quasar | 932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-12-2024 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RuntimeBroker.exe
Size

3.1MB
MD5

7ae9e9867e301a3fdd47d217b335d30f
SHA1

d8c62d8d73aeee1cbc714245f7a9a39fcfb80760
SHA256

932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c
SHA512

063648705e1817a1df82c9a595e4bbe8e0b1dbb7e31a6517df59905ebe7f22160f4acb55349d03dfe70744a14fd53c59a4c657c7a96646fcccf1c2214fc803dd
SSDEEP

49152:/vTlL26AaNeWgPhlmVqvMQ7XSKn8GE18hk/gv4oGdQTHHB72eh2NT:/vJL26AaNeWgPhlmVqkQ7XSKn8mA

Score

10^/10

quasar runtimebroker discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

RuntimeBroker

Cmaster-57540.portmap.io:57540:8080

Mutex

7d0b5d0f-c185-4da8-b709-726d2f58400c

Attributes

encryption_key
6275D618DF6119CEEF062AB381785B6186B8C0EB
install_name
RuntimeBroker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
RuntimeBroker
subdirectory
devtun

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 9 IoCs

resource	yara_rule
behavioral1/memory/2372-1-0x0000000000210000-0x0000000000534000-memory.dmp	family_quasar
behavioral1/files/0x0008000000016d36-5.dat	family_quasar
behavioral1/memory/2360-8-0x0000000001050000-0x0000000001374000-memory.dmp	family_quasar
behavioral1/memory/2992-112-0x00000000000C0000-0x00000000003E4000-memory.dmp	family_quasar
behavioral1/memory/2076-123-0x00000000008B0000-0x0000000000BD4000-memory.dmp	family_quasar
behavioral1/memory/1772-134-0x0000000000A30000-0x0000000000D54000-memory.dmp	family_quasar
behavioral1/memory/2412-145-0x0000000001340000-0x0000000001664000-memory.dmp	family_quasar
behavioral1/memory/2404-156-0x0000000000200000-0x0000000000524000-memory.dmp	family_quasar
behavioral1/memory/2868-168-0x00000000008E0000-0x0000000000C04000-memory.dmp	family_quasar

Executes dropped EXE 16 IoCs

pid	Process
2360	RuntimeBroker.exe
1916	RuntimeBroker.exe
1492	RuntimeBroker.exe
2020	RuntimeBroker.exe
836	RuntimeBroker.exe
1520	RuntimeBroker.exe
112	RuntimeBroker.exe
2184	RuntimeBroker.exe
2244	RuntimeBroker.exe
2816	RuntimeBroker.exe
2992	RuntimeBroker.exe
2076	RuntimeBroker.exe
1772	RuntimeBroker.exe
2412	RuntimeBroker.exe
2404	RuntimeBroker.exe
2868	RuntimeBroker.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\devtun\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\devtun\RuntimeBroker.exe	RuntimeBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1664	PING.EXE
2336	PING.EXE
2716	PING.EXE
860	PING.EXE
2540	PING.EXE
2144	PING.EXE
2924	PING.EXE
2960	PING.EXE
1704	PING.EXE
2728	PING.EXE
656	PING.EXE
1720	PING.EXE
1684	PING.EXE
584	PING.EXE
1964	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1964	PING.EXE
2728	PING.EXE
2144	PING.EXE
2336	PING.EXE
656	PING.EXE
860	PING.EXE
1684	PING.EXE
1720	PING.EXE
2540	PING.EXE
2960	PING.EXE
584	PING.EXE
1704	PING.EXE
1664	PING.EXE
2716	PING.EXE
2924	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2504	schtasks.exe
2804	schtasks.exe
344	schtasks.exe
916	schtasks.exe
2664	schtasks.exe
3004	schtasks.exe
2676	schtasks.exe
932	schtasks.exe
2416	schtasks.exe
2604	schtasks.exe
568	schtasks.exe
2764	schtasks.exe
2388	schtasks.exe
1040	schtasks.exe
2516	schtasks.exe
2128	schtasks.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	RuntimeBroker.exe
Token: SeDebugPrivilege	2360	RuntimeBroker.exe
Token: SeDebugPrivilege	1916	RuntimeBroker.exe
Token: SeDebugPrivilege	1492	RuntimeBroker.exe
Token: SeDebugPrivilege	2020	RuntimeBroker.exe
Token: SeDebugPrivilege	836	RuntimeBroker.exe
Token: SeDebugPrivilege	1520	RuntimeBroker.exe
Token: SeDebugPrivilege	112	RuntimeBroker.exe
Token: SeDebugPrivilege	2184	RuntimeBroker.exe
Token: SeDebugPrivilege	2244	RuntimeBroker.exe
Token: SeDebugPrivilege	2816	RuntimeBroker.exe
Token: SeDebugPrivilege	2992	RuntimeBroker.exe
Token: SeDebugPrivilege	2076	RuntimeBroker.exe
Token: SeDebugPrivilege	1772	RuntimeBroker.exe
Token: SeDebugPrivilege	2412	RuntimeBroker.exe
Token: SeDebugPrivilege	2404	RuntimeBroker.exe
Token: SeDebugPrivilege	2868	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2664	2372	RuntimeBroker.exe	30
PID 2372 wrote to memory of 2664	2372	RuntimeBroker.exe	30
PID 2372 wrote to memory of 2664	2372	RuntimeBroker.exe	30
PID 2372 wrote to memory of 2360	2372	RuntimeBroker.exe	32
PID 2372 wrote to memory of 2360	2372	RuntimeBroker.exe	32
PID 2372 wrote to memory of 2360	2372	RuntimeBroker.exe	32
PID 2360 wrote to memory of 2516	2360	RuntimeBroker.exe	33
PID 2360 wrote to memory of 2516	2360	RuntimeBroker.exe	33
PID 2360 wrote to memory of 2516	2360	RuntimeBroker.exe	33
PID 2360 wrote to memory of 2836	2360	RuntimeBroker.exe	35
PID 2360 wrote to memory of 2836	2360	RuntimeBroker.exe	35
PID 2360 wrote to memory of 2836	2360	RuntimeBroker.exe	35
PID 2836 wrote to memory of 2840	2836	cmd.exe	37
PID 2836 wrote to memory of 2840	2836	cmd.exe	37
PID 2836 wrote to memory of 2840	2836	cmd.exe	37
PID 2836 wrote to memory of 2728	2836	cmd.exe	38
PID 2836 wrote to memory of 2728	2836	cmd.exe	38
PID 2836 wrote to memory of 2728	2836	cmd.exe	38
PID 2836 wrote to memory of 1916	2836	cmd.exe	40
PID 2836 wrote to memory of 1916	2836	cmd.exe	40
PID 2836 wrote to memory of 1916	2836	cmd.exe	40
PID 1916 wrote to memory of 2604	1916	RuntimeBroker.exe	41
PID 1916 wrote to memory of 2604	1916	RuntimeBroker.exe	41
PID 1916 wrote to memory of 2604	1916	RuntimeBroker.exe	41
PID 1916 wrote to memory of 2084	1916	RuntimeBroker.exe	43
PID 1916 wrote to memory of 2084	1916	RuntimeBroker.exe	43
PID 1916 wrote to memory of 2084	1916	RuntimeBroker.exe	43
PID 2084 wrote to memory of 620	2084	cmd.exe	45
PID 2084 wrote to memory of 620	2084	cmd.exe	45
PID 2084 wrote to memory of 620	2084	cmd.exe	45
PID 2084 wrote to memory of 1664	2084	cmd.exe	46
PID 2084 wrote to memory of 1664	2084	cmd.exe	46
PID 2084 wrote to memory of 1664	2084	cmd.exe	46
PID 2084 wrote to memory of 1492	2084	cmd.exe	47
PID 2084 wrote to memory of 1492	2084	cmd.exe	47
PID 2084 wrote to memory of 1492	2084	cmd.exe	47
PID 1492 wrote to memory of 2764	1492	RuntimeBroker.exe	48
PID 1492 wrote to memory of 2764	1492	RuntimeBroker.exe	48
PID 1492 wrote to memory of 2764	1492	RuntimeBroker.exe	48
PID 1492 wrote to memory of 2820	1492	RuntimeBroker.exe	50
PID 1492 wrote to memory of 2820	1492	RuntimeBroker.exe	50
PID 1492 wrote to memory of 2820	1492	RuntimeBroker.exe	50
PID 2820 wrote to memory of 1636	2820	cmd.exe	52
PID 2820 wrote to memory of 1636	2820	cmd.exe	52
PID 2820 wrote to memory of 1636	2820	cmd.exe	52
PID 2820 wrote to memory of 656	2820	cmd.exe	53
PID 2820 wrote to memory of 656	2820	cmd.exe	53
PID 2820 wrote to memory of 656	2820	cmd.exe	53
PID 2820 wrote to memory of 2020	2820	cmd.exe	54
PID 2820 wrote to memory of 2020	2820	cmd.exe	54
PID 2820 wrote to memory of 2020	2820	cmd.exe	54
PID 2020 wrote to memory of 3004	2020	RuntimeBroker.exe	55
PID 2020 wrote to memory of 3004	2020	RuntimeBroker.exe	55
PID 2020 wrote to memory of 3004	2020	RuntimeBroker.exe	55
PID 2020 wrote to memory of 2072	2020	RuntimeBroker.exe	57
PID 2020 wrote to memory of 2072	2020	RuntimeBroker.exe	57
PID 2020 wrote to memory of 2072	2020	RuntimeBroker.exe	57
PID 2072 wrote to memory of 1908	2072	cmd.exe	59
PID 2072 wrote to memory of 1908	2072	cmd.exe	59
PID 2072 wrote to memory of 1908	2072	cmd.exe	59
PID 2072 wrote to memory of 1720	2072	cmd.exe	60
PID 2072 wrote to memory of 1720	2072	cmd.exe	60
PID 2072 wrote to memory of 1720	2072	cmd.exe	60
PID 2072 wrote to memory of 836	2072	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
"C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2664
- C:\Windows\system32\devtun\RuntimeBroker.exe
  "C:\Windows\system32\devtun\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2516
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\OWfwih1lZGpN.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2840
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2728
  - - C:\Windows\system32\devtun\RuntimeBroker.exe
      "C:\Windows\system32\devtun\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1916
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2604
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rjgS4HDjonks.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2084
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:620
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1664
      - C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2764
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\8Z3hzBJMSLbO.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1636
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:656
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3004
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hVOmfOOGo7vx.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1908
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1720
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2128
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Le7vC0zzYO4S.bat" "
        11⤵
        
        PID:1052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1232
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2540
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:568
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mJpUTY1OnoKC.bat" "
        13⤵
        
        PID:2348
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2012
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2144
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:112
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2388
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TYDfY4D1oSte.bat" "
        15⤵
        
        PID:2120
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2336
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2676
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\R0mYutXaQLf0.bat" "
        17⤵
        
        PID:1780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2900
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2716
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2504
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\o5jWoHhsGVfz.bat" "
        19⤵
        
        PID:2644
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2608
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2924
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2804
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\U1rDddBwOrj7.bat" "
        21⤵
        
        PID:2832
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1032
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2960
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:344
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kofJU8irBEKh.bat" "
        23⤵
        
        PID:2624
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:408
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:860
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:916
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0kAC0LME5LHS.bat" "
        25⤵
        
        PID:1276
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1212
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1684
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:932
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\A1jtqKyDdI0B.bat" "
        27⤵
        
        PID:1044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2144
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:584
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1040
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EDHfWcmCFb8u.bat" "
        29⤵
        
        PID:1600
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2904
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1964
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2416
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rzDZM7RIoke0.bat" "
        31⤵
        
        PID:3060
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2648
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1704
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0kAC0LME5LHS.bat

Filesize
203B

MD5
9ffda177ec434f874fa11084c3d1bdd7

SHA1
77c340cd234540624cced50b065c20763b9ddb8b

SHA256
9ecf343d8594a40b1da8e64e53a0e0f80f94721e20b5033c50e770af9a0758ed

SHA512
2317e88269a8217f7fad19f470c431f2ee484a8762ad776ecf6f850fc2719cf477d2541ce79a6df78173f7471bc0778a5c1d5e5baf4bfd45c49a6f9f3ed54dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\8Z3hzBJMSLbO.bat

Filesize
203B

MD5
b951cf0066f91024e9b1a641d9515d86

SHA1
564d6103fe7943c2b9de28d76de0d4454b43826c

SHA256
477f7198536be6a282dd199b8de087e6360308cca68a88c9bb531db8fefbfc23

SHA512
fb44b7b411dd49879100d1869f2c113674814f6ac21e374fcd30e157b268bd80bbe522c84ca44f75c0e54d85621b4ac47b8da393efd689bcc9341dd2d8478de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1jtqKyDdI0B.bat

Filesize
203B

MD5
dbfca832ce868ed13c92e5b45b85aa85

SHA1
04be3acc34d5f5879f693b5031a38e82e16f4eb3

SHA256
1181afc8d57db563e0a0bfe702b4c6d791dfbab6d09f87421432bd817505e06d

SHA512
8dd946bf40bff164e0ab2fbe180d37c1f86a5874763ab769ec7649d6d1a9e04d1232b0276ef9dcf5a13d366e1cdd4cc820043901cec774095f2a5d0807d06e43

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDHfWcmCFb8u.bat

Filesize
203B

MD5
4902496b2b1783cc6cda9d3c37ba5e80

SHA1
84757917f7b5510e868bd713c5c6bc56ceeea25b

SHA256
7a97a5aca801fc1aef15e9f8b7b4cda76c9c594791bb1e0f2846d18f1099b3ab

SHA512
9d73e15b5c961b1de18cdb2261e21f40fd43da7a499f446a241749c77f459d6f1892b4269f2d3081a5c3bf6e0b4a494f2b6821ade16f0e294c0de889c5bec584

Download Submit
C:\Users\Admin\AppData\Local\Temp\Le7vC0zzYO4S.bat

Filesize
203B

MD5
d1016ca7665d53a9251e2052fc740c8d

SHA1
debd35507b507e25120c36485f62af5770afc2cc

SHA256
19f643c0cbd458481835acfd69b56ada7356776b00cfbb1bcb5425620f3c3780

SHA512
40bbcf14e229e0422a3574be90dcbc58ceb62a3d8299f0ba98815bb63327e931007d23c8759ff9f60f8fe63b252878b0f10926e787190a87a1e65a651f7074ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\OWfwih1lZGpN.bat

Filesize
203B

MD5
a56e415e3bcc96baff5498d72807c089

SHA1
dccc495f2cbbd4c21ef0c5f0938c26ed41c55778

SHA256
8b0a9d6f773a208b4f794b6da7c04851d5dd3a6cb77eef01cdbbafdc1ec44b34

SHA512
63d5f4a7de5bbe57c1c1e99d536200b98484eeb8bfac451a42a7bc0362d24dbdd2e4914c23587f734d286e55b35c94baf07a48c646c927370069545367199520

Download Submit
C:\Users\Admin\AppData\Local\Temp\R0mYutXaQLf0.bat

Filesize
203B

MD5
58040d388189574ae9abd2294b37896c

SHA1
3a7e08e4f39ba3d0460c790cfd5660ce96d53abf

SHA256
5038f898825b5d04eec7045b1ec9af267bacda911e82f083802590d06b00e914

SHA512
6453f693a287ffb082f1f37b81c18c89b1ee0386ede995db6a96552fd8b0fbefab306f1bfcbd8e5e6e743e63d385ae1bc50ccc8297545c885e2bfce4f20b24a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TYDfY4D1oSte.bat

Filesize
203B

MD5
58d1893d72580d8329f34f743d0bfbc3

SHA1
d781e23c1fab013d8d374908df6318aefa17fb59

SHA256
2e61830cb8e275bb715f3399b871bcb90cffa352721d5b18ac6418886517de33

SHA512
77e1ea6c0455a8cad4806ac3b523f1e76a9a600b1bb4e42c294ea7ebda9effa98dad4aa12934d5f77a0b0c1f2f956ca78fccba31c13a6a705b030867b8a65dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\U1rDddBwOrj7.bat

Filesize
203B

MD5
bfc4825383fbd61b76c8553c83a6a58e

SHA1
865c0eac39a3e6de7ee06da746b20f85a0790dec

SHA256
93d6a1c8a2233457dc24fb6225391ab01a636e2c97a6207553f0aa57a74033f6

SHA512
3f494ee99d5f1984d8c465f9c845635c7e2b7d379497692cec65eb28594c736fabd9b2d2d17eaa82cacd5bd43878dd587b8fb2e51c780eba57231f66357d61b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hVOmfOOGo7vx.bat

Filesize
203B

MD5
5d13dcd1a382d33ae7319ee1343bb02c

SHA1
31b75bde6a89656ea8603a24ddae86ea7c6a6e9e

SHA256
5173d17e6517a5bc75d99eb2638fb1fca3ad77ef856ae1e4c7f7c26b70c40a5d

SHA512
4f9d07f7b109db165bf750a20a3d2ef81d0528152e95c000bc54d3a1ff3d024a9a33a2e1004e72c728827f091f14eaf7106d49f44055565415fdd7ebd5952846

Download Submit
C:\Users\Admin\AppData\Local\Temp\kofJU8irBEKh.bat

Filesize
203B

MD5
dc834a7d78190fc9884600448d13940e

SHA1
2f8ce1cd2bb4df84ed734939a77b6282c1ea8f5d

SHA256
b0dfaed78f099991be8aa2a3494ab07f8ec913a74f2febde062eabd1d3341157

SHA512
de28608acb2a8042da2af0425d396313f7b37c72ba9814bcbefca49269f7e5a22e4655c83246ca2e8dbf90ad2e8f3ff983c0ff5cb6c71f2206bd367bab6eb493

Download Submit
C:\Users\Admin\AppData\Local\Temp\mJpUTY1OnoKC.bat

Filesize
203B

MD5
3b42959335fa7bb8cfd2274515cd51b3

SHA1
01cdeacd4dfb5f574712834851fc89e581cc25d5

SHA256
93d1edf3bdfc49f7ad560317ec343d04ce8a5c8423f9f237278d2ed0aa8ba8db

SHA512
6195aca4eb3e348e76940b605d4e8d2012e45ba232b181332484d9453e36b195208e0eaf5d3123c4cc89d228f365d8e320584b96902b49f920d6de856065fa05

Download Submit
C:\Users\Admin\AppData\Local\Temp\o5jWoHhsGVfz.bat

Filesize
203B

MD5
b3081f9af69f7dacb832e6e54cd22f38

SHA1
22dd482ad08b44c1c6b1c04c7d3397d89c16b92f

SHA256
a123cd5483de701513c65e15ab2239b925304664194311e8711713cf380d15fd

SHA512
31dde00ac1df017201955ec0c8bf3145b3f15cf6f656633b1d243fab48e7ec81f9f77a5a2852c97aa91d2c872f319edaf035e036c17a438fdfdf8fa22a07de84

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjgS4HDjonks.bat

Filesize
203B

MD5
a51868b647cd80b18c9069aa8a70e8de

SHA1
cd922f945a838ee44c6e1b300b5c28e9d43bc3df

SHA256
522c1e3418f5f2e68a7d49d3b0defdcc975c49ff77478bfc289cef2dfc210979

SHA512
ac9670ff7ac5cdc7f23279c622b2af144479e7d73d2aa748a307792e9fb28dcc161955c3de39370d8b5014fd0cf7af52c6266319a590bea2d00f2788036f1c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\rzDZM7RIoke0.bat

Filesize
203B

MD5
1c0e8d9cdcc3efb6d9abcc142f932015

SHA1
e4353aa14e10041085bc331eea63d58ae2b6a42b

SHA256
bdca1782e000f38b47a9389a6dcad79db5b7f219e941d768b5d20578ee0f9183

SHA512
6487628d4f7d6f2f08e2f8c798675acfcdf501d6ec9ab3555241bd6cd9ebeb23faaff0a19abab75cb185583cdb57c067bd2b6aac67b7e32ea57f8f5798cc2f40

Download Submit
C:\Windows\System32\devtun\RuntimeBroker.exe

Filesize
3.1MB

MD5
7ae9e9867e301a3fdd47d217b335d30f

SHA1
d8c62d8d73aeee1cbc714245f7a9a39fcfb80760

SHA256
932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c

SHA512
063648705e1817a1df82c9a595e4bbe8e0b1dbb7e31a6517df59905ebe7f22160f4acb55349d03dfe70744a14fd53c59a4c657c7a96646fcccf1c2214fc803dd

Download Submit
memory/1772-134-0x0000000000A30000-0x0000000000D54000-memory.dmp

Filesize
3.1MB

Download
memory/2076-123-0x00000000008B0000-0x0000000000BD4000-memory.dmp

Filesize
3.1MB

Download
memory/2360-20-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

Filesize
9.9MB

Download
memory/2360-8-0x0000000001050000-0x0000000001374000-memory.dmp

Filesize
3.1MB

Download
memory/2360-9-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

Filesize
9.9MB

Download
memory/2360-10-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

Filesize
9.9MB

Download
memory/2372-0-0x000007FEF5993000-0x000007FEF5994000-memory.dmp

Filesize
4KB

Download
memory/2372-7-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

Filesize
9.9MB

Download
memory/2372-2-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

Filesize
9.9MB

Download
memory/2372-1-0x0000000000210000-0x0000000000534000-memory.dmp

Filesize
3.1MB

Download
memory/2404-156-0x0000000000200000-0x0000000000524000-memory.dmp

Filesize
3.1MB

Download
memory/2412-145-0x0000000001340000-0x0000000001664000-memory.dmp

Filesize
3.1MB

Download
memory/2868-168-0x00000000008E0000-0x0000000000C04000-memory.dmp

Filesize
3.1MB

Download
memory/2992-112-0x00000000000C0000-0x00000000003E4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads