dmp	family_quasar
behavioral1/memory/2324-161-0x0000000000A40000-0x0000000000D64000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2832	RuntimeBroker.exe
2384	RuntimeBroker.exe
2272	RuntimeBroker.exe
1500	RuntimeBroker.exe
2784	RuntimeBroker.exe
2508	RuntimeBroker.exe
3044	RuntimeBroker.exe
2756	RuntimeBroker.exe
1296	RuntimeBroker.exe
2928	RuntimeBroker.exe
2768	RuntimeBroker.exe
2164	RuntimeBroker.exe
1676	RuntimeBroker.exe
2476	RuntimeBroker.exe
2324	RuntimeBroker.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\devtun\RuntimeBroker.exe	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe
File created	C:\Windows\system32\devtun\RuntimeBroker.exe	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3044	PING.EXE
2936	PING.EXE
2820	PING.EXE
336	PING.EXE
2008	PING.EXE
448	PING.EXE
664	PING.EXE
2864	PING.EXE
2612	PING.EXE
2484	PING.EXE
2732	PING.EXE
2540	PING.EXE
804	PING.EXE
1128	PING.EXE
1388	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2864	PING.EXE
1128	PING.EXE
2936	PING.EXE
1388	PING.EXE
2540	PING.EXE
336	PING.EXE
2484	PING.EXE
804	PING.EXE
2008	PING.EXE
2732	PING.EXE
448	PING.EXE
664	PING.EXE
2820	PING.EXE
3044	PING.EXE
2612	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1328	schtasks.exe
2688	schtasks.exe
2024	schtasks.exe
2656	schtasks.exe
2852	schtasks.exe
1476	schtasks.exe
2180	schtasks.exe
2084	schtasks.exe
2960	schtasks.exe
496	schtasks.exe
2900	schtasks.exe
2808	schtasks.exe
860	schtasks.exe
1632	schtasks.exe
2716	schtasks.exe
1132	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2924	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe
Token: SeDebugPrivilege	2832	RuntimeBroker.exe
Token: SeDebugPrivilege	2384	RuntimeBroker.exe
Token: SeDebugPrivilege	2272	RuntimeBroker.exe
Token: SeDebugPrivilege	1500	RuntimeBroker.exe
Token: SeDebugPrivilege	2784	RuntimeBroker.exe
Token: SeDebugPrivilege	2508	RuntimeBroker.exe
Token: SeDebugPrivilege	3044	RuntimeBroker.exe
Token: SeDebugPrivilege	2756	RuntimeBroker.exe
Token: SeDebugPrivilege	1296	RuntimeBroker.exe
Token: SeDebugPrivilege	2928	RuntimeBroker.exe
Token: SeDebugPrivilege	2768	RuntimeBroker.exe
Token: SeDebugPrivilege	2164	RuntimeBroker.exe
Token: SeDebugPrivilege	1676	RuntimeBroker.exe
Token: SeDebugPrivilege	2476	RuntimeBroker.exe
Token: SeDebugPrivilege	2324	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2716	2924	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe	30
PID 2924 wrote to memory of 2716	2924	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe	30
PID 2924 wrote to memory of 2716	2924	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe	30
PID 2924 wrote to memory of 2832	2924	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe	32
PID 2924 wrote to memory of 2832	2924	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe	32
PID 2924 wrote to memory of 2832	2924	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe	32
PID 2832 wrote to memory of 2688	2832	RuntimeBroker.exe	33
PID 2832 wrote to memory of 2688	2832	RuntimeBroker.exe	33
PID 2832 wrote to memory of 2688	2832	RuntimeBroker.exe	33
PID 2832 wrote to memory of 2624	2832	RuntimeBroker.exe	35
PID 2832 wrote to memory of 2624	2832	RuntimeBroker.exe	35
PID 2832 wrote to memory of 2624	2832	RuntimeBroker.exe	35
PID 2624 wrote to memory of 2588	2624	cmd.exe	37
PID 2624 wrote to memory of 2588	2624	cmd.exe	37
PID 2624 wrote to memory of 2588	2624	cmd.exe	37
PID 2624 wrote to memory of 2612	2624	cmd.exe	38
PID 2624 wrote to memory of 2612	2624	cmd.exe	38
PID 2624 wrote to memory of 2612	2624	cmd.exe	38
PID 2624 wrote to memory of 2384	2624	cmd.exe	39
PID 2624 wrote to memory of 2384	2624	cmd.exe	39
PID 2624 wrote to memory of 2384	2624	cmd.exe	39
PID 2384 wrote to memory of 2024	2384	RuntimeBroker.exe	40
PID 2384 wrote to memory of 2024	2384	RuntimeBroker.exe	40
PID 2384 wrote to memory of 2024	2384	RuntimeBroker.exe	40
PID 2384 wrote to memory of 2868	2384	RuntimeBroker.exe	42
PID 2384 wrote to memory of 2868	2384	RuntimeBroker.exe	42
PID 2384 wrote to memory of 2868	2384	RuntimeBroker.exe	42
PID 2868 wrote to memory of 372	2868	cmd.exe	44
PID 2868 wrote to memory of 372	2868	cmd.exe	44
PID 2868 wrote to memory of 372	2868	cmd.exe	44
PID 2868 wrote to memory of 2936	2868	cmd.exe	45
PID 2868 wrote to memory of 2936	2868	cmd.exe	45
PID 2868 wrote to memory of 2936	2868	cmd.exe	45
PID 2868 wrote to memory of 2272	2868	cmd.exe	46
PID 2868 wrote to memory of 2272	2868	cmd.exe	46
PID 2868 wrote to memory of 2272	2868	cmd.exe	46
PID 2272 wrote to memory of 2900	2272	RuntimeBroker.exe	47
PID 2272 wrote to memory of 2900	2272	RuntimeBroker.exe	47
PID 2272 wrote to memory of 2900	2272	RuntimeBroker.exe	47
PID 2272 wrote to memory of 1228	2272	RuntimeBroker.exe	49
PID 2272 wrote to memory of 1228	2272	RuntimeBroker.exe	49
PID 2272 wrote to memory of 1228	2272	RuntimeBroker.exe	49
PID 1228 wrote to memory of 1496	1228	cmd.exe	51
PID 1228 wrote to memory of 1496	1228	cmd.exe	51
PID 1228 wrote to memory of 1496	1228	cmd.exe	51
PID 1228 wrote to memory of 448	1228	cmd.exe	52
PID 1228 wrote to memory of 448	1228	cmd.exe	52
PID 1228 wrote to memory of 448	1228	cmd.exe	52
PID 1228 wrote to memory of 1500	1228	cmd.exe	53
PID 1228 wrote to memory of 1500	1228	cmd.exe	53
PID 1228 wrote to memory of 1500	1228	cmd.exe	53
PID 1500 wrote to memory of 2808	1500	RuntimeBroker.exe	54
PID 1500 wrote to memory of 2808	1500	RuntimeBroker.exe	54
PID 1500 wrote to memory of 2808	1500	RuntimeBroker.exe	54
PID 1500 wrote to memory of 1760	1500	RuntimeBroker.exe	56
PID 1500 wrote to memory of 1760	1500	RuntimeBroker.exe	56
PID 1500 wrote to memory of 1760	1500	RuntimeBroker.exe	56
PID 1760 wrote to memory of 2184	1760	cmd.exe	58
PID 1760 wrote to memory of 2184	1760	cmd.exe	58
PID 1760 wrote to memory of 2184	1760	cmd.exe	58
PID 1760 wrote to memory of 2484	1760	cmd.exe	59
PID 1760 wrote to memory of 2484	1760	cmd.exe	59
PID 1760 wrote to memory of 2484	1760	cmd.exe	59
PID 1760 wrote to memory of 2784	1760	cmd.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe
"C:\Users\Admin\AppData\Local\Temp\932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2716
- C:\Windows\system32\devtun\RuntimeBroker.exe
  "C:\Windows\system32\devtun\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2688
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\pkDhC7OrTCnZ.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2588
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2612
  - - C:\Windows\system32\devtun\RuntimeBroker.exe
      "C:\Windows\system32\devtun\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2384
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2024
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\U94OhZ4EnPDd.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2868
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:372
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2936
      - C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2900
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HpjOx530cBpQ.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1496
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:448
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2808
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UCtJoQWD0OkN.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2184
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2484
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1132
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\29mtuxSDeTrS.bat" "
        11⤵
        
        PID:688
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:624
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:804
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2084
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FIhlLs0yDM1d.bat" "
        13⤵
        
        PID:2428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1984
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:664
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:860
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AmxWO1SU3NHt.bat" "
        15⤵
        
        PID:1580
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2728
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2864
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1328
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FI6geRO2jX82.bat" "
        17⤵
        
        PID:2872
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2412
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2820
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1476
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\o085wdLeVU2V.bat" "
        19⤵
        
        PID:2896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1820
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2008
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1632
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\33oqa2fRJimJ.bat" "
        21⤵
        
        PID:1496
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1096
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1128
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2180
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\39H8BGf8Ma1B.bat" "
        23⤵
        
        PID:2184
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2432
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1388
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2960
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rT2xGmDthoIq.bat" "
        25⤵
        
        PID:2796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:924
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2540
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:496
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Rd7fC07OM8l1.bat" "
        27⤵
        
        PID:1672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2316
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:336
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2656
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\9TcQvE3oyoU9.bat" "
        29⤵
        
        PID:268
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1144
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3044
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2852
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\akUXhauMgJEt.bat" "
        31⤵
        
        PID:2584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:3004
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\29mtuxSDeTrS.bat

Filesize
203B

MD5
909d97c7b0136a21b0cd8083d34781ba

SHA1
099f174aa89f60dfaa89015cfb81dc13e6ffaea9

SHA256
78023ec94cc037bc44eb33b6464d979d3d14852d82e46bbe2673cc2da772a3be

SHA512
7f8f66a101ce55bc253e363232f1cff4aacc5a0960cb2b255f2f22708c03b84b7e67db07412581df0e9996483e5cf6cc84344572848e3c8a6f75f15ef691ba66

Download Submit
C:\Users\Admin\AppData\Local\Temp\33oqa2fRJimJ.bat

Filesize
203B

MD5
d7f11cc52959ea6ae2e7806433317af5

SHA1
45869d8ed72087bb3b8efc9db1fb1fc4828c4d8e

SHA256
c551c9b961e160ece9c2f86c676abe43d5141861a4d841599716eac7e0f31773

SHA512
82400cbe28e0d98061c2c97bb7c105a4284860b2f98a794426beee47f106549ec66d003fd54964ce80fb744cab82ffbaceca53835d66fb6f05a0fa851f55ec28

Download Submit
C:\Users\Admin\AppData\Local\Temp\39H8BGf8Ma1B.bat

Filesize
203B

MD5
ce943085294377bbe5288450ed0faf62

SHA1
51e4d8115ba1aa193feeab2ff1d2c0cce9cc5252

SHA256
e38f8106dc133a69216f0afbdc619ab10ff7ef9eed99cde5993e855b0eb6a25d

SHA512
a89d672b880fcca90c122fdd85dd0bb59f8f216261066fee76f3fb1a5cc6fd63485c80e45a355298fe8ef5ef1f89bfb4902feb895b1f255b49c829f831a4a524

Download Submit
C:\Users\Admin\AppData\Local\Temp\9TcQvE3oyoU9.bat

Filesize
203B

MD5
bd91ee0ffd90935bdeb259420650f2a9

SHA1
c74e4260c2772ec4bc1702c489226144073bf45b

SHA256
e7f634ce7f3ac2938e908ca7d897341af4646d82167f2981f181a80aad0f065f

SHA512
5af6b7f7b3433a770adc4a1678ac7a9e53b5b859abf6f614243f87bc43dd9a54a022545e3bbd443546f8bec35a13f331bea7f7d9f33865e1b0b6fdd728d0cdb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AmxWO1SU3NHt.bat

Filesize
203B

MD5
5d9a4d1bcf20ab40fdb486dec37399ea

SHA1
9fbb1651506c792f38288e58ded10ce944f42141

SHA256
1ef1a0b25b23f4c4d20116b329a0099b315bc434e2daee05153a6a1b0225da9a

SHA512
4283330a010f92dbc1fb4d5c43b7479cf5d9c5a059f6eaf3622e435330898b6f9c5e0690b1e3b36858034789262dbaa3302e81ec7524e0fd2f2bc0abfc3c3f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\FI6geRO2jX82.bat

Filesize
203B

MD5
9a07fa3ad00016bfc922e44c6df79178

SHA1
83f8f25e27f92011eca45005b7858ab04e41ad15

SHA256
e8114cf4328a781b913d30a5b2f9361219dd8555ec9c229d48f75d07c75e8ebd

SHA512
3055955d69eb4d12ba1b7ee4224bf41c2b37b131f317199893c653c064dde761575a96ece3b8bb740e78d01ef78c3db3c01e6d93d3a3aaf5ada184bf0ac3a922

Download Submit
C:\Users\Admin\AppData\Local\Temp\FIhlLs0yDM1d.bat

Filesize
203B

MD5
fcceb2dd3dad552cd38046627b0eafbf

SHA1
fe2eb37f7ae778b5b235bb7b297272bd70280c41

SHA256
3f74de06d1f88ad73ab55dbf14b612c5ddb79de852db52bc9b3194c3b85b5a75

SHA512
67830015712a33bdaac2a3c08a7b00adb827720cd5166f1ca1760c890e81b1a8db303c8e5aaa47f3fa2f4092197687f2171c81f08c74400dcbf9386233ca4d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\HpjOx530cBpQ.bat

Filesize
203B

MD5
90e56df27efd41e490987ac39eab43e8

SHA1
27cba73da29537be88d4f24d922e63ae35c03b42

SHA256
7877d239dafc388a92651ffbb58b9a40932b4f0dfd97aeb623f8f24fc574bd59

SHA512
284c12f40c841426d72567d39563b535afc2057dda884c7bbeb6fc31d356afbe4fb1ce43574009e13c64865cb10ef92cd0d2851aee0cc5f6d7fb7a0d0e4a22a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rd7fC07OM8l1.bat

Filesize
203B

MD5
78a35455ae591fa07b5af3dfb6c1b5fb

SHA1
2e42911b84fa7676528a5d8736e7e4d3e2b461b9

SHA256
a8c480c895f40d357bc708674fa75b702aa6073bf270263f6f11085fa3060855

SHA512
8f315f46a2ef0fafed61afdc20346770b3053a495bf243e93645442a4108dd02cb7ab692e01e99ed5fc2576895546fecda76ec0ca7f36252a9441e944c134183

Download Submit
C:\Users\Admin\AppData\Local\Temp\U94OhZ4EnPDd.bat

Filesize
203B

MD5
f854f403e15c6742ba9eb5292487ba7e

SHA1
1f9aee468724f7e68a00e30dca39d452ef3fc848

SHA256
3f9a7f5b0a8c754b1cec224fd64c26595767034c1752359c38284f0ecd1edfe0

SHA512
010da47c4d7c6b182846caeeab6d77507b627c145168b42042146281683e794ee0213ad9f86f89f204c65f153d11541c1185fe3b7b5ca03334549b0010eb277d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UCtJoQWD0OkN.bat

Filesize
203B

MD5
5af997d1aef0e2b0e307aac3ef2ffcdc

SHA1
65e771299bd8994c5acb9a78ab8b3a82fa4bafa9

SHA256
ba86c3e13e5b00ec11976545d8532049d246a6ca22a65858b27c5306765ba842

SHA512
9edb4fcb37f20a943493e905f9e42746c36d5eb9cbdd6da1dbc2528052e3d10647045cd9c3c51670006b6198fb54acf213e67187e9b45314ddbf4483958783e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\akUXhauMgJEt.bat

Filesize
203B

MD5
d92c38a647222c3c877103fd1d9a628a

SHA1
611cb172d031dbb31362cedd601054b5a2e90c17

SHA256
81e312f5e1e8cca276ed64fb30e807a399cd27c302b3aa1803270ce26a1bc90e

SHA512
630ec7cfab841d68c9057e809de824d6bf5d685e8d75bda37fd778aa9e4cc382e99e36d1c1cfbf4700145ccd24d032923c849849823d740c6e19b20e16b0d015

Download Submit
C:\Users\Admin\AppData\Local\Temp\o085wdLeVU2V.bat

Filesize
203B

MD5
c8dce2a10b7a7ddf54c08043e5348cd9

SHA1
b28979cbb823b673bc570f9ac2abad8daf0ebca9

SHA256
0525e4adad1ed6b748e02875661d28c929e92406ece5abfe7566ba8b6c3a81ba

SHA512
906b605346390339b9edfc0d94536ba2171795d1af1e076bd9dd7a285e55705fa273fe5b47c6842087e7debdfb08add333058ff70fc490098e88f40390119b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkDhC7OrTCnZ.bat

Filesize
203B

MD5
a81a1a8b0a1a3bcd30ba2593b69ef89b

SHA1
f436269ce0ccebaf44ead97ccda743655a4a1d7e

SHA256
a27a8eda527612bc6ad092619ae875cd010fc24b3ada2419f89ba240ef5e1bc1

SHA512
f2b029783fb07145d61e7eb78b8e6b9a5dc11994cd6c9638c912da4aa1b8335d54a559431b3a372dfbe580096b9e0de4b85ad441a9f774fb24b690c2daa5bab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\rT2xGmDthoIq.bat

Filesize
203B

MD5
67f713dca7289ef7a2ad50c7899da2ea

SHA1
46593de4c0bfc2139d459291ff99c0c8ad4f42a3

SHA256
ee7984cc5eddabbffe3edd9c0e69065cbb7c2393343af49bb86086ddf2862a3b

SHA512
401c68deec33ae17ae7789f2210cdcdae65b15307723a0dc358ad93a57578b2c3bd85d64bea694e24c53e4f6ee5c58d3d53bf6c7d4bb71807a27dd5354acd1d9

Download Submit
C:\Windows\System32\devtun\RuntimeBroker.exe

Filesize
3.1MB

MD5
7ae9e9867e301a3fdd47d217b335d30f

SHA1
d8c62d8d73aeee1cbc714245f7a9a39fcfb80760

SHA256
932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c

SHA512
063648705e1817a1df82c9a595e4bbe8e0b1dbb7e31a6517df59905ebe7f22160f4acb55349d03dfe70744a14fd53c59a4c657c7a96646fcccf1c2214fc803dd

Download Submit
memory/1500-44-0x0000000000D30000-0x0000000001054000-memory.dmp

Filesize
3.1MB

Download
memory/1676-139-0x00000000002D0000-0x00000000005F4000-memory.dmp

Filesize
3.1MB

Download
memory/2164-128-0x0000000000080000-0x00000000003A4000-memory.dmp

Filesize
3.1MB

Download
memory/2272-33-0x0000000000960000-0x0000000000C84000-memory.dmp

Filesize
3.1MB

Download
memory/2324-161-0x0000000000A40000-0x0000000000D64000-memory.dmp

Filesize
3.1MB

Download
memory/2384-22-0x00000000002A0000-0x00000000005C4000-memory.dmp

Filesize
3.1MB

Download
memory/2476-150-0x0000000000300000-0x0000000000624000-memory.dmp

Filesize
3.1MB

Download
memory/2784-55-0x0000000000E50000-0x0000000001174000-memory.dmp

Filesize
3.1MB

Download
memory/2832-8-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2832-9-0x00000000003E0000-0x0000000000704000-memory.dmp

Filesize
3.1MB

Download
memory/2832-10-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2832-20-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2924-7-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2924-0-0x000007FEF6163000-0x000007FEF6164000-memory.dmp

Filesize
4KB

Download
memory/2924-2-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2924-1-0x00000000010F0000-0x0000000001414000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads