Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 16-12-2024 06:29
Behavioral task behavioral1
- Sample: RuntimeBroker.exe
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: RuntimeBroker.exe
- Resource: win10v2004-20241007-en
General
- Target: RuntimeBroker.exe
- Size: 3.1MB
- MD5: b77d847b1d41cde07f81168c7addbb10
- SHA1: 2d5c614efdef7ab59fa5fb665d6ed1a79502b97f
- SHA256: 492a651e5ae2020b3b7fd51861adf68402089d050e083c3a9ef1a9866256000c
- SHA512: 6fff7c253c543e370dcb459f0cc66003f57fbc35f40af5744deca97a2c593bf0881f96c845bbc15963e9eb81a652aec78a500ea41f2d1af5fbb5f0ec04c6c9f6
- SSDEEP: 49152:nvelL26AaNeWgPhlmVqvMQ7XSKqaRJ61bR3LoGdEjTHHB72eh2NT:nvOL26AaNeWgPhlmVqkQ7XSKqaRJ6H
Malware Config
Extracted
- Family: quasar
- Version: 1.4.1
- Botnet: RuntimeBroker
- C2: siembonik-44853.portmap.host:44853
- Mutex: df483a08-855b-4bf5-bdcb-174788919889
- encryption_key: A8573AD4438B1D5F6207F7C03CCC7F1E2D4B13DF
- install_name: RuntimeBroker.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: RuntimeBroker
- subdirectory: am1
Signatures

Quasar family

Quasar payload (13 IoCs)
resource / yara_rule:
- behavioral1/memory/2324-1-0x0000000000B50000-0x0000000000E74000-memory.dmp  family_quasar
- behavioral1/files/0x0008000000016276-6.dat  family_quasar
- behavioral1/memory/2396-8-0x0000000000C80000-0x0000000000FA4000-memory.dmp  family_quasar
- behavioral1/memory/596-33-0x0000000000340000-0x0000000000664000-memory.dmp  family_quasar
- behavioral1/memory/2916-44-0x0000000000090000-0x00000000003B4000-memory.dmp  family_quasar
- behavioral1/memory/2516-55-0x0000000000C40000-0x0000000000F64000-memory.dmp  family_quasar
- behavioral1/memory/2024-76-0x00000000012F0000-0x0000000001614000-memory.dmp  family_quasar
- behavioral1/memory/2684-87-0x00000000001C0000-0x00000000004E4000-memory.dmp  family_quasar
- behavioral1/memory/2624-98-0x0000000000BE0000-0x0000000000F04000-memory.dmp  family_quasar
- behavioral1/memory/2148-119-0x0000000000D40000-0x0000000001064000-memory.dmp  family_quasar
- behavioral1/memory/752-141-0x00000000013A0000-0x00000000016C4000-memory.dmp  family_quasar
- behavioral1/memory/2392-152-0x00000000002D0000-0x00000000005F4000-memory.dmp  family_quasar
- behavioral1/memory/2384-163-0x0000000001350000-0x0000000001674000-memory.dmp  family_quasar

Executes dropped EXE (16 IoCs)
pid / Process: all RuntimeBroker.exe, PIDs 2396, 2604, 596, 2916, 2516, 1600, 2024, 2684, 2624, 1652, 2148, 1944, 752, 2392, 2384, 2764

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid / Process: all PING.EXE, PIDs 2904, 3040, 2988, 760, 560, 2968, 3028, 1440, 2400, 776, 2820, 2944, 1252, 2280, 2652

Runs ping.exe (1 TTPs, 15 IoCs)
pid / Process: all PING.EXE, PIDs 2988, 1252, 2652, 760, 560, 3028, 2400, 2904, 2968, 2944, 1440, 776, 3040, 2280, 2820

Scheduled Task/Job: Scheduled Task (1 TTPs, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process: all schtasks.exe, PIDs 2808, 2236, 1300, 2184, 2152, 1420, 2196, 2560, 1852, 2300, 3028, 2140, 1708, 1672, 1664, 1532

Suspicious use of AdjustPrivilegeToken (17 IoCs)
description / pid / Process: Token: SeDebugPrivilege in RuntimeBroker.exe, PIDs 2324, 2396, 2604, 596, 2916, 2516, 1600, 2024, 2684, 2624, 1652, 2148, 1944, 752, 2392, 2384, 2764

Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree depth in brackets; each entry lists image path, PID, command line and the signatures triggered)

[1] C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe (PID 2324)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[2] C:\Windows\system32\schtasks.exe (PID 2184)
    cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[2] C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe (PID 2396)
    cmdline: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[3] C:\Windows\system32\schtasks.exe (PID 2152)
    cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[3] C:\Windows\system32\cmd.exe (PID 2308)
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\x09oQ1bsYDSa.bat" "
    - Suspicious use of WriteProcessMemory
[4] C:\Windows\system32\chcp.com (PID 2584)
    cmdline: chcp 65001
[4] C:\Windows\system32\PING.EXE (PID 2652)
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[4] C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe (PID 2604)
    cmdline: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[5] C:\Windows\system32\schtasks.exe (PID 2560)
    cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[5] C:\Windows\system32\cmd.exe (PID 788)
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\hCQPOEveNsWa.bat" "
    - Suspicious use of WriteProcessMemory
[6] C:\Windows\system32\chcp.com (PID 2860)
    cmdline: chcp 65001
[6] C:\Windows\system32\PING.EXE (PID 2944)
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[6] C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe (PID 596)
    cmdline: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[7] C:\Windows\system32\schtasks.exe (PID 1852)
    cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[7] C:\Windows\system32\cmd.exe (PID 2084)
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\kWTXk2TCKJLZ.bat" "
    - Suspicious use of WriteProcessMemory
[8] C:\Windows\system32\chcp.com (PID 1612)
    cmdline: chcp 65001
[8] C:\Windows\system32\PING.EXE (PID 1440)
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[8] C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe (PID 2916)
    cmdline: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[9] C:\Windows\system32\schtasks.exe (PID 1708)
    cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[9] C:\Windows\system32\cmd.exe (PID 1548)
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\qSmb468Y9hev.bat" "
    - Suspicious use of WriteProcessMemory
[10] C:\Windows\system32\chcp.com (PID 620)
    cmdline: chcp 65001
[10] C:\Windows\system32\PING.EXE (PID 760)
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[10] C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe (PID 2516)
    cmdline: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[11] C:\Windows\system32\schtasks.exe (PID 1672)
    cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[11] C:\Windows\system32\cmd.exe (PID 1660)
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\TMkCd8J4koH5.bat" "
[12] C:\Windows\system32\chcp.com (PID 2984)
    cmdline: chcp 65001
[12] C:\Windows\system32\PING.EXE (PID 2400)
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[12] C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe (PID 1600)
    cmdline: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[13] C:\Windows\system32\schtasks.exe (PID 3028)
    cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[13] C:\Windows\system32\cmd.exe (PID 1896)
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\XORqvzJ3j4Or.bat" "
[14] C:\Windows\system32\chcp.com (PID 1584)
    cmdline: chcp 65001
[14] C:\Windows\system32\PING.EXE (PID 560)
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[14] C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe (PID 2024)
    cmdline: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[15] C:\Windows\system32\schtasks.exe (PID 1420)
    cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[15] C:\Windows\system32\cmd.exe (PID 2284)
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\XjeSwGGZHkIc.bat" "
[16] C:\Windows\system32\chcp.com (PID 2496)
    cmdline: chcp 65001
[16] C:\Windows\system32\PING.EXE (PID 2988)
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[16] C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe (PID 2684)
    cmdline: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[17] C:\Windows\system32\schtasks.exe (PID 1664)
    cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[17] C:\Windows\system32\cmd.exe (PID 1616)
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\IYfZtkrvHum2.bat" "
[18] C:\Windows\system32\chcp.com (PID 2728)
    cmdline: chcp 65001
[18] C:\Windows\system32\PING.EXE (PID 2904)
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[18] C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe (PID 2624)
    cmdline: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[19] C:\Windows\system32\schtasks.exe (PID 2196)
    cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[19] C:\Windows\system32\cmd.exe (PID 2860)
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\a7licpD657na.bat" "
[20] C:\Windows\system32\chcp.com (PID 2512)
    cmdline: chcp 65001
[20] C:\Windows\system32\PING.EXE (PID 776)
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[20] C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe (PID 1652)
    cmdline: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[21] C:\Windows\system32\schtasks.exe (PID 2808)
    cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[21] C:\Windows\system32\cmd.exe (PID 2960)
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\vJCfxtGlXEIu.bat" "
[22] C:\Windows\system32\chcp.com (PID 2940)
    cmdline: chcp 65001
[22] C:\Windows\system32\PING.EXE (PID 2968)
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[22] C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe (PID 2148)
    cmdline: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[23] C:\Windows\system32\schtasks.exe (PID 2236)
    cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[23] C:\Windows\system32\cmd.exe (PID 620)
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\UmSd4ihxtYWD.bat" "
[24] C:\Windows\system32\chcp.com (PID 1224)
    cmdline: chcp 65001
[24] C:\Windows\system32\PING.EXE (PID 1252)
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[24] C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe (PID 1944)
    cmdline: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[25] C:\Windows\system32\schtasks.exe (PID 1300)
    cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[25] C:\Windows\system32\cmd.exe (PID 884)
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\HHHrPpGf7yUL.bat" "
[26] C:\Windows\system32\chcp.com (PID 316)
    cmdline: chcp 65001
[26] C:\Windows\system32\PING.EXE (PID 3028)
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[26] C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe (PID 752)
    cmdline: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[27] C:\Windows\system32\schtasks.exe (PID 2300)
    cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[27] C:\Windows\system32\cmd.exe (PID 804)
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\e0Dsuox97BRc.bat" "
[28] C:\Windows\system32\chcp.com (PID 1740)
    cmdline: chcp 65001
[28] C:\Windows\system32\PING.EXE (PID 3040)
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[28] C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe (PID 2392)
    cmdline: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[29] C:\Windows\system32\schtasks.exe (PID 1532)
    cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[29] C:\Windows\system32\cmd.exe (PID 928)
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\JeUZrqBYKrei.bat" "
[30] C:\Windows\system32\chcp.com (PID 588)
    cmdline: chcp 65001
[30] C:\Windows\system32\PING.EXE (PID 2280)
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[30] C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe (PID 2384)
    cmdline: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[31] C:\Windows\system32\schtasks.exe (PID 2140)
    cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[31] C:\Windows\system32\cmd.exe (PID 1904)
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\IO2GaJf7uVu1.bat" "
[32] C:\Windows\system32\chcp.com (PID 2396)
    cmdline: chcp 65001
[32] C:\Windows\system32\PING.EXE (PID 2820)
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[32] C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe (PID 2764)
    cmdline: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads