quasar | 76741ecdd14996115907fb61b4727a102321b829f37f027acb5bf6bd9eaf736b

Analysis

max time kernel
144s
max time network
138s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
21-04-2024 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rebuild.exe
Size

3.1MB
MD5

3eedcddc5146178740acb8f2f03b17c5
SHA1

8825064b4e3780f9f291d1d15bc819bd77f84570
SHA256

76741ecdd14996115907fb61b4727a102321b829f37f027acb5bf6bd9eaf736b
SHA512

23d5f4065a34730a9a3689f3d9141ebf408f324b1f9d01daec78e4e33ae4df5c1a51ca4819c33ea317d95d6862090e5b9a5ace0055a0c54d856ab5f47d05db31
SSDEEP

49152:XvVuf2NUaNmwzPWlvdaKM7ZxTwIydumzGgoGdjTHHB72eh2NT:Xvgf2NUaNmwzPWlvdaB7ZxTwIydN

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SLAVE

uk2.localto.net:44425:44425

uk2.localto.net:44425

Mutex

cc0a2b76-665e-4e16-b318-5ee02270fbcd

Attributes

encryption_key
D7F09F1F0B9CECC640BA0B3D8975FBE5CED725B5
install_name
UpdateHost.exe
log_directory
Error Logs
reconnect_delay
3000
startup_key
WOS64
subdirectory
Windows

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/600-0-0x00000000004D0000-0x00000000007F4000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe	family_quasar

Executes dropped EXE 15 IoCs

Processes:

UpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exe

pid	process
364	UpdateHost.exe
3032	UpdateHost.exe
1828	UpdateHost.exe
3236	UpdateHost.exe
4444	UpdateHost.exe
3608	UpdateHost.exe
2140	UpdateHost.exe
3228	UpdateHost.exe
5112	UpdateHost.exe
4492	UpdateHost.exe
1680	UpdateHost.exe
4436	UpdateHost.exe
4264	UpdateHost.exe
2240	UpdateHost.exe
3220	UpdateHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1344	schtasks.exe
4320	schtasks.exe
4540	schtasks.exe
5008	schtasks.exe
4292	schtasks.exe
3832	schtasks.exe
3504	schtasks.exe
3916	schtasks.exe
3268	schtasks.exe
4236	schtasks.exe
4584	schtasks.exe
4752	schtasks.exe
224	schtasks.exe
1012	schtasks.exe
2168	schtasks.exe
1096	schtasks.exe

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
2796	PING.EXE
316	PING.EXE
4804	PING.EXE
4492	PING.EXE
1808	PING.EXE
3120	PING.EXE
3612	PING.EXE
344	PING.EXE
2852	PING.EXE
5052	PING.EXE
3132	PING.EXE
4292	PING.EXE
4992	PING.EXE
4980	PING.EXE
4932	PING.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

Rebuild.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exe

description	pid	process
Token: SeDebugPrivilege	600	Rebuild.exe
Token: SeDebugPrivilege	364	UpdateHost.exe
Token: SeDebugPrivilege	3032	UpdateHost.exe
Token: SeDebugPrivilege	1828	UpdateHost.exe
Token: SeDebugPrivilege	3236	UpdateHost.exe
Token: SeDebugPrivilege	4444	UpdateHost.exe
Token: SeDebugPrivilege	3608	UpdateHost.exe
Token: SeDebugPrivilege	2140	UpdateHost.exe
Token: SeDebugPrivilege	3228	UpdateHost.exe
Token: SeDebugPrivilege	5112	UpdateHost.exe
Token: SeDebugPrivilege	4492	UpdateHost.exe
Token: SeDebugPrivilege	1680	UpdateHost.exe
Token: SeDebugPrivilege	4436	UpdateHost.exe
Token: SeDebugPrivilege	4264	UpdateHost.exe
Token: SeDebugPrivilege	2240	UpdateHost.exe
Token: SeDebugPrivilege	3220	UpdateHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Rebuild.exeUpdateHost.execmd.exeUpdateHost.execmd.exeUpdateHost.execmd.exeUpdateHost.execmd.exeUpdateHost.execmd.exeUpdateHost.execmd.exe

description	pid	process	target process
PID 600 wrote to memory of 3832	600	Rebuild.exe	schtasks.exe
PID 600 wrote to memory of 3832	600	Rebuild.exe	schtasks.exe
PID 600 wrote to memory of 364	600	Rebuild.exe	UpdateHost.exe
PID 600 wrote to memory of 364	600	Rebuild.exe	UpdateHost.exe
PID 364 wrote to memory of 224	364	UpdateHost.exe	schtasks.exe
PID 364 wrote to memory of 224	364	UpdateHost.exe	schtasks.exe
PID 364 wrote to memory of 5116	364	UpdateHost.exe	cmd.exe
PID 364 wrote to memory of 5116	364	UpdateHost.exe	cmd.exe
PID 5116 wrote to memory of 4800	5116	cmd.exe	chcp.com
PID 5116 wrote to memory of 4800	5116	cmd.exe	chcp.com
PID 5116 wrote to memory of 4804	5116	cmd.exe	PING.EXE
PID 5116 wrote to memory of 4804	5116	cmd.exe	PING.EXE
PID 5116 wrote to memory of 3032	5116	cmd.exe	UpdateHost.exe
PID 5116 wrote to memory of 3032	5116	cmd.exe	UpdateHost.exe
PID 3032 wrote to memory of 3504	3032	UpdateHost.exe	schtasks.exe
PID 3032 wrote to memory of 3504	3032	UpdateHost.exe	schtasks.exe
PID 3032 wrote to memory of 2056	3032	UpdateHost.exe	cmd.exe
PID 3032 wrote to memory of 2056	3032	UpdateHost.exe	cmd.exe
PID 2056 wrote to memory of 2124	2056	cmd.exe	chcp.com
PID 2056 wrote to memory of 2124	2056	cmd.exe	chcp.com
PID 2056 wrote to memory of 4492	2056	cmd.exe	PING.EXE
PID 2056 wrote to memory of 4492	2056	cmd.exe	PING.EXE
PID 2056 wrote to memory of 1828	2056	cmd.exe	UpdateHost.exe
PID 2056 wrote to memory of 1828	2056	cmd.exe	UpdateHost.exe
PID 1828 wrote to memory of 3268	1828	UpdateHost.exe	schtasks.exe
PID 1828 wrote to memory of 3268	1828	UpdateHost.exe	schtasks.exe
PID 1828 wrote to memory of 4972	1828	UpdateHost.exe	cmd.exe
PID 1828 wrote to memory of 4972	1828	UpdateHost.exe	cmd.exe
PID 4972 wrote to memory of 3688	4972	cmd.exe	chcp.com
PID 4972 wrote to memory of 3688	4972	cmd.exe	chcp.com
PID 4972 wrote to memory of 5052	4972	cmd.exe	PING.EXE
PID 4972 wrote to memory of 5052	4972	cmd.exe	PING.EXE
PID 4972 wrote to memory of 3236	4972	cmd.exe	UpdateHost.exe
PID 4972 wrote to memory of 3236	4972	cmd.exe	UpdateHost.exe
PID 3236 wrote to memory of 1012	3236	UpdateHost.exe	schtasks.exe
PID 3236 wrote to memory of 1012	3236	UpdateHost.exe	schtasks.exe
PID 3236 wrote to memory of 1952	3236	UpdateHost.exe	cmd.exe
PID 3236 wrote to memory of 1952	3236	UpdateHost.exe	cmd.exe
PID 1952 wrote to memory of 4932	1952	cmd.exe	chcp.com
PID 1952 wrote to memory of 4932	1952	cmd.exe	chcp.com
PID 1952 wrote to memory of 2796	1952	cmd.exe	PING.EXE
PID 1952 wrote to memory of 2796	1952	cmd.exe	PING.EXE
PID 1952 wrote to memory of 4444	1952	cmd.exe	UpdateHost.exe
PID 1952 wrote to memory of 4444	1952	cmd.exe	UpdateHost.exe
PID 4444 wrote to memory of 2168	4444	UpdateHost.exe	schtasks.exe
PID 4444 wrote to memory of 2168	4444	UpdateHost.exe	schtasks.exe
PID 4444 wrote to memory of 2572	4444	UpdateHost.exe	cmd.exe
PID 4444 wrote to memory of 2572	4444	UpdateHost.exe	cmd.exe
PID 2572 wrote to memory of 4064	2572	cmd.exe	chcp.com
PID 2572 wrote to memory of 4064	2572	cmd.exe	chcp.com
PID 2572 wrote to memory of 3132	2572	cmd.exe	PING.EXE
PID 2572 wrote to memory of 3132	2572	cmd.exe	PING.EXE
PID 2572 wrote to memory of 3608	2572	cmd.exe	UpdateHost.exe
PID 2572 wrote to memory of 3608	2572	cmd.exe	UpdateHost.exe
PID 3608 wrote to memory of 1096	3608	UpdateHost.exe	schtasks.exe
PID 3608 wrote to memory of 1096	3608	UpdateHost.exe	schtasks.exe
PID 3608 wrote to memory of 5004	3608	UpdateHost.exe	cmd.exe
PID 3608 wrote to memory of 5004	3608	UpdateHost.exe	cmd.exe
PID 5004 wrote to memory of 5092	5004	cmd.exe	chcp.com
PID 5004 wrote to memory of 5092	5004	cmd.exe	chcp.com
PID 5004 wrote to memory of 4292	5004	cmd.exe	PING.EXE
PID 5004 wrote to memory of 4292	5004	cmd.exe	PING.EXE
PID 5004 wrote to memory of 2140	5004	cmd.exe	UpdateHost.exe
PID 5004 wrote to memory of 2140	5004	cmd.exe	UpdateHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Rebuild.exe
"C:\Users\Admin\AppData\Local\Temp\Rebuild.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:600

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:3832

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sGOvth7uYq74.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:5116

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:4800

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:4804

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:3504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DJ5zzc3fjiqB.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:2124

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:4492

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\R1ukujS6aHdz.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:3688

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:5052

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3236

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Pr37SydbKYD7.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:4932

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:2796

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4444

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:2168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KEs7LQLsip0v.bat" "
11⤵
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:4064

C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:3132

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3608

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:1096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uU2JIvnx9PKJ.bat" "
13⤵
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:5092

C:\Windows\system32\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:4292

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Tgc0VijbabX3.bat" "
15⤵
PID:1356

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:4968

C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:3120

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
16⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3228

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:4540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cGBF5wEo5ADP.bat" "
17⤵
PID:3196

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:4468

C:\Windows\system32\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:4992

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
18⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:3916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yE5xwo4hwS3a.bat" "
19⤵
PID:2352

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:1480

C:\Windows\system32\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:3612

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:5008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\f2MCz8ZQCsEq.bat" "
21⤵
PID:4408

C:\Windows\system32\chcp.com
chcp 65001
22⤵
PID:3932

C:\Windows\system32\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:4980

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
22⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:4236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l8VgYEyszvGR.bat" "
23⤵
PID:5060

C:\Windows\system32\chcp.com
chcp 65001
24⤵
PID:5032

C:\Windows\system32\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:4932

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
24⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\13vLQSJTImrx.bat" "
25⤵
PID:2120

C:\Windows\system32\chcp.com
chcp 65001
26⤵
PID:2156

C:\Windows\system32\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:2852

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
26⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4264

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mIjdRpgBxcDL.bat" "
27⤵
PID:4284

C:\Windows\system32\chcp.com
chcp 65001
28⤵
PID:4424

C:\Windows\system32\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:1808

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
28⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:4292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uz40dM6HsxGV.bat" "
29⤵
PID:4652

C:\Windows\system32\chcp.com
chcp 65001
30⤵
PID:2612

C:\Windows\system32\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:344

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
30⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3220

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:1344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M8AREO4YiMgl.bat" "
31⤵
PID:1368

C:\Windows\system32\chcp.com
chcp 65001
32⤵
PID:4468

C:\Windows\system32\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:316

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\UpdateHost.exe.log
Filesize
2KB

MD5
1dcda70572487b230bb9e47148a0946d

SHA1
06f9b414b54eb9a816d9b37a2b54c82a94197a05

SHA256
9e6e954e3f620c078e96da9f741090719a3b6b282704a1e54942b683223de4ed

SHA512
7de9c424f82129e049ca6830c6ae1f23489738d487999e773f1593494f1caddc9dd9c77f85c3a01e05ee37653de3ab17da8c3fdf75adc0c0c2fb38a938246179

Download Submit
C:\Users\Admin\AppData\Local\Temp\13vLQSJTImrx.bat
Filesize
212B

MD5
08f704348cce641e4143c747c207fec0

SHA1
fb31252bfe4ade182147ec0ac6606a714b0ec6b4

SHA256
51a53a863f520d4934f98dbabbab9f3ec894e3d425c5c344f99f6d86038fafb0

SHA512
ae3fb580516a7bd4852ca50b83b3667bcf1518a0cc88c3bd71efd863e9d208bd3901580582804080eebb16e370012c77ce0400a3e9a896133dade35ca8c58fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DJ5zzc3fjiqB.bat
Filesize
212B

MD5
d0b8869deeef81285b3af20b8e7478b7

SHA1
db6185f5c4d63529e0e740cdef8ac8f92d16ab96

SHA256
d25b74203143db15616a2da2f095d758f00a41d0cd3df61fa0a4c5b149ed2af2

SHA512
063f2005e984373bd39df59fcad12d77364b737357456bb1d9dd0afd69304d1af9c24deb8bc65b52f01119567dc773ffbd16f85b2f01fc8c3ea2774129fc90ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEs7LQLsip0v.bat
Filesize
212B

MD5
4f89c8989494a9ee962a4c2d447acb01

SHA1
7ae8aaeef300259bf45126549e6731c0d4687deb

SHA256
846b737063af9f54ec657fcce675d841e3f761bd8933d290b12cb4606d7d6395

SHA512
686646cd2e2f453a4218f16145f368e128a224a5a38d9eace0e415ade9b0beba668503b4fb0b8e5f9b426e5401a225da2c39ecb46405121582cbedec4492553b

Download Submit
C:\Users\Admin\AppData\Local\Temp\M8AREO4YiMgl.bat
Filesize
212B

MD5
be150e128cc4df45a6ce752d0ba8d092

SHA1
a6f6829490b99f4a972356eaa91554e0e00c592b

SHA256
d28452d1561332589ff754055a9fcf4ef8d2b470880e7934409a0f651a29a44c

SHA512
414c14ace61a4ec08638d9ffb49b3166f775f928e35b6f405c24a2dce9c27b3cc840d75a6c569588c14b00f75a4ecb852d6867ad19ebbe7924dfabccb318de9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pr37SydbKYD7.bat
Filesize
212B

MD5
8bf5dd3c21f1a8a971b4a33fac6d1b59

SHA1
d0fc1e58e69d9d5baede8fee74642205c92884c7

SHA256
66665a60d7abde3c76338e2d9789355608e57051d0ebd00cd9d2b5c10ce09bad

SHA512
bf2d7f6f3f20f75973e557aa46c24ddd5b0c600da7815ef05e3e7e0114fcb8d5355b82c9417518d347ed7e48aa648a00a7c054069c25f179847515d9eaf11107

Download Submit
C:\Users\Admin\AppData\Local\Temp\R1ukujS6aHdz.bat
Filesize
212B

MD5
921715008223f5b285931b356a5f6e75

SHA1
cdc2586e0c173a7de475dc86ee68c90170d31f90

SHA256
7359886cea7b06f787bb4b9b7975d6fecf94f664243c93198960a7ce19f2cd5a

SHA512
3d76f841ab80fc9c7baf5dff60ada9acf95a51e4f37c612295bf3ac2b91e8b9392f7b077cea0b2c8e0900b3d2b6845a8a24203c347dfe5d0766f0ef67850d456

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tgc0VijbabX3.bat
Filesize
212B

MD5
5656632aa0d49b2236b83dce5582418d

SHA1
260e062cd2dabcf33b9db3404ad58a8b895373a5

SHA256
6381cd9e202c7ea955133f8325df3f8e791076451d6d0f837fa5dd99ccff39a9

SHA512
2626797709f3eb3975bfdae92be5f05d59a6189918ff6f153ecb1e3eb2a2793ffcbfed7562ed6d40b55d060bb00de6da89eed4a0e02947b17fbee772cc530676

Download Submit
C:\Users\Admin\AppData\Local\Temp\cGBF5wEo5ADP.bat
Filesize
212B

MD5
1c8dcd6a5be2b5afc3e86cea56e62dcd

SHA1
e502ba20ed866c6187eac7d108c1688590f82490

SHA256
67f6e1170d380dc02ee831a3b0e7535962874a616af7fa2a74840fd4f085c23c

SHA512
f30751210e3a9cc6ff7163aa103a2618e2447b047f042a33c72fb6635d9d438fa9ad24da63546e09c3d546941d579c150868c74a06a31c4273ee505e32bbce7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2MCz8ZQCsEq.bat
Filesize
212B

MD5
b1b85ee097fd76939cbcbdda0779ce0d

SHA1
9482a6d8b855c1a2a4e1b787a580b2d7a9a4b25a

SHA256
e1f2b7e366a7be50045552399e3007df21cb67a56faee2a96bf00d48bb5cabdf

SHA512
dde79f8c1d9f15dcdfd92103f2a75a0fc8b941ca0cc438b9cf36a9de8423bdd3beb370082eb651af0fe5981e61e62d73dbf957d4c78511adbd9b91970f2bba32

Download Submit
C:\Users\Admin\AppData\Local\Temp\l8VgYEyszvGR.bat
Filesize
212B

MD5
504fca4ad85b782264efdf0206a64b1f

SHA1
b6cb3f580d0f03488cd904ddd254f671ce19528f

SHA256
93a8ef14cac6d50f294204d2e22b9785a85d30ad0b35000164c553439419ef91

SHA512
77df870b3e9b7c6fdebdccf29f5b0437efe781950db3fcfb7ea21f529ed7c1cc124aeee23ed177916d71cfe512f9567d9c68af0a10db3f1e5d2217635b17fe0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIjdRpgBxcDL.bat
Filesize
212B

MD5
6e5bb7e044db5c767799d82757730a5a

SHA1
b8264ceea5fb40da80dc0df4da6a4b02aa213dee

SHA256
bb06efb6b96370d6549a66f552ae57391d1b0f876ca17e643d85763877fa3fad

SHA512
0f0de419bca1e50b7ba6cb894cbda6b517c7c7aed439b432599da5e1664c94fa1f831c498e1257390dbd320d29859db6e2d3924cd37e2a50cbacab47e18f07c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sGOvth7uYq74.bat
Filesize
212B

MD5
dddc0ef8c39bdb38e201e8ba31cd2d17

SHA1
2309bf6ddbe88492cff098c132f45a684df21a9b

SHA256
56923e31eeac876c0d1f1462fe7dddeb7e5f0abcd81cfad9d451d5706d3efee3

SHA512
5f959b66e475a713efc1dc342e00511f1e94ff1a3c904862714a5595a518d4e6277198a9f402b49dab56b230a86295d3e6d024ceb4a8aa67618f3e444e91b62e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uU2JIvnx9PKJ.bat
Filesize
212B

MD5
798ae5f210e183e696c677ec34268d4e

SHA1
956e389f10527b196ecc8887d9a0b13684085600

SHA256
fc7695ee4020100b5c88884e5c4713f5039d65a96b56d050917e2ba602317e17

SHA512
50223d0a0a074afe9226f8881bfa91bd816ab9f0b1312c4b7059b0ee101fe246097462a943b0c35ea8db5fb45c2f6fdb9c1585f29abc6ce0b2c888c6407399f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\uz40dM6HsxGV.bat
Filesize
212B

MD5
9e1fee5e8d3fea79a64363b73fd47d5e

SHA1
7e4199495d90a52a48df35e1ed9542a4941c84bc

SHA256
9a17e5151ee7ecf13f80ad1447f054b58f7d4ef3956cf4b4417a73f7eb2bde3e

SHA512
de46410723809a507234b7c4b8fabcacc5545eecfcd2f57f6e2caa11fdd18334db0fa576a386886d418cc68de58cf226e4f919b3fe9dd9b748dbf30983070621

Download Submit
C:\Users\Admin\AppData\Local\Temp\yE5xwo4hwS3a.bat
Filesize
212B

MD5
22f075c5a38d6544a490baf2b2bd916f

SHA1
dd52671939ce3ff4af288147cbdb9b385e060906

SHA256
c3d0e6ebb68393532a6d18621d3e0c374750dd5c8829599a922a4c2175972fdb

SHA512
730468ad93b3006cff6019cae7e569b3458ac780632d9ceb7a36ba2ceaef641cea55875ee9a6ad45df9e049a1ea298fa865ef570a671ae45b7e0ae029435b096

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
Filesize
3.1MB

MD5
3eedcddc5146178740acb8f2f03b17c5

SHA1
8825064b4e3780f9f291d1d15bc819bd77f84570

SHA256
76741ecdd14996115907fb61b4727a102321b829f37f027acb5bf6bd9eaf736b

SHA512
23d5f4065a34730a9a3689f3d9141ebf408f324b1f9d01daec78e4e33ae4df5c1a51ca4819c33ea317d95d6862090e5b9a5ace0055a0c54d856ab5f47d05db31

Download Submit
memory/364-11-0x000000001B660000-0x000000001B6B0000-memory.dmp

Filesize
320KB

Download
memory/364-18-0x00007FFF3A570000-0x00007FFF3AF5C000-memory.dmp

Filesize
9.9MB

Download
memory/364-12-0x000000001B770000-0x000000001B822000-memory.dmp

Filesize
712KB

Download
memory/364-10-0x000000001B050000-0x000000001B060000-memory.dmp

Filesize
64KB

Download
memory/364-9-0x00007FFF3A570000-0x00007FFF3AF5C000-memory.dmp

Filesize
9.9MB

Download
memory/600-0-0x00000000004D0000-0x00000000007F4000-memory.dmp

Filesize
3.1MB

Download
memory/600-8-0x00007FFF3A570000-0x00007FFF3AF5C000-memory.dmp

Filesize
9.9MB

Download
memory/600-2-0x000000001B3D0000-0x000000001B3E0000-memory.dmp

Filesize
64KB

Download
memory/600-1-0x00007FFF3A570000-0x00007FFF3AF5C000-memory.dmp

Filesize
9.9MB

Download
memory/1680-98-0x00007FFF3A570000-0x00007FFF3AF5C000-memory.dmp

Filesize
9.9MB

Download
memory/1680-94-0x000000001B1F0000-0x000000001B200000-memory.dmp

Filesize
64KB

Download
memory/1680-93-0x00007FFF3A570000-0x00007FFF3AF5C000-memory.dmp

Filesize
9.9MB

Download
memory/1828-29-0x00007FFF3A570000-0x00007FFF3AF5C000-memory.dmp

Filesize
9.9MB

Download
memory/1828-30-0x000000001B280000-0x000000001B290000-memory.dmp

Filesize
64KB

Download
memory/1828-34-0x00007FFF3A570000-0x00007FFF3AF5C000-memory.dmp

Filesize
9.9MB

Download
memory/2140-61-0x00007FFF3A570000-0x00007FFF3AF5C000-memory.dmp

Filesize
9.9MB

Download
memory/2140-62-0x000000001B910000-0x000000001B920000-memory.dmp

Filesize
64KB

Download
memory/2140-66-0x00007FFF3A570000-0x00007FFF3AF5C000-memory.dmp

Filesize
9.9MB

Download
memory/2240-117-0x00007FFF3A570000-0x00007FFF3AF5C000-memory.dmp

Filesize
9.9MB

Download
memory/2240-121-0x00007FFF3A570000-0x00007FFF3AF5C000-memory.dmp

Filesize
9.9MB

Download
memory/3032-26-0x00007FFF3A570000-0x00007FFF3AF5C000-memory.dmp

Filesize
9.9MB

Download
memory/3032-22-0x000000001AFE0000-0x000000001AFF0000-memory.dmp

Filesize
64KB

Download
memory/3032-21-0x00007FFF3A570000-0x00007FFF3AF5C000-memory.dmp

Filesize
9.9MB

Download
memory/3220-129-0x00007FFF3A570000-0x00007FFF3AF5C000-memory.dmp

Filesize
9.9MB

Download
memory/3220-125-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/3220-124-0x00007FFF3A570000-0x00007FFF3AF5C000-memory.dmp

Filesize
9.9MB

Download
memory/3228-74-0x00007FFF3A570000-0x00007FFF3AF5C000-memory.dmp

Filesize
9.9MB

Download
memory/3228-70-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3228-69-0x00007FFF3A570000-0x00007FFF3AF5C000-memory.dmp

Filesize
9.9MB

Download
memory/3236-43-0x00007FFF3A570000-0x00007FFF3AF5C000-memory.dmp

Filesize
9.9MB

Download
memory/3236-38-0x000000001BAB0000-0x000000001BAC0000-memory.dmp

Filesize
64KB

Download
memory/3236-37-0x00007FFF3A570000-0x00007FFF3AF5C000-memory.dmp

Filesize
9.9MB

Download
memory/3608-53-0x00007FFF3A570000-0x00007FFF3AF5C000-memory.dmp

Filesize
9.9MB

Download
memory/3608-58-0x00007FFF3A570000-0x00007FFF3AF5C000-memory.dmp

Filesize
9.9MB

Download
memory/3608-54-0x000000001B200000-0x000000001B210000-memory.dmp

Filesize
64KB

Download
memory/4264-110-0x000000001B7B0000-0x000000001B7C0000-memory.dmp

Filesize
64KB

Download
memory/4264-115-0x00007FFF3A570000-0x00007FFF3AF5C000-memory.dmp

Filesize
9.9MB

Download
memory/4264-109-0x00007FFF3A570000-0x00007FFF3AF5C000-memory.dmp

Filesize
9.9MB

Download
memory/4436-107-0x00007FFF3A570000-0x00007FFF3AF5C000-memory.dmp

Filesize
9.9MB

Download
memory/4436-101-0x00007FFF3A570000-0x00007FFF3AF5C000-memory.dmp

Filesize
9.9MB

Download
memory/4436-102-0x000000001BCC0000-0x000000001BCD0000-memory.dmp

Filesize
64KB

Download
memory/4444-45-0x00007FFF3A570000-0x00007FFF3AF5C000-memory.dmp

Filesize
9.9MB

Download
memory/4444-46-0x000000001B5C0000-0x000000001B5D0000-memory.dmp

Filesize
64KB

Download
memory/4444-50-0x00007FFF3A570000-0x00007FFF3AF5C000-memory.dmp

Filesize
9.9MB

Download
memory/4492-90-0x00007FFF3A570000-0x00007FFF3AF5C000-memory.dmp

Filesize
9.9MB

Download
memory/4492-86-0x0000000002B10000-0x0000000002B20000-memory.dmp

Filesize
64KB

Download
memory/4492-85-0x00007FFF3A570000-0x00007FFF3AF5C000-memory.dmp

Filesize
9.9MB

Download
memory/5112-82-0x00007FFF3A570000-0x00007FFF3AF5C000-memory.dmp

Filesize
9.9MB

Download
memory/5112-78-0x000000001BE00000-0x000000001BE10000-memory.dmp

Filesize
64KB

Download
memory/5112-77-0x00007FFF3A570000-0x00007FFF3AF5C000-memory.dmp

Filesize
9.9MB

Download