quasar | 492a651e5ae2020b3b7fd51861adf68402089d050e083c3a9ef1a9866256000c

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

492a651e5ae2020b3b7fd51861adf68402089d050e083c3a9ef1a9866256000c.exe
Size

3.1MB
MD5

b77d847b1d41cde07f81168c7addbb10
SHA1

2d5c614efdef7ab59fa5fb665d6ed1a79502b97f
SHA256

492a651e5ae2020b3b7fd51861adf68402089d050e083c3a9ef1a9866256000c
SHA512

6fff7c253c543e370dcb459f0cc66003f57fbc35f40af5744deca97a2c593bf0881f96c845bbc15963e9eb81a652aec78a500ea41f2d1af5fbb5f0ec04c6c9f6
SSDEEP

49152:nvelL26AaNeWgPhlmVqvMQ7XSKqaRJ61bR3LoGdEjTHHB72eh2NT:nvOL26AaNeWgPhlmVqkQ7XSKqaRJ6H

Score

10^/10

quasar runtimebroker discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

RuntimeBroker

siembonik-44853.portmap.host:44853

Mutex

df483a08-855b-4bf5-bdcb-174788919889

Attributes

encryption_key
A8573AD4438B1D5F6207F7C03CCC7F1E2D4B13DF
install_name
RuntimeBroker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
RuntimeBroker
subdirectory
am1

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/4592-1-0x0000000000410000-0x0000000000734000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023cb6-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 15 IoCs

