Analysis
max time kernel: 147s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 16-12-2024 06:27

Behavioral task: behavioral1
Sample: runtimebroker.exe
Resource: win7-20240903-en

General
Target: runtimebroker.exe
Size: 3.1MB
MD5: a29d070abe87b2be24892421e0c763bb
SHA1: 383104c7c6956a98ae5f63c743250f737700f509
SHA256: 00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636
SHA512: 6d2a161e8193ed3e05443bd76652b958990f01d2cc2452185f58a5bff3031d268e2fe71c009fa4938ac1cbc914ba2163133079f8218f1c67b0758f594a67f969
SSDEEP: 49152:Pvht62XlaSFNWPjljiFa2RoUYIygJCKI/nwoGdYTHHB72eh2NT:PvL62XlaSFNWPjljiFXRoUYIygJCi

Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: interestingsigma.hopto.org:20
Mutex: 11bbf22e-826e-486b-b024-adbd86228a9e
Attributes:
  encryption_key: 7A589EDBC6A581E125BF830EF0D05FC74BB75E30
  install_name: Client.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: ctfmon
  subdirectory: SubDir
Signatures

Quasar family

Quasar payload (6 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2160-1-0x0000000000DB0000-0x00000000010D4000-memory.dmp    family_quasar
  behavioral1/files/0x0009000000015d7e-6.dat                                    family_quasar
  behavioral1/memory/2332-9-0x00000000003C0000-0x00000000006E4000-memory.dmp    family_quasar
  behavioral1/memory/2840-33-0x0000000000FA0000-0x00000000012C4000-memory.dmp   family_quasar
  behavioral1/memory/1920-108-0x0000000000350000-0x0000000000674000-memory.dmp  family_quasar
  behavioral1/memory/3024-119-0x0000000001190000-0x00000000014B4000-memory.dmp  family_quasar

Executes dropped EXE (15 IoCs)
  pid   Process
  2332  Client.exe
  1912  Client.exe
  2840  Client.exe
  1776  Client.exe
  2836  Client.exe
  2144  Client.exe
  2608  Client.exe
  2740  Client.exe
  2632  Client.exe
  1920  Client.exe
  3024  Client.exe
  2816  Client.exe
  2568  Client.exe
  1268  Client.exe
  948   Client.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 15 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid   Process
  2800  PING.EXE
  1000  PING.EXE
  2808  PING.EXE
  2684  PING.EXE
  784   PING.EXE
  2600  PING.EXE
  1208  PING.EXE
  1868  PING.EXE
  3012  PING.EXE
  1900  PING.EXE
  2448  PING.EXE
  2976  PING.EXE
  1844  PING.EXE
  2792  PING.EXE
  772   PING.EXE

Runs ping.exe (1 TTPs, 15 IoCs)
  pid   Process
  2800  PING.EXE
  1208  PING.EXE
  772   PING.EXE
  2684  PING.EXE
  2600  PING.EXE
  2976  PING.EXE
  1900  PING.EXE
  2792  PING.EXE
  1000  PING.EXE
  1868  PING.EXE
  1844  PING.EXE
  2448  PING.EXE
  2808  PING.EXE
  784   PING.EXE
  3012  PING.EXE

Scheduled Task/Job: Scheduled Task (1 TTPs, 16 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  1572  schtasks.exe
  2652  schtasks.exe
  2864  schtasks.exe
  1632  schtasks.exe
  2064  schtasks.exe
  2148  schtasks.exe
  3012  schtasks.exe
  1696  schtasks.exe
  1592  schtasks.exe
  1464  schtasks.exe
  2800  schtasks.exe
  2180  schtasks.exe
  1108  schtasks.exe
  2500  schtasks.exe
  2692  schtasks.exe
  1064  schtasks.exe

Suspicious use of AdjustPrivilegeToken (16 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   2160  runtimebroker.exe
  Token: SeDebugPrivilege   2332  Client.exe
  Token: SeDebugPrivilege   1912  Client.exe
  Token: SeDebugPrivilege   2840  Client.exe
  Token: SeDebugPrivilege   1776  Client.exe
  Token: SeDebugPrivilege   2836  Client.exe
  Token: SeDebugPrivilege   2144  Client.exe
  Token: SeDebugPrivilege   2608  Client.exe
  Token: SeDebugPrivilege   2740  Client.exe
  Token: SeDebugPrivilege   2632  Client.exe
  Token: SeDebugPrivilege   1920  Client.exe
  Token: SeDebugPrivilege   3024  Client.exe
  Token: SeDebugPrivilege   2816  Client.exe
  Token: SeDebugPrivilege   2568  Client.exe
  Token: SeDebugPrivilege   1268  Client.exe
  Token: SeDebugPrivilege   948   Client.exe

Suspicious use of FindShellTrayWindow (15 IoCs)
  pid   Process
  2332  Client.exe
  1912  Client.exe
  2840  Client.exe
  1776  Client.exe
  2836  Client.exe
  2144  Client.exe
  2608  Client.exe
  2740  Client.exe
  2632  Client.exe
  1920  Client.exe
  3024  Client.exe
  2816  Client.exe
  2568  Client.exe
  1268  Client.exe
  948   Client.exe

Suspicious use of SendNotifyMessage (15 IoCs)
  pid   Process
  2332  Client.exe
  1912  Client.exe
  2840  Client.exe
  1776  Client.exe
  2836  Client.exe
  2144  Client.exe
  2608  Client.exe
  2740  Client.exe
  2632  Client.exe
  1920  Client.exe
  3024  Client.exe
  2816  Client.exe
  2568  Client.exe
  1268  Client.exe
  948   Client.exe

Suspicious use of SetWindowsHookEx (5 IoCs)
  pid   Process
  2332  Client.exe
  2144  Client.exe
  2608  Client.exe
  2632  Client.exe
  2568  Client.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description                         pid   Process            procid_target
  PID 2160 wrote to memory of 1464    2160  runtimebroker.exe  30
  PID 2160 wrote to memory of 1464    2160  runtimebroker.exe  30
  PID 2160 wrote to memory of 1464    2160  runtimebroker.exe  30
  PID 2160 wrote to memory of 2332    2160  runtimebroker.exe  32
  PID 2160 wrote to memory of 2332    2160  runtimebroker.exe  32
  PID 2160 wrote to memory of 2332    2160  runtimebroker.exe  32
  PID 2332 wrote to memory of 2500    2332  Client.exe         33
  PID 2332 wrote to memory of 2500    2332  Client.exe         33
  PID 2332 wrote to memory of 2500    2332  Client.exe         33
  PID 2332 wrote to memory of 2108    2332  Client.exe         35
  PID 2332 wrote to memory of 2108    2332  Client.exe         35
  PID 2332 wrote to memory of 2108    2332  Client.exe         35
  PID 2108 wrote to memory of 2748    2108  cmd.exe            37
  PID 2108 wrote to memory of 2748    2108  cmd.exe            37
  PID 2108 wrote to memory of 2748    2108  cmd.exe            37
  PID 2108 wrote to memory of 2448    2108  cmd.exe            38
  PID 2108 wrote to memory of 2448    2108  cmd.exe            38
  PID 2108 wrote to memory of 2448    2108  cmd.exe            38
  PID 2108 wrote to memory of 1912    2108  cmd.exe            40
  PID 2108 wrote to memory of 1912    2108  cmd.exe            40
  PID 2108 wrote to memory of 1912    2108  cmd.exe            40
  PID 1912 wrote to memory of 2652    1912  Client.exe         41
  PID 1912 wrote to memory of 2652    1912  Client.exe         41
  PID 1912 wrote to memory of 2652    1912  Client.exe         41
  PID 1912 wrote to memory of 1836    1912  Client.exe         43
  PID 1912 wrote to memory of 1836    1912  Client.exe         43
  PID 1912 wrote to memory of 1836    1912  Client.exe         43
  PID 1836 wrote to memory of 560     1836  cmd.exe            45
  PID 1836 wrote to memory of 560     1836  cmd.exe            45
  PID 1836 wrote to memory of 560     1836  cmd.exe            45
  PID 1836 wrote to memory of 1208    1836  cmd.exe            46
  PID 1836 wrote to memory of 1208    1836  cmd.exe            46
  PID 1836 wrote to memory of 1208    1836  cmd.exe            46
  PID 1836 wrote to memory of 2840    1836  cmd.exe            47
  PID 1836 wrote to memory of 2840    1836  cmd.exe            47
  PID 1836 wrote to memory of 2840    1836  cmd.exe            47
  PID 2840 wrote to memory of 2692    2840  Client.exe         48
  PID 2840 wrote to memory of 2692    2840  Client.exe         48
  PID 2840 wrote to memory of 2692    2840  Client.exe         48
  PID 2840 wrote to memory of 2876    2840  Client.exe         50
  PID 2840 wrote to memory of 2876    2840  Client.exe         50
  PID 2840 wrote to memory of 2876    2840  Client.exe         50
  PID 2876 wrote to memory of 448     2876  cmd.exe            52
  PID 2876 wrote to memory of 448     2876  cmd.exe            52
  PID 2876 wrote to memory of 448     2876  cmd.exe            52
  PID 2876 wrote to memory of 2976    2876  cmd.exe            53
  PID 2876 wrote to memory of 2976    2876  cmd.exe            53
  PID 2876 wrote to memory of 2976    2876  cmd.exe            53
  PID 2876 wrote to memory of 1776    2876  cmd.exe            54
  PID 2876 wrote to memory of 1776    2876  cmd.exe            54
  PID 2876 wrote to memory of 1776    2876  cmd.exe            54
  PID 1776 wrote to memory of 3012    1776  Client.exe         55
  PID 1776 wrote to memory of 3012    1776  Client.exe         55
  PID 1776 wrote to memory of 3012    1776  Client.exe         55
  PID 1776 wrote to memory of 2428    1776  Client.exe         57
  PID 1776 wrote to memory of 2428    1776  Client.exe         57
  PID 1776 wrote to memory of 2428    1776  Client.exe         57
  PID 2428 wrote to memory of 2248    2428  cmd.exe            59
  PID 2428 wrote to memory of 2248    2428  cmd.exe            59
  PID 2428 wrote to memory of 2248    2428  cmd.exe            59
  PID 2428 wrote to memory of 1000    2428  cmd.exe            60
  PID 2428 wrote to memory of 1000    2428  cmd.exe            60
  PID 2428 wrote to memory of 1000    2428  cmd.exe            60
  PID 2428 wrote to memory of 2836    2428  cmd.exe            61

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(The bracketed number is the depth of the process in the process tree; each entry lists the image path, the command line, the PID and the signatures hit by that process.)

[1] C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe"
    PID: 2160
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[2] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 1464
    - Scheduled Task/Job: Scheduled Task

[2] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 2332
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[3] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 2500
    - Scheduled Task/Job: Scheduled Task

[3] C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\vFCmQovl2ruB.bat" "
    PID: 2108
    - Suspicious use of WriteProcessMemory

[4] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 2748

[4] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    PID: 2448
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[4] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 1912
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

[5] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 2652
    - Scheduled Task/Job: Scheduled Task

[5] C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Af7Dvcd2WkPw.bat" "
    PID: 1836
    - Suspicious use of WriteProcessMemory

[6] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 560

[6] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    PID: 1208
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[6] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 2840
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

[7] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 2692
    - Scheduled Task/Job: Scheduled Task

[7] C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ryi1fYmAcQB8.bat" "
    PID: 2876
    - Suspicious use of WriteProcessMemory

[8] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 448

[8] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    PID: 2976
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[8] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 1776
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

[9] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 3012
    - Scheduled Task/Job: Scheduled Task

[9] C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\KoXs7BddeUxp.bat" "
    PID: 2428
    - Suspicious use of WriteProcessMemory

[10] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 2248

[10] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    PID: 1000
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[10] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 2836
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

[11] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 1064
    - Scheduled Task/Job: Scheduled Task

[11] C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\WY4wBvLSSlS2.bat" "
    PID: 1568

[12] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 2128

[12] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    PID: 772
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[12] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 2144
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx

[13] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 1696
    - Scheduled Task/Job: Scheduled Task

[13] C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\JU4brH9X4qhq.bat" "
    PID: 2564

[14] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 1292

[14] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    PID: 2808
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[14] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 2608
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx

[15] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 1592
    - Scheduled Task/Job: Scheduled Task

[15] C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\LWvIl0HO7knB.bat" "
    PID: 2412

[16] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 2812

[16] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    PID: 1868
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[16] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 2740
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

[17] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 2180
    - Scheduled Task/Job: Scheduled Task

[17] C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\6bdsRNBSvalT.bat" "
    PID: 2960

[18] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 2664

[18] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    PID: 2684
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[18] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 2632
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx

[19] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 2800
    - Scheduled Task/Job: Scheduled Task

[19] C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\AJaX5NmQaM7M.bat" "
    PID: 2968

[20] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 852

[20] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    PID: 784
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[20] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 1920
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

[21] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 2864
    - Scheduled Task/Job: Scheduled Task

[21] C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\QBAy75oN2xTF.bat" "
    PID: 2876

[22] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 3004

[22] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    PID: 3012
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[22] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 3024
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

[23] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 1632
    - Scheduled Task/Job: Scheduled Task

[23] C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\pncjyqp5xUNm.bat" "
    PID: 2208

[24] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 1548

[24] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    PID: 1900
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[24] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 2816
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

[25] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 1572
    - Scheduled Task/Job: Scheduled Task

[25] C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\aV2YjnMmQf9G.bat" "
    PID: 2544

[26] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 1564

[26] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    PID: 1844
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[26] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 2568
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx

[27] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 1108
    - Scheduled Task/Job: Scheduled Task

[27] C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\CYKcLA1eOQYN.bat" "
    PID: 1372

[28] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 1624

[28] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    PID: 2600
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[28] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 1268
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

[29] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 2064
    - Scheduled Task/Job: Scheduled Task

[29] C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\MghnKiKTLZD5.bat" "
    PID: 2472

[30] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 2180

[30] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    PID: 2792
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe

[30] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 948
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

[31] C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 2148
    - Scheduled Task/Job: Scheduled Task

[31] C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\bncj6HwxEq45.bat" "
    PID: 2756

[32] C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 2644

[32] C:\Windows\system32\PING.EXE
    Command line: ping -n 10 localhost
    PID: 2800
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
MITRE ATT&CK Enterprise v15
Downloads