quasar | 76741ecdd14996115907fb61b4727a102321b829f37f027acb5bf6bd9eaf736b

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rebuild.exe
Size

3.1MB
MD5

3eedcddc5146178740acb8f2f03b17c5
SHA1

8825064b4e3780f9f291d1d15bc819bd77f84570
SHA256

76741ecdd14996115907fb61b4727a102321b829f37f027acb5bf6bd9eaf736b
SHA512

23d5f4065a34730a9a3689f3d9141ebf408f324b1f9d01daec78e4e33ae4df5c1a51ca4819c33ea317d95d6862090e5b9a5ace0055a0c54d856ab5f47d05db31
SSDEEP

49152:XvVuf2NUaNmwzPWlvdaKM7ZxTwIydumzGgoGdjTHHB72eh2NT:Xvgf2NUaNmwzPWlvdaB7ZxTwIydN

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SLAVE

uk2.localto.net:44425:44425

uk2.localto.net:44425

Mutex

cc0a2b76-665e-4e16-b318-5ee02270fbcd

Attributes

encryption_key
D7F09F1F0B9CECC640BA0B3D8975FBE5CED725B5
install_name
UpdateHost.exe
log_directory
Error Logs
reconnect_delay
3000
startup_key
WOS64
subdirectory
Windows

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5008-0-0x0000000000CE0000-0x0000000001004000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

UpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	UpdateHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	UpdateHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	UpdateHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	UpdateHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	UpdateHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	UpdateHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	UpdateHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	UpdateHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	UpdateHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	UpdateHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	UpdateHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	UpdateHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	UpdateHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	UpdateHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	UpdateHost.exe

Executes dropped EXE 15 IoCs

Processes:

pid	process
3184	UpdateHost.exe
3648	UpdateHost.exe
928	UpdateHost.exe
4540	UpdateHost.exe
1356	UpdateHost.exe
3452	UpdateHost.exe
1972	UpdateHost.exe
464	UpdateHost.exe
2268	UpdateHost.exe
1120	UpdateHost.exe
396	UpdateHost.exe
4336	UpdateHost.exe
2020	UpdateHost.exe
3052	UpdateHost.exe
1096	UpdateHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3020	schtasks.exe
2392	schtasks.exe
2200	schtasks.exe
2404	schtasks.exe
2664	schtasks.exe
4980	schtasks.exe
3232	schtasks.exe
2172	schtasks.exe
848	schtasks.exe
4712	schtasks.exe
4588	schtasks.exe
2692	schtasks.exe
3712	schtasks.exe
3288	schtasks.exe
4388	schtasks.exe
4408	schtasks.exe

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
4456	PING.EXE
4436	PING.EXE
1488	PING.EXE
3676	PING.EXE
4400	PING.EXE
1396	PING.EXE
1388	PING.EXE
5016	PING.EXE
4336	PING.EXE
988	PING.EXE
2108	PING.EXE
2200	PING.EXE
3700	PING.EXE
4796	PING.EXE
2848	PING.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

Rebuild.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exe

description	pid	process
Token: SeDebugPrivilege	5008	Rebuild.exe
Token: SeDebugPrivilege	3184	UpdateHost.exe
Token: SeDebugPrivilege	3648	UpdateHost.exe
Token: SeDebugPrivilege	928	UpdateHost.exe
Token: SeDebugPrivilege	4540	UpdateHost.exe
Token: SeDebugPrivilege	1356	UpdateHost.exe
Token: SeDebugPrivilege	3452	UpdateHost.exe
Token: SeDebugPrivilege	1972	UpdateHost.exe
Token: SeDebugPrivilege	464	UpdateHost.exe
Token: SeDebugPrivilege	2268	UpdateHost.exe
Token: SeDebugPrivilege	1120	UpdateHost.exe
Token: SeDebugPrivilege	396	UpdateHost.exe
Token: SeDebugPrivilege	4336	UpdateHost.exe
Token: SeDebugPrivilege	2020	UpdateHost.exe
Token: SeDebugPrivilege	3052	UpdateHost.exe
Token: SeDebugPrivilege	1096	UpdateHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Rebuild.exeUpdateHost.execmd.exeUpdateHost.execmd.exeUpdateHost.execmd.exeUpdateHost.execmd.exeUpdateHost.execmd.exeUpdateHost.execmd.exe

description	pid	process	target process
PID 5008 wrote to memory of 3712	5008	Rebuild.exe	schtasks.exe
PID 5008 wrote to memory of 3712	5008	Rebuild.exe	schtasks.exe
PID 5008 wrote to memory of 3184	5008	Rebuild.exe	UpdateHost.exe
PID 5008 wrote to memory of 3184	5008	Rebuild.exe	UpdateHost.exe
PID 3184 wrote to memory of 3288	3184	UpdateHost.exe	schtasks.exe
PID 3184 wrote to memory of 3288	3184	UpdateHost.exe	schtasks.exe
PID 3184 wrote to memory of 2460	3184	UpdateHost.exe	cmd.exe
PID 3184 wrote to memory of 2460	3184	UpdateHost.exe	cmd.exe
PID 2460 wrote to memory of 4700	2460	cmd.exe	chcp.com
PID 2460 wrote to memory of 4700	2460	cmd.exe	chcp.com
PID 2460 wrote to memory of 4400	2460	cmd.exe	PING.EXE
PID 2460 wrote to memory of 4400	2460	cmd.exe	PING.EXE
PID 2460 wrote to memory of 3648	2460	cmd.exe	UpdateHost.exe
PID 2460 wrote to memory of 3648	2460	cmd.exe	UpdateHost.exe
PID 3648 wrote to memory of 4388	3648	UpdateHost.exe	schtasks.exe
PID 3648 wrote to memory of 4388	3648	UpdateHost.exe	schtasks.exe
PID 3648 wrote to memory of 1396	3648	UpdateHost.exe	cmd.exe
PID 3648 wrote to memory of 1396	3648	UpdateHost.exe	cmd.exe
PID 1396 wrote to memory of 5080	1396	cmd.exe	chcp.com
PID 1396 wrote to memory of 5080	1396	cmd.exe	chcp.com
PID 1396 wrote to memory of 5016	1396	cmd.exe	PING.EXE
PID 1396 wrote to memory of 5016	1396	cmd.exe	PING.EXE
PID 1396 wrote to memory of 928	1396	cmd.exe	UpdateHost.exe
PID 1396 wrote to memory of 928	1396	cmd.exe	UpdateHost.exe
PID 928 wrote to memory of 3020	928	UpdateHost.exe	schtasks.exe
PID 928 wrote to memory of 3020	928	UpdateHost.exe	schtasks.exe
PID 928 wrote to memory of 5008	928	UpdateHost.exe	cmd.exe
PID 928 wrote to memory of 5008	928	UpdateHost.exe	cmd.exe
PID 5008 wrote to memory of 4668	5008	cmd.exe	chcp.com
PID 5008 wrote to memory of 4668	5008	cmd.exe	chcp.com
PID 5008 wrote to memory of 4456	5008	cmd.exe	PING.EXE
PID 5008 wrote to memory of 4456	5008	cmd.exe	PING.EXE
PID 5008 wrote to memory of 4540	5008	cmd.exe	UpdateHost.exe
PID 5008 wrote to memory of 4540	5008	cmd.exe	UpdateHost.exe
PID 4540 wrote to memory of 4408	4540	UpdateHost.exe	schtasks.exe
PID 4540 wrote to memory of 4408	4540	UpdateHost.exe	schtasks.exe
PID 4540 wrote to memory of 3556	4540	UpdateHost.exe	cmd.exe
PID 4540 wrote to memory of 3556	4540	UpdateHost.exe	cmd.exe
PID 3556 wrote to memory of 1136	3556	cmd.exe	chcp.com
PID 3556 wrote to memory of 1136	3556	cmd.exe	chcp.com
PID 3556 wrote to memory of 4796	3556	cmd.exe	PING.EXE
PID 3556 wrote to memory of 4796	3556	cmd.exe	PING.EXE
PID 3556 wrote to memory of 1356	3556	cmd.exe	UpdateHost.exe
PID 3556 wrote to memory of 1356	3556	cmd.exe	UpdateHost.exe
PID 1356 wrote to memory of 848	1356	UpdateHost.exe	schtasks.exe
PID 1356 wrote to memory of 848	1356	UpdateHost.exe	schtasks.exe
PID 1356 wrote to memory of 3744	1356	UpdateHost.exe	cmd.exe
PID 1356 wrote to memory of 3744	1356	UpdateHost.exe	cmd.exe
PID 3744 wrote to memory of 4484	3744	cmd.exe	chcp.com
PID 3744 wrote to memory of 4484	3744	cmd.exe	chcp.com
PID 3744 wrote to memory of 1396	3744	cmd.exe	PING.EXE
PID 3744 wrote to memory of 1396	3744	cmd.exe	PING.EXE
PID 3744 wrote to memory of 3452	3744	cmd.exe	UpdateHost.exe
PID 3744 wrote to memory of 3452	3744	cmd.exe	UpdateHost.exe
PID 3452 wrote to memory of 4712	3452	UpdateHost.exe	schtasks.exe
PID 3452 wrote to memory of 4712	3452	UpdateHost.exe	schtasks.exe
PID 3452 wrote to memory of 1096	3452	UpdateHost.exe	cmd.exe
PID 3452 wrote to memory of 1096	3452	UpdateHost.exe	cmd.exe
PID 1096 wrote to memory of 2140	1096	cmd.exe	chcp.com
PID 1096 wrote to memory of 2140	1096	cmd.exe	chcp.com
PID 1096 wrote to memory of 4436	1096	cmd.exe	PING.EXE
PID 1096 wrote to memory of 4436	1096	cmd.exe	PING.EXE
PID 1096 wrote to memory of 1972	1096	cmd.exe	UpdateHost.exe
PID 1096 wrote to memory of 1972	1096	cmd.exe	UpdateHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Rebuild.exe
"C:\Users\Admin\AppData\Local\Temp\Rebuild.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5008

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:3712

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3184

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:3288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWeigdwkFICc.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:4700

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:4400

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3648

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5xeTbbyJTvy6.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:5080

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:5016

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\I6YxABdhBbKJ.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:5008

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:4668

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:4456

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:4408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tEB3cR3pCl8v.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:3556

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:1136

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:4796

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3HpE7EcpSYth.bat" "
11⤵
- Suspicious use of WriteProcessMemory
PID:3744

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:4484

C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:1396

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3452

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:4712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bse8tG9yMQBC.bat" "
13⤵
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:2140

C:\Windows\system32\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:4436

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ScxJecnYUYtD.bat" "
15⤵
PID:4216

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:2360

C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:4336

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:464

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:2664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Cx7mc5trclPr.bat" "
17⤵
PID:2148

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:232

C:\Windows\system32\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:2848

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:2692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SKqhuzKgdv7L.bat" "
19⤵
PID:2820

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:3372

C:\Windows\system32\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:988

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JKTk53vE2itw.bat" "
21⤵
PID:1676

C:\Windows\system32\chcp.com
chcp 65001
22⤵
PID:2720

C:\Windows\system32\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:1488

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1qhtrG4aqO1S.bat" "
23⤵
PID:2968

C:\Windows\system32\chcp.com
chcp 65001
24⤵
PID:4944

C:\Windows\system32\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:2108

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nZh1eVilbxrA.bat" "
25⤵
PID:2316

C:\Windows\system32\chcp.com
chcp 65001
26⤵
PID:4712

C:\Windows\system32\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:2200

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Xe0op8HSoWsx.bat" "
27⤵
PID:4568

C:\Windows\system32\chcp.com
chcp 65001
28⤵
PID:756

C:\Windows\system32\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:3700

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:2172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D1V3yP2WeqmP.bat" "
29⤵
PID:1840

C:\Windows\system32\chcp.com
chcp 65001
30⤵
PID:4700

C:\Windows\system32\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:3676

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQMPHza5RTad.bat" "
31⤵
PID:1216

C:\Windows\system32\chcp.com
chcp 65001
32⤵
PID:1776

C:\Windows\system32\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:1388

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\UpdateHost.exe.log
Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1qhtrG4aqO1S.bat
Filesize
212B

MD5
efbf455306993ced87cb71b57841444a

SHA1
cae408d3ee1b440b223cc0d92521f67da975881a

SHA256
f6407844fd6545513970beb38f639911d9dec65eb311612d6f7620f93a34fc7c

SHA512
9cab1a7c4673b170157fe7ed9d7f520b09467508b627a7e4c184dc6d79e2448190acb1a0c13595130b6039d6dd9769cf1c9dee9bd16de04212280aa54d8b087a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3HpE7EcpSYth.bat
Filesize
212B

MD5
94ef88735d51d9e44327710e40cbdc0b

SHA1
3956a32fcc4c4f120630592beeff14de78c7a8ae

SHA256
1cfc90da696c24af7e9336904f7ec27f49aa21327145d56af96834f9c7ba446e

SHA512
a1c2ee48285ea76a9177691ce279008d91ea7773e3c839c73840d201109a2c1d5608ecf80da89420a7384c0a90dce0ba3a60be7f57f1708ef60c119ad867bf2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5xeTbbyJTvy6.bat
Filesize
212B

MD5
df5f3c7012873240beee86559343a89f

SHA1
02a9a6d5b6a439a41b87e3e7e803b5942f2e31d5

SHA256
50dad83bab76adc313c1a5591be330050652d8cb0e7c4ae76ad2afb74c2299f2

SHA512
a6bf54d941935cb06cc558a518ecacf8b392b677f669c0dadc9b5fdee3272cafdc86f8c4be2684404d53ba121d16073466b26b1df68bd6ae932e24743a571bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cx7mc5trclPr.bat
Filesize
212B

MD5
964b8dc423bbc5ca82baab7169f2ba29

SHA1
d87bfbb0329722c6ad9cfe304f19544c6c0f85dc

SHA256
a0398ece77fe630e58f8fa21ccaf6464e708222bb831c7ca1f31083d7d5c3d4d

SHA512
7b90cc2cf20206214f0a883a768fe12a2aa88a6bc09665e663e550aeb8fbe4f435f7bca6e5c9c4990b6c1cef986fe79762458e367a79abc408ea6a6bca4259ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\D1V3yP2WeqmP.bat
Filesize
212B

MD5
8eb85e5beb5ac9016a6b0b45e1ccb192

SHA1
e358d2c72d0075e764a7f2932c1a5927cd5557bf

SHA256
fdde1b1259d1685ec3489c11a01a9f3095fdd5617a2546cbf13ef2760dd110ab

SHA512
4c2c69c8adb8d487aad27ed7d75175d76b6aff1e03486a3e09a1e699cf8a794d8abca9275a71954f851ed42181d42982fe75d5acb19dcb0bd4d8465fd5702cf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\I6YxABdhBbKJ.bat
Filesize
212B

MD5
dc0470d53d006c83cc9c38297929122f

SHA1
fa3a9e322f0131496bbffb2b067be6bd39e472d3

SHA256
cb1bd00fea238f1f49cec4458d02917ae527e25960e95d7d86f911ca3fe98fb8

SHA512
b4ff17e9e532767185e845011ba7183fc74c7aab4f5b641ed2d11a4e1a287cdbebb5e554c94de5b9eb4690f72ef3492d61998abe306a9c4cd5e500a8aab35f8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\JKTk53vE2itw.bat
Filesize
212B

MD5
b433ccea5552076cff63b7440040eb21

SHA1
6f8772d65c1274e1fa758e1c6984c246ae1bdc13

SHA256
d29ee19b7b4643b49dd69259479cb32ba20981aac1fdcaff4e2bc18d7c368666

SHA512
fc34e6cc4e386f8c34975897e2ea330702631c3089971813b4c0a96eb4f1be867b962440fb3d19fbc739f88f727c172d03f1222983cad9320f1f5517f4f614bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\SKqhuzKgdv7L.bat
Filesize
212B

MD5
c9446ce24b5b5a3687cabf365203af83

SHA1
d78f0cbf21200ba62d3afcfe2e18f6efca2f342b

SHA256
ac8b64ce273ce8849c9fe0957d7533e46b8b50fd80344245df74ab13302d769f

SHA512
1d9c69f39fe12d5a56e7137d3ce34e7048a889abfd8fdacfece11cd15d7edb117e2b9d68fa5ee76f7fe0bb04ba7fc3f75d5822bba128195d8fb7e30ebdbcf713

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScxJecnYUYtD.bat
Filesize
212B

MD5
2b2e235381693b296f6467a78ec79794

SHA1
915dc5c78eac91ef12e9d359e62e14bc1bb9cd6e

SHA256
d85808936c06027632cc7dc6163345349af1f724bff54368f15e06cd4a58fc0a

SHA512
8107afa1be8ca65ae048815f5d932a2471cf5f2dba06e27b84af8929addcbe1f4001de9002f68ca6f884eda1eb8f9f6f47f79981c448061bb550b51b480a8048

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xe0op8HSoWsx.bat
Filesize
212B

MD5
c1975c7bd53bbaed7e704ae5c01df578

SHA1
ea69c86638220a490ed8bd2c51f6ec322696865d

SHA256
886f83d8a92d6e31c6d2671ba11b12e6cc3b2cfa65ed588e8a01dbc8f13b2e00

SHA512
ddc039ea35c3b82ed82b0eda7279b0c41f5b495a2d7adba638275dde4870cff0e697f606a9727ca6b540ef79d52124357cc0659e1a82f6809ccee32efef00987

Download Submit
C:\Users\Admin\AppData\Local\Temp\bse8tG9yMQBC.bat
Filesize
212B

MD5
6b202e81470e7890fb887e2aef7af944

SHA1
9c13a478457ad90eb8087b600e124dd32315df05

SHA256
290ee50431233628edc9b60a623d2f5f62140918bdbe9f52a0735489b02f3c79

SHA512
6c02c0a923f0f7a995f7977df01d217a8381dcdb01ebc33236aa738f6c4b3b4e8104b7a148d089544b61edd1e9bbaf55d5a635076ee92dd2a7037c988f1a48f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\fQMPHza5RTad.bat
Filesize
212B

MD5
6b9fc8de54e69b5f2e070465c5765a31

SHA1
568a34c6a8b694d7d49a300ae6a961c414040cbd

SHA256
14cf21c4ffe3ea86209561f86f1af4ebb09f50b7a3d62b6678168b40e132f6e4

SHA512
4562b0ced6abd8cb07707fa1c3cd316994311771920d6a1e32abb69dcaaadcaf9466cc9899ea4ba1bb764f4d134e55e495136e285c1fc6ca509ed999b2b71e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\nZh1eVilbxrA.bat
Filesize
212B

MD5
a0175fda2bfd45be171af92132580904

SHA1
59006b4cafce4f416eff41eba9a60f21ac617d58

SHA256
cab84642c85454753d9792657c7b803c7e80eeeafe0025ac49798828e6a11000

SHA512
b2b35e245effbfe10dc913d5e5d7d5f6c86600f11e4bf7abeef359cc793b0b2c501e4f88abacc021fa124c77c6fa0cc17c08309840968fd52079c7837f73c604

Download Submit
C:\Users\Admin\AppData\Local\Temp\tEB3cR3pCl8v.bat
Filesize
212B

MD5
1119bdc079a3cd68eb047f8cc6c211d3

SHA1
591dcc8a9de47bdd871bc36f86ec27ce6604d336

SHA256
beeb39b405ebc845694590e63f9ba36f6647b080a3e7947f828f48fdcf3ab1c4

SHA512
c6bd448dc97d09b8500d980043fbbeb26902c6be402a631b2633422989953038b4db207bc88e66ae75a48c2fcd24f480b705f21712a60897760b3e9fe2d4dadf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tWeigdwkFICc.bat
Filesize
212B

MD5
a5a795f67f50dcce790d7723dc39692a

SHA1
a66f59545ef4aa7b518656a271dcc446e38626ec

SHA256
c34e9abaf73732d431694815fc8b73855b135f4c376766c534e29b9fff373ea5

SHA512
e44f3fd15372ca68ef9631cc8a1848e11be9de164c2e7861e80eb5f26cb2a8fe7db206304eb627c3fde20d5d97d1b5397ff22ba5fe3fc767e239523d17eb142c

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
Filesize
3.1MB

MD5
3eedcddc5146178740acb8f2f03b17c5

SHA1
8825064b4e3780f9f291d1d15bc819bd77f84570

SHA256
76741ecdd14996115907fb61b4727a102321b829f37f027acb5bf6bd9eaf736b

SHA512
23d5f4065a34730a9a3689f3d9141ebf408f324b1f9d01daec78e4e33ae4df5c1a51ca4819c33ea317d95d6862090e5b9a5ace0055a0c54d856ab5f47d05db31

Download Submit
memory/396-93-0x00007FF95C220000-0x00007FF95CCE1000-memory.dmp

Filesize
10.8MB

Download
memory/396-94-0x000000001BB40000-0x000000001BB50000-memory.dmp

Filesize
64KB

Download
memory/396-98-0x00007FF95C220000-0x00007FF95CCE1000-memory.dmp

Filesize
10.8MB

Download
memory/464-74-0x00007FF95BAB0000-0x00007FF95C571000-memory.dmp

Filesize
10.8MB

Download
memory/464-70-0x000000001BFC0000-0x000000001BFD0000-memory.dmp

Filesize
64KB

Download
memory/464-69-0x00007FF95BAB0000-0x00007FF95C571000-memory.dmp

Filesize
10.8MB

Download
memory/928-30-0x000000001BC80000-0x000000001BC90000-memory.dmp

Filesize
64KB

Download
memory/928-34-0x00007FF95CBD0000-0x00007FF95D691000-memory.dmp

Filesize
10.8MB

Download
memory/928-29-0x00007FF95CBD0000-0x00007FF95D691000-memory.dmp

Filesize
10.8MB

Download
memory/1096-130-0x00007FF95C220000-0x00007FF95CCE1000-memory.dmp

Filesize
10.8MB

Download
memory/1096-126-0x000000001BC20000-0x000000001BC30000-memory.dmp

Filesize
64KB

Download
memory/1096-125-0x00007FF95C220000-0x00007FF95CCE1000-memory.dmp

Filesize
10.8MB

Download
memory/1120-86-0x000000001B0D0000-0x000000001B0E0000-memory.dmp

Filesize
64KB

Download
memory/1120-85-0x00007FF95C170000-0x00007FF95CC31000-memory.dmp

Filesize
10.8MB

Download
memory/1120-90-0x00007FF95C170000-0x00007FF95CC31000-memory.dmp

Filesize
10.8MB

Download
memory/1356-45-0x00007FF95C650000-0x00007FF95D111000-memory.dmp

Filesize
10.8MB

Download
memory/1356-50-0x00007FF95C650000-0x00007FF95D111000-memory.dmp

Filesize
10.8MB

Download
memory/1356-46-0x000000001B780000-0x000000001B790000-memory.dmp

Filesize
64KB

Download
memory/1972-62-0x000000001BBE0000-0x000000001BBF0000-memory.dmp

Filesize
64KB

Download
memory/1972-66-0x00007FF95C0B0000-0x00007FF95CB71000-memory.dmp

Filesize
10.8MB

Download
memory/1972-61-0x00007FF95C0B0000-0x00007FF95CB71000-memory.dmp

Filesize
10.8MB

Download
memory/2020-110-0x000000001BD00000-0x000000001BD10000-memory.dmp

Filesize
64KB

Download
memory/2020-114-0x00007FF95B950000-0x00007FF95C411000-memory.dmp

Filesize
10.8MB

Download
memory/2020-109-0x00007FF95B950000-0x00007FF95C411000-memory.dmp

Filesize
10.8MB

Download
memory/2268-77-0x00007FF95C120000-0x00007FF95CBE1000-memory.dmp

Filesize
10.8MB

Download
memory/2268-78-0x0000000000E60000-0x0000000000E70000-memory.dmp

Filesize
64KB

Download
memory/2268-82-0x00007FF95C120000-0x00007FF95CBE1000-memory.dmp

Filesize
10.8MB

Download
memory/3052-118-0x000000001BD10000-0x000000001BD20000-memory.dmp

Filesize
64KB

Download
memory/3052-117-0x00007FF95B950000-0x00007FF95C411000-memory.dmp

Filesize
10.8MB

Download
memory/3052-122-0x00007FF95B950000-0x00007FF95C411000-memory.dmp

Filesize
10.8MB

Download
memory/3184-10-0x000000001B920000-0x000000001B930000-memory.dmp

Filesize
64KB

Download
memory/3184-17-0x00007FF95DE40000-0x00007FF95E901000-memory.dmp

Filesize
10.8MB

Download
memory/3184-12-0x000000001C430000-0x000000001C4E2000-memory.dmp

Filesize
712KB

Download
memory/3184-11-0x000000001B8B0000-0x000000001B900000-memory.dmp

Filesize
320KB

Download
memory/3184-9-0x00007FF95DE40000-0x00007FF95E901000-memory.dmp

Filesize
10.8MB

Download
memory/3452-58-0x00007FF95C100000-0x00007FF95CBC1000-memory.dmp

Filesize
10.8MB

Download
memory/3452-54-0x000000001B8E0000-0x000000001B8F0000-memory.dmp

Filesize
64KB

Download
memory/3452-53-0x00007FF95C100000-0x00007FF95CBC1000-memory.dmp

Filesize
10.8MB

Download
memory/3648-22-0x000000001BDC0000-0x000000001BDD0000-memory.dmp

Filesize
64KB

Download
memory/3648-26-0x00007FF95D100000-0x00007FF95DBC1000-memory.dmp

Filesize
10.8MB

Download
memory/3648-21-0x00007FF95D100000-0x00007FF95DBC1000-memory.dmp

Filesize
10.8MB

Download
memory/4336-102-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/4336-106-0x00007FF95B950000-0x00007FF95C411000-memory.dmp

Filesize
10.8MB

Download
memory/4336-101-0x00007FF95B950000-0x00007FF95C411000-memory.dmp

Filesize
10.8MB

Download
memory/4540-38-0x00000000018B0000-0x00000000018C0000-memory.dmp

Filesize
64KB

Download
memory/4540-37-0x00007FF95CB70000-0x00007FF95D631000-memory.dmp

Filesize
10.8MB

Download
memory/4540-42-0x00007FF95CB70000-0x00007FF95D631000-memory.dmp

Filesize
10.8MB

Download
memory/5008-8-0x00007FF95DE40000-0x00007FF95E901000-memory.dmp

Filesize
10.8MB

Download
memory/5008-2-0x000000001C010000-0x000000001C020000-memory.dmp

Filesize
64KB

Download
memory/5008-0-0x0000000000CE0000-0x0000000001004000-memory.dmp

Filesize
3.1MB

Download
memory/5008-1-0x00007FF95DE40000-0x00007FF95E901000-memory.dmp

Filesize
10.8MB

Download