quasar | 932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c

Analysis

max time kernel
148s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/12/2024, 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe
Size

3.1MB
MD5

7ae9e9867e301a3fdd47d217b335d30f
SHA1

d8c62d8d73aeee1cbc714245f7a9a39fcfb80760
SHA256

932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c
SHA512

063648705e1817a1df82c9a595e4bbe8e0b1dbb7e31a6517df59905ebe7f22160f4acb55349d03dfe70744a14fd53c59a4c657c7a96646fcccf1c2214fc803dd
SSDEEP

49152:/vTlL26AaNeWgPhlmVqvMQ7XSKn8GE18hk/gv4oGdQTHHB72eh2NT:/vJL26AaNeWgPhlmVqkQ7XSKn8mA

Score

10^/10

quasar runtimebroker discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

RuntimeBroker

Cmaster-57540.portmap.io:57540:8080

Mutex

7d0b5d0f-c185-4da8-b709-726d2f58400c

Attributes

encryption_key
6275D618DF6119CEEF062AB381785B6186B8C0EB
install_name
RuntimeBroker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
RuntimeBroker
subdirectory
devtun

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/4904-1-0x00000000008E0000-0x0000000000C04000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023c96-5.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 15 IoCs

pid	Process
1112	RuntimeBroker.exe
1300	RuntimeBroker.exe
4168	RuntimeBroker.exe
4128	RuntimeBroker.exe
1080	RuntimeBroker.exe
4904	RuntimeBroker.exe
4784	RuntimeBroker.exe
4832	RuntimeBroker.exe
2116	RuntimeBroker.exe
4084	RuntimeBroker.exe
4392	RuntimeBroker.exe
2484	RuntimeBroker.exe
628	RuntimeBroker.exe
3172	RuntimeBroker.exe
3648	RuntimeBroker.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\devtun\RuntimeBroker.exe	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe
File opened for modification	C:\Windows\system32\devtun\RuntimeBroker.exe	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4072	PING.EXE
4848	PING.EXE
5028	PING.EXE
4072	PING.EXE
5096	PING.EXE
2912	PING.EXE
2692	PING.EXE
1616	PING.EXE
1136	PING.EXE
2892	PING.EXE
2200	PING.EXE
4904	PING.EXE
2264	PING.EXE
1200	PING.EXE
4508	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2912	PING.EXE
2692	PING.EXE
4072	PING.EXE
5028	PING.EXE
4848	PING.EXE
1616	PING.EXE
1136	PING.EXE
5096	PING.EXE
2892	PING.EXE
4904	PING.EXE
4508	PING.EXE
2264	PING.EXE
4072	PING.EXE
1200	PING.EXE
2200	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2476	schtasks.exe
4336	schtasks.exe
2568	schtasks.exe
2132	schtasks.exe
4020	schtasks.exe
2340	schtasks.exe
1712	schtasks.exe
4192	schtasks.exe
380	schtasks.exe
3376	schtasks.exe
528	schtasks.exe
2964	schtasks.exe
400	schtasks.exe
632	schtasks.exe
1028	schtasks.exe
3240	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	4904	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe
Token: SeDebugPrivilege	1112	RuntimeBroker.exe
Token: SeDebugPrivilege	1300	RuntimeBroker.exe
Token: SeDebugPrivilege	4168	RuntimeBroker.exe
Token: SeDebugPrivilege	4128	RuntimeBroker.exe
Token: SeDebugPrivilege	1080	RuntimeBroker.exe
Token: SeDebugPrivilege	4904	RuntimeBroker.exe
Token: SeDebugPrivilege	4784	RuntimeBroker.exe
Token: SeDebugPrivilege	4832	RuntimeBroker.exe
Token: SeDebugPrivilege	2116	RuntimeBroker.exe
Token: SeDebugPrivilege	4084	RuntimeBroker.exe
Token: SeDebugPrivilege	4392	RuntimeBroker.exe
Token: SeDebugPrivilege	2484	RuntimeBroker.exe
Token: SeDebugPrivilege	628	RuntimeBroker.exe
Token: SeDebugPrivilege	3172	RuntimeBroker.exe
Token: SeDebugPrivilege	3648	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 2568	4904	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe	82
PID 4904 wrote to memory of 2568	4904	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe	82
PID 4904 wrote to memory of 1112	4904	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe	84
PID 4904 wrote to memory of 1112	4904	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe	84
PID 1112 wrote to memory of 380	1112	RuntimeBroker.exe	85
PID 1112 wrote to memory of 380	1112	RuntimeBroker.exe	85
PID 1112 wrote to memory of 4000	1112	RuntimeBroker.exe	87
PID 1112 wrote to memory of 4000	1112	RuntimeBroker.exe	87
PID 4000 wrote to memory of 928	4000	cmd.exe	89
PID 4000 wrote to memory of 928	4000	cmd.exe	89
PID 4000 wrote to memory of 1136	4000	cmd.exe	90
PID 4000 wrote to memory of 1136	4000	cmd.exe	90
PID 4000 wrote to memory of 1300	4000	cmd.exe	95
PID 4000 wrote to memory of 1300	4000	cmd.exe	95
PID 1300 wrote to memory of 2132	1300	RuntimeBroker.exe	97
PID 1300 wrote to memory of 2132	1300	RuntimeBroker.exe	97
PID 1300 wrote to memory of 4424	1300	RuntimeBroker.exe	99
PID 1300 wrote to memory of 4424	1300	RuntimeBroker.exe	99
PID 4424 wrote to memory of 4884	4424	cmd.exe	101
PID 4424 wrote to memory of 4884	4424	cmd.exe	101
PID 4424 wrote to memory of 2264	4424	cmd.exe	102
PID 4424 wrote to memory of 2264	4424	cmd.exe	102
PID 4424 wrote to memory of 4168	4424	cmd.exe	105
PID 4424 wrote to memory of 4168	4424	cmd.exe	105
PID 4168 wrote to memory of 3376	4168	RuntimeBroker.exe	106
PID 4168 wrote to memory of 3376	4168	RuntimeBroker.exe	106
PID 4168 wrote to memory of 3540	4168	RuntimeBroker.exe	108
PID 4168 wrote to memory of 3540	4168	RuntimeBroker.exe	108
PID 3540 wrote to memory of 3988	3540	cmd.exe	110
PID 3540 wrote to memory of 3988	3540	cmd.exe	110
PID 3540 wrote to memory of 5028	3540	cmd.exe	111
PID 3540 wrote to memory of 5028	3540	cmd.exe	111
PID 3540 wrote to memory of 4128	3540	cmd.exe	114
PID 3540 wrote to memory of 4128	3540	cmd.exe	114
PID 4128 wrote to memory of 2476	4128	RuntimeBroker.exe	115
PID 4128 wrote to memory of 2476	4128	RuntimeBroker.exe	115
PID 4128 wrote to memory of 2884	4128	RuntimeBroker.exe	117
PID 4128 wrote to memory of 2884	4128	RuntimeBroker.exe	117
PID 2884 wrote to memory of 1988	2884	cmd.exe	119
PID 2884 wrote to memory of 1988	2884	cmd.exe	119
PID 2884 wrote to memory of 4072	2884	cmd.exe	120
PID 2884 wrote to memory of 4072	2884	cmd.exe	120
PID 2884 wrote to memory of 1080	2884	cmd.exe	121
PID 2884 wrote to memory of 1080	2884	cmd.exe	121
PID 1080 wrote to memory of 4020	1080	RuntimeBroker.exe	122
PID 1080 wrote to memory of 4020	1080	RuntimeBroker.exe	122
PID 1080 wrote to memory of 3316	1080	RuntimeBroker.exe	124
PID 1080 wrote to memory of 3316	1080	RuntimeBroker.exe	124
PID 3316 wrote to memory of 3152	3316	cmd.exe	126
PID 3316 wrote to memory of 3152	3316	cmd.exe	126
PID 3316 wrote to memory of 5096	3316	cmd.exe	127
PID 3316 wrote to memory of 5096	3316	cmd.exe	127
PID 3316 wrote to memory of 4904	3316	cmd.exe	128
PID 3316 wrote to memory of 4904	3316	cmd.exe	128
PID 4904 wrote to memory of 528	4904	RuntimeBroker.exe	129
PID 4904 wrote to memory of 528	4904	RuntimeBroker.exe	129
PID 4904 wrote to memory of 3872	4904	RuntimeBroker.exe	131
PID 4904 wrote to memory of 3872	4904	RuntimeBroker.exe	131
PID 3872 wrote to memory of 3620	3872	cmd.exe	133
PID 3872 wrote to memory of 3620	3872	cmd.exe	133
PID 3872 wrote to memory of 1200	3872	cmd.exe	134
PID 3872 wrote to memory of 1200	3872	cmd.exe	134
PID 3872 wrote to memory of 4784	3872	cmd.exe	135
PID 3872 wrote to memory of 4784	3872	cmd.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe
"C:\Users\Admin\AppData\Local\Temp\932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2568
- C:\Windows\system32\devtun\RuntimeBroker.exe
  "C:\Windows\system32\devtun\RuntimeBroker.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ueMTNHj1swpQ.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4000
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:928
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1136
  - - C:\Windows\system32\devtun\RuntimeBroker.exe
      "C:\Windows\system32\devtun\RuntimeBroker.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1300
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2132
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Twap5uRJEwqU.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4424
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4884
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2264
      - C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JxHmt9pZRrJz.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3988
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5028
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4128
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pgctnpkmeyVW.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1988
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4072
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ddn88lihDbmJ.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3152
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5096
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4ioR1lMBMtOp.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1200
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4784
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Hk5XpswxQ0GL.bat" "
        15⤵
        
        PID:4136
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3244
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2912
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4832
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\S4inROJof245.bat" "
        17⤵
        
        PID:4244
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1504
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2692
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\L2F91Lpay9nq.bat" "
        19⤵
        
        PID:4272
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1368
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2892
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4084
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GGcWs4yerOp9.bat" "
        21⤵
        
        PID:1384
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3848
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4072
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4392
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:632
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DXDbmvnaQsIg.bat" "
        23⤵
        
        PID:5108
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4428
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2200
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mbQekgJP7Adh.bat" "
        25⤵
        
        PID:1524
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2092
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4904
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:628
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\utMLJnMoa5ub.bat" "
        27⤵
        
        PID:2876
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4552
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4508
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3172
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4192
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ux9j3dccIWv1.bat" "
        29⤵
        
        PID:3516
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2420
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4848
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3648
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OQTo1uqpBxnF.bat" "
        31⤵
        
        PID:656
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:4412
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ioR1lMBMtOp.bat

Filesize
203B

MD5
a1889ca1f1522b8e096f1354e8bb9253

SHA1
f9e2a11627997efd33004404764d7757aea23ba2

SHA256
87e5f92d925407fbb14a762b56887c07948296adc8708a3ba7f21c88b40ab8d0

SHA512
68d9a84973fb08abd3ca8674120a380206bbcf1237a5fbafa51be2b2b4196c38cd473fa30f341efcee18ff4b2aa4f59a2cd70f5e01b2baafbebd3bc40d8d6dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXDbmvnaQsIg.bat

Filesize
203B

MD5
b560a76aa8e273a66bbf37d235ab6d96

SHA1
7f00bbbe47bb79d5baf5922d6cb209c8eed3e9f3

SHA256
4d216843caf7dfe200d30f424d8559bdabce3c3e75101dcf7387447363844c72

SHA512
6e41f8b2d4c4dd509a3d90eb935b9df02567ed9b3d39656399e7b75b2e4af40490910e141485bba9f5f96faceaa0027d8f0b16caa3a896c8ccb775ddf5280a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGcWs4yerOp9.bat

Filesize
203B

MD5
0298dce460e8468b7d14f6ec7f325b0c

SHA1
6c5ce3246dd04c955352acb465adcd733aadee8c

SHA256
bf6fdc7171b31d749f0adddf37cc3f49260de95d19b1b7a3e6ae0139a855c37c

SHA512
bbca8cb0c01ce2ed0b81dcbdfe50733fae13119eabe0ca2e082eba66dbc41ee45ba89984cbae3e6687a02318ddd53705f3a504aff88c9bbe1f18c122d6c97142

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hk5XpswxQ0GL.bat

Filesize
203B

MD5
de53f6e616dbee92a5fb20b228cbb174

SHA1
474c939d89a3eba46569fcc7ef098e84a24eb2cb

SHA256
0520ac7e29859a4c33c0c075478c0018b359a4a5a2c38c2253ac0e9652b69203

SHA512
d7f846ed623c3452c490dabaa2ddcf21a83aebecb8451ab3cab37b60dd0cae642a8bde412784a4c7fe9f33a1169d7cc96eff89fc202bc0f8cc378d7bd0266988

Download Submit
C:\Users\Admin\AppData\Local\Temp\JxHmt9pZRrJz.bat

Filesize
203B

MD5
12102b9c540ac18a98155f518dd024cd

SHA1
8f8aa864196fbdee21ac80fd9bd10e200bf6a33b

SHA256
a43e8c875bf440299caee5f6bdf5e4c49be702e3a9cb87dde62e0ce1ae65dc38

SHA512
c30cccea7c7019c16e76552abe928167e728f6993ba8497919cbe6a36b5ebbf28d9f512ae3a7bf3414ec56c9ff9229816e5575bfb2c5792740fb8af0f51184fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\L2F91Lpay9nq.bat

Filesize
203B

MD5
de50048c7d891b2cee26bda753e810ce

SHA1
46a863af26c9c4e06b24199db89abf419cb51279

SHA256
3189c15ffbb48e860890aa44d285abc33ac6da63f6391fe51f18e71be57e96d4

SHA512
1a64c45eca009c5ccb5e2597164142731b34d47e2c8c86813a49cc2b94c7ea87cdc7aced795f71a3aed308c3b4bbae1cd7d6e0cf265cac435b0f2444fa82d6c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQTo1uqpBxnF.bat

Filesize
203B

MD5
a481cb9d80f601421bd8d3932e632f54

SHA1
e9a200e79e7c74e35b865db85215119bd29df22b

SHA256
00edcecbc66408a43810604914d4b6ffb8d6f81bf6922ee55bbedd1f2f50711d

SHA512
fd557927c63e667b00bd97120e8ed59b700829ecb6ce46e7718558094d283322b72dc67be36d10372bbc08add371c9ad7e17646058f13a91ce1793b800e34820

Download Submit
C:\Users\Admin\AppData\Local\Temp\S4inROJof245.bat

Filesize
203B

MD5
c76599c99381c07cc3c46b31ad515d52

SHA1
d47b6b5bb080e9e427615536904a44b7912efc95

SHA256
8dcb60fea1af8bd6ec223541f7a4fe53cded97066e3753ee14c61c6b15a6753d

SHA512
6ad3915e4d31aca86367145579ce95abaef8ff24ac09d2d5752f39f5bb9c063893a3b5a744930c00684ce9b2e23ff89afc0c1c11964f78d7a396dea680d119ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twap5uRJEwqU.bat

Filesize
203B

MD5
b6365fa78217399f8f650c320d078f3d

SHA1
80f5bed66c450bfbd89b68fb4e32fb9336c40ee8

SHA256
6c254e5e46980587f6a8582401929fce21dd0aa2312dcda34ddc8b75dd9ba27f

SHA512
c8cb4d5480adad7ec1bec2d8b81a093dd122d2511810ae74f4b1b57935a051f7938dae0a72d43c7ba44893459cd7e797d7a36152fa46de94b0a08cc055970643

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddn88lihDbmJ.bat

Filesize
203B

MD5
15a943b7815843975d9d6b8064d6bd09

SHA1
4701c3bf2b7dae7d43ba2bbad5c0bd4c5ff67e40

SHA256
4cf20c7df31e86c4fddd1bcbd5515c5493257f85e51562acaebb702135926c7b

SHA512
a68d18f19d470d4dec79c740b9e542f888620cb9467a440d0f35405976d737aa18ad15327ec80e20c6a21fcd87c5288fbbfb343c90ffb78847a97e01676ef951

Download Submit
C:\Users\Admin\AppData\Local\Temp\mbQekgJP7Adh.bat

Filesize
203B

MD5
7f93f2d30dc87969252be7f7e4efbdcb

SHA1
3908f1e2d4d5edfa6427553cebe1b4937f4a4af0

SHA256
bdcaf5e2f9b4844e5923664b765166e038936a8c3b385f2c8c93e1ddc2d0cbbe

SHA512
617401ffc186178a9fdd4224321bf7a406f952829760158f1963288ca1beaa3de767aa4844b978ba9727a34d087baaa4bdb5831feaff20d8e5538acd61c40551

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgctnpkmeyVW.bat

Filesize
203B

MD5
6361a284454893e6d2955ac5397a01c7

SHA1
9ea1446aa12ce255875e1d69f52112cac481e8c4

SHA256
5d89f9eaae7cdc1330e68c27d4ebf541c873cb7e225bbb3f1940501b0e8a2ec2

SHA512
cda4d81e6a655e00a0a987f7514c99a50d4866e116d34604aa0149229f188c2f0c3802f3afb5e3611aa610b4c5c538fa23e23b4e1fca7bcab085d95046423d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\ueMTNHj1swpQ.bat

Filesize
203B

MD5
a976f579d187df154aed823a9bd287b8

SHA1
860990a36cd78def49e59e96ba41cd9d0c6f426b

SHA256
90227af6ec835cf1969d4ee4cf976f28ea0614cc586e0cd565ff2c4c551eb76b

SHA512
d9276f2a9355b8712860c38c24f2bf8b5f656a4fe42738d4261575c1987ade3ee9324bb5aca137c79a67a89de8b2582ef7848e00be859e1a93ed96301574229b

Download Submit
C:\Users\Admin\AppData\Local\Temp\utMLJnMoa5ub.bat

Filesize
203B

MD5
1f289a126734cb1e031c2d815aecda21

SHA1
3d85742163157c69edf65f15b49098cc18e4f017

SHA256
a707877f9146eafc9f3cc554508a75cd7517c4eb229529e9dcec2a06cfb05de1

SHA512
c7e4e809dff4cab5ecce0237223b24267de53df5bb617ef504b349970ceed2bf94cc46b56f041aae8b5e3a8995facff1e12e5a5a254429820dca36e7f6871b81

Download Submit
C:\Users\Admin\AppData\Local\Temp\ux9j3dccIWv1.bat

Filesize
203B

MD5
6c1d98ab4318adda5eeea9f11b00b0c1

SHA1
a9e6704182603ebf52816d686c52207e19922040

SHA256
b3bc5aa0cd9a04899b986774790bdf227f633b1b6151972bbee1c17489b02068

SHA512
c8fa1b32a87143667537a8ca923eb04cf22258e87d4424952942efd1caf935ebf2e3619b34816201b662b47524d56d271890484c885ab2844a565eb88d73dc4f

Download Submit
C:\Windows\System32\devtun\RuntimeBroker.exe

Filesize
3.1MB

MD5
7ae9e9867e301a3fdd47d217b335d30f

SHA1
d8c62d8d73aeee1cbc714245f7a9a39fcfb80760

SHA256
932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c

SHA512
063648705e1817a1df82c9a595e4bbe8e0b1dbb7e31a6517df59905ebe7f22160f4acb55349d03dfe70744a14fd53c59a4c657c7a96646fcccf1c2214fc803dd

Download Submit
memory/1112-9-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download
memory/1112-11-0x000000001D810000-0x000000001D8C2000-memory.dmp

Filesize
712KB

Download
memory/1112-10-0x000000001BD60000-0x000000001BDB0000-memory.dmp

Filesize
320KB

Download
memory/1112-16-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download
memory/4904-0-0x00007FFBAC563000-0x00007FFBAC565000-memory.dmp

Filesize
8KB

Download
memory/4904-2-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download
memory/4904-1-0x00000000008E0000-0x0000000000C04000-memory.dmp

Filesize
3.1MB

Download
memory/4904-8-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads