quasar | cca1725d99ffece2b6c33414d35f12079a32f6c86feed3c25e73065844f00c9f

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 06:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

dd7a806c734df62ecf4802977fa0b3e9
SHA1

42eae42e0fcfe9d9a54e493a670adde5241377da
SHA256

cca1725d99ffece2b6c33414d35f12079a32f6c86feed3c25e73065844f00c9f
SHA512

0f8e2e565b40baabdde4018db57e06aee8e8dfeb4b1491e8e02e56a20e6b55bc1130ed74a702c35e043d4886af969af5d8ca26f5caeb0e96694982ecfbc80bbf
SSDEEP

49152:yvkt62XlaSFNWPjljiFa2RoUYIO8RJ6IbR3LoGdaTHHB72eh2NT:yv462XlaSFNWPjljiFXRoUYIO8RJ6i

Score

10^/10

quasar aryszx discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Aryszx

Apichat:4782

Mutex

181f4a12-4cad-46a9-9896-1001033c5b69

Attributes

encryption_key
F4F359BEF442D9221F73F7D64267E0E300CC68CE
install_name
Runtime Broker.exe
log_directory
Logs
reconnect_delay
1
startup_key
Runtime Broker

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/3996-1-0x0000000000680000-0x00000000009A4000-memory.dmp	family_quasar
behavioral2/files/0x000c000000023b9d-6.dat	family_quasar

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe

Executes dropped EXE 12 IoCs

pid	Process
4840	Runtime Broker.exe
4124	Runtime Broker.exe
860	Runtime Broker.exe
4892	Runtime Broker.exe
2456	Runtime Broker.exe
2636	Runtime Broker.exe
5028	Runtime Broker.exe
4124	Runtime Broker.exe
3556	Runtime Broker.exe
4368	Runtime Broker.exe
2224	Runtime Broker.exe
3084	Runtime Broker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2924	PING.EXE
1016	PING.EXE
3320	PING.EXE
3708	PING.EXE
4436	PING.EXE
2700	PING.EXE
3728	PING.EXE
2708	PING.EXE
4760	PING.EXE
632	PING.EXE
2472	PING.EXE
4040	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
4760	PING.EXE
3708	PING.EXE
632	PING.EXE
1016	PING.EXE
2472	PING.EXE
4040	PING.EXE
3728	PING.EXE
2924	PING.EXE
2708	PING.EXE
3320	PING.EXE
4436	PING.EXE
2700	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4780	schtasks.exe
1412	schtasks.exe
4000	schtasks.exe
1092	schtasks.exe
968	schtasks.exe
4840	schtasks.exe
4748	schtasks.exe
2128	schtasks.exe
4476	schtasks.exe
5088	schtasks.exe
4476	schtasks.exe
2232	schtasks.exe
2752	schtasks.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	3996	Client-built.exe
Token: SeDebugPrivilege	4840	Runtime Broker.exe
Token: SeDebugPrivilege	4124	Runtime Broker.exe
Token: SeDebugPrivilege	860	Runtime Broker.exe
Token: SeDebugPrivilege	4892	Runtime Broker.exe
Token: SeDebugPrivilege	2456	Runtime Broker.exe
Token: SeDebugPrivilege	2636	Runtime Broker.exe
Token: SeDebugPrivilege	5028	Runtime Broker.exe
Token: SeDebugPrivilege	4124	Runtime Broker.exe
Token: SeDebugPrivilege	3556	Runtime Broker.exe
Token: SeDebugPrivilege	4368	Runtime Broker.exe
Token: SeDebugPrivilege	2224	Runtime Broker.exe
Token: SeDebugPrivilege	3084	Runtime Broker.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4840	Runtime Broker.exe
4124	Runtime Broker.exe
860	Runtime Broker.exe
4892	Runtime Broker.exe
2456	Runtime Broker.exe
2636	Runtime Broker.exe
5028	Runtime Broker.exe
4124	Runtime Broker.exe
3556	Runtime Broker.exe
4368	Runtime Broker.exe
2224	Runtime Broker.exe
3084	Runtime Broker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 4000	3996	Client-built.exe	82
PID 3996 wrote to memory of 4000	3996	Client-built.exe	82
PID 3996 wrote to memory of 4840	3996	Client-built.exe	84
PID 3996 wrote to memory of 4840	3996	Client-built.exe	84
PID 4840 wrote to memory of 4476	4840	Runtime Broker.exe	85
PID 4840 wrote to memory of 4476	4840	Runtime Broker.exe	85
PID 4840 wrote to memory of 4940	4840	Runtime Broker.exe	89
PID 4840 wrote to memory of 4940	4840	Runtime Broker.exe	89
PID 4940 wrote to memory of 4076	4940	cmd.exe	91
PID 4940 wrote to memory of 4076	4940	cmd.exe	91
PID 4940 wrote to memory of 4436	4940	cmd.exe	92
PID 4940 wrote to memory of 4436	4940	cmd.exe	92
PID 4940 wrote to memory of 4124	4940	cmd.exe	98
PID 4940 wrote to memory of 4124	4940	cmd.exe	98
PID 4124 wrote to memory of 1092	4124	Runtime Broker.exe	99
PID 4124 wrote to memory of 1092	4124	Runtime Broker.exe	99
PID 4124 wrote to memory of 4704	4124	Runtime Broker.exe	101
PID 4124 wrote to memory of 4704	4124	Runtime Broker.exe	101
PID 4704 wrote to memory of 2876	4704	cmd.exe	103
PID 4704 wrote to memory of 2876	4704	cmd.exe	103
PID 4704 wrote to memory of 2700	4704	cmd.exe	104
PID 4704 wrote to memory of 2700	4704	cmd.exe	104
PID 4704 wrote to memory of 860	4704	cmd.exe	105
PID 4704 wrote to memory of 860	4704	cmd.exe	105
PID 860 wrote to memory of 968	860	Runtime Broker.exe	106
PID 860 wrote to memory of 968	860	Runtime Broker.exe	106
PID 860 wrote to memory of 1028	860	Runtime Broker.exe	108
PID 860 wrote to memory of 1028	860	Runtime Broker.exe	108
PID 1028 wrote to memory of 5024	1028	cmd.exe	111
PID 1028 wrote to memory of 5024	1028	cmd.exe	111
PID 1028 wrote to memory of 632	1028	cmd.exe	112
PID 1028 wrote to memory of 632	1028	cmd.exe	112
PID 1028 wrote to memory of 4892	1028	cmd.exe	114
PID 1028 wrote to memory of 4892	1028	cmd.exe	114
PID 4892 wrote to memory of 5088	4892	Runtime Broker.exe	115
PID 4892 wrote to memory of 5088	4892	Runtime Broker.exe	115
PID 4892 wrote to memory of 3320	4892	Runtime Broker.exe	117
PID 4892 wrote to memory of 3320	4892	Runtime Broker.exe	117
PID 3320 wrote to memory of 4000	3320	cmd.exe	119
PID 3320 wrote to memory of 4000	3320	cmd.exe	119
PID 3320 wrote to memory of 2472	3320	cmd.exe	120
PID 3320 wrote to memory of 2472	3320	cmd.exe	120
PID 3320 wrote to memory of 2456	3320	cmd.exe	121
PID 3320 wrote to memory of 2456	3320	cmd.exe	121
PID 2456 wrote to memory of 4476	2456	Runtime Broker.exe	122
PID 2456 wrote to memory of 4476	2456	Runtime Broker.exe	122
PID 2456 wrote to memory of 4480	2456	Runtime Broker.exe	124
PID 2456 wrote to memory of 4480	2456	Runtime Broker.exe	124
PID 4480 wrote to memory of 2528	4480	cmd.exe	126
PID 4480 wrote to memory of 2528	4480	cmd.exe	126
PID 4480 wrote to memory of 4040	4480	cmd.exe	127
PID 4480 wrote to memory of 4040	4480	cmd.exe	127
PID 4480 wrote to memory of 2636	4480	cmd.exe	128
PID 4480 wrote to memory of 2636	4480	cmd.exe	128
PID 2636 wrote to memory of 4840	2636	Runtime Broker.exe	129
PID 2636 wrote to memory of 4840	2636	Runtime Broker.exe	129
PID 2636 wrote to memory of 4352	2636	Runtime Broker.exe	131
PID 2636 wrote to memory of 4352	2636	Runtime Broker.exe	131
PID 4352 wrote to memory of 1668	4352	cmd.exe	133
PID 4352 wrote to memory of 1668	4352	cmd.exe	133
PID 4352 wrote to memory of 3728	4352	cmd.exe	134
PID 4352 wrote to memory of 3728	4352	cmd.exe	134
PID 4352 wrote to memory of 5028	4352	cmd.exe	135
PID 4352 wrote to memory of 5028	4352	cmd.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4000
- C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
  "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4840
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BeRI3HqPjtor.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4076
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4436
  - - C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
      "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4124
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1092
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hkRRnWK9d5I6.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4704
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2876
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2700
      - C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E0FVzTDwIpHX.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:5024
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:632
        
        C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKd853EpYzt0.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4000
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2472
        
        C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7HMI7hsYOGHh.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2528
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4040
        
        C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vehmyEXHwZxD.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1668
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3728
        
        C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5028
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LkGLB9Z0RvKc.bat" "
        15⤵
        
        PID:316
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4732
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2924
        
        C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4124
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B5Brsh0Te6V3.bat" "
        17⤵
        
        PID:1212
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3560
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1016
        
        C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3556
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tD89ZlvnY3jn.bat" "
        19⤵
        
        PID:2568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1028
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2708
        
        C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4368
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2128
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mKIB0vAEKWX6.bat" "
        21⤵
        
        PID:3256
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1756
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3320
        
        C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2224
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WiUDhhO30EbP.bat" "
        23⤵
        
        PID:5100
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3452
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4760
        
        C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3084
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1412
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\spGxrDbehSQJ.bat" "
        25⤵
        
        PID:2416
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4004
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Runtime Broker.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7HMI7hsYOGHh.bat

Filesize
208B

MD5
543a0d18b3a334338e6353ff3214ab2c

SHA1
fda765d07a3d318e71eed82c66f12e22cda19d53

SHA256
de0a717c2829f6cbcab31ef85dfc7d629c61821d1333ba0eacaaff3457ceabce

SHA512
23026b49bab3a72aa2c9120c9b353cff45c9401347d8edbe7c32a20a9479d9ada879008f0d07959b01a0399418de8cd43b323dd13adc49ad42ab7fe90647a727

Download Submit
C:\Users\Admin\AppData\Local\Temp\B5Brsh0Te6V3.bat

Filesize
208B

MD5
ceeed09cac20d0d93be211c911d32d90

SHA1
537581bd881787611f30ba17862789c1bfc8c10c

SHA256
66d616f960c62c304f50fa292d7bc706309eca951ba08861ce24b7181e4d4d71

SHA512
7826b3154cc1c2b24558ab83f31e4d00e3eba1b3bfc07baf75080d7088bec599fb816e697f020bbfedd423617cf0ff4e961fedffcdb195c00f83e45ada01e099

Download Submit
C:\Users\Admin\AppData\Local\Temp\BeRI3HqPjtor.bat

Filesize
208B

MD5
a9b32f1f587457b6f7cdfe08143e1472

SHA1
4eec4bdcd285720394979d1ffc77c2e873395837

SHA256
110b0c3b5e6c3a7ff468afea6231d8ced32df2e5485080c10b3d81f49697d910

SHA512
e570c5e95b65ca066fc914ead8a19736bf6cd5c06af011f7d1a49ca312e2bd1ad3f0c8a5fe3eff3f326d4b118f6499435e8f26f508f65770d3bc2f8f2612d799

Download Submit
C:\Users\Admin\AppData\Local\Temp\E0FVzTDwIpHX.bat

Filesize
208B

MD5
28063e67a6641e5c9572925ab6e766f9

SHA1
675c9cc4f4b7c21def1cc4d73b5cca987199c15c

SHA256
02135e9b144fc0641b640116b1296c49841d00d944bdb8738285c460aa8830a2

SHA512
3111180d65360bf921c926c486f7b21c8fa64713e2072a230ba1bdb33c87f6f2d5b4c510a5d0e6add657d00f9912f3c87c969d1e74de5ac6eb2e272f5f27da2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LkGLB9Z0RvKc.bat

Filesize
208B

MD5
138e4482454e6c9ddb7f668295140ca3

SHA1
0c29722c0d1ba757b157ccfb58312f9324e78804

SHA256
788d5ec3d9f24709b739d16b685c35912e2eaea94e11259af92003c2f2934ae5

SHA512
1b7635892d4e8a712638273b090e54e30107cf7cbab17de6c7da41cc2c6af39b866caa1435a74f9e7b4fdaa9340041484250227f43f95b47354db7dadfc47b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\WiUDhhO30EbP.bat

Filesize
208B

MD5
21cd2d555f2f002ee85dea5b2a49ca4c

SHA1
1ebeb6ba61944e6c9555935e51b3e6ff9399c865

SHA256
d29bcc13331ff1858843e6e8c450ea406ad7d48d83e60c7d4cff019a6cfe6850

SHA512
c10ced6bdf144b1cd86302662d312cea9404c8edaea33a6c8c2277fd248941c5b5f6376d9699af1c00ec1be7c4200bb3374b70ac6b1e914ed7abdc5792ba5d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkRRnWK9d5I6.bat

Filesize
208B

MD5
05dd64f785a4c8a97af412c07b3dd962

SHA1
b904b45c54a359f0d81b74ace0b7dfaf15c7025d

SHA256
564fb9dc824acfd5253ce90bfe007b3e287d166dadf1f04b45a4c16e529325f1

SHA512
ae4c75f9fd74c10712f7d15e586c2958910ff5643218c1f7f52459c6898aadba5f287426c0b56afe157c0717dab3cae90665e2df7ec3ddea7a081ef8523db81a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mKIB0vAEKWX6.bat

Filesize
208B

MD5
ecb9ed2fcc19e7532213b3948e3a1454

SHA1
d2a6bbed51e636cc85ebd1f977acd7f510444985

SHA256
02787df28490be81ad21b546b6620cfbc227d038852a62ed45c3f3fd768f9dcd

SHA512
48621c49b28307959cac6c66aced8c889cc75f6880c983dcf62ee0f8259ab7d536f231516de242d0b25bc782e8db8df1186f829a8ee0fe2d594eff79033613a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\spGxrDbehSQJ.bat

Filesize
208B

MD5
53e6e58e5e6229ae4b523cc6f29357d0

SHA1
ccdff8926281187aad63ff5d6e948f781e13a102

SHA256
8c892700c174391bd98b0cee7e12fdc759aacd24cf35547a2004987fa87d88b1

SHA512
ec484d8d12ec054ff3f22ebe1ccde6785d2385a7564981a714a2765b0a94d10e75462480167487da17c6eea130774e9e681941e7dde22e247c3278ebd31813aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tD89ZlvnY3jn.bat

Filesize
208B

MD5
92b8d0c4e1624cd16683c2b8a0e9c4d8

SHA1
6a5ad8ad58cfaeedc1845d1f1fb9bec1eb3fc136

SHA256
03b810b52953a95e42ffe3fac7f35b578668dcb4905fa15bd9d67f464c3d8b39

SHA512
fcc5a93c8d6c52648fd7e3b8676155b462f73d20f5fb10122aaa06967b64ee3becbd5e7b0d7fdd1a96725e548b2ddd6ab04803e6c1295a3eab9cd03d56c96d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\vehmyEXHwZxD.bat

Filesize
208B

MD5
dc7da73d01e0897fffebf9336ada37bb

SHA1
a27f90cbec1b8038c9b0e63b4c594fb3a393010b

SHA256
e4b97744f45c868b15162b4faf81d4d1d80dce9b84d874bdb96daf847a5a85fc

SHA512
cc8ee83d995712f21d769f13e53b3acecf42485c8c209ec07fe9a3d20b54248b6bd95d2ebb3edcaeb9041ed17cd80ba2f7f02c00c21b175bf2af2f26aaf15f7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xKd853EpYzt0.bat

Filesize
208B

MD5
a2ab530e71a7aa26aa817abc1fe27654

SHA1
1ea34048a3664c3e5219417c93897566e576226a

SHA256
5ac6f465eb336b31818931c56974c718fb0b05bfdc95d40fe220469955131c3a

SHA512
02c00de78ada4d860b7029a538aca0c849506fee559efe020de5c77aaed8b1512f40b70c5c728db10e99c2afeadc03b17a0d1e0cf8117a3becb6ff96dc32a8a4

Download Submit
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe

Filesize
3.1MB

MD5
dd7a806c734df62ecf4802977fa0b3e9

SHA1
42eae42e0fcfe9d9a54e493a670adde5241377da

SHA256
cca1725d99ffece2b6c33414d35f12079a32f6c86feed3c25e73065844f00c9f

SHA512
0f8e2e565b40baabdde4018db57e06aee8e8dfeb4b1491e8e02e56a20e6b55bc1130ed74a702c35e043d4886af969af5d8ca26f5caeb0e96694982ecfbc80bbf

Download Submit
memory/3996-0-0x00007FFCED2A3000-0x00007FFCED2A5000-memory.dmp

Filesize
8KB

Download
memory/3996-2-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

Filesize
10.8MB

Download
memory/3996-1-0x0000000000680000-0x00000000009A4000-memory.dmp

Filesize
3.1MB

Download
memory/3996-9-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

Filesize
10.8MB

Download
memory/4840-10-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

Filesize
10.8MB

Download
memory/4840-18-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

Filesize
10.8MB

Download
memory/4840-13-0x000000001DE50000-0x000000001DF02000-memory.dmp

Filesize
712KB

Download
memory/4840-12-0x000000001DD40000-0x000000001DD90000-memory.dmp

Filesize
320KB

Download
memory/4840-11-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads