Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18-12-2024 06:22

General

  • Target

    RuntimeBroker.exe

  • Size

    3.1MB

  • MD5

    82761cf21801c5a88775b5b82bce7dcd

  • SHA1

    8e4bb300478b689915d241a18b8a9da5ba21b2b9

  • SHA256

    e170577ede5b14116b8e2b3f4ccfa7865927aac68613cfd2676eef4f43819ddf

  • SHA512

    2c45966635f2cc9bc53af8bb9070c4bd3f7d403f81fc40f58c0a0f2b04bfcd0a150092ae7a78971a9596ae0499cff98df0748eae8caacfabdfd522141b967425

  • SSDEEP

    98304:bvNL26AaNeWgPhlmVqkQ7XSK46lRJ6jzr:Tb4SY2

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

RuntimeBroker

C2

dovefey735-52034.portmap.host:52034

Mutex

c1457435-328d-4da4-8379-23c8e51865c6

Attributes
  • encryption_key

    BEDD596FBA59B01D6913DA83A0452739FD858DE1

  • install_name

    RuntimeBroker.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    RuntimeBroker

  • subdirectory

    a7

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 5 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a7\RuntimeBroker.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1936
    • C:\Windows\system32\a7\RuntimeBroker.exe
      "C:\Windows\system32\a7\RuntimeBroker.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a7\RuntimeBroker.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2192

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\System32\a7\RuntimeBroker.exe

    Filesize

    3.1MB

    MD5

    82761cf21801c5a88775b5b82bce7dcd

    SHA1

    8e4bb300478b689915d241a18b8a9da5ba21b2b9

    SHA256

    e170577ede5b14116b8e2b3f4ccfa7865927aac68613cfd2676eef4f43819ddf

    SHA512

    2c45966635f2cc9bc53af8bb9070c4bd3f7d403f81fc40f58c0a0f2b04bfcd0a150092ae7a78971a9596ae0499cff98df0748eae8caacfabdfd522141b967425

  • memory/1968-0-0x000007FEF5DC3000-0x000007FEF5DC4000-memory.dmp

    Filesize

    4KB

  • memory/1968-1-0x0000000000FB0000-0x00000000012D4000-memory.dmp

    Filesize

    3.1MB

  • memory/1968-2-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

    Filesize

    9.9MB

  • memory/1968-8-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

    Filesize

    9.9MB

  • memory/2548-10-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

    Filesize

    9.9MB

  • memory/2548-9-0x0000000000F40000-0x0000000001264000-memory.dmp

    Filesize

    3.1MB

  • memory/2548-11-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

    Filesize

    9.9MB

  • memory/2548-12-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

    Filesize

    9.9MB