Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-12-2024 06:22
Behavioral tasks
- behavioral1: sample RuntimeBroker.exe, resource win7-20240903-en
- behavioral2: sample RuntimeBroker.exe, resource win10v2004-20241007-en (the results below are from this task)
General
Target: RuntimeBroker.exe
Size: 3.1MB
MD5: 82761cf21801c5a88775b5b82bce7dcd
SHA1: 8e4bb300478b689915d241a18b8a9da5ba21b2b9
SHA256: e170577ede5b14116b8e2b3f4ccfa7865927aac68613cfd2676eef4f43819ddf
SHA512: 2c45966635f2cc9bc53af8bb9070c4bd3f7d403f81fc40f58c0a0f2b04bfcd0a150092ae7a78971a9596ae0499cff98df0748eae8caacfabdfd522141b967425
SSDEEP: 98304:bvNL26AaNeWgPhlmVqkQ7XSK46lRJ6jzr:Tb4SY2
Malware Config
Extracted
family: quasar
version: 1.4.1
botnet (tag): RuntimeBroker
C2: dovefey735-52034.portmap.host:52034
mutex: c1457435-328d-4da4-8379-23c8e51865c6
encryption_key: BEDD596FBA59B01D6913DA83A0452739FD858DE1
install_name: RuntimeBroker.exe
log_directory: Logs
reconnect_delay: 3000 (ms)
startup_key: RuntimeBroker
subdirectory: a7

The C2 hostname is a portmap.host tunnel endpoint, so the implant connects to the port-forwarding service rather than to the operator's own host; blocking or sinkholing that hostname and port is the actionable network IOC. The install_name and subdirectory values match the dropped path C:\Windows\system32\a7\RuntimeBroker.exe observed below, and startup_key matches the scheduled task name.
Signatures

Quasar family

Quasar payload (2 IoCs)
resource | yara_rule
behavioral2/memory/5012-1-0x0000000000460000-0x0000000000784000-memory.dmp | family_quasar
behavioral2/files/0x000a000000023ba1-5.dat | family_quasar

Executes dropped EXE (1 IoC)
pid | process
1940 | RuntimeBroker.exe

Drops file in System32 directory (5 IoCs)
description | ioc | process
File created | C:\Windows\system32\a7\RuntimeBroker.exe | RuntimeBroker.exe
File opened for modification | C:\Windows\system32\a7\RuntimeBroker.exe | RuntimeBroker.exe
File opened for modification | C:\Windows\system32\a7 | RuntimeBroker.exe
File opened for modification | C:\Windows\system32\a7\RuntimeBroker.exe | RuntimeBroker.exe
File opened for modification | C:\Windows\system32\a7 | RuntimeBroker.exe
Writing under C:\Windows\system32 requires an elevated token, so the sample ran as an administrator in this sandbox. The file name imitates the legitimate C:\Windows\System32\RuntimeBroker.exe; the a7 subdirectory is the tell.

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | process
1524 | schtasks.exe
4984 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 5012 | RuntimeBroker.exe
Token: SeDebugPrivilege | 1940 | RuntimeBroker.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | process
1940 | RuntimeBroker.exe
Consistent with Quasar's keylogger, which installs a keyboard hook.

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | process | procid_target
PID 5012 wrote to memory of 1524 | 5012 | RuntimeBroker.exe | 82
PID 5012 wrote to memory of 1524 | 5012 | RuntimeBroker.exe | 82
PID 5012 wrote to memory of 1940 | 5012 | RuntimeBroker.exe | 84
PID 5012 wrote to memory of 1940 | 5012 | RuntimeBroker.exe | 84
PID 1940 wrote to memory of 4984 | 1940 | RuntimeBroker.exe | 85
PID 1940 wrote to memory of 4984 | 1940 | RuntimeBroker.exe | 85
Each write targets a process the writer has just spawned (1524 and 1940 are children of 5012; 4984 is a child of 1940), so these entries document the process tree rather than injection into an unrelated process.

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe (PID 5012)
  command line: "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
  Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\schtasks.exe (PID 1524)
    command line: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a7\RuntimeBroker.exe" /rl HIGHEST /f
    Scheduled Task/Job: Scheduled Task
  - C:\Windows\system32\a7\RuntimeBroker.exe (PID 1940)
    command line: "C:\Windows\system32\a7\RuntimeBroker.exe"
    Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\schtasks.exe (PID 4984)
      command line: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a7\RuntimeBroker.exe" /rl HIGHEST /f
      Scheduled Task/Job: Scheduled Task
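The process tree above is the shape of telemetry a detection would run over: a file named after a Windows system binary executing from an unexpected directory, schtasks registering a logon task at the highest run level whose action points at a copy under a System32 subdirectory, and that dropped copy re-registering the same task. The Python below is an added example written for this page, not code from the sandbox or from Quasar. It runs on constructed process-creation records that mirror the tree above (the parent/child links are taken from the "wrote to memory of" entries, since the report lists no parent PID column), and LEGIT_DIRS is a hypothetical allow-list stub that in practice would be built from a known-good image.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int      # 0 marks the root of the observed tree
    image: str
    cmdline: str


# Constructed sample input mirroring the report's process tree. Parent/child
# links are taken from the "PID x wrote to memory of y" entries in the report.
SAMPLE_EVENTS = [
    ProcEvent(5012, 0, r"C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"'),
    ProcEvent(1524, 5012, r"C:\Windows\SYSTEM32\schtasks.exe",
              r'"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON '
              r'/tr "C:\Windows\system32\a7\RuntimeBroker.exe" /rl HIGHEST /f'),
    ProcEvent(1940, 5012, r"C:\Windows\system32\a7\RuntimeBroker.exe",
              r'"C:\Windows\system32\a7\RuntimeBroker.exe"'),
    ProcEvent(4984, 1940, r"C:\Windows\SYSTEM32\schtasks.exe",
              r'"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON '
              r'/tr "C:\Windows\system32\a7\RuntimeBroker.exe" /rl HIGHEST /f'),
]

# Hypothetical allow-list (assumption for this example): the directories where the
# genuine copies of a few often-impersonated Windows binaries live, lower-cased.
LEGIT_DIRS = {
    "runtimebroker.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "dllhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
}

_TOKEN = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted spans whole (quotes removed)."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


def parse_schtasks(cmdline: str) -> Optional[Dict[str, object]]:
    """Return the arguments of a 'schtasks /create' command line, or None for anything else."""
    toks = tokenize(cmdline)
    if not toks or ntpath.basename(toks[0]).lower() not in ("schtasks", "schtasks.exe"):
        return None
    lowered = [t.lower() for t in toks[1:]]
    if "/create" not in lowered:
        return None
    args: Dict[str, object] = {"force": "/f" in lowered}
    for i, tok in enumerate(lowered):
        if tok in ("/tn", "/sc", "/tr", "/rl") and i + 1 < len(lowered):
            args[tok[1:]] = toks[i + 2]   # original-case value; toks[0] is the program name
    return args


def is_masquerading(path: str) -> bool:
    """True when the file name is a known system binary but the directory is not its real home."""
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    return name in LEGIT_DIRS and directory not in LEGIT_DIRS[name]


def process_tree(events: List[ProcEvent]) -> Dict[int, List[int]]:
    """Map each parent pid to its children, in observed order."""
    tree: Dict[int, List[int]] = {}
    for ev in events:
        tree.setdefault(ev.ppid, []).append(ev.pid)
    return tree


def analyze(events: List[ProcEvent]) -> List[dict]:
    """One finding per process that masquerades or registers a suspicious task."""
    by_pid = {ev.pid: ev for ev in events}
    findings = []
    for ev in events:
        reasons = []
        if is_masquerading(ev.image):
            reasons.append("masquerading_image")
        task = parse_schtasks(ev.cmdline)
        if task is not None:
            sc = str(task.get("sc", "")).upper()
            rl = str(task.get("rl", "")).upper()
            target = str(task.get("tr", ""))
            if sc == "ONLOGON" and rl == "HIGHEST":
                reasons.append("logon_task_highest_runlevel")
            if target and is_masquerading(target):
                reasons.append("task_target_masquerading")
            parent = by_pid.get(ev.ppid)
            # The dropped copy registering itself as the task action (second schtasks run)
            if parent and target and ntpath.normcase(target) == ntpath.normcase(parent.image):
                reasons.append("task_reinstalls_parent")
        if reasons:
            findings.append({"pid": ev.pid, "image": ev.image, "task": task, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["pid"], f["image"], ", ".join(f["reasons"]))
```

Run against the sample events this flags all four processes: both RuntimeBroker.exe copies for running outside C:\Windows\System32, both schtasks invocations for the ONLOGON plus HIGHEST combination pointing at a masquerading path, and the second invocation additionally because its action is the very image that spawned it. The allow-list check is deliberately exact on the directory, so a copy in a subdirectory of System32 is caught even though a prefix match on "system32" would have let it through.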
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: baf55b95da4a601229647f25dad12878
SHA1: abc16954ebfd213733c4493fc1910164d825cac8
SHA256: ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512: 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Filesize: 3.1MB (hashes identical to the submitted sample, i.e. the dropped copy is byte-for-byte the original)
MD5: 82761cf21801c5a88775b5b82bce7dcd
SHA1: 8e4bb300478b689915d241a18b8a9da5ba21b2b9
SHA256: e170577ede5b14116b8e2b3f4ccfa7865927aac68613cfd2676eef4f43819ddf
SHA512: 2c45966635f2cc9bc53af8bb9070c4bd3f7d403f81fc40f58c0a0f2b04bfcd0a150092ae7a78971a9596ae0499cff98df0748eae8caacfabdfd522141b967425