pid	Process
1372	RuntimeBroker.exe
2068	RuntimeBroker.exe
1104	RuntimeBroker.exe
1720	RuntimeBroker.exe
2848	RuntimeBroker.exe
100	RuntimeBroker.exe
4660	RuntimeBroker.exe
4808	RuntimeBroker.exe
3316	RuntimeBroker.exe
3624	RuntimeBroker.exe
4984	RuntimeBroker.exe
3992	RuntimeBroker.exe
3632	RuntimeBroker.exe
2576	RuntimeBroker.exe
1480	RuntimeBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2988	PING.EXE
1992	PING.EXE
4104	PING.EXE
3664	PING.EXE
1932	PING.EXE
4196	PING.EXE
1880	PING.EXE
1852	PING.EXE
1968	PING.EXE
2516	PING.EXE
968	PING.EXE
2256	PING.EXE
3492	PING.EXE
1908	PING.EXE
2848	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1852	PING.EXE
1968	PING.EXE
2516	PING.EXE
968	PING.EXE
2848	PING.EXE
1992	PING.EXE
4196	PING.EXE
1880	PING.EXE
3664	PING.EXE
2988	PING.EXE
4104	PING.EXE
2256	PING.EXE
3492	PING.EXE
1908	PING.EXE
1932	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3016	schtasks.exe
2376	schtasks.exe
2216	schtasks.exe
3688	schtasks.exe
3448	schtasks.exe
3344	schtasks.exe
1780	schtasks.exe
3432	schtasks.exe
5064	schtasks.exe
1968	schtasks.exe
1200	schtasks.exe
4580	schtasks.exe
2676	schtasks.exe
4868	schtasks.exe
3468	schtasks.exe
4580	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	4592	492a651e5ae2020b3b7fd51861adf68402089d050e083c3a9ef1a9866256000c.exe
Token: SeDebugPrivilege	1372	RuntimeBroker.exe
Token: SeDebugPrivilege	2068	RuntimeBroker.exe
Token: SeDebugPrivilege	1104	RuntimeBroker.exe
Token: SeDebugPrivilege	1720	RuntimeBroker.exe
Token: SeDebugPrivilege	2848	RuntimeBroker.exe
Token: SeDebugPrivilege	100	RuntimeBroker.exe
Token: SeDebugPrivilege	4660	RuntimeBroker.exe
Token: SeDebugPrivilege	4808	RuntimeBroker.exe
Token: SeDebugPrivilege	3316	RuntimeBroker.exe
Token: SeDebugPrivilege	3624	RuntimeBroker.exe
Token: SeDebugPrivilege	4984	RuntimeBroker.exe
Token: SeDebugPrivilege	3992	RuntimeBroker.exe
Token: SeDebugPrivilege	3632	RuntimeBroker.exe
Token: SeDebugPrivilege	2576	RuntimeBroker.exe
Token: SeDebugPrivilege	1480	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 3344	4592	492a651e5ae2020b3b7fd51861adf68402089d050e083c3a9ef1a9866256000c.exe	82
PID 4592 wrote to memory of 3344	4592	492a651e5ae2020b3b7fd51861adf68402089d050e083c3a9ef1a9866256000c.exe	82
PID 4592 wrote to memory of 1372	4592	492a651e5ae2020b3b7fd51861adf68402089d050e083c3a9ef1a9866256000c.exe	84
PID 4592 wrote to memory of 1372	4592	492a651e5ae2020b3b7fd51861adf68402089d050e083c3a9ef1a9866256000c.exe	84
PID 1372 wrote to memory of 4580	1372	RuntimeBroker.exe	85
PID 1372 wrote to memory of 4580	1372	RuntimeBroker.exe	85
PID 1372 wrote to memory of 3024	1372	RuntimeBroker.exe	87
PID 1372 wrote to memory of 3024	1372	RuntimeBroker.exe	87
PID 3024 wrote to memory of 4660	3024	cmd.exe	89
PID 3024 wrote to memory of 4660	3024	cmd.exe	89
PID 3024 wrote to memory of 2988	3024	cmd.exe	90
PID 3024 wrote to memory of 2988	3024	cmd.exe	90
PID 3024 wrote to memory of 2068	3024	cmd.exe	95
PID 3024 wrote to memory of 2068	3024	cmd.exe	95
PID 2068 wrote to memory of 2676	2068	RuntimeBroker.exe	97
PID 2068 wrote to memory of 2676	2068	RuntimeBroker.exe	97
PID 2068 wrote to memory of 1492	2068	RuntimeBroker.exe	99
PID 2068 wrote to memory of 1492	2068	RuntimeBroker.exe	99
PID 1492 wrote to memory of 2928	1492	cmd.exe	101
PID 1492 wrote to memory of 2928	1492	cmd.exe	101
PID 1492 wrote to memory of 1852	1492	cmd.exe	102
PID 1492 wrote to memory of 1852	1492	cmd.exe	102
PID 1492 wrote to memory of 1104	1492	cmd.exe	105
PID 1492 wrote to memory of 1104	1492	cmd.exe	105
PID 1104 wrote to memory of 3016	1104	RuntimeBroker.exe	106
PID 1104 wrote to memory of 3016	1104	RuntimeBroker.exe	106
PID 1104 wrote to memory of 3324	1104	RuntimeBroker.exe	108
PID 1104 wrote to memory of 3324	1104	RuntimeBroker.exe	108
PID 3324 wrote to memory of 2976	3324	cmd.exe	110
PID 3324 wrote to memory of 2976	3324	cmd.exe	110
PID 3324 wrote to memory of 2256	3324	cmd.exe	111
PID 3324 wrote to memory of 2256	3324	cmd.exe	111
PID 3324 wrote to memory of 1720	3324	cmd.exe	113
PID 3324 wrote to memory of 1720	3324	cmd.exe	113
PID 1720 wrote to memory of 1780	1720	RuntimeBroker.exe	114
PID 1720 wrote to memory of 1780	1720	RuntimeBroker.exe	114
PID 1720 wrote to memory of 1984	1720	RuntimeBroker.exe	116
PID 1720 wrote to memory of 1984	1720	RuntimeBroker.exe	116
PID 1984 wrote to memory of 1032	1984	cmd.exe	118
PID 1984 wrote to memory of 1032	1984	cmd.exe	118
PID 1984 wrote to memory of 1968	1984	cmd.exe	119
PID 1984 wrote to memory of 1968	1984	cmd.exe	119
PID 1984 wrote to memory of 2848	1984	cmd.exe	121
PID 1984 wrote to memory of 2848	1984	cmd.exe	121
PID 2848 wrote to memory of 3468	2848	RuntimeBroker.exe	122
PID 2848 wrote to memory of 3468	2848	RuntimeBroker.exe	122
PID 2848 wrote to memory of 4416	2848	RuntimeBroker.exe	124
PID 2848 wrote to memory of 4416	2848	RuntimeBroker.exe	124
PID 4416 wrote to memory of 3904	4416	cmd.exe	126
PID 4416 wrote to memory of 3904	4416	cmd.exe	126
PID 4416 wrote to memory of 4196	4416	cmd.exe	127
PID 4416 wrote to memory of 4196	4416	cmd.exe	127
PID 4416 wrote to memory of 100	4416	cmd.exe	128
PID 4416 wrote to memory of 100	4416	cmd.exe	128
PID 100 wrote to memory of 2376	100	RuntimeBroker.exe	129
PID 100 wrote to memory of 2376	100	RuntimeBroker.exe	129
PID 100 wrote to memory of 3424	100	RuntimeBroker.exe	131
PID 100 wrote to memory of 3424	100	RuntimeBroker.exe	131
PID 3424 wrote to memory of 3856	3424	cmd.exe	133
PID 3424 wrote to memory of 3856	3424	cmd.exe	133
PID 3424 wrote to memory of 1880	3424	cmd.exe	134
PID 3424 wrote to memory of 1880	3424	cmd.exe	134
PID 3424 wrote to memory of 4660	3424	cmd.exe	135
PID 3424 wrote to memory of 4660	3424	cmd.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\492a651e5ae2020b3b7fd51861adf68402089d050e083c3a9ef1a9866256000c.exe
"C:\Users\Admin\AppData\Local\Temp\492a651e5ae2020b3b7fd51861adf68402089d050e083c3a9ef1a9866256000c.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3344
- C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YQT9xHfBt32L.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4660
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2988
  - - C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2068
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2676
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KKKH8Xd9C0ZE.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1492
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2928
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1852
      - C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xN8oeieQzOxL.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2976
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2256
        
        C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mFWNU34PKzKu.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1032
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1968
        
        C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LpvApIRFaBcK.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3904
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4196
        
        C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:100
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nGqL6ZJsqB1c.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3856
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1880
        
        C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4660
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BiYa078G9RyD.bat" "
        15⤵
        
        PID:680
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2516
        
        C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4808
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2216
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1TM1agnuIzwh.bat" "
        17⤵
        
        PID:4988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2564
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3492
        
        C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3316
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3688
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dklPpgWJxCPO.bat" "
        19⤵
        
        PID:4716
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:5056
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1908
        
        C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3624
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RNGDpFObV9Xw.bat" "
        21⤵
        
        PID:548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3160
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:968
        
        C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4984
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DIrt0K0tRr2P.bat" "
        23⤵
        
        PID:3964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3596
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2848
        
        C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3992
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QavCDg27lSFH.bat" "
        25⤵
        
        PID:3732
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4428
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1992
        
        C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3632
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\khHshd3cOgCT.bat" "
        27⤵
        
        PID:3552
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:904
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4104
        
        C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4868
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CURkWjTaNFDb.bat" "
        29⤵
        
        PID:2284
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:3952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3664
        
        C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9qFPkyfs1hka.bat" "
        31⤵
        
        PID:3492
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2288
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1TM1agnuIzwh.bat

Filesize
211B

MD5
0e89cf53b4a20c13da365e4cd413b881

SHA1
4621befd6cc629e83f1d41b3b548ea13a521564c

SHA256
885a8433d530247e34c98f3d3874d96dc13efca6aa3154db49fe979ac778802d

SHA512
5e0e3ede12ea2a1f1403f018439fb3182b82ef48b705660ac8d67e1861497a6e7cbec626ba47936624e3a8db1c4f7ab2363e1274afd2d572463a6c75f519db4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9qFPkyfs1hka.bat

Filesize
211B

MD5
7bcc51d341a4d9304ec36ebe2c67230b

SHA1
5c9bf0581f01b14f9f805afdb172219eb0d924e3

SHA256
6c321d3dea4fc17221b4f7f95f287edd55e4560c8f1f4c3361d3dcd6ac35ece5

SHA512
5201c5b3fbc46dc78b245a5ec971ebcec3a3b5c38b40339adbf758615342a31d87119a52b2ab54c1e8a31dc238066b6e3f627a52d26a5d559a612cbd3d1c2259

Download Submit
C:\Users\Admin\AppData\Local\Temp\BiYa078G9RyD.bat

Filesize
211B

MD5
f3e1db65d9cbe8e19e3513faf1073ea1

SHA1
25227f894ebb2f2b6d0baa88e13db109a72c577d

SHA256
0419f91ed21495d27ea97398a61c36dc15c3eb3d1af4cf1a01dddda522b9e6c7

SHA512
dbb8510c18ba49ebfd3408c8ca1a9a21a42bdde243b8f22b49a9435c38a703f2afffe770c71ab57b77b03a42c15671f91f6a262c4a9080b2426ae29285a362be

Download Submit
C:\Users\Admin\AppData\Local\Temp\CURkWjTaNFDb.bat

Filesize
211B

MD5
5a4c134ce9447cb786d1b2cec7467070

SHA1
4dc1dc5c20e97fcdba4caddb709da3e9bc2cd228

SHA256
ccaca4f1eaf43ccc2d7dae98948a7c7a3135d5ba3f0666d9e9488b8a19994eec

SHA512
6d9de85ae65ba2a4247780ed8934474b2b13e308f563e4c43dd589354f9e89f4f250e5489b98dc27d19a1a82be45307e4f300bd19f40428544ecee277481e9bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DIrt0K0tRr2P.bat

Filesize
211B

MD5
b4c72f8a6d074abf2236358ecb57c13d

SHA1
ea19e6ed8647376e68cd3e13691d6348fbb0f523

SHA256
80f50548105fb2227133878fc7017abe35531bc607b511763eb5c655995c20a7

SHA512
10b8930e40cf127dd7ffc2c365c5f1d853f14c3682b8d8d5270200b44b6741f87f8fd447314d63342fa60652ca69c1e3afe8ccf11a45d1de1183c4808f99dd06

Download Submit
C:\Users\Admin\AppData\Local\Temp\KKKH8Xd9C0ZE.bat

Filesize
211B

MD5
ae9581d9426075637a975db4c55e9769

SHA1
f1ffdbab390e08813a5de3a45a928cad0330e250

SHA256
a1fe7af1baa51fe48a9cdcd2037508b55cf36abc178a9458bf8540aba9386082

SHA512
93ab974181bd1e70d7c988cbe7a2edae61006a619c0fe552b2020d98f98214ecc1e9482351c5120b4b5ac49fbb5a3f37c459a9ecfbf3711654c143be9ff68c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\LpvApIRFaBcK.bat

Filesize
211B

MD5
7d627c29773662f318926f704aa331a5

SHA1
70ec4feafe5d3853fb01c40acf491df19e54d12c

SHA256
4cf30f0ee89f82792f0bfd34516d90a06f0a48ae01257a16c84936cb95084f38

SHA512
307057c7600d5d645f8b2039259ab3b524e86abb152b1fa1e20dceaca09b822125d16b9d3af1469cab60cb5e72d985c6a9c77fa1649f5f34e3dfb95ea7c746cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\QavCDg27lSFH.bat

Filesize
211B

MD5
dde964e51b49181dcc003458bc3a3c51

SHA1
99013cd2187b45425571f91efdad6552ed4d5806

SHA256
aa95e8ca8423c7c24db92ec313c91c6c7b6f57eea6605b9a96e3c70dd41c6f2d

SHA512
a929897198c9c91ba389a569f73904b8ec9b5691000030df4f0834d040d6c6e74bb39fca41a8eefb4b56350da45371a5bc8bb9f8d1b775f223d2160e51478e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RNGDpFObV9Xw.bat

Filesize
211B

MD5
716bd37c6dcb952ae480e4043dd0aeaf

SHA1
d7c167d1ded47ebb1901c8d475509cde5a1eef38

SHA256
e93c8492fac180ff8f632f5c19b095cdd3a7192b98c499237d053cd2e976d444

SHA512
7ac0b2e7d926d56c00b97381232a0bd27d4732d60f407af285e0e53ac10002a5ba6af388d8dd7117050ad50ae9a61bdbd3f817babaaa939616666cb3ff5259b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQT9xHfBt32L.bat

Filesize
211B

MD5
f089200d6526afeae3e2ad220902ada8

SHA1
f421f53895fdb279d0daeeae7be0252de8c55f0a

SHA256
fe53350df9f053885b848c69c1322e062e143840aca2cc1916cf741519db4fe5

SHA512
f136d3b753fdb46d7d7437bfc34b2cc57e72e02f3e18058d82296dd01742ff111e5f09286d9d1c6ecfd4e467424c6aeaec9d6aac2bfbbd5cefa0b77b735a6f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dklPpgWJxCPO.bat

Filesize
211B

MD5
aba39acdff191827f95995e916cc2fa8

SHA1
1e063538cce314d3b613270bedae46142c14d4ef

SHA256
210470c632e9db96d11d5847d5610af1035486cd7e77b51bbcde21edc5dd5248

SHA512
48bc00a2216a72d4c6aa247f0b287cd9bb37c3f6453f7f20a6b7db493f3c0d6ccdcea0ced8f04fbab0c944010e492fb0dbff9ec04025486ab3bb38cbbc8d1d38

Download Submit
C:\Users\Admin\AppData\Local\Temp\khHshd3cOgCT.bat

Filesize
211B

MD5
df72fa94108b5b39feaac609e3c217d5

SHA1
19ca614132a76e9258003cd4b4256b51598d995d

SHA256
ba2114500858b4a48b72810ebe247d25f29db909bdb00ffc149e018de6d2b622

SHA512
027233aa20244b997a2f737dec17f3c1ed6b5c1619be316eb457f7ced66283595c21ad8ce06b64cfaf0eba6e3334ddaf250c9428b6c95236fe786f238b9c64c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mFWNU34PKzKu.bat

Filesize
211B

MD5
fa03a526d2539dfd24e4197849f65a08

SHA1
28b1c5383d127cda6529776b639b3271aa9cc997

SHA256
78dab0ebac5d1d0829675d02e13eaf74d322ab8e6e3999b5ada295216fafc6f4

SHA512
eaafda66513a439732486a8b2e0d10ac3c0b30859f87a9eed651ef39bfd3d8bd50eec700d88505cc6a67c909ce802cd0e87d795519038a7660a8c47ec91e148b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGqL6ZJsqB1c.bat

Filesize
211B

MD5
5db6b67221942d4447a446aec467dbe5

SHA1
c56204271c9bce4ae9b0dc7898561b0173bc6008

SHA256
0a8d955c6cd143e9cddf3f789eb5de31d9e4ba5899639b3c7d9ad10caa621e72

SHA512
d14f7e8a44ebd418dac985cc9f673bd621e2fc4686364ed02bd7c7bb79cd9f88c562f45a363e42f445ee6472c1a164e711712b925cbf058c1c42d74bacc81305

Download Submit
C:\Users\Admin\AppData\Local\Temp\xN8oeieQzOxL.bat

Filesize
211B

MD5
a02cbcbf578f1449d87b58dddb15c7c5

SHA1
e609f4820c2ddae79d72faa92486c09b9be83763

SHA256
ed044da73f7a230c78179c53b5e8ab355443978c1f9ddabebebf36122fbb8cbe

SHA512
bdeaaabcaf24b3c9d52adae5b6469ac4273228ef47e2a18331919cdbb807188ef91d0df42b9541ac206224843c74b523e66d2dbf13c7a9bafd4f75266b94fecf

Download Submit
C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe

Filesize
3.1MB

MD5
b77d847b1d41cde07f81168c7addbb10

SHA1
2d5c614efdef7ab59fa5fb665d6ed1a79502b97f

SHA256
492a651e5ae2020b3b7fd51861adf68402089d050e083c3a9ef1a9866256000c

SHA512
6fff7c253c543e370dcb459f0cc66003f57fbc35f40af5744deca97a2c593bf0881f96c845bbc15963e9eb81a652aec78a500ea41f2d1af5fbb5f0ec04c6c9f6

Download Submit
memory/1372-17-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/1372-12-0x000000001E680000-0x000000001E732000-memory.dmp

Filesize
712KB

Download
memory/1372-11-0x000000001E570000-0x000000001E5C0000-memory.dmp

Filesize
320KB

Download
memory/1372-10-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/4592-0-0x00007FFC2E373000-0x00007FFC2E375000-memory.dmp

Filesize
8KB

Download
memory/4592-9-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/4592-2-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/4592-1-0x0000000000410000-0x0000000000734000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads