quasar | 932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/12/2024, 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe
Size

3.1MB
MD5

7ae9e9867e301a3fdd47d217b335d30f
SHA1

d8c62d8d73aeee1cbc714245f7a9a39fcfb80760
SHA256

932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c
SHA512

063648705e1817a1df82c9a595e4bbe8e0b1dbb7e31a6517df59905ebe7f22160f4acb55349d03dfe70744a14fd53c59a4c657c7a96646fcccf1c2214fc803dd
SSDEEP

49152:/vTlL26AaNeWgPhlmVqvMQ7XSKn8GE18hk/gv4oGdQTHHB72eh2NT:/vJL26AaNeWgPhlmVqkQ7XSKn8mA

Score

10^/10

quasar runtimebroker discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

RuntimeBroker

Cmaster-57540.portmap.io:57540:8080

Mutex

7d0b5d0f-c185-4da8-b709-726d2f58400c

Attributes

encryption_key
6275D618DF6119CEEF062AB381785B6186B8C0EB
install_name
RuntimeBroker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
RuntimeBroker
subdirectory
devtun

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/2420-1-0x00000000007C0000-0x0000000000AE4000-memory.dmp	family_quasar
behavioral2/files/0x000b000000023b78-5.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 15 IoCs

pid	Process
4840	RuntimeBroker.exe
3004	RuntimeBroker.exe
3532	RuntimeBroker.exe
4908	RuntimeBroker.exe
2352	RuntimeBroker.exe
3948	RuntimeBroker.exe
1056	RuntimeBroker.exe
212	RuntimeBroker.exe
2420	RuntimeBroker.exe
3196	RuntimeBroker.exe
4492	RuntimeBroker.exe
2580	RuntimeBroker.exe
1240	RuntimeBroker.exe
2908	RuntimeBroker.exe
4872	RuntimeBroker.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\devtun\RuntimeBroker.exe	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe
File opened for modification	C:\Windows\system32\devtun\RuntimeBroker.exe	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2092	PING.EXE
624	PING.EXE
1144	PING.EXE
3688	PING.EXE
4052	PING.EXE
5008	PING.EXE
2900	PING.EXE
4864	PING.EXE
336	PING.EXE
3928	PING.EXE
1028	PING.EXE
5104	PING.EXE
3952	PING.EXE
908	PING.EXE
3200	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
3928	PING.EXE
1028	PING.EXE
5104	PING.EXE
3952	PING.EXE
908	PING.EXE
3200	PING.EXE
624	PING.EXE
336	PING.EXE
2900	PING.EXE
3688	PING.EXE
4864	PING.EXE
1144	PING.EXE
4052	PING.EXE
2092	PING.EXE
5008	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2108	schtasks.exe
4260	schtasks.exe
3220	schtasks.exe
1596	schtasks.exe
4372	schtasks.exe
2224	schtasks.exe
3752	schtasks.exe
4900	schtasks.exe
2444	schtasks.exe
3336	schtasks.exe
4132	schtasks.exe
5116	schtasks.exe
3632	schtasks.exe
3404	schtasks.exe
1612	schtasks.exe
2576	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2420	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe
Token: SeDebugPrivilege	4840	RuntimeBroker.exe
Token: SeDebugPrivilege	3004	RuntimeBroker.exe
Token: SeDebugPrivilege	3532	RuntimeBroker.exe
Token: SeDebugPrivilege	4908	RuntimeBroker.exe
Token: SeDebugPrivilege	2352	RuntimeBroker.exe
Token: SeDebugPrivilege	3948	RuntimeBroker.exe
Token: SeDebugPrivilege	1056	RuntimeBroker.exe
Token: SeDebugPrivilege	212	RuntimeBroker.exe
Token: SeDebugPrivilege	2420	RuntimeBroker.exe
Token: SeDebugPrivilege	3196	RuntimeBroker.exe
Token: SeDebugPrivilege	4492	RuntimeBroker.exe
Token: SeDebugPrivilege	2580	RuntimeBroker.exe
Token: SeDebugPrivilege	1240	RuntimeBroker.exe
Token: SeDebugPrivilege	2908	RuntimeBroker.exe
Token: SeDebugPrivilege	4872	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 3404	2420	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe	83
PID 2420 wrote to memory of 3404	2420	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe	83
PID 2420 wrote to memory of 4840	2420	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe	85
PID 2420 wrote to memory of 4840	2420	932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe	85
PID 4840 wrote to memory of 2444	4840	RuntimeBroker.exe	86
PID 4840 wrote to memory of 2444	4840	RuntimeBroker.exe	86
PID 4840 wrote to memory of 820	4840	RuntimeBroker.exe	88
PID 4840 wrote to memory of 820	4840	RuntimeBroker.exe	88
PID 820 wrote to memory of 4120	820	cmd.exe	90
PID 820 wrote to memory of 4120	820	cmd.exe	90
PID 820 wrote to memory of 5104	820	cmd.exe	91
PID 820 wrote to memory of 5104	820	cmd.exe	91
PID 820 wrote to memory of 3004	820	cmd.exe	100
PID 820 wrote to memory of 3004	820	cmd.exe	100
PID 3004 wrote to memory of 3336	3004	RuntimeBroker.exe	101
PID 3004 wrote to memory of 3336	3004	RuntimeBroker.exe	101
PID 3004 wrote to memory of 1756	3004	RuntimeBroker.exe	103
PID 3004 wrote to memory of 1756	3004	RuntimeBroker.exe	103
PID 1756 wrote to memory of 4608	1756	cmd.exe	106
PID 1756 wrote to memory of 4608	1756	cmd.exe	106
PID 1756 wrote to memory of 3952	1756	cmd.exe	107
PID 1756 wrote to memory of 3952	1756	cmd.exe	107
PID 1756 wrote to memory of 3532	1756	cmd.exe	113
PID 1756 wrote to memory of 3532	1756	cmd.exe	113
PID 3532 wrote to memory of 4132	3532	RuntimeBroker.exe	114
PID 3532 wrote to memory of 4132	3532	RuntimeBroker.exe	114
PID 3532 wrote to memory of 1688	3532	RuntimeBroker.exe	116
PID 3532 wrote to memory of 1688	3532	RuntimeBroker.exe	116
PID 1688 wrote to memory of 408	1688	cmd.exe	119
PID 1688 wrote to memory of 408	1688	cmd.exe	119
PID 1688 wrote to memory of 908	1688	cmd.exe	120
PID 1688 wrote to memory of 908	1688	cmd.exe	120
PID 1688 wrote to memory of 4908	1688	cmd.exe	124
PID 1688 wrote to memory of 4908	1688	cmd.exe	124
PID 4908 wrote to memory of 4372	4908	RuntimeBroker.exe	125
PID 4908 wrote to memory of 4372	4908	RuntimeBroker.exe	125
PID 4908 wrote to memory of 3344	4908	RuntimeBroker.exe	127
PID 4908 wrote to memory of 3344	4908	RuntimeBroker.exe	127
PID 3344 wrote to memory of 2908	3344	cmd.exe	130
PID 3344 wrote to memory of 2908	3344	cmd.exe	130
PID 3344 wrote to memory of 2092	3344	cmd.exe	131
PID 3344 wrote to memory of 2092	3344	cmd.exe	131
PID 3344 wrote to memory of 2352	3344	cmd.exe	133
PID 3344 wrote to memory of 2352	3344	cmd.exe	133
PID 2352 wrote to memory of 4260	2352	RuntimeBroker.exe	134
PID 2352 wrote to memory of 4260	2352	RuntimeBroker.exe	134
PID 2352 wrote to memory of 752	2352	RuntimeBroker.exe	137
PID 2352 wrote to memory of 752	2352	RuntimeBroker.exe	137
PID 752 wrote to memory of 1736	752	cmd.exe	139
PID 752 wrote to memory of 1736	752	cmd.exe	139
PID 752 wrote to memory of 624	752	cmd.exe	140
PID 752 wrote to memory of 624	752	cmd.exe	140
PID 752 wrote to memory of 3948	752	cmd.exe	142
PID 752 wrote to memory of 3948	752	cmd.exe	142
PID 3948 wrote to memory of 3220	3948	RuntimeBroker.exe	143
PID 3948 wrote to memory of 3220	3948	RuntimeBroker.exe	143
PID 3948 wrote to memory of 1692	3948	RuntimeBroker.exe	146
PID 3948 wrote to memory of 1692	3948	RuntimeBroker.exe	146
PID 1692 wrote to memory of 2316	1692	cmd.exe	148
PID 1692 wrote to memory of 2316	1692	cmd.exe	148
PID 1692 wrote to memory of 5008	1692	cmd.exe	149
PID 1692 wrote to memory of 5008	1692	cmd.exe	149
PID 1692 wrote to memory of 1056	1692	cmd.exe	151
PID 1692 wrote to memory of 1056	1692	cmd.exe	151

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe
"C:\Users\Admin\AppData\Local\Temp\932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3404
- C:\Windows\system32\devtun\RuntimeBroker.exe
  "C:\Windows\system32\devtun\RuntimeBroker.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4840
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t0YcCT45uG7G.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:820
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4120
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5104
  - - C:\Windows\system32\devtun\RuntimeBroker.exe
      "C:\Windows\system32\devtun\RuntimeBroker.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3004
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3336
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xNMtSZaLOxhg.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1756
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4608
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3952
      - C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\V2mUjpSWs1pi.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:408
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:908
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yTfCggp20K7R.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2908
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2092
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4260
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CsRlH4IidRzf.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1736
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:624
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3V06sYO3TJDc.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2316
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5008
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cePR6zrK3d1H.bat" "
        15⤵
        
        PID:2328
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2900
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:212
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wYpDCTcmmv7Y.bat" "
        17⤵
        
        PID:1536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2884
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3688
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Of7YZ9vIWzGe.bat" "
        19⤵
        
        PID:1892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2460
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4864
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3196
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USF6Uy1pjwq9.bat" "
        21⤵
        
        PID:2904
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:716
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:336
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4492
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\i7hZ0R6YoE5r.bat" "
        23⤵
        
        PID:2648
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2000
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1144
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WMACqOSBXHbD.bat" "
        25⤵
        
        PID:2388
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1292
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4052
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xpDpk4VV9oaC.bat" "
        27⤵
        
        PID:4924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3492
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3200
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Juf21MAwoseT.bat" "
        29⤵
        
        PID:4252
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:3656
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3928
        
        C:\Windows\system32\devtun\RuntimeBroker.exe
        
        "C:\Windows\system32\devtun\RuntimeBroker.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4872
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3632
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yVJm90cUrsPB.bat" "
        31⤵
        
        PID:4340
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:3616
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3V06sYO3TJDc.bat

Filesize
203B

MD5
d41a86921a5e2b5269e07f88f5a3810e

SHA1
fdc0faebc2ed784059d5e4cfdf31d1cd8124452a

SHA256
ff392d82d58a9eea62e87fd95972b83887519df15404fd6c89758da517d49a8c

SHA512
1038056e5e893f425c3b49336f18728ffd0dcc680d96e6f5dc3e51b77bcfe31de59e35edd6d8baaa5212e049bc04ac254950b479e9f5be6b0a9b954704084300

Download Submit
C:\Users\Admin\AppData\Local\Temp\CsRlH4IidRzf.bat

Filesize
203B

MD5
2228a44b0b38aeaa62f31c51717d0822

SHA1
83159826f872047edd12eceab347e5f450c26e02

SHA256
d1c75002be77a53f04bbdf05c67ffd4def7ec84da18ce202127d7ff2223a2b02

SHA512
01fa8d88f9af345bda343eab64619576562c0bc17512ebd41ef4d01ba80fa4025673ba21e27d91c3d7c189739ff04870b5c30317f07a7b9c6e8485bd6cec83b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Juf21MAwoseT.bat

Filesize
203B

MD5
d3e00a79588cda0b32ab6b5fcaf7eb3a

SHA1
27463ad1d551c41c60f700426c50cdfdfd4a5481

SHA256
0f5314656cd016df619ce6c4c13a48c286f712e731fb6b51070b19121eb324bf

SHA512
81800330f0006c703f28ac22e99b26576b908c75b30379d8c40671158c0b2992fa43228869fabe837a17383e30947c02d965278b5a3c39cb51471a32a5a4f597

Download Submit
C:\Users\Admin\AppData\Local\Temp\Of7YZ9vIWzGe.bat

Filesize
203B

MD5
81544d5be8e0ed9e0fd3f6f70f28c2db

SHA1
60025a6916d8ecaf57d1671c6be8009f982d399e

SHA256
cf7a80a197b350954ec85486672cbf3b73a130daf26a8bbb69da4219a02788c4

SHA512
5af8a9715c82cd5b1a86782572afc2ddd381ddfdb50a2a997cff90d87533930317cae9d6f6c9719d4b422984a1fe9eca22ae39eaca7b47e9f044ab17ef74bf67

Download Submit
C:\Users\Admin\AppData\Local\Temp\USF6Uy1pjwq9.bat

Filesize
203B

MD5
9b03e5f0ac43801270779d4825cf0e71

SHA1
5a816eab0e4c2156eaa40bc1c5d692db3c275e9a

SHA256
ff0b7cafa8ef9725696774e4fad8b5f01ed372b4c4c8c33b50325e73456fb0c9

SHA512
e41699592c2f1874b6dbb5acb3ceac310afb4178b100293527b516cbb58b0b10ea320304bf8bed6b7a4e3809f1454535b40e8f92d6059df88e985b40aefdb0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\V2mUjpSWs1pi.bat

Filesize
203B

MD5
26dc1859de2153725d67b8b97ce5f762

SHA1
5ec89cd0a9ec16a624a6bb55f25893581efc3ccd

SHA256
a0e8c8fe929ca28510a0dca98d5ea0dee4002253cb384a97419dbf02b8c9269e

SHA512
890d4aa3145b7efec47e155f4c38be729ed48bfebd6b68cb4bd992bda0dfd01a15011a5c300604524e388e721f14143c5a344f0391cf76b354127c533b3ddc9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMACqOSBXHbD.bat

Filesize
203B

MD5
62b834d0424962729d0f17cce9287263

SHA1
b1b1f9275802d62f01a7dadac4ffe3c53efea4b5

SHA256
c7cbf49ec894d3bcaaabcf0601887b96ea1d9603f545718512ec541b57058808

SHA512
9b351de1e1c95bca91d0f78e53992f2df926d6b54f12a6158aba9a7bd36ff2626007a1bea45878e0b7893284b05f1e7d1cf29ca4d65061592c959ff4409d8c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cePR6zrK3d1H.bat

Filesize
203B

MD5
44ac9462fcab6b60e8eb9f8f76a3a1f5

SHA1
ae83ed050b3c9c68304353f0f99f9d8ff7ec3f54

SHA256
d8f141023139921ab44e7f87a38cda82d19ba5440c943c092d23bb538ceaa8c8

SHA512
7c36c4a2329afcd7723c7586446f9759db34328ac0ab9341cf2e75283911a991bf6d767b7480b191a18d51bbc0d57debb16a5cbd462bc190da33f323f8b45905

Download Submit
C:\Users\Admin\AppData\Local\Temp\i7hZ0R6YoE5r.bat

Filesize
203B

MD5
4ecb503c2fc5214d4caf37327733bb99

SHA1
bb6e26497a007e9f36ba9714ef0c9518e14fd00c

SHA256
c56ab25bed821b736958efe53b372b307c1126bd008ceeda9b4d6de734a7290e

SHA512
c40882edb16e81a9772cea85f766f626f1856ff8dd0dbfe04acedb2fd447d4e70a694ad4a836b0b29b95eda15c600b475e484c265a1f2af12582fe6f33b85d07

Download Submit
C:\Users\Admin\AppData\Local\Temp\t0YcCT45uG7G.bat

Filesize
203B

MD5
bc2c04654ddfa4262c4d88db82c133ff

SHA1
0c27e2d84187b9ee3a8f2816aebf85724571592c

SHA256
1edd808074adc408539ecacbe4ab24112eca2977a48b6108560388e74b5588b9

SHA512
7589ddba0a112a1c71c13e907e699eeb6dd0b0cda27030d9cd4a9ccdd58b8ad88ba2cbeee55471b852ba2e9aeb4e111d02ce28270fcbfa88339a1b7596ab2048

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYpDCTcmmv7Y.bat

Filesize
203B

MD5
757e9c59a583c88dff4e123f9b460054

SHA1
ea3abd03e31eb9cc493fe19f9f07e0cf87cd257d

SHA256
98a373965e433248c5355369711d3fbf04a9d3193639e64871cce278b9690d26

SHA512
e87a6bd7fa6327ccc5f7aa2d199367b2879f4bd96bb33b894c94828228fc6fa44efa588b8aee7a19235ae6f4db214a03e596ce8f5374598c995d34f02a07b751

Download Submit
C:\Users\Admin\AppData\Local\Temp\xNMtSZaLOxhg.bat

Filesize
203B

MD5
82149ec453b7470d0629359ac382e09f

SHA1
5d89ed05a297d64d4fc827a5702e9e9ceccf9cae

SHA256
2ee1a9e1b68962fa26f3cedd14b37b657a262437f34a81c78677b0ace072003f

SHA512
bc0a899583ca2392c7cd4b4d0b2016560f37774f34042d41df11fb72cd8b9687641e9862bbe86237518cd8134eafdcfdae6b85769b9f8c5493bdfba723711b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\xpDpk4VV9oaC.bat

Filesize
203B

MD5
bec8b83c8760d74d389d5a4d0e91b015

SHA1
769dc6a175c3cff84638a7a7346ea5b3fb8b4b42

SHA256
e6878e07f8728387e41d27313c9d16a9800ddea224db22bd9ab55e14a2409420

SHA512
7ffa5c417f0b969b8098a623cd4c9312cef9964f74405e26944e49ec14b0251384b5c554b5fbfa1de859a771bc8e182be1c5d50aadbfc9aeed95350b431bdbf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\yTfCggp20K7R.bat

Filesize
203B

MD5
dd9443de4c8f69a3dd139c668f02e3c3

SHA1
786257cb79120c366d5ac9a08757b25291665fe5

SHA256
f3b43f6811fd91e0ef2f42b8dd4b08c9e22ab6e64890ecb10cc07dc3134e4c56

SHA512
4bd5ac58e87de532af61bf83410d3c6993a94b205a830aa49e66bfc1e384cf51530afc71daf67a64d057370ae87eb58a0d8193630906401f7449e38538beb4c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\yVJm90cUrsPB.bat

Filesize
203B

MD5
d47298e48b087790bf00831cb76e35ce

SHA1
f7231b09fdbc98f979f5f77180843a89b698178f

SHA256
84ce7859c73970fe8a7193cfc316061c36b70debb1d9a152f97f978b343c804e

SHA512
cd3419eb0af872afcbba5db7afce594524a5e0399f0a19a4f40708c70bde8a3847f1907eb467b8b33ecdb3ed1a4eceb99ad7de8fdcf579aad81fdd41f7aa9ca0

Download Submit
C:\Windows\System32\devtun\RuntimeBroker.exe

Filesize
3.1MB

MD5
7ae9e9867e301a3fdd47d217b335d30f

SHA1
d8c62d8d73aeee1cbc714245f7a9a39fcfb80760

SHA256
932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c

SHA512
063648705e1817a1df82c9a595e4bbe8e0b1dbb7e31a6517df59905ebe7f22160f4acb55349d03dfe70744a14fd53c59a4c657c7a96646fcccf1c2214fc803dd

Download Submit
memory/2420-8-0x00007FFB476E0000-0x00007FFB481A1000-memory.dmp

Filesize
10.8MB

Download
memory/2420-2-0x00007FFB476E0000-0x00007FFB481A1000-memory.dmp

Filesize
10.8MB

Download
memory/2420-0-0x00007FFB476E3000-0x00007FFB476E5000-memory.dmp

Filesize
8KB

Download
memory/2420-1-0x00000000007C0000-0x0000000000AE4000-memory.dmp

Filesize
3.1MB

Download
memory/4840-11-0x000000001E930000-0x000000001E9E2000-memory.dmp

Filesize
712KB

Download
memory/4840-9-0x00007FFB476E0000-0x00007FFB481A1000-memory.dmp

Filesize
10.8MB

Download
memory/4840-10-0x000000001BF50000-0x000000001BFA0000-memory.dmp

Filesize
320KB

Download
memory/4840-16-0x00007FFB476E0000-0x00007FFB481A1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads