quasar | cca1725d99ffece2b6c33414d35f12079a32f6c86feed3c25e73065844f00c9f

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 04:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cca1725d99ffece2b6c33414d35f12079a32f6c86feed3c25e73065844f00c9f.exe
Size

3.1MB
MD5

dd7a806c734df62ecf4802977fa0b3e9
SHA1

42eae42e0fcfe9d9a54e493a670adde5241377da
SHA256

cca1725d99ffece2b6c33414d35f12079a32f6c86feed3c25e73065844f00c9f
SHA512

0f8e2e565b40baabdde4018db57e06aee8e8dfeb4b1491e8e02e56a20e6b55bc1130ed74a702c35e043d4886af969af5d8ca26f5caeb0e96694982ecfbc80bbf
SSDEEP

49152:yvkt62XlaSFNWPjljiFa2RoUYIO8RJ6IbR3LoGdaTHHB72eh2NT:yv462XlaSFNWPjljiFXRoUYIO8RJ6i

Score

10^/10

quasar aryszx discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Aryszx

Apichat:4782

Mutex

181f4a12-4cad-46a9-9896-1001033c5b69

Attributes

encryption_key
F4F359BEF442D9221F73F7D64267E0E300CC68CE
install_name
Runtime Broker.exe
log_directory
Logs
reconnect_delay
1
startup_key
Runtime Broker

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/372-1-0x0000000000630000-0x0000000000954000-memory.dmp	family_quasar
behavioral2/files/0x000b000000023b76-6.dat	family_quasar

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe

Executes dropped EXE 12 IoCs

pid	Process
840	Runtime Broker.exe
1460	Runtime Broker.exe
2104	Runtime Broker.exe
1620	Runtime Broker.exe
2092	Runtime Broker.exe
3264	Runtime Broker.exe
1292	Runtime Broker.exe
2740	Runtime Broker.exe
5028	Runtime Broker.exe
3664	Runtime Broker.exe
2112	Runtime Broker.exe
2452	Runtime Broker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2824	PING.EXE
3136	PING.EXE
1232	PING.EXE
1832	PING.EXE
4224	PING.EXE
4688	PING.EXE
3152	PING.EXE
2848	PING.EXE
2652	PING.EXE
1476	PING.EXE
1744	PING.EXE
412	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
1476	PING.EXE
412	PING.EXE
4688	PING.EXE
4224	PING.EXE
3152	PING.EXE
3136	PING.EXE
2652	PING.EXE
1232	PING.EXE
2824	PING.EXE
2848	PING.EXE
1744	PING.EXE
1832	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2360	schtasks.exe
116	schtasks.exe
3964	schtasks.exe
3548	schtasks.exe
4552	schtasks.exe
2580	schtasks.exe
2304	schtasks.exe
2632	schtasks.exe
2112	schtasks.exe
4800	schtasks.exe
1252	schtasks.exe
3080	schtasks.exe
4588	schtasks.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	372	cca1725d99ffece2b6c33414d35f12079a32f6c86feed3c25e73065844f00c9f.exe
Token: SeDebugPrivilege	840	Runtime Broker.exe
Token: SeDebugPrivilege	1460	Runtime Broker.exe
Token: SeDebugPrivilege	2104	Runtime Broker.exe
Token: SeDebugPrivilege	1620	Runtime Broker.exe
Token: SeDebugPrivilege	3264	Runtime Broker.exe
Token: SeDebugPrivilege	1292	Runtime Broker.exe
Token: SeDebugPrivilege	2740	Runtime Broker.exe
Token: SeDebugPrivilege	5028	Runtime Broker.exe
Token: SeDebugPrivilege	3664	Runtime Broker.exe
Token: SeDebugPrivilege	2112	Runtime Broker.exe
Token: SeDebugPrivilege	2452	Runtime Broker.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
840	Runtime Broker.exe
1460	Runtime Broker.exe
2104	Runtime Broker.exe
1620	Runtime Broker.exe
3264	Runtime Broker.exe
1292	Runtime Broker.exe
2740	Runtime Broker.exe
5028	Runtime Broker.exe
3664	Runtime Broker.exe
2112	Runtime Broker.exe
2452	Runtime Broker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 372 wrote to memory of 2360	372	cca1725d99ffece2b6c33414d35f12079a32f6c86feed3c25e73065844f00c9f.exe	82
PID 372 wrote to memory of 2360	372	cca1725d99ffece2b6c33414d35f12079a32f6c86feed3c25e73065844f00c9f.exe	82
PID 372 wrote to memory of 840	372	cca1725d99ffece2b6c33414d35f12079a32f6c86feed3c25e73065844f00c9f.exe	84
PID 372 wrote to memory of 840	372	cca1725d99ffece2b6c33414d35f12079a32f6c86feed3c25e73065844f00c9f.exe	84
PID 840 wrote to memory of 2304	840	Runtime Broker.exe	85
PID 840 wrote to memory of 2304	840	Runtime Broker.exe	85
PID 840 wrote to memory of 1284	840	Runtime Broker.exe	87
PID 840 wrote to memory of 1284	840	Runtime Broker.exe	87
PID 1284 wrote to memory of 2856	1284	cmd.exe	89
PID 1284 wrote to memory of 2856	1284	cmd.exe	89
PID 1284 wrote to memory of 3136	1284	cmd.exe	90
PID 1284 wrote to memory of 3136	1284	cmd.exe	90
PID 1284 wrote to memory of 1460	1284	cmd.exe	98
PID 1284 wrote to memory of 1460	1284	cmd.exe	98
PID 1460 wrote to memory of 2632	1460	Runtime Broker.exe	99
PID 1460 wrote to memory of 2632	1460	Runtime Broker.exe	99
PID 1460 wrote to memory of 1312	1460	Runtime Broker.exe	101
PID 1460 wrote to memory of 1312	1460	Runtime Broker.exe	101
PID 1312 wrote to memory of 2400	1312	cmd.exe	103
PID 1312 wrote to memory of 2400	1312	cmd.exe	103
PID 1312 wrote to memory of 2652	1312	cmd.exe	104
PID 1312 wrote to memory of 2652	1312	cmd.exe	104
PID 1312 wrote to memory of 2104	1312	cmd.exe	105
PID 1312 wrote to memory of 2104	1312	cmd.exe	105
PID 2104 wrote to memory of 116	2104	Runtime Broker.exe	106
PID 2104 wrote to memory of 116	2104	Runtime Broker.exe	106
PID 2104 wrote to memory of 3244	2104	Runtime Broker.exe	109
PID 2104 wrote to memory of 3244	2104	Runtime Broker.exe	109
PID 3244 wrote to memory of 1628	3244	cmd.exe	111
PID 3244 wrote to memory of 1628	3244	cmd.exe	111
PID 3244 wrote to memory of 1232	3244	cmd.exe	112
PID 3244 wrote to memory of 1232	3244	cmd.exe	112
PID 3244 wrote to memory of 1620	3244	cmd.exe	114
PID 3244 wrote to memory of 1620	3244	cmd.exe	114
PID 1620 wrote to memory of 3964	1620	Runtime Broker.exe	115
PID 1620 wrote to memory of 3964	1620	Runtime Broker.exe	115
PID 1620 wrote to memory of 1308	1620	Runtime Broker.exe	117
PID 1620 wrote to memory of 1308	1620	Runtime Broker.exe	117
PID 1308 wrote to memory of 2192	1308	cmd.exe	119
PID 1308 wrote to memory of 2192	1308	cmd.exe	119
PID 1308 wrote to memory of 1476	1308	cmd.exe	120
PID 1308 wrote to memory of 1476	1308	cmd.exe	120
PID 1308 wrote to memory of 2092	1308	cmd.exe	121
PID 1308 wrote to memory of 2092	1308	cmd.exe	121
PID 3908 wrote to memory of 2060	3908	cmd.exe	126
PID 3908 wrote to memory of 2060	3908	cmd.exe	126
PID 3908 wrote to memory of 1744	3908	cmd.exe	127
PID 3908 wrote to memory of 1744	3908	cmd.exe	127
PID 3908 wrote to memory of 3264	3908	cmd.exe	128
PID 3908 wrote to memory of 3264	3908	cmd.exe	128
PID 3264 wrote to memory of 4800	3264	Runtime Broker.exe	129
PID 3264 wrote to memory of 4800	3264	Runtime Broker.exe	129
PID 3264 wrote to memory of 3316	3264	Runtime Broker.exe	131
PID 3264 wrote to memory of 3316	3264	Runtime Broker.exe	131
PID 3316 wrote to memory of 1316	3316	cmd.exe	133
PID 3316 wrote to memory of 1316	3316	cmd.exe	133
PID 3316 wrote to memory of 1832	3316	cmd.exe	134
PID 3316 wrote to memory of 1832	3316	cmd.exe	134
PID 3316 wrote to memory of 1292	3316	cmd.exe	135
PID 3316 wrote to memory of 1292	3316	cmd.exe	135
PID 1292 wrote to memory of 1252	1292	Runtime Broker.exe	136
PID 1292 wrote to memory of 1252	1292	Runtime Broker.exe	136
PID 1292 wrote to memory of 3004	1292	Runtime Broker.exe	138
PID 1292 wrote to memory of 3004	1292	Runtime Broker.exe	138

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cca1725d99ffece2b6c33414d35f12079a32f6c86feed3c25e73065844f00c9f.exe
"C:\Users\Admin\AppData\Local\Temp\cca1725d99ffece2b6c33414d35f12079a32f6c86feed3c25e73065844f00c9f.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:372
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2360
- C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
  "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ec5mYNLuXHuk.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1284
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2856
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3136
  - - C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
      "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1460
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2632
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0hQksm2EDgsf.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1312
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2400
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2652
      - C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wC8LUX3n8Lqr.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1628
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1232
        
        C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mjqBzB7MeeDi.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2192
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1476
        
        C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2092
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Vfew1NBslQv0.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2060
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1744
        
        C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tOaPJcPWO7hw.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1316
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1832
        
        C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1252
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aAcwlb3rOZCC.bat" "
        15⤵
        
        PID:3004
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:5052
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:412
        
        C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2740
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAwt9gOb1jsb.bat" "
        17⤵
        
        PID:440
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1248
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4688
        
        C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5028
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XTz1H3z2yBU7.bat" "
        19⤵
        
        PID:3468
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1684
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4224
        
        C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3664
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4588
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JUPiPIF8RuZb.bat" "
        21⤵
        
        PID:1764
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2236
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3152
        
        C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2112
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d2cZoHEJoeGE.bat" "
        23⤵
        
        PID:2364
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:552
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2824
        
        C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2452
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KeFf5HhuEb4J.bat" "
        25⤵
        
        PID:1724
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3456
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Runtime Broker.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0hQksm2EDgsf.bat

Filesize
208B

MD5
beeaa17926b2b69a6d01ce75521f974a

SHA1
4f357bae6d1c2f5a6d9e3a91d0d246ae55918919

SHA256
388a63bc992897686e1cfe3a02e2b6b36ad520551c6d1f33530dab6fb347fafc

SHA512
2f85cbd0056583bea7feb8e6bcf78ff08c0a065381b7e7aac62deec61d70b83e0598c527dcd1dfd217212b82140c89b28b4266facba50ba02f19f0d4006b2aaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\JUPiPIF8RuZb.bat

Filesize
208B

MD5
b1d4f281d6da1f973d89c889892dc7ad

SHA1
0a8709537ad2aea8dcb3970ddfb13c058b4b8aef

SHA256
525f7d3c8bf1d3274c82e359adba0db12e26d446219361d849dd0ccabbb816ad

SHA512
97f2802b4443ccfb36f4058cc2baf4eab2e59c2e26f33736374fe2442d0ee435e2a00db1f040c9fff40a158e580b419f705ad3fecb0367ca6d6e0ddc810c0838

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeFf5HhuEb4J.bat

Filesize
208B

MD5
1afe1a4ce634a85ae246a26ca53a7a77

SHA1
460b52fdfb9c71e437cfc57753e77c7498a08d47

SHA256
32c118125b56bf37538ac738edb34373ecf55a8ef58ae71b10c8a71be0b2192a

SHA512
9fa66153d7b3986e790bbddc34a3eb202606d0082e2db4daef0f79f0b8cb6a4ae7270968a743c7cb4492257dc4b16838482d37b03e64f96ca9f8996747d89441

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAwt9gOb1jsb.bat

Filesize
208B

MD5
1f41b5cc2b8f94a3cf3fa56d9f1aa5c9

SHA1
3657f9069ee9a60d7dfba2bdb3be7d8e914c4ab9

SHA256
f7b1928a3f43780ec9d10cf82a9b923852ed7364baa17ef1ed625402a96c8e98

SHA512
20551ac53f2114fceb9ae56ca08e1b55ffd31fdbd3234e20b7b1461bdc5376a4cf61e10f401947030e2c09bc9e45452765ec20a1e5576793fd3fef9f776ef0fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\XTz1H3z2yBU7.bat

Filesize
208B

MD5
f78e68e0945b3ca0cda727c940168b44

SHA1
f3aa0e4655434990faa0342df7e6c41e16aca468

SHA256
ab00bb3ab10c0aa0e99f7b0a6aa089f459f76d9d978216ad955c2aae01f089fb

SHA512
d2745c53e8f37923a49e481fc0544ad47f1df865c9d4e4ec15cd828dc30d02b6946e432e82714d0cc3b75b1589ac1ded7b35ab1d780218c8ae517424fd55b2e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAcwlb3rOZCC.bat

Filesize
208B

MD5
3d4675a3e85f4bfb8c6b8984c17794b7

SHA1
d8ad791faefc036553f6b81481efb91371c3620d

SHA256
ba0f7754744e5eb958fe91ec2b97b8e5d025b982704e98cf669fd7d421d73e11

SHA512
3d446b71044ad040e6f2aadba960ca4bd9ff2b7a6ea4eff1ff93731df1e6e173366d4609b3279c4d0d5aa4cbf73316d17a89e7f0a569e6bf437c3594e6aa0b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2cZoHEJoeGE.bat

Filesize
208B

MD5
b4592899161c8da3865e560f8b6bb61a

SHA1
ec182032e278cd65b2287f064b6dbab4941cf70f

SHA256
bfe1a6d7e51e047887a20f459d70272dc5986cd2e194dff2fc725d903c825879

SHA512
aa23935f1f26f94533b6d2f46038e40801658d8f0e194d474fee0c56a8824b5259c9e1ed4f890f0b2d74f2ccf99d009dddc89f527a68764e627b35d299f5a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec5mYNLuXHuk.bat

Filesize
208B

MD5
77c17a47fd8cf4e8502b3c9d1b8dfc19

SHA1
0b0df650ab90202e1d465f74f39c03f00dac517a

SHA256
b124b7329cd7287a883b157d4610f3df08329aeb8a9e1370484374504444061f

SHA512
1b922d9a5f0cad42af8600d6b614c7eed9c657ff8e292e64abedd8c39e7b90a55388a6e20bb5af721900b9257a6ac341b17ef0ff0356ba55b145985f34e07204

Download Submit
C:\Users\Admin\AppData\Local\Temp\mjqBzB7MeeDi.bat

Filesize
208B

MD5
b71c97435c71a10cf42aba90b13bc247

SHA1
0fd17b7421ce208ab72143f951def7353fc58a24

SHA256
eb55f3e2a30234ec7d3522624d782275b9c0c46a276f5fd406a5a52113fd627f

SHA512
6a70b8ce12868087860eb8ac608dcd0664ad6efbcb16149925cdf888389c73ff49959e312d167d7dd81863c72a53664db380a2e983c0f6d977b8d0c166fe3e1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tOaPJcPWO7hw.bat

Filesize
208B

MD5
b622e3f87817ce2bea7a8accbfb0358c

SHA1
cf16c204ea38d6e46564dbeec69d8592856e6d23

SHA256
616e055f686be8131ced0d116ac923d2cdc2e7031a85d731e2a6c11d3cc7a3b4

SHA512
a0323fb4a585154a0d973ac9a12953f44d5cb6958d47937a3097136d24d9bdac30f051c236fa1b607e0ffeaa982ac329fd71a4f8fcecfa5b608e3677e5420906

Download Submit
C:\Users\Admin\AppData\Local\Temp\wC8LUX3n8Lqr.bat

Filesize
208B

MD5
2155de345f8401321480ca20e4873d0e

SHA1
567b523285f51fa1536f477d8c398d1b5cf81c61

SHA256
d7b9acf9517c50ed0e3b3186566236aa9b5f3da71a83a519543e875a73d1797e

SHA512
62d461aeec51a5316678b361a45cc000d81c01c31dffe110e240f08f2ec025f91c173e2f4fa18b9ba42e1b4be304c669c54943545c7fc637cdc40ea1325bd5e7

Download Submit
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe

Filesize
3.1MB

MD5
dd7a806c734df62ecf4802977fa0b3e9

SHA1
42eae42e0fcfe9d9a54e493a670adde5241377da

SHA256
cca1725d99ffece2b6c33414d35f12079a32f6c86feed3c25e73065844f00c9f

SHA512
0f8e2e565b40baabdde4018db57e06aee8e8dfeb4b1491e8e02e56a20e6b55bc1130ed74a702c35e043d4886af969af5d8ca26f5caeb0e96694982ecfbc80bbf

Download Submit
memory/372-0-0x00007FFCFD083000-0x00007FFCFD085000-memory.dmp

Filesize
8KB

Download
memory/372-9-0x00007FFCFD080000-0x00007FFCFDB41000-memory.dmp

Filesize
10.8MB

Download
memory/372-2-0x00007FFCFD080000-0x00007FFCFDB41000-memory.dmp

Filesize
10.8MB

Download
memory/372-1-0x0000000000630000-0x0000000000954000-memory.dmp

Filesize
3.1MB

Download
memory/840-18-0x00007FFCFD080000-0x00007FFCFDB41000-memory.dmp

Filesize
10.8MB

Download
memory/840-13-0x000000001C180000-0x000000001C232000-memory.dmp

Filesize
712KB

Download
memory/840-12-0x000000001B8B0000-0x000000001B900000-memory.dmp

Filesize
320KB

Download
memory/840-11-0x00007FFCFD080000-0x00007FFCFDB41000-memory.dmp

Filesize
10.8MB

Download
memory/840-10-0x00007FFCFD080000-0x00007FFCFDB41000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads