Analysis

max time kernel: 144s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 16-12-2024 06:36
Behavioral task behavioral1: sample RuntimeBroker.exe, resource win7-20240903-en
Behavioral task behavioral2: sample RuntimeBroker.exe, resource win10v2004-20241007-en
General

Target: RuntimeBroker.exe
Size: 3.1MB
MD5: b77d847b1d41cde07f81168c7addbb10
SHA1: 2d5c614efdef7ab59fa5fb665d6ed1a79502b97f
SHA256: 492a651e5ae2020b3b7fd51861adf68402089d050e083c3a9ef1a9866256000c
SHA512: 6fff7c253c543e370dcb459f0cc66003f57fbc35f40af5744deca97a2c593bf0881f96c845bbc15963e9eb81a652aec78a500ea41f2d1af5fbb5f0ec04c6c9f6
SSDEEP: 49152:nvelL26AaNeWgPhlmVqvMQ7XSKqaRJ61bR3LoGdEjTHHB72eh2NT:nvOL26AaNeWgPhlmVqkQ7XSKqaRJ6H
Malware Config

Extracted: quasar
version: 1.4.1
RuntimeBroker
siembonik-44853.portmap.host:44853
df483a08-855b-4bf5-bdcb-174788919889
encryption_key: A8573AD4438B1D5F6207F7C03CCC7F1E2D4B13DF
install_name: RuntimeBroker.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: RuntimeBroker
subdirectory: am1
Signatures

- Quasar family
- Quasar payload (10 IoCs)
- Executes dropped EXE (15 IoCs)
- Enumerates physical storage devices (1 TTP): attempts to interact with connected storage/optical drive(s).
- System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 15 IoCs): adversaries may check for Internet connectivity on compromised systems.
- Runs ping.exe (1 TTP, 15 IoCs)
- Scheduled Task/Job: Scheduled Task (1 TTP, 16 IoCs): schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of AdjustPrivilegeToken (16 IoCs): every RuntimeBroker.exe instance enables SeDebugPrivilege.
- Suspicious use of WriteProcessMemory (64 IoCs)
- Uses Task Scheduler COM API (1 TTP): the Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Each entry is prefixed with its depth in the process tree (a process at depth N was started by the nearest preceding process at depth N-1). The tree is a self-restart loop: every copy of RuntimeBroker.exe re-registers the ONLOGON scheduled task, then runs a dropped .bat from %TEMP% that executes chcp 65001 and ping -n 10 localhost (commonly used as a delay) before launching the Roaming\am1 copy again; the cycle repeats 15 times within the analysis window.

[1] PID 3068  C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[2] PID 2752  C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[2] PID 2688  C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[3] PID 2736  C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[3] PID 2764  C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ui6Mjisw26sV.bat" "
    - Suspicious use of WriteProcessMemory
[4] PID 2660  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[4] PID 2960  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[4] PID 2044  C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[5] PID 2108  C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[5] PID 2056  C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\oGqLccKdNivc.bat" "
    - Suspicious use of WriteProcessMemory
[6] PID 1992  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[6] PID 1748  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[6] PID 840  C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[7] PID 2040  C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[7] PID 624  C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\gqWeDbsGXelu.bat" "
    - Suspicious use of WriteProcessMemory
[8] PID 984  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[8] PID 2228  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[8] PID 3060  C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[9] PID 2132  C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[9] PID 1820  C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Q4qSNDPZxF9W.bat" "
    - Suspicious use of WriteProcessMemory
[10] PID 596  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[10] PID 444  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[10] PID 692  C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[11] PID 1876  C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[11] PID 268  C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7CGW9pp6EZHK.bat" "
[12] PID 2732  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[12] PID 1804  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[12] PID 2032  C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[13] PID 3004  C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[13] PID 2340  C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\yjGvYMrkSszd.bat" "
[14] PID 3008  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[14] PID 1716  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[14] PID 2068  C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[15] PID 1788  C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[15] PID 1732  C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\rMxMAdctU6sz.bat" "
[16] PID 2796  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[16] PID 2692  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[16] PID 2824  C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[17] PID 2676  C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[17] PID 2704  C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\csaK4CjBsLrN.bat" "
[18] PID 1764  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[18] PID 1332  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[18] PID 2112  C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[19] PID 2180  C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[19] PID 376  C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\qSYCSlYVTfGT.bat" "
[20] PID 2056  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[20] PID 2276  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[20] PID 2980  C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[21] PID 1948  C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[21] PID 1096  C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\yTwR5bSDQ1kW.bat" "
[22] PID 476  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[22] PID 2288  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[22] PID 2088  C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[23] PID 1676  C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[23] PID 948  C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\j0tvwF5v9Ws0.bat" "
[24] PID 1660  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[24] PID 1820  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[24] PID 660  C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[25] PID 1364  C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[25] PID 1780  C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\BRWdAQGptqbj.bat" "
[26] PID 1556  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[26] PID 2832  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[26] PID 1824  C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[27] PID 1932  C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[27] PID 2012  C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\XY56e8AD2kwQ.bat" "
[28] PID 1808  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[28] PID 1708  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[28] PID 2340  C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[29] PID 2328  C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[29] PID 2456  C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\jfL4ycdPL46J.bat" "
[30] PID 308  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[30] PID 2684  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[30] PID 2544  C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[31] PID 2692  C:\Windows\system32\schtasks.exe
    cmdline: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[31] PID 2564  C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\eA8fRTV3saPc.bat" "
[32] PID 2144  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[32] PID 2540  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
TTP mapping: MITRE ATT&CK Enterprise v15
Downloads