Analysis
max time kernel: 147s
max time network: 149s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 18-12-2024 06:22
Behavioral task behavioral1: sample RuntimeBroker.exe, resource win7-20240903-en
Behavioral task behavioral2: sample RuntimeBroker.exe, resource win10v2004-20241007-en
General
Target: RuntimeBroker.exe
Size: 3.1MB
MD5: 82761cf21801c5a88775b5b82bce7dcd
SHA1: 8e4bb300478b689915d241a18b8a9da5ba21b2b9
SHA256: e170577ede5b14116b8e2b3f4ccfa7865927aac68613cfd2676eef4f43819ddf
SHA512: 2c45966635f2cc9bc53af8bb9070c4bd3f7d403f81fc40f58c0a0f2b04bfcd0a150092ae7a78971a9596ae0499cff98df0748eae8caacfabdfd522141b967425
SSDEEP: 98304:bvNL26AaNeWgPhlmVqkQ7XSK46lRJ6jzr:Tb4SY2
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet (tag): RuntimeBroker
C2: dovefey735-52034.portmap.host:52034
Mutex: c1457435-328d-4da4-8379-23c8e51865c6
Attributes:
encryption_key: BEDD596FBA59B01D6913DA83A0452739FD858DE1
install_name: RuntimeBroker.exe
log_directory: Logs
reconnect_delay: 3000 (ms)
startup_key: RuntimeBroker
subdirectory: a7
Signatures
Quasar family

Quasar payload (3 IoCs)
resource                                                                     yara_rule
behavioral1/memory/1968-1-0x0000000000FB0000-0x00000000012D4000-memory.dmp   family_quasar
behavioral1/files/0x000700000001945b-6.dat                                   family_quasar
behavioral1/memory/2548-9-0x0000000000F40000-0x0000000001264000-memory.dmp   family_quasar

Executes dropped EXE (1 IoC)
pid   Process
2548  RuntimeBroker.exe

Drops file in System32 directory (5 IoCs)
description                   ioc                                        Process
File opened for modification  C:\Windows\system32\a7                     RuntimeBroker.exe
File created                  C:\Windows\system32\a7\RuntimeBroker.exe   RuntimeBroker.exe
File opened for modification  C:\Windows\system32\a7\RuntimeBroker.exe   RuntimeBroker.exe
File opened for modification  C:\Windows\system32\a7                     RuntimeBroker.exe
File opened for modification  C:\Windows\system32\a7\RuntimeBroker.exe   RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
1936  schtasks.exe
2192  schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   Process
Token: SeDebugPrivilege  1968  RuntimeBroker.exe
Token: SeDebugPrivilege  2548  RuntimeBroker.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid   Process
2548  RuntimeBroker.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description                        pid   Process            procid_target
PID 1968 wrote to memory of 1936   1968  RuntimeBroker.exe  30
PID 1968 wrote to memory of 1936   1968  RuntimeBroker.exe  30
PID 1968 wrote to memory of 1936   1968  RuntimeBroker.exe  30
PID 1968 wrote to memory of 2548   1968  RuntimeBroker.exe  32
PID 1968 wrote to memory of 2548   1968  RuntimeBroker.exe  32
PID 1968 wrote to memory of 2548   1968  RuntimeBroker.exe  32
PID 2548 wrote to memory of 2192   2548  RuntimeBroker.exe  33
PID 2548 wrote to memory of 2192   2548  RuntimeBroker.exe  33
PID 2548 wrote to memory of 2192   2548  RuntimeBroker.exe  33

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe (PID 1968)
  command line: "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\schtasks.exe (PID 1936)
    command line: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a7\RuntimeBroker.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
  C:\Windows\system32\a7\RuntimeBroker.exe (PID 2548)
    command line: "C:\Windows\system32\a7\RuntimeBroker.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe (PID 2192)
      command line: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a7\RuntimeBroker.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task
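The process tree and the extracted config describe one install routine: the sample in Temp copies itself to C:\Windows\system32\a7\RuntimeBroker.exe (the config's subdirectory and install_name under System32), registers a task named after startup_key that runs that copy at every logon with /rl HIGHEST, then starts the copy, which re-registers the same task. Both processes enable SeDebugPrivilege and the installed copy sets a Windows hook. Writing under System32 and creating a /rl HIGHEST task both require an elevated token, which the sandbox's Admin session supplied. The Python below is an added example, not part of the report or of Quasar: it turns those observations and the extracted C2 into detection rules (schtasks persistence, file-name masquerade of RuntimeBroker.exe outside its canonical path, known-sample hash, C2 host:port) and runs them over constructed Sysmon-style events that mirror the tree above. The canonical RuntimeBroker.exe path, the Sysmon event-id layout, the parent of the first process, the portmap.host suffix heuristic and the benign control rows are assumptions.

```python
"""Added detection example for the Quasar install chain in this report; the
events are constructed, not sandbox telemetry. Event ids follow Sysmon:
1 ProcessCreate, 3 NetworkConnect, 11 FileCreate."""
import shlex
from pathlib import PureWindowsPath

# IOCs copied from the report.
SAMPLE_SHA256 = "e170577ede5b14116b8e2b3f4ccfa7865927aac68613cfd2676eef4f43819ddf"
C2_HOST, C2_PORT = "dovefey735-52034.portmap.host", 52034

# Assumption: on a default install the genuine binary of this name lives only at
# its canonical path; the same file name anywhere else is a masquerade (T1036.005).
CANONICAL = {"runtimebroker.exe": r"c:\windows\system32\runtimebroker.exe"}


def norm(path: str) -> str:
    return str(PureWindowsPath(path)).lower()


def is_masquerade(path: str) -> bool:
    p = norm(path)
    canon = CANONICAL.get(PureWindowsPath(p).name)
    return canon is not None and p != canon


def parse_schtasks(cmd: str) -> dict:
    """Map a schtasks command line to {"/flag": value}; valueless flags map to True.
    posix=False keeps Windows quoting and backslashes intact."""
    toks = shlex.split(cmd, posix=False)
    args, i = {}, 0
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("/"):
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            if nxt is not None and not nxt.startswith("/"):
                args[tok.lower()] = nxt.strip('"')
                i += 2
                continue
            args[tok.lower()] = True
        i += 1
    return args


def rule_schtasks(ev):
    """T1053.005: task created to run at logon/boot with the highest run level
    whose target is a masqueraded binary."""
    if ev["id"] != 1 or PureWindowsPath(norm(ev["image"])).name != "schtasks.exe":
        return None
    a = parse_schtasks(ev["cmd"])
    if "/create" not in a:
        return None
    at_logon = str(a.get("/sc", "")).upper() in {"ONLOGON", "ONSTART"}
    highest = str(a.get("/rl", "")).upper() == "HIGHEST"
    if at_logon and highest and is_masquerade(str(a.get("/tr", ""))):
        return "schtasks_onlogon_highest"
    return None


def rule_masquerade(ev):
    if ev["id"] == 1 and is_masquerade(ev["image"]):
        return "masquerade_process"
    if ev["id"] == 11 and is_masquerade(ev["target"]):
        return "masquerade_file_drop"
    return None


def rule_known_hash(ev):
    return "known_sample_sha256" if ev.get("sha256") == SAMPLE_SHA256 else None


def rule_c2(ev):
    if ev["id"] != 3:
        return None
    if ev["dest_host"] == C2_HOST and ev["dest_port"] == C2_PORT:
        return "quasar_c2_exact"
    # Assumption: any other portmap.host tunnel endpoint is worth a lower-severity hunt hit.
    return "portmap_tunnel_suffix" if ev["dest_host"].endswith(".portmap.host") else None


RULES = (rule_schtasks, rule_masquerade, rule_known_hash, rule_c2)


def run(events):
    """Return [(pid, rule_name)] for every hit, in event order."""
    hits = []
    for ev in events:
        hits += [(ev["pid"], name) for name in (r(ev) for r in RULES) if name]
    return hits


def ancestry(events, pid):
    """Follow ppid links of ProcessCreate events back to the root: [pid, parent, ...]."""
    parents = {ev["pid"]: ev["ppid"] for ev in events if ev["id"] == 1}
    chain = [pid]
    while chain[-1] in parents and len(chain) < 64:
        chain.append(parents[chain[-1]])
    return chain


# Constructed events mirroring the report's tree; ppid 1500 and the two benign rows are invented.
TMP = r"C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
DROP = r"C:\Windows\system32\a7\RuntimeBroker.exe"
SCHTASKS = r"C:\Windows\system32\schtasks.exe"
TASK_CMD = ('"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON '
            r'/tr "C:\Windows\system32\a7\RuntimeBroker.exe" /rl HIGHEST /f')
EVENTS = [
    {"id": 1, "pid": 1968, "ppid": 1500, "image": TMP, "cmd": f'"{TMP}"', "sha256": SAMPLE_SHA256},
    {"id": 11, "pid": 1968, "image": TMP, "target": DROP},
    {"id": 1, "pid": 1936, "ppid": 1968, "image": SCHTASKS, "cmd": TASK_CMD},
    {"id": 1, "pid": 2548, "ppid": 1968, "image": DROP, "cmd": f'"{DROP}"', "sha256": SAMPLE_SHA256},
    {"id": 1, "pid": 2192, "ppid": 2548, "image": SCHTASKS, "cmd": TASK_CMD},
    {"id": 3, "pid": 2548, "image": DROP, "dest_host": C2_HOST, "dest_port": C2_PORT},
    {"id": 1, "pid": 4100, "ppid": 900, "image": r"C:\Windows\System32\RuntimeBroker.exe",
     "cmd": r"C:\Windows\System32\RuntimeBroker.exe -Embedding", "sha256": "benign"},
    {"id": 1, "pid": 5000, "ppid": 4200, "image": SCHTASKS,
     "cmd": r'schtasks /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\bk.exe"'},
]
```

Running `run(EVENTS)` yields hits for PIDs 1968, 1936, 2548 and 2192 only; the genuine RuntimeBroker.exe and the daily backup task produce nothing, and `ancestry(EVENTS, 2192)` reproduces the 2192 -> 2548 -> 1968 chain from the tree above. The schtasks rule deliberately requires all three conditions (logon/boot trigger, HIGHEST run level, masqueraded target) so that ordinary elevated tasks do not fire it; loosen it only with a matching allow-list.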
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.1MB
MD5: 82761cf21801c5a88775b5b82bce7dcd
SHA1: 8e4bb300478b689915d241a18b8a9da5ba21b2b9
SHA256: e170577ede5b14116b8e2b3f4ccfa7865927aac68613cfd2676eef4f43819ddf
SHA512: 2c45966635f2cc9bc53af8bb9070c4bd3f7d403f81fc40f58c0a0f2b04bfcd0a150092ae7a78971a9596ae0499cff98df0748eae8caacfabdfd522141b967425