quasar | e170577ede5b14116b8e2b3f4ccfa7865927aac68613cfd2676eef4f43819ddf

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e170577ede5b14116b8e2b3f4ccfa7865927aac68613cfd2676eef4f43819ddf.exe
Size

3.1MB
MD5

82761cf21801c5a88775b5b82bce7dcd
SHA1

8e4bb300478b689915d241a18b8a9da5ba21b2b9
SHA256

e170577ede5b14116b8e2b3f4ccfa7865927aac68613cfd2676eef4f43819ddf
SHA512

2c45966635f2cc9bc53af8bb9070c4bd3f7d403f81fc40f58c0a0f2b04bfcd0a150092ae7a78971a9596ae0499cff98df0748eae8caacfabdfd522141b967425
SSDEEP

98304:bvNL26AaNeWgPhlmVqkQ7XSK46lRJ6jzr:Tb4SY2

Score

10^/10

quasar runtimebroker discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

RuntimeBroker

dovefey735-52034.portmap.host:52034

Mutex

c1457435-328d-4da4-8379-23c8e51865c6

Attributes

encryption_key
BEDD596FBA59B01D6913DA83A0452739FD858DE1
install_name
RuntimeBroker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
RuntimeBroker
subdirectory
a7

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/1144-1-0x0000000000970000-0x0000000000C94000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023b93-8.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 15 IoCs

pid	Process
4312	RuntimeBroker.exe
1252	RuntimeBroker.exe
4160	RuntimeBroker.exe
1312	RuntimeBroker.exe
1732	RuntimeBroker.exe
812	RuntimeBroker.exe
2680	RuntimeBroker.exe
4704	RuntimeBroker.exe
3032	RuntimeBroker.exe
5032	RuntimeBroker.exe
812	RuntimeBroker.exe
4328	RuntimeBroker.exe
1168	RuntimeBroker.exe
3272	RuntimeBroker.exe
2016	RuntimeBroker.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\a7\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a7	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a7	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a7	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a7\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a7	e170577ede5b14116b8e2b3f4ccfa7865927aac68613cfd2676eef4f43819ddf.exe
File opened for modification	C:\Windows\system32\a7	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a7	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a7	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a7	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a7	RuntimeBroker.exe
File created	C:\Windows\system32\a7\RuntimeBroker.exe	e170577ede5b14116b8e2b3f4ccfa7865927aac68613cfd2676eef4f43819ddf.exe
File opened for modification	C:\Windows\system32\a7\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a7\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a7\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a7\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a7	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a7\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a7	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a7\RuntimeBroker.exe	e170577ede5b14116b8e2b3f4ccfa7865927aac68613cfd2676eef4f43819ddf.exe
File opened for modification	C:\Windows\system32\a7\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a7\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a7\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a7	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a7\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a7\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a7	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a7\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a7	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a7\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a7\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a7	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a7	RuntimeBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
436	PING.EXE
2592	PING.EXE
3752	PING.EXE
1816	PING.EXE
816	PING.EXE
2560	PING.EXE
456	PING.EXE
3668	PING.EXE
3704	PING.EXE
4496	PING.EXE
4960	PING.EXE
3184	PING.EXE
1680	PING.EXE
3392	PING.EXE
2568	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
436	PING.EXE
3668	PING.EXE
2592	PING.EXE
3752	PING.EXE
3392	PING.EXE
3704	PING.EXE
816	PING.EXE
1816	PING.EXE
2568	PING.EXE
3184	PING.EXE
1680	PING.EXE
4496	PING.EXE
4960	PING.EXE
2560	PING.EXE
456	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3596	schtasks.exe
4816	schtasks.exe
1940	schtasks.exe
4376	schtasks.exe
2408	schtasks.exe
2164	schtasks.exe
2592	schtasks.exe
4240	schtasks.exe
2636	schtasks.exe
3748	schtasks.exe
4796	schtasks.exe
4988	schtasks.exe
1320	schtasks.exe
3224	schtasks.exe
1684	schtasks.exe
3764	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1144	e170577ede5b14116b8e2b3f4ccfa7865927aac68613cfd2676eef4f43819ddf.exe
Token: SeDebugPrivilege	4312	RuntimeBroker.exe
Token: SeDebugPrivilege	1252	RuntimeBroker.exe
Token: SeDebugPrivilege	4160	RuntimeBroker.exe
Token: SeDebugPrivilege	1312	RuntimeBroker.exe
Token: SeDebugPrivilege	1732	RuntimeBroker.exe
Token: SeDebugPrivilege	812	RuntimeBroker.exe
Token: SeDebugPrivilege	2680	RuntimeBroker.exe
Token: SeDebugPrivilege	4704	RuntimeBroker.exe
Token: SeDebugPrivilege	3032	RuntimeBroker.exe
Token: SeDebugPrivilege	5032	RuntimeBroker.exe
Token: SeDebugPrivilege	812	RuntimeBroker.exe
Token: SeDebugPrivilege	4328	RuntimeBroker.exe
Token: SeDebugPrivilege	1168	RuntimeBroker.exe
Token: SeDebugPrivilege	3272	RuntimeBroker.exe
Token: SeDebugPrivilege	2016	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 3596	1144	e170577ede5b14116b8e2b3f4ccfa7865927aac68613cfd2676eef4f43819ddf.exe	83
PID 1144 wrote to memory of 3596	1144	e170577ede5b14116b8e2b3f4ccfa7865927aac68613cfd2676eef4f43819ddf.exe	83
PID 1144 wrote to memory of 4312	1144	e170577ede5b14116b8e2b3f4ccfa7865927aac68613cfd2676eef4f43819ddf.exe	85
PID 1144 wrote to memory of 4312	1144	e170577ede5b14116b8e2b3f4ccfa7865927aac68613cfd2676eef4f43819ddf.exe	85
PID 4312 wrote to memory of 1320	4312	RuntimeBroker.exe	86
PID 4312 wrote to memory of 1320	4312	RuntimeBroker.exe	86
PID 4312 wrote to memory of 4776	4312	RuntimeBroker.exe	88
PID 4312 wrote to memory of 4776	4312	RuntimeBroker.exe	88
PID 4776 wrote to memory of 860	4776	cmd.exe	90
PID 4776 wrote to memory of 860	4776	cmd.exe	90
PID 4776 wrote to memory of 3752	4776	cmd.exe	91
PID 4776 wrote to memory of 3752	4776	cmd.exe	91
PID 4776 wrote to memory of 1252	4776	cmd.exe	93
PID 4776 wrote to memory of 1252	4776	cmd.exe	93
PID 1252 wrote to memory of 3224	1252	RuntimeBroker.exe	94
PID 1252 wrote to memory of 3224	1252	RuntimeBroker.exe	94
PID 1252 wrote to memory of 368	1252	RuntimeBroker.exe	97
PID 1252 wrote to memory of 368	1252	RuntimeBroker.exe	97
PID 368 wrote to memory of 3256	368	cmd.exe	99
PID 368 wrote to memory of 3256	368	cmd.exe	99
PID 368 wrote to memory of 1816	368	cmd.exe	100
PID 368 wrote to memory of 1816	368	cmd.exe	100
PID 368 wrote to memory of 4160	368	cmd.exe	113
PID 368 wrote to memory of 4160	368	cmd.exe	113
PID 4160 wrote to memory of 4240	4160	RuntimeBroker.exe	115
PID 4160 wrote to memory of 4240	4160	RuntimeBroker.exe	115
PID 4160 wrote to memory of 5064	4160	RuntimeBroker.exe	118
PID 4160 wrote to memory of 5064	4160	RuntimeBroker.exe	118
PID 5064 wrote to memory of 2104	5064	cmd.exe	120
PID 5064 wrote to memory of 2104	5064	cmd.exe	120
PID 5064 wrote to memory of 4496	5064	cmd.exe	121
PID 5064 wrote to memory of 4496	5064	cmd.exe	121
PID 5064 wrote to memory of 1312	5064	cmd.exe	125
PID 5064 wrote to memory of 1312	5064	cmd.exe	125
PID 1312 wrote to memory of 1684	1312	RuntimeBroker.exe	126
PID 1312 wrote to memory of 1684	1312	RuntimeBroker.exe	126
PID 1312 wrote to memory of 632	1312	RuntimeBroker.exe	129
PID 1312 wrote to memory of 632	1312	RuntimeBroker.exe	129
PID 632 wrote to memory of 3920	632	cmd.exe	131
PID 632 wrote to memory of 3920	632	cmd.exe	131
PID 632 wrote to memory of 436	632	cmd.exe	132
PID 632 wrote to memory of 436	632	cmd.exe	132
PID 632 wrote to memory of 1732	632	cmd.exe	134
PID 632 wrote to memory of 1732	632	cmd.exe	134
PID 1732 wrote to memory of 1940	1732	RuntimeBroker.exe	135
PID 1732 wrote to memory of 1940	1732	RuntimeBroker.exe	135
PID 1732 wrote to memory of 5092	1732	RuntimeBroker.exe	138
PID 1732 wrote to memory of 5092	1732	RuntimeBroker.exe	138
PID 5092 wrote to memory of 5032	5092	cmd.exe	140
PID 5092 wrote to memory of 5032	5092	cmd.exe	140
PID 5092 wrote to memory of 4960	5092	cmd.exe	141
PID 5092 wrote to memory of 4960	5092	cmd.exe	141
PID 5092 wrote to memory of 812	5092	cmd.exe	142
PID 5092 wrote to memory of 812	5092	cmd.exe	142
PID 812 wrote to memory of 4376	812	RuntimeBroker.exe	143
PID 812 wrote to memory of 4376	812	RuntimeBroker.exe	143
PID 812 wrote to memory of 1388	812	RuntimeBroker.exe	146
PID 812 wrote to memory of 1388	812	RuntimeBroker.exe	146
PID 1388 wrote to memory of 3864	1388	cmd.exe	148
PID 1388 wrote to memory of 3864	1388	cmd.exe	148
PID 1388 wrote to memory of 3668	1388	cmd.exe	149
PID 1388 wrote to memory of 3668	1388	cmd.exe	149
PID 1388 wrote to memory of 2680	1388	cmd.exe	151
PID 1388 wrote to memory of 2680	1388	cmd.exe	151

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e170577ede5b14116b8e2b3f4ccfa7865927aac68613cfd2676eef4f43819ddf.exe
"C:\Users\Admin\AppData\Local\Temp\e170577ede5b14116b8e2b3f4ccfa7865927aac68613cfd2676eef4f43819ddf.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a7\RuntimeBroker.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3596
- C:\Windows\system32\a7\RuntimeBroker.exe
  "C:\Windows\system32\a7\RuntimeBroker.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a7\RuntimeBroker.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PnuFZIISn3jD.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:860
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3752
  - - C:\Windows\system32\a7\RuntimeBroker.exe
      "C:\Windows\system32\a7\RuntimeBroker.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1252
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a7\RuntimeBroker.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3224
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l0OSZL9tf592.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:368
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3256
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1816
      - C:\Windows\system32\a7\RuntimeBroker.exe
        
        "C:\Windows\system32\a7\RuntimeBroker.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a7\RuntimeBroker.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\74DWYBH2PL7i.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2104
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4496
        
        C:\Windows\system32\a7\RuntimeBroker.exe
        
        "C:\Windows\system32\a7\RuntimeBroker.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a7\RuntimeBroker.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a9E9j7vC1LWZ.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3920
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:436
        
        C:\Windows\system32\a7\RuntimeBroker.exe
        
        "C:\Windows\system32\a7\RuntimeBroker.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a7\RuntimeBroker.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\obhjexFPsXzU.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:5032
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4960
        
        C:\Windows\system32\a7\RuntimeBroker.exe
        
        "C:\Windows\system32\a7\RuntimeBroker.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a7\RuntimeBroker.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4Q6CvfYS5v9M.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3864
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3668
        
        C:\Windows\system32\a7\RuntimeBroker.exe
        
        "C:\Windows\system32\a7\RuntimeBroker.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a7\RuntimeBroker.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xpUQcat7RsUG.bat" "
        15⤵
        
        PID:2252
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3352
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3392
        
        C:\Windows\system32\a7\RuntimeBroker.exe
        
        "C:\Windows\system32\a7\RuntimeBroker.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4704
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a7\RuntimeBroker.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wRRgWjtX3r95.bat" "
        17⤵
        
        PID:2076
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4340
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2568
        
        C:\Windows\system32\a7\RuntimeBroker.exe
        
        "C:\Windows\system32\a7\RuntimeBroker.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a7\RuntimeBroker.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6y2M1Fw4No3U.bat" "
        19⤵
        
        PID:1600
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2656
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2592
        
        C:\Windows\system32\a7\RuntimeBroker.exe
        
        "C:\Windows\system32\a7\RuntimeBroker.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5032
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a7\RuntimeBroker.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G8Nf4xiAS7KY.bat" "
        21⤵
        
        PID:4964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2272
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3704
        
        C:\Windows\system32\a7\RuntimeBroker.exe
        
        "C:\Windows\system32\a7\RuntimeBroker.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:812
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a7\RuntimeBroker.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2164
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IdeX2RHNQXwX.bat" "
        23⤵
        
        PID:1552
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4072
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2560
        
        C:\Windows\system32\a7\RuntimeBroker.exe
        
        "C:\Windows\system32\a7\RuntimeBroker.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4328
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a7\RuntimeBroker.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4796
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UhuaKMpkc8CL.bat" "
        25⤵
        
        PID:3412
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1616
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3184
        
        C:\Windows\system32\a7\RuntimeBroker.exe
        
        "C:\Windows\system32\a7\RuntimeBroker.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1168
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a7\RuntimeBroker.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m0e1z5iyHWSm.bat" "
        27⤵
        
        PID:5064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1684
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:456
        
        C:\Windows\system32\a7\RuntimeBroker.exe
        
        "C:\Windows\system32\a7\RuntimeBroker.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3272
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a7\RuntimeBroker.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwL6W6CadQAW.bat" "
        29⤵
        
        PID:988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1340
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1680
        
        C:\Windows\system32\a7\RuntimeBroker.exe
        
        "C:\Windows\system32\a7\RuntimeBroker.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a7\RuntimeBroker.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\R4DU94YImW6Y.bat" "
        31⤵
        
        PID:3604
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:4376
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4Q6CvfYS5v9M.bat

Filesize
199B

MD5
7a0d21d9785d73d059f71a5438b7def0

SHA1
517fd2b850aac0566a2cef7fd64dd627e9a221d8

SHA256
bb5f48d1e87964499fbee09402ad1acee4ba57b0a2b741932985468c3e2e1392

SHA512
823b888d138b741649fc41ed419c23b2aafa6b02f5564141b1169769fc9699d76757001180668dccf1c3987d7f1873e21560a6bdcfc7e15bbd3d44bb93ff114f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6y2M1Fw4No3U.bat

Filesize
199B

MD5
6030fa55256ac0759defcc087f17c706

SHA1
f1c322c3caa13dfdd151acc6b505bbbb4cb4ec39

SHA256
678d16a15d251a013d4cb02954b1633452cad5b56db2fafa3a432f366e0f79a1

SHA512
e2bef46413bfdc35bca1f39e5be795655b8549062f5f1bb7bba3c71d42b5b7e6bda18cf2a82afda5b95a7117b7dee1192382fcfdbd28e93c92859a2798f060cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\74DWYBH2PL7i.bat

Filesize
199B

MD5
213850c99b05e6c709662ea2949f74e2

SHA1
3a36eb76f1c382b7fb4a71d1c5074bdc696021bd

SHA256
c7d615fbc177ec09887bb040145c929856c26f25521ef5517d727cd5f9b3bcde

SHA512
fb09c469bde4ce1698b0ea5c50185b97d672bc947f367e49d7a0b0cd9cc305b823e47b7af1af89cbaeae03340872870706c5f6801d163f9517b53ea2b284e523

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwL6W6CadQAW.bat

Filesize
199B

MD5
6b02a7ef393f40190acb04a1d0544628

SHA1
c75965c4cca1418dffb7934a1ce049ccd42e571a

SHA256
4408e68f5cddf0a0b146320f5600d6437967b76bb0bb1d114238e4cf9e62668b

SHA512
4967a5a15d9eb5927728c116905c8aecd08e5522d4b82d47b51f80764b999c6283330c99a8412ac0e3b50432877d9263e1219da376ff0412e931f4963cae5e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\G8Nf4xiAS7KY.bat

Filesize
199B

MD5
65b784789e3b4f5a63fd36ad44789611

SHA1
43b13d2007d14c9bc9a4c8fdd452d9e8d57b8715

SHA256
7e6d396e75dba51739cd85e8ac8af3437a91326ffa19b346a8df82439b515ceb

SHA512
879bfb5ea17ee09fadeeb8074906e92bfc78758eccd9919d0871f7e9ee7d7d3c1819c73e7c91b19524ea972b4f5d9bd92e2ef662aa94cadb1288333b98ab4972

Download Submit
C:\Users\Admin\AppData\Local\Temp\IdeX2RHNQXwX.bat

Filesize
199B

MD5
c4e11cc33546b75d723d3439c32e57de

SHA1
e93623c9236787d3278cf272a1a35bc6ed95172e

SHA256
a5e0bca56b57f3dffe221328d9e2750d2a584a2650e731f0c4614df8ddec04fd

SHA512
e6cfac4666fe0861bd9c2b1ec3a495918c6c6e068871d7e2c75ef5fd1a168a7cb7964ef99184ff2e82fed08093d807551e9ade1a287a8906ee804e89eac836cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\PnuFZIISn3jD.bat

Filesize
199B

MD5
b2ccaae2bb2944339202a199dc917e03

SHA1
11969e402e42fd900857cfd3c7b56ddcb35cfa54

SHA256
718d09e251d8295b16ae408b63b846e436a4cd6d34bd1429eb4838e86b8be8af

SHA512
aa38a153b512cc4391cb2a1177c68ac69efce656e53eecbf10773ce796cc8b040d1ba47b9850c52d6f142bc3aea57a1abef2ff57120d73ba8b92cb0ab7dc491f

Download Submit
C:\Users\Admin\AppData\Local\Temp\R4DU94YImW6Y.bat

Filesize
199B

MD5
792544b9ec9ed8fc501a26d0b0ae8ac2

SHA1
8ddbc49c27b033b1f71538b979ae53cc57f2ae90

SHA256
d044e077e02f68d013153d66a24f9217189e3c7be8d42af9912c535273078ba1

SHA512
01476bf6c472d29fc7602279ebf97ac58d31d5ef9cc8a3fb7fe9155d3b01da6a74ea8572877e793d651f0d51ba1ebab12e50711b9839d81b8bafd7d2bbbb256e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UhuaKMpkc8CL.bat

Filesize
199B

MD5
c3adfbdec6cf464b085eca9107052d84

SHA1
eaf406c7f47d24215b375fc27cc86e2668114651

SHA256
a6a0a5a94919cc669bf53c7d39432644a19c8b0fcfc85531975dcd96d26ad6c2

SHA512
e78024f7e1fd0b5fce0578b9cc1b325c2bdf169b5d997fc0acae4805509c643419b12b6871bd73b8aa5ba32e00db59e2f7bb80e2646b4d00facb0bc25c6ff6eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9E9j7vC1LWZ.bat

Filesize
199B

MD5
e0c97d4dae9046d5c36e1c42135c4d18

SHA1
537bffd071a60af516e198ca212d6243c26bf6b8

SHA256
d92f89d64fa27c2006182fa1b77099f814e6bc4565e7e89db5172f42fc5237d5

SHA512
6d4f47988f72bed92959707b47023e8c028b25fa9ede82f28ff740174127f2fb0e8067a138ddd1f801cc6826c6808cea97beee062dcf43a3c250a0a2328178a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\l0OSZL9tf592.bat

Filesize
199B

MD5
fb39c8ed3aa8b5708aa287e77663dd29

SHA1
7cf3a7304622df91d808f22c33eb8188767ec4d1

SHA256
fd79ab36d0cbfe61ae9811fcd20f4fdaca31c5858cb6ad78fdd17689778c2ee4

SHA512
272583cd1759f2a389a63324442d964bb452797472499bbb92476a0db9183d7ec5c532abe6686a8c54d8000549e2d6ee23d9cfb71e6f5a680e20e7f6c99fd7c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\m0e1z5iyHWSm.bat

Filesize
199B

MD5
75310f04d06d2f38ddb1a2b98d7b69ab

SHA1
721b4f85206fbe12c0395ab6ac6710671ff32d99

SHA256
68ccee8da59941939d290d4fca0e306482e22429be0392e3cb5c8a1402b53a48

SHA512
7acf6f94e38489f6e1ba8b3b53befff2498cfc3e430d3f9b5e3d6e763bd9347d52d8a8e51feb78a276708a7a8070dc23dd94a725e4b7ad6356c3253820d16f9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\obhjexFPsXzU.bat

Filesize
199B

MD5
26e8e43b2b6497c377adaa52dc1ef0f8

SHA1
fd406b75c93b0695142c1f8650e7f8346b9886b4

SHA256
a31e715f86cd1ca1e8982f9101212eac7178a4d293baa97313fa0d615eba843f

SHA512
9522d43139f82eb188c2e0761fe5874e1a9f822f3d5fb37f3048fe9e9ed1c9f4505d907152c2c1d73b2e510f0942b2657b596beabb3230d22536fc4e5a4ba600

Download Submit
C:\Users\Admin\AppData\Local\Temp\wRRgWjtX3r95.bat

Filesize
199B

MD5
d1add6fb38d0791de827dbfec13b58c1

SHA1
803c3421a7fbcff22c00651a2184e177c25c110d

SHA256
3db62cfa316f548ec3e7dcd600da2369d842896f89fe19b99c6f9bd2097ea483

SHA512
c18afca2d7c169d01343732885308328c11c640c744080e589384d8ef8ef42e9634f5f96420fea4f8418c97582f485586dfa6fa1507d11c40fe1f734f247e796

Download Submit
C:\Users\Admin\AppData\Local\Temp\xpUQcat7RsUG.bat

Filesize
199B

MD5
cfa9076cd5cf959f4b60dd7bfc96c5b0

SHA1
6ef29086701a2ccf607f020d6a95e1747c32afff

SHA256
af885c6c5b9048681e72dd556c6b549d27a981b163d76ed5ae9947be0a0c31ff

SHA512
f47ab6dc0fc06343a9aad05c2aa76615f50c3bd5608353109bed750b10b9d6d4ee47965fd4494c87a7160fa7117bd38ef55efbf75fa8f5415c1037c82a1a6081

Download Submit
C:\Windows\system32\a7\RuntimeBroker.exe

Filesize
3.1MB

MD5
82761cf21801c5a88775b5b82bce7dcd

SHA1
8e4bb300478b689915d241a18b8a9da5ba21b2b9

SHA256
e170577ede5b14116b8e2b3f4ccfa7865927aac68613cfd2676eef4f43819ddf

SHA512
2c45966635f2cc9bc53af8bb9070c4bd3f7d403f81fc40f58c0a0f2b04bfcd0a150092ae7a78971a9596ae0499cff98df0748eae8caacfabdfd522141b967425

Download Submit
memory/1144-1-0x0000000000970000-0x0000000000C94000-memory.dmp

Filesize
3.1MB

Download
memory/1144-0-0x00007FFCA1613000-0x00007FFCA1615000-memory.dmp

Filesize
8KB

Download
memory/1144-2-0x00007FFCA1610000-0x00007FFCA20D1000-memory.dmp

Filesize
10.8MB

Download
memory/1144-9-0x00007FFCA1610000-0x00007FFCA20D1000-memory.dmp

Filesize
10.8MB

Download
memory/4312-12-0x000000001D510000-0x000000001D5C2000-memory.dmp

Filesize
712KB

Download
memory/4312-11-0x000000001D400000-0x000000001D450000-memory.dmp

Filesize
320KB

Download
memory/4312-18-0x00007FFCA1610000-0x00007FFCA20D1000-memory.dmp

Filesize
10.8MB

Download
memory/4312-10-0x00007FFCA1610000-0x00007FFCA20D1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads