Analysis
max time kernel: 167s
max time network: 171s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-04-2024 12:23
Behavioral task: behavioral1
Sample: Client-built.exe
Resource: win7-20240221-en
General
Target: Client-built.exe
Size: 3.1MB
MD5: 2c1fba8d6624adf6c582fb2d5fb43b28
SHA1: bd45ee984e9476d604824f83c6cf6111a9db2467
SHA256: a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840
SHA512: cc85b5f1c2765c49f34c236634dcbfdfd6cc62e0b954b74c12b0d89dc29044dff88a9840e5c02a39e140564283074c78359dd70dfc7f426daefb75f195f14e19
SSDEEP: 49152:nvVG42pda6D+/PjlLOlg6yQipV6iRJ67bR3LoGdTqTHHB72eh2NT:nvM42pda6D+/PjlLOlZyQipV6iRJ6ND
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: funlink.ddns.net:4444
C2: quasarhost1.ddns.net:4444
Mutex: c363b2f8-fc6a-4abd-a753-cff1aad2a173
Attributes:
  encryption_key: CE5FBAC1A56C8C780C74FE8E7CD5CBCF8ABD6C8D
  install_name: updale.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: windows av startup
  subdirectory: SubDir
Signatures

Quasar payload (2 IoCs)
  resource: behavioral2/memory/3508-0-0x0000000000320000-0x0000000000644000-memory.dmp, yara_rule: family_quasar
  resource: C:\Windows\System32\SubDir\updale.exe, yara_rule: family_quasar

Checks computer location settings (2 TTPs, 12 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation (process updale.exe, 12 occurrences, one per updale.exe instance)

Executes dropped EXE (13 IoCs)
  PIDs (updale.exe): 1572, 3488, 3100, 2388, 2404, 4020, 2520, 1804, 368, 1424, 1608, 2936, 3624

Drops file in System32 directory (21 IoCs)
  File created: C:\Windows\system32\SubDir\updale.exe (process Client-built.exe, 1 occurrence)
  File opened for modification: C:\Windows\system32\SubDir\updale.exe (process Client-built.exe, 1 occurrence)
  File opened for modification: C:\Windows\system32\SubDir (process Client-built.exe, 1 occurrence)
  File opened for modification: C:\Windows\system32\SubDir\updale.exe (process updale.exe, 9 occurrences)
  File opened for modification: C:\Windows\system32\SubDir (process updale.exe, 9 occurrences)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 13 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PIDs (schtasks.exe): 4556, 3224, 3972, 1724, 4976, 648, 3148, 5084, 2556, 2648, 2040, 2928, 2876

Runs ping.exe (1 TTPs, 12 IoCs)
  PIDs (PING.EXE): 2612, 1552, 4008, 3876, 3420, 3640, 2872, 2108, 4876, 4532, 3648, 3696

Suspicious use of AdjustPrivilegeToken (13 IoCs)
  Token: SeDebugPrivilege, PID 3508 Client-built.exe
  Token: SeDebugPrivilege, PIDs (updale.exe): 1572, 3488, 3100, 2388, 2404, 4020, 2520, 1804, 368, 1424, 1608, 2936

Suspicious use of FindShellTrayWindow (12 IoCs)
  PIDs (updale.exe): 1572, 3488, 3100, 2388, 2404, 4020, 2520, 1804, 368, 1424, 1608, 2936

Suspicious use of SendNotifyMessage (12 IoCs)
  PIDs (updale.exe): 1572, 3488, 3100, 2388, 2404, 4020, 2520, 1804, 368, 1424, 1608, 2936

Suspicious use of WriteProcessMemory (64 IoCs)
Each parent/target pair below is recorded twice in the report, giving 32 unique pairs.
  PID 3508 Client-built.exe wrote to memory of PID 2876 schtasks.exe
  PID 3508 Client-built.exe wrote to memory of PID 1572 updale.exe
  PID 1572 updale.exe wrote to memory of PID 2648 schtasks.exe
  PID 1572 updale.exe wrote to memory of PID 4512 cmd.exe
  PID 4512 cmd.exe wrote to memory of PID 4864 chcp.com
  PID 4512 cmd.exe wrote to memory of PID 1552 PING.EXE
  PID 4512 cmd.exe wrote to memory of PID 3488 updale.exe
  PID 3488 updale.exe wrote to memory of PID 3224 schtasks.exe
  PID 3488 updale.exe wrote to memory of PID 448 cmd.exe
  PID 448 cmd.exe wrote to memory of PID 1336 chcp.com
  PID 448 cmd.exe wrote to memory of PID 4876 PING.EXE
  PID 448 cmd.exe wrote to memory of PID 3100 updale.exe
  PID 3100 updale.exe wrote to memory of PID 2040 schtasks.exe
  PID 3100 updale.exe wrote to memory of PID 4392 cmd.exe
  PID 4392 cmd.exe wrote to memory of PID 1616 chcp.com
  PID 4392 cmd.exe wrote to memory of PID 4008 PING.EXE
  PID 4392 cmd.exe wrote to memory of PID 2388 updale.exe
  PID 2388 updale.exe wrote to memory of PID 2928 schtasks.exe
  PID 2388 updale.exe wrote to memory of PID 1564 cmd.exe
  PID 1564 cmd.exe wrote to memory of PID 2472 chcp.com
  PID 1564 cmd.exe wrote to memory of PID 3876 PING.EXE
  PID 1564 cmd.exe wrote to memory of PID 2404 updale.exe
  PID 2404 updale.exe wrote to memory of PID 4556 schtasks.exe
  PID 2404 updale.exe wrote to memory of PID 380 cmd.exe
  PID 380 cmd.exe wrote to memory of PID 2108 chcp.com
  PID 380 cmd.exe wrote to memory of PID 4532 PING.EXE
  PID 380 cmd.exe wrote to memory of PID 4020 updale.exe
  PID 4020 updale.exe wrote to memory of PID 648 schtasks.exe
  PID 4020 updale.exe wrote to memory of PID 4480 cmd.exe
  PID 4480 cmd.exe wrote to memory of PID 3268 chcp.com
  PID 4480 cmd.exe wrote to memory of PID 3420 PING.EXE
  PID 4480 cmd.exe wrote to memory of PID 2520 updale.exe

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry gives the tree depth, the image path, the PID, the command line, and the signatures triggered by that process.

Depth 1: C:\Users\Admin\AppData\Local\Temp\Client-built.exe (PID 3508)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Depth 2: C:\Windows\SYSTEM32\schtasks.exe (PID 2876)
  Command line: "schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
  - Creates scheduled task(s)

Depth 2: C:\Windows\system32\SubDir\updale.exe (PID 1572)
  Command line: "C:\Windows\system32\SubDir\updale.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

Depth 3: C:\Windows\SYSTEM32\schtasks.exe (PID 2648)
  Command line: "schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
  - Creates scheduled task(s)

Depth 3: C:\Windows\system32\cmd.exe (PID 4512)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5zfxQv3P3FOm.bat" "
  - Suspicious use of WriteProcessMemory

Depth 4: C:\Windows\system32\chcp.com (PID 4864)
  Command line: chcp 65001

Depth 4: C:\Windows\system32\PING.EXE (PID 1552)
  Command line: ping -n 10 localhost
  - Runs ping.exe

Depth 4: C:\Windows\system32\SubDir\updale.exe (PID 3488)
  Command line: "C:\Windows\system32\SubDir\updale.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

Depth 5: C:\Windows\SYSTEM32\schtasks.exe (PID 3224)
  Command line: "schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
  - Creates scheduled task(s)

Depth 5: C:\Windows\system32\cmd.exe (PID 448)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IByO6bjmGYWG.bat" "
  - Suspicious use of WriteProcessMemory

Depth 6: C:\Windows\system32\chcp.com (PID 1336)
  Command line: chcp 65001

Depth 6: C:\Windows\system32\PING.EXE (PID 4876)
  Command line: ping -n 10 localhost
  - Runs ping.exe

Depth 6: C:\Windows\system32\SubDir\updale.exe (PID 3100)
  Command line: "C:\Windows\system32\SubDir\updale.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

Depth 7: C:\Windows\SYSTEM32\schtasks.exe (PID 2040)
  Command line: "schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
  - Creates scheduled task(s)

Depth 7: C:\Windows\system32\cmd.exe (PID 4392)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\11zxtJoZP7ko.bat" "
  - Suspicious use of WriteProcessMemory

Depth 8: C:\Windows\system32\chcp.com (PID 1616)
  Command line: chcp 65001

Depth 8: C:\Windows\system32\PING.EXE (PID 4008)
  Command line: ping -n 10 localhost
  - Runs ping.exe

Depth 8: C:\Windows\system32\SubDir\updale.exe (PID 2388)
  Command line: "C:\Windows\system32\SubDir\updale.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

Depth 9: C:\Windows\SYSTEM32\schtasks.exe (PID 2928)
  Command line: "schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
  - Creates scheduled task(s)

Depth 9: C:\Windows\system32\cmd.exe (PID 1564)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yRDmMr2oxmgi.bat" "
  - Suspicious use of WriteProcessMemory

Depth 10: C:\Windows\system32\chcp.com (PID 2472)
  Command line: chcp 65001

Depth 10: C:\Windows\system32\PING.EXE (PID 3876)
  Command line: ping -n 10 localhost
  - Runs ping.exe

Depth 10: C:\Windows\system32\SubDir\updale.exe (PID 2404)
  Command line: "C:\Windows\system32\SubDir\updale.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

Depth 11: C:\Windows\SYSTEM32\schtasks.exe (PID 4556)
  Command line: "schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
  - Creates scheduled task(s)

Depth 11: C:\Windows\system32\cmd.exe (PID 380)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wN4rgD6N2kKh.bat" "
  - Suspicious use of WriteProcessMemory

Depth 12: C:\Windows\system32\chcp.com (PID 2108)
  Command line: chcp 65001

Depth 12: C:\Windows\system32\PING.EXE (PID 4532)
  Command line: ping -n 10 localhost
  - Runs ping.exe

Depth 12: C:\Windows\system32\SubDir\updale.exe (PID 4020)
  Command line: "C:\Windows\system32\SubDir\updale.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

Depth 13: C:\Windows\SYSTEM32\schtasks.exe (PID 648)
  Command line: "schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
  - Creates scheduled task(s)

Depth 13: C:\Windows\system32\cmd.exe (PID 4480)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mhMyYoXaA1wg.bat" "
  - Suspicious use of WriteProcessMemory

Depth 14: C:\Windows\system32\chcp.com (PID 3268)
  Command line: chcp 65001

Depth 14: C:\Windows\system32\PING.EXE (PID 3420)
  Command line: ping -n 10 localhost
  - Runs ping.exe

Depth 14: C:\Windows\system32\SubDir\updale.exe (PID 2520)
  Command line: "C:\Windows\system32\SubDir\updale.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

Depth 15: C:\Windows\SYSTEM32\schtasks.exe (PID 4976)
  Command line: "schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
  - Creates scheduled task(s)

Depth 15: C:\Windows\system32\cmd.exe (PID 2912)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4i38FtXZqQ2V.bat" "

Depth 16: C:\Windows\system32\chcp.com (PID 2948)
  Command line: chcp 65001

Depth 16: C:\Windows\system32\PING.EXE (PID 3648)
  Command line: ping -n 10 localhost
  - Runs ping.exe

Depth 16: C:\Windows\system32\SubDir\updale.exe (PID 1804)
  Command line: "C:\Windows\system32\SubDir\updale.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

Depth 17: C:\Windows\SYSTEM32\schtasks.exe (PID 3148)
  Command line: "schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
  - Creates scheduled task(s)

Depth 17: C:\Windows\system32\cmd.exe (PID 4076)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kryaRc1hmuL6.bat" "

Depth 18: C:\Windows\system32\chcp.com (PID 4392)
  Command line: chcp 65001

Depth 18: C:\Windows\system32\PING.EXE (PID 3640)
  Command line: ping -n 10 localhost
  - Runs ping.exe

Depth 18: C:\Windows\system32\SubDir\updale.exe (PID 368)
  Command line: "C:\Windows\system32\SubDir\updale.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

Depth 19: C:\Windows\SYSTEM32\schtasks.exe (PID 3972)
  Command line: "schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
  - Creates scheduled task(s)

Depth 19: C:\Windows\system32\cmd.exe (PID 4368)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gEPBlnW6GfND.bat" "

Depth 20: C:\Windows\system32\chcp.com (PID 2392)
  Command line: chcp 65001

Depth 20: C:\Windows\system32\PING.EXE (PID 2872)
  Command line: ping -n 10 localhost
  - Runs ping.exe

Depth 20: C:\Windows\system32\SubDir\updale.exe (PID 1424)
  Command line: "C:\Windows\system32\SubDir\updale.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

Depth 21: C:\Windows\SYSTEM32\schtasks.exe (PID 1724)
  Command line: "schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
  - Creates scheduled task(s)

Depth 21: C:\Windows\system32\cmd.exe (PID 4348)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TswFZMvUadHL.bat" "

Depth 22: C:\Windows\system32\chcp.com (PID 1060)
  Command line: chcp 65001

Depth 22: C:\Windows\system32\PING.EXE (PID 2108)
  Command line: ping -n 10 localhost
  - Runs ping.exe

Depth 22: C:\Windows\system32\SubDir\updale.exe (PID 1608)
  Command line: "C:\Windows\system32\SubDir\updale.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

Depth 23: C:\Windows\SYSTEM32\schtasks.exe (PID 5084)
  Command line: "schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
  - Creates scheduled task(s)

Depth 23: C:\Windows\system32\cmd.exe (PID 1620)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KB80t4wqmUjA.bat" "

Depth 24: C:\Windows\system32\chcp.com (PID 5080)
  Command line: chcp 65001

Depth 24: C:\Windows\system32\PING.EXE (PID 3696)
  Command line: ping -n 10 localhost
  - Runs ping.exe

Depth 24: C:\Windows\system32\SubDir\updale.exe (PID 2936)
  Command line: "C:\Windows\system32\SubDir\updale.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

Depth 25: C:\Windows\SYSTEM32\schtasks.exe (PID 2556)
  Command line: "schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
  - Creates scheduled task(s)

Depth 25: C:\Windows\system32\cmd.exe (PID 1260)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kKaj9oFFIvr6.bat" "

Depth 26: C:\Windows\system32\chcp.com (PID 2264)
  Command line: chcp 65001

Depth 26: C:\Windows\system32\PING.EXE (PID 2612)
  Command line: ping -n 10 localhost
  - Runs ping.exe

Depth 26: C:\Windows\system32\SubDir\updale.exe (PID 3624)
  Command line: "C:\Windows\system32\SubDir\updale.exe"
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads