Analysis

max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2024 06:27

Behavioral task: behavioral1
Sample: runtimebroker.exe
Resource: win7-20240903-en
General

Target: runtimebroker.exe
Size: 3.1MB
MD5: a29d070abe87b2be24892421e0c763bb
SHA1: 383104c7c6956a98ae5f63c743250f737700f509
SHA256: 00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636
SHA512: 6d2a161e8193ed3e05443bd76652b958990f01d2cc2452185f58a5bff3031d268e2fe71c009fa4938ac1cbc914ba2163133079f8218f1c67b0758f594a67f969
SSDEEP: 49152:Pvht62XlaSFNWPjljiFa2RoUYIygJCKI/nwoGdYTHHB72eh2NT:PvL62XlaSFNWPjljiFXRoUYIygJCi
Malware Config

Extracted
family: quasar
version: 1.4.1
botnet: Office04
c2: interestingsigma.hopto.org:20
mutex: 11bbf22e-826e-486b-b024-adbd86228a9e
encryption_key: 7A589EDBC6A581E125BF830EF0D05FC74BB75E30
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: ctfmon
subdirectory: SubDir

The subdirectory and install_name values account for the dropped path C:\Users\Admin\AppData\Roaming\SubDir\Client.exe, and startup_key is the name of the scheduled task ("ctfmon") created in the process tree below.
Signatures

Quasar family

Quasar payload (2 IoCs)
yara_rule family_quasar matched on:
- behavioral2/memory/4768-1-0x0000000000590000-0x00000000008B4000-memory.dmp
- behavioral2/files/0x000a000000023b7e-5.dat

Checks computer location settings (2 TTPs, 15 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation (Process: Client.exe; 15 identical entries, one per Client.exe instance)

Executes dropped EXE (15 IoCs)
- Client.exe, PIDs: 336, 780, 644, 1044, 752, 4560, 1396, 3164, 3744, 3392, 4276, 4512, 1860, 2840, 2208

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
- PING.EXE, PIDs: 2576, 3132, 4488, 1464, 1552, 2824, 2008, 2404, 1504, 1572, 1036, 1004, 4620, 3264, 4796

Runs ping.exe (1 TTPs, 15 IoCs)
- PING.EXE, PIDs: 1004, 4620, 3132, 4796, 1552, 1504, 1572, 2824, 1036, 3264, 4488, 2404, 1464, 2576, 2008 (the same 15 processes as above)

Scheduled Task/Job: Scheduled Task (1 TTPs, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- schtasks.exe, PIDs: 2284, 4444, 2308, 1296, 1964, 2936, 3252, 1036, 4400, 4752, 3748, 2628, 2136, 1484, 4448, 4524

Suspicious use of AdjustPrivilegeToken (16 IoCs)
- Token: SeDebugPrivilege, PID 4768 runtimebroker.exe
- Token: SeDebugPrivilege, Client.exe PIDs: 336, 780, 644, 1044, 752, 4560, 1396, 3164, 3744, 3392, 4276, 4512, 1860, 2840, 2208

Suspicious use of FindShellTrayWindow (15 IoCs)
- Client.exe, PIDs: 336, 780, 644, 1044, 752, 4560, 1396, 3164, 3744, 3392, 4276, 4512, 1860, 2840, 2208

Suspicious use of SendNotifyMessage (15 IoCs)
- Client.exe, PIDs: 336, 780, 644, 1044, 752, 4560, 1396, 3164, 3744, 3392, 4276, 4512, 1860, 2840, 2208

Suspicious use of WriteProcessMemory (64 IoCs)
Columns: writer PID -> target PID (writer Process, procid_target). Each entry appears twice in the report; listed once here.
- 4768 -> 2136 (runtimebroker.exe, 82)
- 4768 -> 336 (runtimebroker.exe, 84)
- 336 -> 3748 (Client.exe, 85)
- 336 -> 1216 (Client.exe, 87)
- 1216 -> 4084 (cmd.exe, 89)
- 1216 -> 1036 (cmd.exe, 90)
- 1216 -> 780 (cmd.exe, 96)
- 780 -> 3252 (Client.exe, 97)
- 780 -> 1272 (Client.exe, 99)
- 1272 -> 2876 (cmd.exe, 101)
- 1272 -> 1004 (cmd.exe, 102)
- 1272 -> 644 (cmd.exe, 105)
- 644 -> 2308 (Client.exe, 106)
- 644 -> 2644 (Client.exe, 108)
- 2644 -> 2016 (cmd.exe, 110)
- 2644 -> 1464 (cmd.exe, 111)
- 2644 -> 1044 (cmd.exe, 113)
- 1044 -> 1484 (Client.exe, 114)
- 1044 -> 3892 (Client.exe, 116)
- 3892 -> 4868 (cmd.exe, 118)
- 3892 -> 1552 (cmd.exe, 119)
- 3892 -> 752 (cmd.exe, 121)
- 752 -> 4448 (Client.exe, 122)
- 752 -> 4640 (Client.exe, 124)
- 4640 -> 1300 (cmd.exe, 126)
- 4640 -> 2576 (cmd.exe, 127)
- 4640 -> 4560 (cmd.exe, 128)
- 4560 -> 1296 (Client.exe, 129)
- 4560 -> 1584 (Client.exe, 131)
- 1584 -> 3384 (cmd.exe, 133)
- 1584 -> 4620 (cmd.exe, 134)
- 1584 -> 1396 (cmd.exe, 135)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Format: [depth] image path (PID); cmd: command line; sigs: matched signatures. The same chain repeats 15 times: Client.exe registers the "ctfmon" logon task, then runs a %TEMP% batch that sets the code page, sleeps via ping, and relaunches Client.exe.

[1] C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe (PID 4768)
    cmd: "C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe"
    sigs: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
[2] C:\Windows\SYSTEM32\schtasks.exe (PID 2136)
    cmd: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    sigs: Scheduled Task/Job: Scheduled Task
[2] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 336)
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    sigs: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
[3] C:\Windows\SYSTEM32\schtasks.exe (PID 3748)
    cmd: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    sigs: Scheduled Task/Job: Scheduled Task
[3] C:\Windows\system32\cmd.exe (PID 1216)
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\koRPlbqIzybn.bat" "
    sigs: Suspicious use of WriteProcessMemory
[4] C:\Windows\system32\chcp.com (PID 4084); cmd: chcp 65001
[4] C:\Windows\system32\PING.EXE (PID 1036); cmd: ping -n 10 localhost; sigs: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[4] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 780)
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    sigs: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
[5] C:\Windows\SYSTEM32\schtasks.exe (PID 3252)
    cmd: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    sigs: Scheduled Task/Job: Scheduled Task
[5] C:\Windows\system32\cmd.exe (PID 1272)
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eSG7bMClcsjw.bat" "
    sigs: Suspicious use of WriteProcessMemory
[6] C:\Windows\system32\chcp.com (PID 2876); cmd: chcp 65001
[6] C:\Windows\system32\PING.EXE (PID 1004); cmd: ping -n 10 localhost; sigs: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[6] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 644)
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    sigs: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
[7] C:\Windows\SYSTEM32\schtasks.exe (PID 2308)
    cmd: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    sigs: Scheduled Task/Job: Scheduled Task
[7] C:\Windows\system32\cmd.exe (PID 2644)
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CLRjYO4Atty0.bat" "
    sigs: Suspicious use of WriteProcessMemory
[8] C:\Windows\system32\chcp.com (PID 2016); cmd: chcp 65001
[8] C:\Windows\system32\PING.EXE (PID 1464); cmd: ping -n 10 localhost; sigs: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[8] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1044)
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    sigs: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
[9] C:\Windows\SYSTEM32\schtasks.exe (PID 1484)
    cmd: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    sigs: Scheduled Task/Job: Scheduled Task
[9] C:\Windows\system32\cmd.exe (PID 3892)
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W9DgtkbAix3I.bat" "
    sigs: Suspicious use of WriteProcessMemory
[10] C:\Windows\system32\chcp.com (PID 4868); cmd: chcp 65001
[10] C:\Windows\system32\PING.EXE (PID 1552); cmd: ping -n 10 localhost; sigs: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[10] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 752)
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    sigs: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
[11] C:\Windows\SYSTEM32\schtasks.exe (PID 4448)
    cmd: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    sigs: Scheduled Task/Job: Scheduled Task
[11] C:\Windows\system32\cmd.exe (PID 4640)
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6yFJ8JVtcDVq.bat" "
    sigs: Suspicious use of WriteProcessMemory
[12] C:\Windows\system32\chcp.com (PID 1300); cmd: chcp 65001
[12] C:\Windows\system32\PING.EXE (PID 2576); cmd: ping -n 10 localhost; sigs: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[12] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 4560)
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    sigs: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
[13] C:\Windows\SYSTEM32\schtasks.exe (PID 1296)
    cmd: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    sigs: Scheduled Task/Job: Scheduled Task
[13] C:\Windows\system32\cmd.exe (PID 1584)
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E70BSEhP5IAA.bat" "
    sigs: Suspicious use of WriteProcessMemory
[14] C:\Windows\system32\chcp.com (PID 3384); cmd: chcp 65001
[14] C:\Windows\system32\PING.EXE (PID 4620); cmd: ping -n 10 localhost; sigs: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[14] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1396)
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    sigs: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[15] C:\Windows\SYSTEM32\schtasks.exe (PID 1036)
    cmd: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    sigs: Scheduled Task/Job: Scheduled Task
[15] C:\Windows\system32\cmd.exe (PID 3216)
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sGXqXnmXyhoF.bat" "
[16] C:\Windows\system32\chcp.com (PID 2896); cmd: chcp 65001
[16] C:\Windows\system32\PING.EXE (PID 3132); cmd: ping -n 10 localhost; sigs: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[16] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 3164)
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    sigs: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[17] C:\Windows\SYSTEM32\schtasks.exe (PID 4524)
    cmd: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    sigs: Scheduled Task/Job: Scheduled Task
[17] C:\Windows\system32\cmd.exe (PID 1524)
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kk2llVyDnSGu.bat" "
[18] C:\Windows\system32\chcp.com (PID 1152); cmd: chcp 65001
[18] C:\Windows\system32\PING.EXE (PID 3264); cmd: ping -n 10 localhost; sigs: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[18] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 3744)
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    sigs: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[19] C:\Windows\SYSTEM32\schtasks.exe (PID 1964)
    cmd: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    sigs: Scheduled Task/Job: Scheduled Task
[19] C:\Windows\system32\cmd.exe (PID 4788)
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wmCRfDMzQeuF.bat" "
[20] C:\Windows\system32\chcp.com (PID 2544); cmd: chcp 65001
[20] C:\Windows\system32\PING.EXE (PID 4796); cmd: ping -n 10 localhost; sigs: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[20] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 3392)
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    sigs: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[21] C:\Windows\SYSTEM32\schtasks.exe (PID 4400)
    cmd: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    sigs: Scheduled Task/Job: Scheduled Task
[21] C:\Windows\system32\cmd.exe (PID 1144)
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\O3j87eTQff4F.bat" "
[22] C:\Windows\system32\chcp.com (PID 4592); cmd: chcp 65001
[22] C:\Windows\system32\PING.EXE (PID 4488); cmd: ping -n 10 localhost; sigs: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[22] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 4276)
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    sigs: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[23] C:\Windows\SYSTEM32\schtasks.exe (PID 2936)
    cmd: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    sigs: Scheduled Task/Job: Scheduled Task
[23] C:\Windows\system32\cmd.exe (PID 1412)
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wCsgsOlZP9RB.bat" "
[24] C:\Windows\system32\chcp.com (PID 4564); cmd: chcp 65001
[24] C:\Windows\system32\PING.EXE (PID 2404); cmd: ping -n 10 localhost; sigs: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[24] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 4512)
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    sigs: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[25] C:\Windows\SYSTEM32\schtasks.exe (PID 4752)
    cmd: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    sigs: Scheduled Task/Job: Scheduled Task
[25] C:\Windows\system32\cmd.exe (PID 2196)
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\u3bslgGKTlJa.bat" "
[26] C:\Windows\system32\chcp.com (PID 720); cmd: chcp 65001
[26] C:\Windows\system32\PING.EXE (PID 1504); cmd: ping -n 10 localhost; sigs: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[26] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1860)
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    sigs: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[27] C:\Windows\SYSTEM32\schtasks.exe (PID 2628)
    cmd: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    sigs: Scheduled Task/Job: Scheduled Task
[27] C:\Windows\system32\cmd.exe (PID 3256)
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z30NzlJiTKra.bat" "
[28] C:\Windows\system32\chcp.com (PID 5116); cmd: chcp 65001
[28] C:\Windows\system32\PING.EXE (PID 2824); cmd: ping -n 10 localhost; sigs: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[28] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2840)
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    sigs: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[29] C:\Windows\SYSTEM32\schtasks.exe (PID 2284)
    cmd: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    sigs: Scheduled Task/Job: Scheduled Task
[29] C:\Windows\system32\cmd.exe (PID 2960)
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8q6xPoAoTRg3.bat" "
[30] C:\Windows\system32\chcp.com (PID 3200); cmd: chcp 65001
[30] C:\Windows\system32\PING.EXE (PID 1572); cmd: ping -n 10 localhost; sigs: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
[30] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 2208)
    cmd: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    sigs: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
[31] C:\Windows\SYSTEM32\schtasks.exe (PID 4444)
    cmd: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    sigs: Scheduled Task/Job: Scheduled Task
[31] C:\Windows\system32\cmd.exe (PID 4904)
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1jJh4S4QiXgm.bat" "
[32] C:\Windows\system32\chcp.com (PID 2244); cmd: chcp 65001
[32] C:\Windows\system32\PING.EXE (PID 2008); cmd: ping -n 10 localhost; sigs: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
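The process tree exposes three host-observable behaviours worth turning into detections: an OS binary name (runtimebroker.exe) executing from %TEMP% rather than System32, a logon-triggered scheduled task named after a Windows binary ("ctfmon") with /rl HIGHEST whose action lives under a user-writable AppData path, and the cmd.exe batch that runs chcp 65001, sleeps with ping -n 10 localhost and relaunches Client.exe. The following is an added example, not part of the sandbox report, of detection logic in Python run over constructed process-creation events. PIDs, image paths and command lines in the events are copied from the tree above; the event dict shape, the rule names, the list of Windows binary names and the benign "Backup" control task (PID 5000) are assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation events modelled on the sandbox process tree.
# PIDs, image paths and command lines are copied from the report; the dict
# shape and the benign "Backup" control event (PID 5000) are assumptions.
EVENTS = [
    {"pid": 4768, "ppid": 1, "image": r"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\runtimebroker.exe"'},
    {"pid": 2136, "ppid": 4768, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r'"schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f'},
    {"pid": 336, "ppid": 4768, "image": r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"'},
    {"pid": 1216, "ppid": 336, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\koRPlbqIzybn.bat" "'},
    {"pid": 4084, "ppid": 1216, "image": r"C:\Windows\system32\chcp.com", "cmdline": "chcp 65001"},
    {"pid": 1036, "ppid": 1216, "image": r"C:\Windows\system32\PING.EXE", "cmdline": "ping -n 10 localhost"},
    {"pid": 780, "ppid": 1216, "image": r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"'},
    # Benign control (assumed): an admin-created daily task should not fire.
    {"pid": 5000, "ppid": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe"'},
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Windows binary names malware likes to borrow (runtimebroker.exe and ctfmon.exe
# both appear in this report); an assumed starter list, extend for your estate.
WINDOWS_BINARY_NAMES = {"runtimebroker.exe", "ctfmon.exe", "svchost.exe", "dllhost.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.rsplit("\\", 1)[0].lower()


def schtasks_args(cmdline):
    """Parse schtasks switches: /tn "x" -> {"tn": "x"}, bare /f -> {"f": True}.
    Quoted values keep their inner text; unquoted values run to the next space."""
    args = {}
    for m in re.finditer(r'/(\w+)(?:\s+(?:"([^"]*)"|([^/\s]\S*)))?', cmdline):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        args[m.group(1).lower()] = True if value is None else value
    return args


def detect(events):
    """Return (rule, pid, severity) findings for the three patterns in the report."""
    findings = []
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    for e in events:
        image = e["image"].lower()
        name = basename(image)
        cmd = e["cmdline"].lower()

        # 1. A Windows system binary name running outside System32/SysWOW64.
        if name in WINDOWS_BINARY_NAMES and not dirname(image).startswith(SYSTEM_DIRS):
            findings.append(("masquerading_system_binary", e["pid"], "high"))

        # 2. Logon-triggered task at highest run level whose action lives in a
        #    user-writable directory; a task named after a Windows binary is rated high.
        if name == "schtasks.exe":
            a = schtasks_args(e["cmdline"])
            target = str(a.get("tr", "")).lower()
            if ("create" in a and str(a.get("sc", "")).lower() == "onlogon"
                    and str(a.get("rl", "")).lower() == "highest"
                    and any(d in target for d in USER_WRITABLE)):
                task_name = str(a.get("tn", "")).lower()
                severity = "high" if task_name + ".exe" in WINDOWS_BINARY_NAMES else "medium"
                findings.append(("logon_task_user_writable_target", e["pid"], severity))

        # 3. cmd.exe running a %TEMP% batch whose children are "ping localhost"
        #    (a sleep substitute) and a relaunch of an exe from a user-writable path.
        if name == "cmd.exe" and ".bat" in cmd and "\\temp\\" in cmd:
            kids = children[e["pid"]]
            pinged = any(basename(k["image"]) == "ping.exe" and "localhost" in k["cmdline"].lower()
                         for k in kids)
            relaunched = any(basename(k["image"]).endswith(".exe")
                             and any(d in k["image"].lower() for d in USER_WRITABLE)
                             for k in kids)
            if pinged and relaunched:
                findings.append(("batch_delayed_relaunch", e["pid"], "medium"))
    return findings


if __name__ == "__main__":
    for rule, pid, severity in detect(EVENTS):
        print(f"{severity:6} pid={pid:<5} {rule}")
```

Rule 3 needs parent/child linkage, so it only works on event sources that record the parent PID (Sysmon event 1, Windows 4688 with command-line auditing); on this sample it fires once per .bat, fifteen times in total, while rules 1 and 2 fire on the initial runtimebroker.exe and on every schtasks /create respectively.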
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: 8f0271a63446aef01cf2bfc7b7c7976b
SHA1: b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256: da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512: 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Filesize: 207B
MD5: dd613cadd6040cf9ddd2c6751bbeee44
SHA1: 9fbdaa90f1f2e6b3986951357863e98227fd4fcc
SHA256: 710a7901fc9dd964a8ff8c7d938d9321a3df16fbb226bb3b4060cb8456d53a3d
SHA512: 5f18e392ccfc74d8d4a6934d8cf27ebfb4a2ec16260a65a538081f13fc56044e8deb71b5d41a2d4c497daed38875a2f1fd357cc5ba3c95460b84d68734d16427

Filesize: 207B
MD5: eca03d845294a5a9793282af4b56bd29
SHA1: ece11fb9bbaee62d27b2e731131c199792bc851c
SHA256: 6fafcab908ac64be891c496d1afed28b0dcdd9d1aa370512e2a3b833801f6296
SHA512: bc222a98c71e4b8673c97b007613e002480b8b4873a05fe1608ff401b6f7d7202abe08475e2851b748a14c81e7e9bfb353671a71a15e9edc956c596c4132b3ac

Filesize: 207B
MD5: 184420839645e52709d6cfecf039fce2
SHA1: 04848b37dccffb018feec8d4812455bf5ee5b919
SHA256: 98172ddf7f4dcf5d15fc1aa5d42b6d472d5b2d986a1719ba2ac7bf7e78636744
SHA512: 6d9cd55249c8b5620cca3d49acf0bb9cb19de528752eb627f47b48a115165ddf57ddd8936e9fff76bdda9f9e6db13078c703c7d2b0607dacb7d854892fe77911

Filesize: 207B
MD5: 73e740a9d13344757270577982daf61b
SHA1: 97e8a3604d74e68ff8e2f63b797d9ce67fb90512
SHA256: f0b84b825aaf217a701756b34da7a9b9f4c575725d16eb177bb3a9387073433c
SHA512: de7a2dd5e33c636de74d346ec511d281d8243d3fe998cd595c8275cdc4c732d94ba11c40daa461b3bafc85f40098d639a0de98b5ccaf867334c91adcd44f3cc6

Filesize: 207B
MD5: dcdda56fce520b79ce8d99b4d4a3fb79
SHA1: 50c6bc4df0f33a8e99884b8f7d1cc0f60a016f84
SHA256: 7529d20e29c2cae18e58e7aa00f390937a5b95fc2377aea3e51733f29ad06bec
SHA512: 6b964ea43cf3e235e9f40703f4736fe32044052d99764977ebb3d3f2e177b1a488656a17055ff835f893c33ab3e64e74813921f43247d6c42533d828ac6bf505

Filesize: 207B
MD5: ece5b7217d42fcac0bb37dcce70af819
SHA1: bc63ff7c53c804286e2b42fa6ee39876eb1f614a
SHA256: fa275f4fdd5301df03e3448a448b0b73029a8c725932c5c5360503ffcda10c83
SHA512: 82f46e6decc9e48fe501e99e86e0826fdd2bc02a6a05a19eaefcb7b783ad77a0032f3f66ed97a6ea30d93c48c647637b4490cae80cae93a0996a01fb9830b449

Filesize: 207B
MD5: acb96788a6d75c9a1c233b571ff07b86
SHA1: a0a94dfe78e290655390d6158ade125dcdf8a493
SHA256: c52d6d313c21acbf3b87c4b4566b14c1cfc0eaaf53654bf370c70838d3f20e84
SHA512: 2195da1caad42cd66f72f205a2ae37d41ff08f33101e3f5acdca6844fbae9f354340b00f593a27285b2a1c54d1f46f813977aec2e8a21a435c1ff15783ae7266

Filesize: 207B
MD5: 02ebef2595c6dbd9c15d7ba0d73d1423
SHA1: 7691ad21a68b33a74a5079b283feedf09fbefd73
SHA256: 0be4c1bf7d40b454e1f3a69b1d0b0607f2fd08987b72226612eee355b0d8a84a
SHA512: d7d177109b7bb6d3c2b614368d90fa05a2f375ed2f963719bde055ec5a686ec933f8b3d3e9f596e071d48563d8c2f1b7c02527a72687d1cd2b4bd4678812c00c

Filesize: 207B
MD5: 54da737590feeb304b1954fabce3cf43
SHA1: 3b5f9b79b3a3af1571d045ebb670b036e08d7268
SHA256: 71b7bd1c0623e7d997aff28edd5f3de41f27137f831bca26d0b6159433ae0a43
SHA512: 4c0a1ffb0279f9243ab1b816ecaece7660f1679428a4e8cf6d73ac0ae95af9f382a8337da3c4a27f821d098d35c522d2d26c136ad8cddb2099973f51db9d15b3

Filesize: 207B
MD5: 8929f09479e815b12a12e032e0de5797
SHA1: 799b188a5cfac8acb615e3d9e9d4f93beda3e422
SHA256: 724af45dd8408e7c031933827feab9f5984240d3c36b4918c3c4ec3a387384de
SHA512: e43f4a6d9f225a035d55e7877e0e69c1ec504a2712070c3e3b206af9a7b9b6097251fcf0a572ff2ad9c1ca89888fce6db210c3fded113c5d8b849eb1e5bfff6e

Filesize: 207B
MD5: a290fcf473caa55c219405b39ab84252
SHA1: ff9473f917822e160aa20ad3ecd02065a5c98633
SHA256: 7393b8b3183e709a5fb364d4677aa2e3e6ffaabf986d362efa1b7d25b0492dff
SHA512: 4d6af279a4d671f2e4c40d6b75b7a32229aeb6ab490125cc4aaf7d3dd46e937e84f01758423f0a816d8451bbd3ed3307cc5be6ba55dd8c1095e825311f590ce1

Filesize: 207B
MD5: 618e12d03dd50d7b36f0a513da051b75
SHA1: d618c01e224ce3a6c9197dc7bc8c3785086764b2
SHA256: 16a7adc2113178d5ed8bbf1b25432e9a6fdebe360316f9e7ad33b7d70661fbb7
SHA512: db8b25b79e5fda4b5bb42b89a547fc5617b77919f4fb8a08e78366ae11ab71589a50d3eb8e5730b3005a49ce0acaeeb1b97b8636c8f07f11a8943b7dc4507ba9

Filesize: 207B
MD5: 6ec0dd41011c17085c60ec996e379b3f
SHA1: b3950ffd39c4158b8b066a4616d1b719d72c4227
SHA256: 1aab3b881f7c1f2d503f44bb05ec4a7955fd987d2d7501eaa1e685ec0fd924ad
SHA512: 56b0a399366d7a8302333295da96776bbd33918441f23f8c17995676c96bd752776224c53402a6b5579fa8883969fc2fef22ed9b9565a5a572fcb43a48088c42

Filesize: 207B
MD5: a7c1f599174d3f395fbea964a6d79fb0
SHA1: c71cccf22179a6c199dead10f597b901584ec382
SHA256: abf5328b3b55050bbe087f1a05fc14b4aee043d925350af2c0eda937d8ba06da
SHA512: 6ca9b66a8b0a4562fdc9664568b38c49c7d598f749f53ee1bb4a1e91410d1abe8a8b10bb06c24c8c7eb40543f46173d92d6ad9c08233356407de0f36ca1bed3e

Filesize: 207B
MD5: 83df98a5389ab499d1e43e9d172118b6
SHA1: c037eb6ad4683848632ce2835850ecdf1acb3010
SHA256: 993ae23998047bcd028a5a53455ff884cbf01d643dfe6c95f7a659159478ced0
SHA512: 545b173b3f718dfab14e368f2f083e2228b3994506c2fbe8cf7ae4976a5d546984ddc09372c0a198c7948d83e538ade1adfd54be72557387ce8821ebaad3f722

Filesize: 3.1MB (identical hashes to the submitted runtimebroker.exe)
MD5: a29d070abe87b2be24892421e0c763bb
SHA1: 383104c7c6956a98ae5f63c743250f737700f509
SHA256: 00bdef606eb20070701dfc27ed4578c25f5e3357e969ef25ba07ab251450c636
SHA512: 6d2a161e8193ed3e05443bd76652b958990f01d2cc2452185f58a5bff3031d268e2fe71c009fa4938ac1cbc914ba2163133079f8218f1c67b0758f594a67f969