quasar | 932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c

Analysis

max time kernel
145s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-12-2024 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RuntimeBroker.exe
Size

3.1MB
MD5

7ae9e9867e301a3fdd47d217b335d30f
SHA1

d8c62d8d73aeee1cbc714245f7a9a39fcfb80760
SHA256

932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c
SHA512

063648705e1817a1df82c9a595e4bbe8e0b1dbb7e31a6517df59905ebe7f22160f4acb55349d03dfe70744a14fd53c59a4c657c7a96646fcccf1c2214fc803dd
SSDEEP

49152:/vTlL26AaNeWgPhlmVqvMQ7XSKn8GE18hk/gv4oGdQTHHB72eh2NT:/vJL26AaNeWgPhlmVqkQ7XSKn8mA

Score

10^/10

quasar runtimebroker discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

RuntimeBroker

Cmaster-57540.portmap.io:57540:8080

Mutex

7d0b5d0f-c185-4da8-b709-726d2f58400c

Attributes

encryption_key
6275D618DF6119CEEF062AB381785B6186B8C0EB
install_name
RuntimeBroker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
RuntimeBroker
subdirectory
devtun

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/628-1-0x0000000000BB0000-0x0000000000ED4000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023cbd-4.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 15 IoCs

pid	Process
5068	RuntimeBroker.exe
4264	RuntimeBroker.exe
5112	RuntimeBroker.exe
1396	RuntimeBroker.exe
4848	RuntimeBroker.exe
4528	RuntimeBroker.exe
5056	RuntimeBroker.exe
3120	RuntimeBroker.exe
4128	RuntimeBroker.exe
3156	RuntimeBroker.exe
3432	RuntimeBroker.exe
5068	RuntimeBroker.exe
2320	RuntimeBroker.exe
4876	RuntimeBroker.exe
5036	RuntimeBroker.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\devtun\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\devtun\RuntimeBroker.exe	RuntimeBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2580	PING.EXE
4484	PING.EXE
4608	PING.EXE
4168	PING.EXE
4984	PING.EXE
1524	PING.EXE
1716	PING.EXE
4956	PING.EXE
1416	PING.EXE
1328	PING.EXE
3388	PING.EXE
1008	PING.EXE
2120	PING.EXE
752	PING.EXE
3832	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
4956	PING.EXE
2120	PING.EXE
4984	PING.EXE
1524	PING.EXE
3388	PING.EXE
752	PING.EXE
1328	PING.EXE
4484	PING.EXE
2580	PING.EXE
1008	PING.EXE
1416	PING.EXE
4608	PING.EXE
4168	PING.EXE
1716	PING.EXE
3832	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
632	schtasks.exe
1532	schtasks.exe
1980	schtasks.exe
2724	schtasks.exe
4800	schtasks.exe
4680	schtasks.exe
4528	schtasks.exe
4792	schtasks.exe
2256	schtasks.exe
2936	schtasks.exe
2936	schtasks.exe
1112	schtasks.exe
1428	schtasks.exe
4836	schtasks.exe
3284	schtasks.exe
2196	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	628	RuntimeBroker.exe
Token: SeDebugPrivilege	5068	RuntimeBroker.exe
Token: SeDebugPrivilege	4264	RuntimeBroker.exe
Token: SeDebugPrivilege	5112	RuntimeBroker.exe
Token: SeDebugPrivilege	1396	RuntimeBroker.exe
Token: SeDebugPrivilege	4848	RuntimeBroker.exe
Token: SeDebugPrivilege	4528	RuntimeBroker.exe
Token: SeDebugPrivilege	5056	RuntimeBroker.exe
Token: SeDebugPrivilege	3120	RuntimeBroker.exe
Token: SeDebugPrivilege	4128	RuntimeBroker.exe
Token: SeDebugPrivilege	3156	RuntimeBroker.exe
Token: SeDebugPrivilege	3432	RuntimeBroker.exe
Token: SeDebugPrivilege	5068	RuntimeBroker.exe
Token: SeDebugPrivilege	2320	RuntimeBroker.exe
Token: SeDebugPrivilege	4876	RuntimeBroker.exe
Token: SeDebugPrivilege	5036	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 1112	628	RuntimeBroker.exe	84
PID 628 wrote to memory of 1112	628	RuntimeBroker.exe	84
PID 628 wrote to memory of 5068	628	RuntimeBroker.exe	86
PID 628 wrote to memory of 5068	628	RuntimeBroker.exe	86
PID 5068 wrote to memory of 4528	5068	RuntimeBroker.exe	87
PID 5068 wrote to memory of 4528	5068	RuntimeBroker.exe	87
PID 5068 wrote to memory of 4336	5068	RuntimeBroker.exe	89
PID 5068 wrote to memory of 4336	5068	RuntimeBroker.exe	89
PID 4336 wrote to memory of 1060	4336	cmd.exe	91
PID 4336 wrote to memory of 1060	4336	cmd.exe	91
PID 4336 wrote to memory of 2580	4336	cmd.exe	92
PID 4336 wrote to memory of 2580	4336	cmd.exe	92
PID 4336 wrote to memory of 4264	4336	cmd.exe	93
PID 4336 wrote to memory of 4264	4336	cmd.exe	93
PID 4264 wrote to memory of 4792	4264	RuntimeBroker.exe	94
PID 4264 wrote to memory of 4792	4264	RuntimeBroker.exe	94
PID 4264 wrote to memory of 3400	4264	RuntimeBroker.exe	96
PID 4264 wrote to memory of 3400	4264	RuntimeBroker.exe	96
PID 3400 wrote to memory of 3640	3400	cmd.exe	98
PID 3400 wrote to memory of 3640	3400	cmd.exe	98
PID 3400 wrote to memory of 3388	3400	cmd.exe	99
PID 3400 wrote to memory of 3388	3400	cmd.exe	99
PID 3400 wrote to memory of 5112	3400	cmd.exe	107
PID 3400 wrote to memory of 5112	3400	cmd.exe	107
PID 5112 wrote to memory of 2256	5112	RuntimeBroker.exe	108
PID 5112 wrote to memory of 2256	5112	RuntimeBroker.exe	108
PID 5112 wrote to memory of 1188	5112	RuntimeBroker.exe	110
PID 5112 wrote to memory of 1188	5112	RuntimeBroker.exe	110
PID 1188 wrote to memory of 2928	1188	cmd.exe	112
PID 1188 wrote to memory of 2928	1188	cmd.exe	112
PID 1188 wrote to memory of 4956	1188	cmd.exe	113
PID 1188 wrote to memory of 4956	1188	cmd.exe	113
PID 1188 wrote to memory of 1396	1188	cmd.exe	115
PID 1188 wrote to memory of 1396	1188	cmd.exe	115
PID 1396 wrote to memory of 2196	1396	RuntimeBroker.exe	116
PID 1396 wrote to memory of 2196	1396	RuntimeBroker.exe	116
PID 1396 wrote to memory of 4828	1396	RuntimeBroker.exe	118
PID 1396 wrote to memory of 4828	1396	RuntimeBroker.exe	118
PID 4828 wrote to memory of 3016	4828	cmd.exe	120
PID 4828 wrote to memory of 3016	4828	cmd.exe	120
PID 4828 wrote to memory of 1008	4828	cmd.exe	121
PID 4828 wrote to memory of 1008	4828	cmd.exe	121
PID 4828 wrote to memory of 4848	4828	cmd.exe	123
PID 4828 wrote to memory of 4848	4828	cmd.exe	123
PID 4848 wrote to memory of 1428	4848	RuntimeBroker.exe	124
PID 4848 wrote to memory of 1428	4848	RuntimeBroker.exe	124
PID 4848 wrote to memory of 2228	4848	RuntimeBroker.exe	126
PID 4848 wrote to memory of 2228	4848	RuntimeBroker.exe	126
PID 2228 wrote to memory of 4756	2228	cmd.exe	128
PID 2228 wrote to memory of 4756	2228	cmd.exe	128
PID 2228 wrote to memory of 1416	2228	cmd.exe	129
PID 2228 wrote to memory of 1416	2228	cmd.exe	129
PID 2228 wrote to memory of 4528	2228	cmd.exe	130
PID 2228 wrote to memory of 4528	2228	cmd.exe	130
PID 4528 wrote to memory of 2936	4528	RuntimeBroker.exe	131
PID 4528 wrote to memory of 2936	4528	RuntimeBroker.exe	131
PID 4528 wrote to memory of 3516	4528	RuntimeBroker.exe	133
PID 4528 wrote to memory of 3516	4528	RuntimeBroker.exe	133
PID 3516 wrote to memory of 2168	3516	cmd.exe	135
PID 3516 wrote to memory of 2168	3516	cmd.exe	135
PID 3516 wrote to memory of 1328	3516	cmd.exe	136
PID 3516 wrote to memory of 1328	3516	cmd.exe	136
PID 3516 wrote to memory of 5056	3516	cmd.exe	137
PID 3516 wrote to memory of 5056	3516	cmd.exe	137

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
"C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1112
- C:\Windows\system32\devtun\RuntimeBroker.exe
  "C:\Windows\system32\devtun\RuntimeBroker.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5068
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sqwEe5GeU6QG.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4336
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1060
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2580
  - - C:\Windows\system32\devtun\RuntimeBroker.exe
      "C:\Windows\system32\devtun\RuntimeBroker.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4264
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4792
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SzBI0EToumyI.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3400
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3640
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3388
      - C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ABXM6uwjlUVg.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2928
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4956
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0f396sGx2VLO.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3016
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1008
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8qQnd9XAycCI.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4756
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1416
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\03mFlq0UJFkJ.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2168
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1328
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5056
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tYKEujQyUKLB.bat" "
        15⤵
        
        PID:4876
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:5116
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4608
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3120
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:632
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TijeVCCSDGci.bat" "
        17⤵
        
        PID:4680
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4076
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4168
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4128
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MItDfYg1SdMN.bat" "
        19⤵
        
        PID:3868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4964
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4484
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3156
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2724
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gJC4XyLo5brs.bat" "
        21⤵
        
        PID:724
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4672
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2120
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3432
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmOA64QNj1d7.bat" "
        23⤵
        
        PID:3940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4984
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5068
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0dAjPBQLRjki.bat" "
        25⤵
        
        PID:3576
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1652
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:752
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5at3vJ18hReV.bat" "
        27⤵
        
        PID:4948
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2840
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1524
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4876
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WGdqhiqPE2bs.bat" "
        29⤵
        
        PID:4408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:744
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1716
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5036
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c5yrxpHvKNbF.bat" "
        31⤵
        
        PID:1280
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:1776
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Temp\03mFlq0UJFkJ.bat

Filesize
203B

MD5
2760f4f4072e646a2941955d19c36cce

SHA1
eb4f14c598a02ae778a85dfa8d33dbeec6e5c653

SHA256
89076eddc1e5435265dcb9e3e573db2dddaebc97d70bc9954a34e183e86a9965

SHA512
73ab3b9687e00adb0743afbdb57460ff7c902b099bdaa3c6610c119e2fbf9288ad66629728703731a00f0dd38dcd6c615265e13cb34cb4216a6beaba2a7b3411

Download Submit
C:\Users\Admin\AppData\Local\Temp\0dAjPBQLRjki.bat

Filesize
203B

MD5
ba8cad8e9787101b10297af59ae9945d

SHA1
b48569ba76d8f9a4fd0ad9ba7eca18a463e0b492

SHA256
1203eb8879c5eef51a376ace76cac0dd82b7a9c606d337e0cbaa35b8a5c1061b

SHA512
71d0e0b7a5eab158e81042549607d5bbfae470a67a03b76e1629acbb60b6b47579e3428efb49df7df9c9d425152da784cfb98b2c2a9b35ce11cb14eddb098fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f396sGx2VLO.bat

Filesize
203B

MD5
cf82ced1eebce931f7d16341157adbf9

SHA1
48fb8a49cf94af6e3fe7034aaee9d90eed84c91f

SHA256
f6866ca7bd086a078b68feb3ad27e5fec5fdbcfe873cd3983a8a95b86aafb2f0

SHA512
257e6cb945177a59b5a28c2cf0ef1c0e43d26c6876f146d076aa4108b319473a6f7c6678ddbf255b512279d729e17b9533d32866e61ce27325a533024e2d8f63

Download Submit
C:\Users\Admin\AppData\Local\Temp\5at3vJ18hReV.bat

Filesize
203B

MD5
1223bdb2d652ecc897bf5f5d6189ca33

SHA1
bab4c777c66844ea005f5e063c2cd203379d239b

SHA256
7389d43dd00774aa5986954e21dd6bb7933465cbea2457d9f600ddb66fd488f3

SHA512
e1baf188623f32a8aa9f2b3e61dda4036239c456947b2d873d65b8c23e2c379dbbf006c036e375f4602efbe5833ef1ee0895a88095454929223000eefc513e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\8qQnd9XAycCI.bat

Filesize
203B

MD5
0a6bcbaa04d6e641052e7b710eed0cd9

SHA1
d983586ca5d98ca37c5057b03187b684add20313

SHA256
c9a150c56c97a460f564f00ee78c0d06194394dae83f3e82d5975e87244248dc

SHA512
20745b16f74fdc06240e527dabffb7dc411bb343d9d8f5ac63ecc7c8e59a92ebb396df54c1c97c51add57bc604d089320152194c65a548af47d2d1a006723adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ABXM6uwjlUVg.bat

Filesize
203B

MD5
1258566536e3918f7d8c0f4c57e3b338

SHA1
04f2d740928aef0c5b5f961d0cb5218fd011d30e

SHA256
6d3c89999a8b5339cc80beef524527b9780621829a7ce7b4c997cf9fc65d355b

SHA512
91d59923253fdc332eae47ee1f9b5e261c654e825057d9c21ead789edf8498e5ce1fe2791fdc04adc28369b99fc462f97b769feefccd7af11834df3f1dfbe886

Download Submit
C:\Users\Admin\AppData\Local\Temp\MItDfYg1SdMN.bat

Filesize
203B

MD5
983b44defbc92a5dfa4997868a51a641

SHA1
aa81951b64c51938d33a9a9731dde77fa3b62cec

SHA256
60860e5ef7983566dbda94de6837dfb8a519cdb9e8621d5e0af302c95853be5d

SHA512
4b90b126555ac0604567afc6c93496fb001af21162883bbfed78a73b7fbbb7426dfeb327f553f37a4ff80c0391dd39357989021d6f7be683ea2c45aa678b1ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SzBI0EToumyI.bat

Filesize
203B

MD5
eed836e40670e46ea4e788dbf5be020a

SHA1
2a15823480c3d4f6db849214a8934ed5d470393a

SHA256
ce3eba6394fc04da39569b874e81df98c60d2465fcf81729b2af0434452415da

SHA512
744db1e83e87d33ed2b004176a7bc94a68f15b04087c71a52be56b10555f590f878f569a9ea26ac566ff1202d7e66893429085b3c12c208bf3c996d898f813df

Download Submit
C:\Users\Admin\AppData\Local\Temp\TijeVCCSDGci.bat

Filesize
203B

MD5
6744185062a93820763df2f1c5e898c1

SHA1
ac4463687be81de14a7e0051a520c07e98c2b414

SHA256
61f7d0433b4addd3662d8aeee9b971f805656d6179ebdbfddeeb03b95eb27c14

SHA512
675895088d630a2729605a26586ac470806d4f53e0a00e40e0efe037d9dc863057fd93c5287571a8daa024e4a176ba4633471ac9191fbc8ec1d0665b0d90e188

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmOA64QNj1d7.bat

Filesize
203B

MD5
2a472e207765b9a273378c2350f89544

SHA1
01cc1fe92a3ec39265cb3c8a6f6ebae865a6ff8a

SHA256
6e13a6aa3307298c5f47c33c1eeb24130763b0135ecd16d1e283487cd2a70029

SHA512
6586c4acfb247cc46a4a1d450aa8cbfe643ce1b65817479275c9a38c24b05a612c14f2ea974ce1920eb8ee1f445db72242bbc4a0f11d91bd31187021a86deb30

Download Submit
C:\Users\Admin\AppData\Local\Temp\WGdqhiqPE2bs.bat

Filesize
203B

MD5
085cbff33a6d7ce6df7bca265958c993

SHA1
48ddde27555a4d3762fc1426052ec2ef2623ecbe

SHA256
241b8dc7cbfc518f15d80e59f6fe98c3e5d72c7eea69c956fae395b731eef627

SHA512
2b2d7ffd427b0045eedbebc45e706938094fbe5a6fd7f4e9b61efc424cb786c9ac396d1d44bcb5d92f25a72ac463045a52cd644328b53ee5c6510ddd09c6bc4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5yrxpHvKNbF.bat

Filesize
203B

MD5
c07f0a375f70fede2b71bc5910818b13

SHA1
f226f48e625027517c1acfef7b3ebb68b4d66472

SHA256
c7a7928a47451e0f657ab860f74de24dd30e54f893883c76ca7520fd4c3143ba

SHA512
f8aa4f2ecd43f3b8349be7f3eedb0340226fdef44159a940357cc8092584606c4f5a942ce256f8960dfe9a53c364834047fb2bd360a0f17b08110143503cdb9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gJC4XyLo5brs.bat

Filesize
203B

MD5
d66aaf5c66e925b977c736733299a41b

SHA1
28d867cf912fa0bd8c63c04018558e1045feaa70

SHA256
da5c56ddb45b5a327c43e2dbeabd1c6e2d41dc39c1dc8bb83cd2bbac7deced3d

SHA512
096ecf63db7127b1e40b7abd267c3c2bc52a989df01f3e1ba7c6fe848e30a5a473a59b7d00ef86c4290aba2c03cb66749cb32bdce491fd7d844ffd7ab73e6f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqwEe5GeU6QG.bat

Filesize
203B

MD5
c46384939534ab279b5c5b31e9f1a158

SHA1
78fa421cb1c620d8cc8e091bfee75337b7ceb4c7

SHA256
c6b5612ac88444ba308f527b853b66b2a9ee41b601dbbb1571bb9b600b9e1250

SHA512
5320e1c48f919475747017a1c5aa1b5f3c15a62010ab8566a7c57eb138f416b354f7c228baee443991e29243260277aeccf802a8fb5c979d7ade367020df214e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tYKEujQyUKLB.bat

Filesize
203B

MD5
38b687392fed9eef936c61ddc33054f6

SHA1
ec939bd2df9626d2f00ba29c53c5c20dbc63a13b

SHA256
55fe268cda954f0dc9a5f541fe190d9a461969d1ba912db2758824cd0de93dee

SHA512
68192ebfbe9b964d5a78aae713753eb24531ff97c644701518a94d8bf0cf36263b62a8c5b44e21c77835b9618f24e283d51315afefcd88a2f3e9cf728e58d32b

Download Submit
C:\Windows\System32\devtun\RuntimeBroker.exe

Filesize
3.1MB

MD5
7ae9e9867e301a3fdd47d217b335d30f

SHA1
d8c62d8d73aeee1cbc714245f7a9a39fcfb80760

SHA256
932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c

SHA512
063648705e1817a1df82c9a595e4bbe8e0b1dbb7e31a6517df59905ebe7f22160f4acb55349d03dfe70744a14fd53c59a4c657c7a96646fcccf1c2214fc803dd

Download Submit
memory/628-0-0x00007FFBC5133000-0x00007FFBC5135000-memory.dmp

Filesize
8KB

Download
memory/628-1-0x0000000000BB0000-0x0000000000ED4000-memory.dmp

Filesize
3.1MB

Download
memory/5068-9-0x000000001D450000-0x000000001D4A0000-memory.dmp

Filesize
320KB

Download
memory/5068-8-0x00007FFBC5130000-0x00007FFBC5BF1000-memory.dmp

Filesize
10.8MB

Download
memory/5068-15-0x00007FFBC5130000-0x00007FFBC5BF1000-memory.dmp

Filesize
10.8MB

Download
memory/5068-10-0x000000001D560000-0x000000001D612000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads