Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
13-12-2024 10:05
General
-
Target
RuntimeBroker.exe
-
Size
3.1MB
-
MD5
93b0fa3d2291d7d09ceed2411f99596b
-
SHA1
1551e1ccc18576463e0b8c72aa6df57dd0dc935e
-
SHA256
16898c06cd100b7132bb2cde538cd45ae691cd87045f2ef05727261cb4328730
-
SHA512
c530a129d4684c77bf42c6d1d9dffa428297f9279e273ecb3b358b24b618ca5a64d269225260930c740a37046ccd330e385fbab71f78c364d7ea0641f853722b
-
SSDEEP
49152:6vxI22SsaNYfdPBldt698dBcjHW7HkmztEoGdyNdTHHB72eh2NT:6vi22SsaNYfdPBldt6+dBcjHW7HQi
Malware Config
Extracted
quasar
1.4.1
RuntimeBroker
Cmaster-57540.portmap.io:57540
2b1bd80e-8434-44d0-8591-7df9c98096ff
-
encryption_key
25413ECFFC7EFB26F72ADF36F586C28A365109DC
-
install_name
RuntimeBroker.exe
-
log_directory
Logs
-
reconnect_delay
1500
-
startup_key
RuntimeBroker
-
subdirectory
winrn
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Drops file in System32 directory 5 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\winrn\RuntimeBroker.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\winrn\RuntimeBroker.exe"C:\Windows\system32\winrn\RuntimeBroker.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\winrn\RuntimeBroker.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD593b0fa3d2291d7d09ceed2411f99596b
SHA11551e1ccc18576463e0b8c72aa6df57dd0dc935e
SHA25616898c06cd100b7132bb2cde538cd45ae691cd87045f2ef05727261cb4328730
SHA512c530a129d4684c77bf42c6d1d9dffa428297f9279e273ecb3b358b24b618ca5a64d269225260930c740a37046ccd330e385fbab71f78c364d7ea0641f853722b
-
Filesize
4KB
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB