quasar | 4e2877d8f39535f2a6073174952795bb2f7587f4343a8c449b64cc211ee683bd

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2025 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e2877d8f39535f2a6073174952795bb2f7587f4343a8c449b64cc211ee683bd.exe
Size

3.1MB
MD5

bdec971d6eb3ebfa2000191a40525746
SHA1

59f362a302cd3fba7c10c16ffac83eb2f099104f
SHA256

4e2877d8f39535f2a6073174952795bb2f7587f4343a8c449b64cc211ee683bd
SHA512

c8a7e7bc180c6634732b3e4f42cc5029523882348d43272ac598f6640b9fb927b302ba2f35933e3c21efb77a1e902e66791a08a3fdc3b2677b15e306f4c664cd
SSDEEP

49152:Tv/lL26AaNeWgPhlmVqvMQ7XSKOJu6cBxXCoGdJTHHB72eh2NT:TvNL26AaNeWgPhlmVqkQ7XSKV6x

Score

10^/10

quasar runtimebroker discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

RuntimeBroker

hahalol-49745.portmap.host:49745

Mutex

6ba66483-7407-4bb1-85ea-d79258d3bf46

Attributes

encryption_key
AAFD116557051025FAE9863551E989343167ADDF
install_name
RuntimeBroker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
RuntimeBroker
subdirectory
a5

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/1964-1-0x0000000000C90000-0x0000000000FB4000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023b6c-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 15 IoCs

pid	Process
2260	RuntimeBroker.exe
4224	RuntimeBroker.exe
3440	RuntimeBroker.exe
5048	RuntimeBroker.exe
868	RuntimeBroker.exe
1640	RuntimeBroker.exe
2684	RuntimeBroker.exe
4924	RuntimeBroker.exe
516	RuntimeBroker.exe
1596	RuntimeBroker.exe
2756	RuntimeBroker.exe
4964	RuntimeBroker.exe
4104	RuntimeBroker.exe
2544	RuntimeBroker.exe
3732	RuntimeBroker.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\a5	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a5\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a5	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a5	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a5	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a5	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a5\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a5	4e2877d8f39535f2a6073174952795bb2f7587f4343a8c449b64cc211ee683bd.exe
File opened for modification	C:\Windows\system32\a5\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a5	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a5\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a5\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a5\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a5\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a5	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a5\RuntimeBroker.exe	RuntimeBroker.exe
File created	C:\Windows\system32\a5\RuntimeBroker.exe	4e2877d8f39535f2a6073174952795bb2f7587f4343a8c449b64cc211ee683bd.exe
File opened for modification	C:\Windows\system32\a5\RuntimeBroker.exe	4e2877d8f39535f2a6073174952795bb2f7587f4343a8c449b64cc211ee683bd.exe
File opened for modification	C:\Windows\system32\a5	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a5	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a5\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a5	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a5	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a5\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a5	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a5\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a5\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a5	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a5\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a5\RuntimeBroker.exe	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a5	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a5	RuntimeBroker.exe
File opened for modification	C:\Windows\system32\a5\RuntimeBroker.exe	RuntimeBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3128	PING.EXE
2036	PING.EXE
3724	PING.EXE
4388	PING.EXE
3984	PING.EXE
3504	PING.EXE
516	PING.EXE
3988	PING.EXE
3644	PING.EXE
2096	PING.EXE
2840	PING.EXE
3772	PING.EXE
4908	PING.EXE
528	PING.EXE
1064	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
3988	PING.EXE
3984	PING.EXE
3772	PING.EXE
3724	PING.EXE
4908	PING.EXE
4388	PING.EXE
3644	PING.EXE
2036	PING.EXE
3504	PING.EXE
2096	PING.EXE
3128	PING.EXE
516	PING.EXE
528	PING.EXE
1064	PING.EXE
2840	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3444	schtasks.exe
1048	schtasks.exe
3112	schtasks.exe
4872	schtasks.exe
3468	schtasks.exe
4596	schtasks.exe
4176	schtasks.exe
3864	schtasks.exe
4552	schtasks.exe
1964	schtasks.exe
1392	schtasks.exe
876	schtasks.exe
2328	schtasks.exe
3548	schtasks.exe
3644	schtasks.exe
5008	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1964	4e2877d8f39535f2a6073174952795bb2f7587f4343a8c449b64cc211ee683bd.exe
Token: SeDebugPrivilege	2260	RuntimeBroker.exe
Token: SeDebugPrivilege	4224	RuntimeBroker.exe
Token: SeDebugPrivilege	3440	RuntimeBroker.exe
Token: SeDebugPrivilege	5048	RuntimeBroker.exe
Token: SeDebugPrivilege	868	RuntimeBroker.exe
Token: SeDebugPrivilege	1640	RuntimeBroker.exe
Token: SeDebugPrivilege	2684	RuntimeBroker.exe
Token: SeDebugPrivilege	4924	RuntimeBroker.exe
Token: SeDebugPrivilege	516	RuntimeBroker.exe
Token: SeDebugPrivilege	1596	RuntimeBroker.exe
Token: SeDebugPrivilege	2756	RuntimeBroker.exe
Token: SeDebugPrivilege	4964	RuntimeBroker.exe
Token: SeDebugPrivilege	4104	RuntimeBroker.exe
Token: SeDebugPrivilege	2544	RuntimeBroker.exe
Token: SeDebugPrivilege	3732	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 3444	1964	4e2877d8f39535f2a6073174952795bb2f7587f4343a8c449b64cc211ee683bd.exe	82
PID 1964 wrote to memory of 3444	1964	4e2877d8f39535f2a6073174952795bb2f7587f4343a8c449b64cc211ee683bd.exe	82
PID 1964 wrote to memory of 2260	1964	4e2877d8f39535f2a6073174952795bb2f7587f4343a8c449b64cc211ee683bd.exe	84
PID 1964 wrote to memory of 2260	1964	4e2877d8f39535f2a6073174952795bb2f7587f4343a8c449b64cc211ee683bd.exe	84
PID 2260 wrote to memory of 3468	2260	RuntimeBroker.exe	85
PID 2260 wrote to memory of 3468	2260	RuntimeBroker.exe	85
PID 2260 wrote to memory of 2996	2260	RuntimeBroker.exe	87
PID 2260 wrote to memory of 2996	2260	RuntimeBroker.exe	87
PID 2996 wrote to memory of 4832	2996	cmd.exe	89
PID 2996 wrote to memory of 4832	2996	cmd.exe	89
PID 2996 wrote to memory of 3724	2996	cmd.exe	90
PID 2996 wrote to memory of 3724	2996	cmd.exe	90
PID 2996 wrote to memory of 4224	2996	cmd.exe	96
PID 2996 wrote to memory of 4224	2996	cmd.exe	96
PID 4224 wrote to memory of 4552	4224	RuntimeBroker.exe	99
PID 4224 wrote to memory of 4552	4224	RuntimeBroker.exe	99
PID 4224 wrote to memory of 4220	4224	RuntimeBroker.exe	101
PID 4224 wrote to memory of 4220	4224	RuntimeBroker.exe	101
PID 4220 wrote to memory of 5060	4220	cmd.exe	103
PID 4220 wrote to memory of 5060	4220	cmd.exe	103
PID 4220 wrote to memory of 4908	4220	cmd.exe	104
PID 4220 wrote to memory of 4908	4220	cmd.exe	104
PID 4220 wrote to memory of 3440	4220	cmd.exe	105
PID 4220 wrote to memory of 3440	4220	cmd.exe	105
PID 3440 wrote to memory of 4596	3440	RuntimeBroker.exe	106
PID 3440 wrote to memory of 4596	3440	RuntimeBroker.exe	106
PID 3440 wrote to memory of 652	3440	RuntimeBroker.exe	108
PID 3440 wrote to memory of 652	3440	RuntimeBroker.exe	108
PID 652 wrote to memory of 908	652	cmd.exe	110
PID 652 wrote to memory of 908	652	cmd.exe	110
PID 652 wrote to memory of 528	652	cmd.exe	111
PID 652 wrote to memory of 528	652	cmd.exe	111
PID 652 wrote to memory of 5048	652	cmd.exe	113
PID 652 wrote to memory of 5048	652	cmd.exe	113
PID 5048 wrote to memory of 5008	5048	RuntimeBroker.exe	114
PID 5048 wrote to memory of 5008	5048	RuntimeBroker.exe	114
PID 5048 wrote to memory of 956	5048	RuntimeBroker.exe	116
PID 5048 wrote to memory of 956	5048	RuntimeBroker.exe	116
PID 956 wrote to memory of 2972	956	cmd.exe	118
PID 956 wrote to memory of 2972	956	cmd.exe	118
PID 956 wrote to memory of 3988	956	cmd.exe	119
PID 956 wrote to memory of 3988	956	cmd.exe	119
PID 956 wrote to memory of 868	956	cmd.exe	121
PID 956 wrote to memory of 868	956	cmd.exe	121
PID 868 wrote to memory of 1964	868	RuntimeBroker.exe	122
PID 868 wrote to memory of 1964	868	RuntimeBroker.exe	122
PID 868 wrote to memory of 1992	868	RuntimeBroker.exe	124
PID 868 wrote to memory of 1992	868	RuntimeBroker.exe	124
PID 1992 wrote to memory of 2260	1992	cmd.exe	126
PID 1992 wrote to memory of 2260	1992	cmd.exe	126
PID 1992 wrote to memory of 4388	1992	cmd.exe	127
PID 1992 wrote to memory of 4388	1992	cmd.exe	127
PID 1992 wrote to memory of 1640	1992	cmd.exe	128
PID 1992 wrote to memory of 1640	1992	cmd.exe	128
PID 1640 wrote to memory of 1048	1640	RuntimeBroker.exe	129
PID 1640 wrote to memory of 1048	1640	RuntimeBroker.exe	129
PID 1640 wrote to memory of 4252	1640	RuntimeBroker.exe	131
PID 1640 wrote to memory of 4252	1640	RuntimeBroker.exe	131
PID 4252 wrote to memory of 4216	4252	cmd.exe	133
PID 4252 wrote to memory of 4216	4252	cmd.exe	133
PID 4252 wrote to memory of 3984	4252	cmd.exe	134
PID 4252 wrote to memory of 3984	4252	cmd.exe	134
PID 4252 wrote to memory of 2684	4252	cmd.exe	135
PID 4252 wrote to memory of 2684	4252	cmd.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4e2877d8f39535f2a6073174952795bb2f7587f4343a8c449b64cc211ee683bd.exe
"C:\Users\Admin\AppData\Local\Temp\4e2877d8f39535f2a6073174952795bb2f7587f4343a8c449b64cc211ee683bd.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a5\RuntimeBroker.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3444
- C:\Windows\system32\a5\RuntimeBroker.exe
  "C:\Windows\system32\a5\RuntimeBroker.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a5\RuntimeBroker.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AnGLU5LHskq4.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4832
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3724
  - - C:\Windows\system32\a5\RuntimeBroker.exe
      "C:\Windows\system32\a5\RuntimeBroker.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4224
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a5\RuntimeBroker.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4552
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3Y75SzuxMnj9.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4220
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5060
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4908
      - C:\Windows\system32\a5\RuntimeBroker.exe
        
        "C:\Windows\system32\a5\RuntimeBroker.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a5\RuntimeBroker.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8lPZ2dGhXqOj.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:908
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:528
        
        C:\Windows\system32\a5\RuntimeBroker.exe
        
        "C:\Windows\system32\a5\RuntimeBroker.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a5\RuntimeBroker.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dxjbALCrPpvZ.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2972
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3988
        
        C:\Windows\system32\a5\RuntimeBroker.exe
        
        "C:\Windows\system32\a5\RuntimeBroker.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a5\RuntimeBroker.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\72i95Nf0k09W.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2260
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4388
        
        C:\Windows\system32\a5\RuntimeBroker.exe
        
        "C:\Windows\system32\a5\RuntimeBroker.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a5\RuntimeBroker.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5f8jMcCo7Flu.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4216
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3984
        
        C:\Windows\system32\a5\RuntimeBroker.exe
        
        "C:\Windows\system32\a5\RuntimeBroker.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a5\RuntimeBroker.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HaErEO8znLu6.bat" "
        15⤵
        
        PID:1248
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2900
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1064
        
        C:\Windows\system32\a5\RuntimeBroker.exe
        
        "C:\Windows\system32\a5\RuntimeBroker.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4924
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a5\RuntimeBroker.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\J2Q25QLTUKmA.bat" "
        17⤵
        
        PID:3588
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4068
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3644
        
        C:\Windows\system32\a5\RuntimeBroker.exe
        
        "C:\Windows\system32\a5\RuntimeBroker.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:516
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a5\RuntimeBroker.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\g5AFKWmSjKLi.bat" "
        19⤵
        
        PID:5112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2856
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2840
        
        C:\Windows\system32\a5\RuntimeBroker.exe
        
        "C:\Windows\system32\a5\RuntimeBroker.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a5\RuntimeBroker.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dTLy18sa5MCS.bat" "
        21⤵
        
        PID:1476
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:5016
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2096
        
        C:\Windows\system32\a5\RuntimeBroker.exe
        
        "C:\Windows\system32\a5\RuntimeBroker.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a5\RuntimeBroker.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qAzdlI5yfdPo.bat" "
        23⤵
        
        PID:800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4084
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3128
        
        C:\Windows\system32\a5\RuntimeBroker.exe
        
        "C:\Windows\system32\a5\RuntimeBroker.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4964
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a5\RuntimeBroker.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0zz7oWf38y4s.bat" "
        25⤵
        
        PID:2560
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4252
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2036
        
        C:\Windows\system32\a5\RuntimeBroker.exe
        
        "C:\Windows\system32\a5\RuntimeBroker.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4104
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a5\RuntimeBroker.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ALBmllvE02fX.bat" "
        27⤵
        
        PID:3920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2920
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3504
        
        C:\Windows\system32\a5\RuntimeBroker.exe
        
        "C:\Windows\system32\a5\RuntimeBroker.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a5\RuntimeBroker.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5etSJpew010z.bat" "
        29⤵
        
        PID:4472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:3580
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3772
        
        C:\Windows\system32\a5\RuntimeBroker.exe
        
        "C:\Windows\system32\a5\RuntimeBroker.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3732
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\a5\RuntimeBroker.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\n8DSO73UGQRS.bat" "
        31⤵
        
        PID:4704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:3624
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0zz7oWf38y4s.bat

Filesize
199B

MD5
3f62bb3e7f155b01cbc665799bd88072

SHA1
d32a0e9080a64dfc35978802f01343f478b4cb46

SHA256
099a5bfad7ade62e2bdb215891b3db6ef6b636b3e8e0d6cb4de3d718d1549452

SHA512
3e3b922442279fa0c2c029e229afa303cb909383463acf9c283d003974be4ce64bad89549d0c147ac2e9451d69244f5ec842201b8a03b8b1efed6521846e463f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3Y75SzuxMnj9.bat

Filesize
199B

MD5
d24de28b83ec19109effbd562c701e87

SHA1
d1154e63ade7c1f6c010431fce320463977bc309

SHA256
6919c4dd12f0ef432a4af6e33815ae0241e6e2130144391f1a684f49317fd764

SHA512
babefd937aaca43b66f7a420c11a8609ff9f0e71c387e90f3f0988a371ed5edf9ff93adc450c9126473470553a08545f45c69abecb7d9b19fab827509005d3bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\5etSJpew010z.bat

Filesize
199B

MD5
2b9057ba0db69f190480b4b71bd887af

SHA1
02043474df79e09a2f4c8563abb12c0233cfbf08

SHA256
7e3d388711b7334a2a1078cb0dacaeb58cd55d16d60c1613999c496697a5759d

SHA512
1c0197fa6ea4a4ac7dc6f2fa57f006bf7f308fbe9bfd957d93cc749f4df640f2398cd3968a76f72e992eedb632795385ea37b2feb395b29c7d4b702c67a79348

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f8jMcCo7Flu.bat

Filesize
199B

MD5
bc68c16376ab5dcf88a6f4258a481a11

SHA1
572ffdd39567651d9687a3939a8cc4ed3f367bdf

SHA256
d853bc484673adc363334db1664ee3fff3a9ee6409400037abf3fe8004c9b3b2

SHA512
00f6db14863e961232453a2503db46f3c0c891ada4e493275575d1409b26d7eb172440b309e39d90c7044c09e8ce8f71aa61b53e5c64cb80379f82241ff2d4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\72i95Nf0k09W.bat

Filesize
199B

MD5
1247e657649dd116d24e880c000f63df

SHA1
df78e46de39bcce175eca7ea600f8f0026a672b7

SHA256
7507dc124f0058e3b3806283c23418bcf586e09428f8f83297269c48ddee091e

SHA512
e688ee7c2bd35f9cf1064415f489abb405b9b2d4957e24d60bcecbc09531771aeaa2acd9b5a676cf7984c1c3b0492b7ec947930b83da3d22529358a72f502244

Download Submit
C:\Users\Admin\AppData\Local\Temp\8lPZ2dGhXqOj.bat

Filesize
199B

MD5
8bdf2ab3e34ac3f21b60eacb34f40345

SHA1
b4911ed912563248432d0868b483095668d476b4

SHA256
256bc5d4456b11c3575406d4b4fe3b2df9c052f482bd00018736f447c11cc48b

SHA512
c9d161104cbe284e8cc160a626ca82ac8b852a2f63e77e4a95336cee791a9eaef576ca7a2f52a6a9f435470c72608d639e145207c1d5e09dad303f71e87c0651

Download Submit
C:\Users\Admin\AppData\Local\Temp\ALBmllvE02fX.bat

Filesize
199B

MD5
35ab33875f20066424aafda29424d92f

SHA1
c1daf8be32a75c2a95b9d0b22bc0123d8a421d19

SHA256
ed7af6885c52e3fb028cfcb014e878185de5bfa001f115b20e6c149677009fc0

SHA512
7cf4feb848e5adaa1df4232de86e139a385ae1ef2810ff47293e5b93e9f5df98b75e2c62be3e64d285982641ad3a6c5e6b3a611ab140e7f700b810b886cb15cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\AnGLU5LHskq4.bat

Filesize
199B

MD5
6ff753a883875fee3c115942daedc9a0

SHA1
dae5a4e5258b092156a3e00bc62268b9adb23bc5

SHA256
ae746e2baa5b4a28408f8a88338559cd6ce63f1701fb0615d2a9f6d56090028b

SHA512
6d483e75051f2fc107124ca121967173f462ea02e026f97dba0f342e1b90f029623822dfc954925ecdff4f2e8f90a45f0c80d724861f13d1a7dfd0a7056c845a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HaErEO8znLu6.bat

Filesize
199B

MD5
592a15908ab9380efac127957e647fc4

SHA1
8cb50b4e5a110f1cdd3c43aa253ee9fea89c5ccd

SHA256
dfa5a80f1a7507d1ad720d60ae4c261d04c7e04201cfc30fb0537e01c7da01bd

SHA512
fea46676869e9971e11410a2c3136447def7f8d241238b4f61ff1dfbaaf100bdffcd3048f025c09ec60d63df4d692b3c11184151970be2aa2363d38450024c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\J2Q25QLTUKmA.bat

Filesize
199B

MD5
c045f78b0319e694be4841196f03c1bf

SHA1
24fe9a8210d6863519690e77bb1dc546e06a5cc8

SHA256
4b70f4b09f953d92e18b64236c58239ab17730ab2ed134824d559035dcfb4b1a

SHA512
22e895d012c8b412423ebfccfe4a715c958d045e3a87086f63a2fa806faf86f44eea65bcbd1025d88da9415820a76f19c2e67a26515943040f463c77f0db19ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\dTLy18sa5MCS.bat

Filesize
199B

MD5
e5aa5fd702ebb95bed91e3f354501a9a

SHA1
8228b69a51d6ce4ea27348b319fdf0352ca344c5

SHA256
e6da053cc4653b03b1cdf77bb323eeeca616a482227ec00a5358f4fbf1a67c6e

SHA512
2d6114cf9ff35b7195232bf1f639ddaf062d6a44f206cda74a70998916345102699e548cdd22022fc26ab99e5b1ee9a6843837de648b39bfd93f734befff0f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dxjbALCrPpvZ.bat

Filesize
199B

MD5
c122d1f1162de4dda51282a687e4304a

SHA1
d21a2d171d47cbd27d2c47067d20dd8c25e3be72

SHA256
175b3cb20da531c7708062392a147d8952f99c1aac176ade12c55e28d64b70ec

SHA512
7f6f495b113d435078b95deea2539c587a03b4b27066ac7502d04970b916430d7c5863d328bd3fae416a414f5c80990bae55e6922048364655470aa28089857d

Download Submit
C:\Users\Admin\AppData\Local\Temp\g5AFKWmSjKLi.bat

Filesize
199B

MD5
4e623de6fbee40d2a05b6be5fbd465fc

SHA1
752b27d8b410201adf29b7dfd5eed3ee0258ecd5

SHA256
a789bc80603b16153fa300ce31cfc8815b59a57f12a00fe226cbb6b26539fa05

SHA512
94ebf148a129c9ead1eaa77d2ee2408e30aed6227c0f8097da6f85e101455c39aa488f069de0add97514168c7c694eda0c9413efd4e12fd187e0dcfc157158b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\n8DSO73UGQRS.bat

Filesize
199B

MD5
52eca13defca28a9db2ff35806aa7b59

SHA1
d25dc59b16f74330fb9313a341d56ee4bf79d1b7

SHA256
860aa5dd33953126f7b142b5f42aeb2d17f84e140ecad2f78524547e5941e169

SHA512
f32ce345e9b9bdcb1e6b79327c99d39d5bb703686d389f87531474ef4e2d7929e34e85f83c5e59c61dfb6ceb9e434f6f661e4e7e1785aa404ca1cfe7be15a3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAzdlI5yfdPo.bat

Filesize
199B

MD5
d52288cbcbb3e23fe40a7b52443384fc

SHA1
1b331d65c49c0a913c6d9292c58cd622ee1faab9

SHA256
a113ad8539cba1e70acd34e592b3dc8dd5d8c0170fa12c51d5344eb0b411316c

SHA512
d295e3e7f8443c7bd6bd5fd19ea5e1da5e1e551e57be907aea66594e03c5403d71d56802027cef28100c224297f519114b95eb681d6ec8126a0caf7ff05a5063

Download Submit
C:\Windows\System32\a5\RuntimeBroker.exe

Filesize
3.1MB

MD5
bdec971d6eb3ebfa2000191a40525746

SHA1
59f362a302cd3fba7c10c16ffac83eb2f099104f

SHA256
4e2877d8f39535f2a6073174952795bb2f7587f4343a8c449b64cc211ee683bd

SHA512
c8a7e7bc180c6634732b3e4f42cc5029523882348d43272ac598f6640b9fb927b302ba2f35933e3c21efb77a1e902e66791a08a3fdc3b2677b15e306f4c664cd

Download Submit
memory/1964-0-0x00007FF916683000-0x00007FF916685000-memory.dmp

Filesize
8KB

Download
memory/1964-10-0x00007FF916680000-0x00007FF917141000-memory.dmp

Filesize
10.8MB

Download
memory/1964-2-0x00007FF916680000-0x00007FF917141000-memory.dmp

Filesize
10.8MB

Download
memory/1964-1-0x0000000000C90000-0x0000000000FB4000-memory.dmp

Filesize
3.1MB

Download
memory/2260-17-0x00007FF916680000-0x00007FF917141000-memory.dmp

Filesize
10.8MB

Download
memory/2260-12-0x000000001CB80000-0x000000001CC32000-memory.dmp

Filesize
712KB

Download
memory/2260-11-0x000000001C3A0000-0x000000001C3F0000-memory.dmp

Filesize
320KB

Download
memory/2260-9-0x00007FF916680000-0x00007FF917141000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads