quasar | 76741ecdd14996115907fb61b4727a102321b829f37f027acb5bf6bd9eaf736b

Analysis

max time kernel
144s
max time network
96s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
21-04-2024 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rebuild.exe
Size

3.1MB
MD5

3eedcddc5146178740acb8f2f03b17c5
SHA1

8825064b4e3780f9f291d1d15bc819bd77f84570
SHA256

76741ecdd14996115907fb61b4727a102321b829f37f027acb5bf6bd9eaf736b
SHA512

23d5f4065a34730a9a3689f3d9141ebf408f324b1f9d01daec78e4e33ae4df5c1a51ca4819c33ea317d95d6862090e5b9a5ace0055a0c54d856ab5f47d05db31
SSDEEP

49152:XvVuf2NUaNmwzPWlvdaKM7ZxTwIydumzGgoGdjTHHB72eh2NT:Xvgf2NUaNmwzPWlvdaB7ZxTwIydN

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SLAVE

uk2.localto.net:44425:44425

uk2.localto.net:44425

Mutex

cc0a2b76-665e-4e16-b318-5ee02270fbcd

Attributes

encryption_key
D7F09F1F0B9CECC640BA0B3D8975FBE5CED725B5
install_name
UpdateHost.exe
log_directory
Error Logs
reconnect_delay
3000
startup_key
WOS64
subdirectory
Windows

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral3/memory/1544-0-0x0000000000C80000-0x0000000000FA4000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe	family_quasar

Executes dropped EXE 15 IoCs

Processes:

UpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exe

pid	process
496	UpdateHost.exe
2180	UpdateHost.exe
1948	UpdateHost.exe
2596	UpdateHost.exe
3388	UpdateHost.exe
3912	UpdateHost.exe
4444	UpdateHost.exe
2388	UpdateHost.exe
800	UpdateHost.exe
2160	UpdateHost.exe
2984	UpdateHost.exe
2356	UpdateHost.exe
4916	UpdateHost.exe
3372	UpdateHost.exe
4960	UpdateHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3732	schtasks.exe
4632	schtasks.exe
3420	schtasks.exe
4080	schtasks.exe
3140	schtasks.exe
4400	schtasks.exe
2096	schtasks.exe
1020	schtasks.exe
4740	schtasks.exe
4072	schtasks.exe
2204	schtasks.exe
1384	schtasks.exe
4548	schtasks.exe
2964	schtasks.exe
2168	schtasks.exe
1500	schtasks.exe

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
1564	PING.EXE
972	PING.EXE
900	PING.EXE
1972	PING.EXE
4412	PING.EXE
4900	PING.EXE
2760	PING.EXE
2192	PING.EXE
440	PING.EXE
2644	PING.EXE
4972	PING.EXE
3204	PING.EXE
4312	PING.EXE
5116	PING.EXE
5068	PING.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

Rebuild.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exeUpdateHost.exe

description	pid	process
Token: SeDebugPrivilege	1544	Rebuild.exe
Token: SeDebugPrivilege	496	UpdateHost.exe
Token: SeDebugPrivilege	2180	UpdateHost.exe
Token: SeDebugPrivilege	1948	UpdateHost.exe
Token: SeDebugPrivilege	2596	UpdateHost.exe
Token: SeDebugPrivilege	3388	UpdateHost.exe
Token: SeDebugPrivilege	3912	UpdateHost.exe
Token: SeDebugPrivilege	4444	UpdateHost.exe
Token: SeDebugPrivilege	2388	UpdateHost.exe
Token: SeDebugPrivilege	800	UpdateHost.exe
Token: SeDebugPrivilege	2160	UpdateHost.exe
Token: SeDebugPrivilege	2984	UpdateHost.exe
Token: SeDebugPrivilege	2356	UpdateHost.exe
Token: SeDebugPrivilege	4916	UpdateHost.exe
Token: SeDebugPrivilege	3372	UpdateHost.exe
Token: SeDebugPrivilege	4960	UpdateHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Rebuild.exeUpdateHost.execmd.exeUpdateHost.execmd.exeUpdateHost.execmd.exeUpdateHost.execmd.exeUpdateHost.execmd.exeUpdateHost.execmd.exe

description	pid	process	target process
PID 1544 wrote to memory of 2096	1544	Rebuild.exe	schtasks.exe
PID 1544 wrote to memory of 2096	1544	Rebuild.exe	schtasks.exe
PID 1544 wrote to memory of 496	1544	Rebuild.exe	UpdateHost.exe
PID 1544 wrote to memory of 496	1544	Rebuild.exe	UpdateHost.exe
PID 496 wrote to memory of 2204	496	UpdateHost.exe	schtasks.exe
PID 496 wrote to memory of 2204	496	UpdateHost.exe	schtasks.exe
PID 496 wrote to memory of 868	496	UpdateHost.exe	cmd.exe
PID 496 wrote to memory of 868	496	UpdateHost.exe	cmd.exe
PID 868 wrote to memory of 3520	868	cmd.exe	chcp.com
PID 868 wrote to memory of 3520	868	cmd.exe	chcp.com
PID 868 wrote to memory of 440	868	cmd.exe	PING.EXE
PID 868 wrote to memory of 440	868	cmd.exe	PING.EXE
PID 868 wrote to memory of 2180	868	cmd.exe	UpdateHost.exe
PID 868 wrote to memory of 2180	868	cmd.exe	UpdateHost.exe
PID 2180 wrote to memory of 4632	2180	UpdateHost.exe	schtasks.exe
PID 2180 wrote to memory of 4632	2180	UpdateHost.exe	schtasks.exe
PID 2180 wrote to memory of 2244	2180	UpdateHost.exe	cmd.exe
PID 2180 wrote to memory of 2244	2180	UpdateHost.exe	cmd.exe
PID 2244 wrote to memory of 1932	2244	cmd.exe	chcp.com
PID 2244 wrote to memory of 1932	2244	cmd.exe	chcp.com
PID 2244 wrote to memory of 2644	2244	cmd.exe	PING.EXE
PID 2244 wrote to memory of 2644	2244	cmd.exe	PING.EXE
PID 2244 wrote to memory of 1948	2244	cmd.exe	UpdateHost.exe
PID 2244 wrote to memory of 1948	2244	cmd.exe	UpdateHost.exe
PID 1948 wrote to memory of 1384	1948	UpdateHost.exe	schtasks.exe
PID 1948 wrote to memory of 1384	1948	UpdateHost.exe	schtasks.exe
PID 1948 wrote to memory of 1400	1948	UpdateHost.exe	cmd.exe
PID 1948 wrote to memory of 1400	1948	UpdateHost.exe	cmd.exe
PID 1400 wrote to memory of 4836	1400	cmd.exe	chcp.com
PID 1400 wrote to memory of 4836	1400	cmd.exe	chcp.com
PID 1400 wrote to memory of 1972	1400	cmd.exe	PING.EXE
PID 1400 wrote to memory of 1972	1400	cmd.exe	PING.EXE
PID 1400 wrote to memory of 2596	1400	cmd.exe	UpdateHost.exe
PID 1400 wrote to memory of 2596	1400	cmd.exe	UpdateHost.exe
PID 2596 wrote to memory of 4548	2596	UpdateHost.exe	schtasks.exe
PID 2596 wrote to memory of 4548	2596	UpdateHost.exe	schtasks.exe
PID 2596 wrote to memory of 1324	2596	UpdateHost.exe	cmd.exe
PID 2596 wrote to memory of 1324	2596	UpdateHost.exe	cmd.exe
PID 1324 wrote to memory of 3540	1324	cmd.exe	chcp.com
PID 1324 wrote to memory of 3540	1324	cmd.exe	chcp.com
PID 1324 wrote to memory of 5116	1324	cmd.exe	PING.EXE
PID 1324 wrote to memory of 5116	1324	cmd.exe	PING.EXE
PID 1324 wrote to memory of 3388	1324	cmd.exe	UpdateHost.exe
PID 1324 wrote to memory of 3388	1324	cmd.exe	UpdateHost.exe
PID 3388 wrote to memory of 2168	3388	UpdateHost.exe	schtasks.exe
PID 3388 wrote to memory of 2168	3388	UpdateHost.exe	schtasks.exe
PID 3388 wrote to memory of 1620	3388	UpdateHost.exe	cmd.exe
PID 3388 wrote to memory of 1620	3388	UpdateHost.exe	cmd.exe
PID 1620 wrote to memory of 4064	1620	cmd.exe	chcp.com
PID 1620 wrote to memory of 4064	1620	cmd.exe	chcp.com
PID 1620 wrote to memory of 4412	1620	cmd.exe	PING.EXE
PID 1620 wrote to memory of 4412	1620	cmd.exe	PING.EXE
PID 1620 wrote to memory of 3912	1620	cmd.exe	UpdateHost.exe
PID 1620 wrote to memory of 3912	1620	cmd.exe	UpdateHost.exe
PID 3912 wrote to memory of 3420	3912	UpdateHost.exe	schtasks.exe
PID 3912 wrote to memory of 3420	3912	UpdateHost.exe	schtasks.exe
PID 3912 wrote to memory of 2816	3912	UpdateHost.exe	cmd.exe
PID 3912 wrote to memory of 2816	3912	UpdateHost.exe	cmd.exe
PID 2816 wrote to memory of 2304	2816	cmd.exe	chcp.com
PID 2816 wrote to memory of 2304	2816	cmd.exe	chcp.com
PID 2816 wrote to memory of 5068	2816	cmd.exe	PING.EXE
PID 2816 wrote to memory of 5068	2816	cmd.exe	PING.EXE
PID 2816 wrote to memory of 4444	2816	cmd.exe	UpdateHost.exe
PID 2816 wrote to memory of 4444	2816	cmd.exe	UpdateHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Rebuild.exe
"C:\Users\Admin\AppData\Local\Temp\Rebuild.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2096

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:496

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jXxTWKleSUW2.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:3520

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:440

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e3DiYUj6nLMK.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:1932

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:2644

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:1384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\J0JJPqJlyat8.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:4836

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:1972

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M9QGBogN830j.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:3540

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:5116

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3388

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:2168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e1qUtNHac1ah.bat" "
11⤵
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:4064

C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:4412

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3912

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:3420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1vUZ2tQWolDG.bat" "
13⤵
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:2304

C:\Windows\system32\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:5068

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:2964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SjvAyo026zny.bat" "
15⤵
PID:3640

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:336

C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:4900

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
16⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:4080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\R99nMB43iI4I.bat" "
17⤵
PID:1616

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:3756

C:\Windows\system32\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:2760

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
18⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:3140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ak6ICzbWq73c.bat" "
19⤵
PID:4468

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:3432

C:\Windows\system32\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:2192

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8moDhmnki5tw.bat" "
21⤵
PID:4540

C:\Windows\system32\chcp.com
chcp 65001
22⤵
PID:3804

C:\Windows\system32\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:3204

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
22⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\izC8M7U7kDGt.bat" "
23⤵
PID:5096

C:\Windows\system32\chcp.com
chcp 65001
24⤵
PID:3444

C:\Windows\system32\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:4972

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
24⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:4740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5UBuW7rLyatj.bat" "
25⤵
PID:3528

C:\Windows\system32\chcp.com
chcp 65001
26⤵
PID:2668

C:\Windows\system32\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:4312

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
26⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USy9qwIqlQdE.bat" "
27⤵
PID:4412

C:\Windows\system32\chcp.com
chcp 65001
28⤵
PID:2780

C:\Windows\system32\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:1564

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
28⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3372

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:3732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r3wHAGVDABGY.bat" "
29⤵
PID:1080

C:\Windows\system32\chcp.com
chcp 65001
30⤵
PID:5016

C:\Windows\system32\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:972

C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
"C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe"
30⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WOS64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:4072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\otxBU7agMtNs.bat" "
31⤵
PID:1804

C:\Windows\system32\chcp.com
chcp 65001
32⤵
PID:4624

C:\Windows\system32\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:900

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\UpdateHost.exe.log
Filesize
2KB

MD5
15eab799098760706ed95d314e75449d

SHA1
273fb07e40148d5c267ca53f958c5075d24c4444

SHA256
45030bd997f50bb52c481f7bc86fac5f375d08911bcc106b98d9d8f0c2ce9778

SHA512
50c125e2a98740db0a0122d7f4de97c50d84623e800b3d3e173049c8e28ff0fbe4add7677bc56cb2228f78ed17522f67ae8f1b85f62824012414ce38ce0b500c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1vUZ2tQWolDG.bat
Filesize
212B

MD5
6041236969849d7b40c9924cbcb7ba2c

SHA1
7773aa3dc7af014decd4b0c76dee1f6c8b370bc9

SHA256
689f6b82c9ff94fa3e41c14b1b3dd98ee28aaf29d5397e2e5c0acd0e0a13285f

SHA512
7abb8f3a5b5b018bdd987919afc70cd3aa6e89f50f26dc50f22b710e33b9231ef1995d746650b0e2d9be2864d826e516d2c82bd68e46f02885094285c0a46575

Download Submit
C:\Users\Admin\AppData\Local\Temp\5UBuW7rLyatj.bat
Filesize
212B

MD5
93cb2ed5899fc7b2e940007e9fbbc17a

SHA1
a36d4256f5df966ea16026c312b340db9e0d2764

SHA256
ae412c388d06952e50b4faa66ead2ebbced54af6cacd9f8cff1a344dfff4a807

SHA512
10bbe22c98bf750b86ebcd8381cc97104d2ebe646325879cc7fd9317dcba4bd44e628257db63ac61773ec20140316832bcca413d176c31d7c7dfdb0f0cac72d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8moDhmnki5tw.bat
Filesize
212B

MD5
35ed3a4b59e8aaae21a848e1748ae882

SHA1
d6c3ed7a19d9b62c55628f03554d840eec3e09a2

SHA256
73f10c4079bac62403c0be77ceada0102b07dfc58a3effbb422709f2fd93feb2

SHA512
18583ac6d47c7b075d055b1e80c303f3601670659ccc9b1baa3cbf3bfb2d8881e096681f91e3ae823841f5e4dfe2efaab93c1fdc8d9b06eb6c5aa1a538a2b434

Download Submit
C:\Users\Admin\AppData\Local\Temp\J0JJPqJlyat8.bat
Filesize
212B

MD5
292bbb0f056a0a163fa1e5ccb39f2ce7

SHA1
047e3b2f769173d948d7d27a52ba5fc53b4ad306

SHA256
a1733756fb84b5281bb4f701ced773e9ba96ac396be8903bd1404adf01681b16

SHA512
32f1a01d0ab2ccfe49807f47bc632b3cf0a76a4e20a3c0169fea3aa1ea94728933e68f3f37240678280a062742c7c7bb9dc24220711142be81398c59fd827f64

Download Submit
C:\Users\Admin\AppData\Local\Temp\M9QGBogN830j.bat
Filesize
212B

MD5
64245bf846e770749588b10a8066fa47

SHA1
dee8def12f5b20d07388d913cebd42a999d486dd

SHA256
b3a72d606cdce4034f481eb0efdca881b4b89d91881c50576ddb246ae36301dc

SHA512
fc72c7d80410c8da9d5369048231c994ca70b226be10026c48077bc330157fd6253ae7b0f9d16210f8d03aa29bef518bee8abedb3bf8723b1d33a75ac15ff3b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\R99nMB43iI4I.bat
Filesize
212B

MD5
44fd4ce8ee4c282af36e8e33447df208

SHA1
3bca469f9b825826aa01896d24560723c3dd7fb7

SHA256
bb5646550846b8c49c9b648eaf81190947dbba2c8e5139d02c4f69a5f4892ca2

SHA512
b47fa45a028f72d6dc209a00d607db769516c9f27b1180d089fc949d01b2eb12151689664f1ec6a5b852734cf97cdab103095703c27f1db442ff0df454fd9e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SjvAyo026zny.bat
Filesize
212B

MD5
d5c61f30c354634614a215e55ee04c04

SHA1
064228de95131730259efa5f9c6c49b086d9d671

SHA256
7605d675af5cc0253beaca9de594cdb7639c5df7cce0ad60761ca8c1c7782a7d

SHA512
6fa1b5624dab731da4e903f990e6907a56a9f1128a6740bbfb59a7a67660a4d80ff6abdc9fd8b0c15923775abd02cf0471cffd91363aeffd4fb731707a297305

Download Submit
C:\Users\Admin\AppData\Local\Temp\USy9qwIqlQdE.bat
Filesize
212B

MD5
e8ed41778b3dd437443607a093b8eafd

SHA1
9991eb775f6efe1a959630ac3d3088d71f64ef30

SHA256
c17826fb053c72a4c3d57569402fcbcf6eb5da6b65ccd0244cd7aa7fd1fed638

SHA512
a7a56cb758989278977bec9a6c665a192d5ff5308d35c5ee842aadf51542038509aaaa0633e15a46a78443b0eb0c36e546c9b202df5ccaf2cded31cd476437c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ak6ICzbWq73c.bat
Filesize
212B

MD5
885263d4366ded9ca15ee7a75de10561

SHA1
de27215bd24d2b8a61cf7a664765fc4cfdd3efae

SHA256
e8b3eb31aa8b90549895ed401207d76d8738961b9b764f5550fe3d90e306cf2b

SHA512
28e87de021d6407e6630c4a9441315e854f2790af6714d46d499586d2cbabd0922d6c12bbbacdc7061e9b2cd1d913351cd48fb89252426a2795129b18ccc4540

Download Submit
C:\Users\Admin\AppData\Local\Temp\e1qUtNHac1ah.bat
Filesize
212B

MD5
7b593d742138ecb6bf9d8b538e2c2505

SHA1
0950f73a2eeee6b1e74eea7b956abbb0bd2b23bf

SHA256
38f8cc46a476b5ea151f2173be09befcb247b0424a964ba1d947bd67b970aee5

SHA512
47f3e256b3b3d36952203ca879f23ecf9b3bad0576a5f9aebc3769f615dd59bb633fd6a1a9036031278133b03c540555b7d6e17f8ef08e056ca88765349e5add

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3DiYUj6nLMK.bat
Filesize
212B

MD5
c37b75db4e517d49d466c2dc54c1f4d4

SHA1
1776709060b5627e0703c9d82bae435956870a4f

SHA256
9fcf1a1cca37e447bb53df4c6e63012ecfe275eca785819942dcf0be140fbab9

SHA512
f7ebffa3eb1f6c894e63c53a21f734e56ca947d23388a35bfb4b206ce62fb8f436e92fcb336bc0cdb2da9313d9ac3425debbc4ec445fc92029daf03203e10404

Download Submit
C:\Users\Admin\AppData\Local\Temp\izC8M7U7kDGt.bat
Filesize
212B

MD5
89f31f6a8a08d31e86fc48b43a22b916

SHA1
3766040a37a76e2cfd19cdcdfc29c7b37a3740c6

SHA256
59d970369dc613fdd787918e9710bf5a088beb9b2e0178921d9f6a44b4225c74

SHA512
e6bef77e3fed6f9e47900f2b92a2d5c2cdc55f6688cf89cdd8e0954e94df8ae83f0695cef78b3e9fd0933e5d014cbcf744f2a6603c5d7834fa8d9e01cc45888d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jXxTWKleSUW2.bat
Filesize
212B

MD5
0d114e623245af6d3cf0437d93afae5e

SHA1
73e6fb47650a5575cd35443c5fc1f90715ca0b46

SHA256
b2793bd2470e8f68c69191253c23a201f05d9ae95bab2c57f912926f69018575

SHA512
3443a53d56cc1a344fa4c9ed002b4b8404b9b080fd0bdf42300e425bef7964c922cded0162bf6b27edbad89fba06faa0d7690ed49b8d41354a926505cfc284b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\otxBU7agMtNs.bat
Filesize
212B

MD5
d1524ab4d5c5fbb982e79d1e3a364aa4

SHA1
b1caadfeb27beedcad9a869910c1dba373283915

SHA256
ceb2bb5c1f1a0e23441f80e6531cda3e0504b92dbf6404154f2d40b631ae505b

SHA512
d5753132b56ca96e50f54acffc1679e084a4df3ba6d8919c596e3bf732d875cdacba5f4050c015261cfa7da9344521684e9692fd212fd14a44d2d774ea6b07e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\r3wHAGVDABGY.bat
Filesize
212B

MD5
d5c1bb7f8f3270dd5599d10e2deb4cb6

SHA1
67f8baf402bdf672b9932225b4b329fd013fb60c

SHA256
989e49d17b17a68fa7fa7c81146bd503db22434f362f9ff709574d61fa3e330a

SHA512
1f7df0fd3cf020489d4bfb15205577e6a896caa805b341f268476a6c9b2a8312044cdc837eb6c090f61955069d716f67458c21d6326e55adf3273235ed23421b

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\UpdateHost.exe
Filesize
3.1MB

MD5
3eedcddc5146178740acb8f2f03b17c5

SHA1
8825064b4e3780f9f291d1d15bc819bd77f84570

SHA256
76741ecdd14996115907fb61b4727a102321b829f37f027acb5bf6bd9eaf736b

SHA512
23d5f4065a34730a9a3689f3d9141ebf408f324b1f9d01daec78e4e33ae4df5c1a51ca4819c33ea317d95d6862090e5b9a5ace0055a0c54d856ab5f47d05db31

Download Submit
memory/496-11-0x0000000002BA0000-0x0000000002BF0000-memory.dmp

Filesize
320KB

Download
memory/496-18-0x00007FFB1BA30000-0x00007FFB1C4F2000-memory.dmp

Filesize
10.8MB

Download
memory/496-12-0x000000001C3D0000-0x000000001C482000-memory.dmp

Filesize
712KB

Download
memory/496-10-0x000000001B7D0000-0x000000001B7E0000-memory.dmp

Filesize
64KB

Download
memory/496-9-0x00007FFB1BA30000-0x00007FFB1C4F2000-memory.dmp

Filesize
10.8MB

Download
memory/800-82-0x00007FFB1BA30000-0x00007FFB1C4F2000-memory.dmp

Filesize
10.8MB

Download
memory/800-78-0x000000001BA30000-0x000000001BA40000-memory.dmp

Filesize
64KB

Download
memory/800-77-0x00007FFB1BA30000-0x00007FFB1C4F2000-memory.dmp

Filesize
10.8MB

Download
memory/1544-2-0x00000000030E0000-0x00000000030F0000-memory.dmp

Filesize
64KB

Download
memory/1544-0-0x0000000000C80000-0x0000000000FA4000-memory.dmp

Filesize
3.1MB

Download
memory/1544-1-0x00007FFB1BA30000-0x00007FFB1C4F2000-memory.dmp

Filesize
10.8MB

Download
memory/1544-8-0x00007FFB1BA30000-0x00007FFB1C4F2000-memory.dmp

Filesize
10.8MB

Download
memory/1948-30-0x000000001B740000-0x000000001B750000-memory.dmp

Filesize
64KB

Download
memory/1948-35-0x00007FFB1BA30000-0x00007FFB1C4F2000-memory.dmp

Filesize
10.8MB

Download
memory/1948-29-0x00007FFB1BA30000-0x00007FFB1C4F2000-memory.dmp

Filesize
10.8MB

Download
memory/2160-86-0x000000001BD40000-0x000000001BD50000-memory.dmp

Filesize
64KB

Download
memory/2160-90-0x00007FFB1BA30000-0x00007FFB1C4F2000-memory.dmp

Filesize
10.8MB

Download
memory/2160-85-0x00007FFB1BA30000-0x00007FFB1C4F2000-memory.dmp

Filesize
10.8MB

Download
memory/2180-26-0x00007FFB1BA30000-0x00007FFB1C4F2000-memory.dmp

Filesize
10.8MB

Download
memory/2180-22-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/2180-21-0x00007FFB1BA30000-0x00007FFB1C4F2000-memory.dmp

Filesize
10.8MB

Download
memory/2356-101-0x00007FFB1BA30000-0x00007FFB1C4F2000-memory.dmp

Filesize
10.8MB

Download
memory/2356-106-0x00007FFB1BA30000-0x00007FFB1C4F2000-memory.dmp

Filesize
10.8MB

Download
memory/2356-102-0x0000000001770000-0x0000000001780000-memory.dmp

Filesize
64KB

Download
memory/2388-70-0x000000001B620000-0x000000001B630000-memory.dmp

Filesize
64KB

Download
memory/2388-69-0x00007FFB1BA30000-0x00007FFB1C4F2000-memory.dmp

Filesize
10.8MB

Download
memory/2388-74-0x00007FFB1BA30000-0x00007FFB1C4F2000-memory.dmp

Filesize
10.8MB

Download
memory/2596-37-0x00007FFB1BA30000-0x00007FFB1C4F2000-memory.dmp

Filesize
10.8MB

Download
memory/2596-38-0x000000001AF70000-0x000000001AF80000-memory.dmp

Filesize
64KB

Download
memory/2596-42-0x00007FFB1BA30000-0x00007FFB1C4F2000-memory.dmp

Filesize
10.8MB

Download
memory/2984-98-0x00007FFB1BA30000-0x00007FFB1C4F2000-memory.dmp

Filesize
10.8MB

Download
memory/2984-93-0x00007FFB1BA30000-0x00007FFB1C4F2000-memory.dmp

Filesize
10.8MB

Download
memory/2984-94-0x000000001B360000-0x000000001B370000-memory.dmp

Filesize
64KB

Download
memory/3372-117-0x00007FFB1BA30000-0x00007FFB1C4F2000-memory.dmp

Filesize
10.8MB

Download
memory/3372-122-0x00007FFB1BA30000-0x00007FFB1C4F2000-memory.dmp

Filesize
10.8MB

Download
memory/3372-118-0x000000001B2E0000-0x000000001B2F0000-memory.dmp

Filesize
64KB

Download
memory/3388-50-0x00007FFB1BA30000-0x00007FFB1C4F2000-memory.dmp

Filesize
10.8MB

Download
memory/3388-45-0x00007FFB1BA30000-0x00007FFB1C4F2000-memory.dmp

Filesize
10.8MB

Download
memory/3388-46-0x000000001B870000-0x000000001B880000-memory.dmp

Filesize
64KB

Download
memory/3912-58-0x00007FFB1BA30000-0x00007FFB1C4F2000-memory.dmp

Filesize
10.8MB

Download
memory/3912-54-0x000000001BA90000-0x000000001BAA0000-memory.dmp

Filesize
64KB

Download
memory/3912-53-0x00007FFB1BA30000-0x00007FFB1C4F2000-memory.dmp

Filesize
10.8MB

Download
memory/4444-61-0x00007FFB1BA30000-0x00007FFB1C4F2000-memory.dmp

Filesize
10.8MB

Download
memory/4444-62-0x000000001B680000-0x000000001B690000-memory.dmp

Filesize
64KB

Download
memory/4444-66-0x00007FFB1BA30000-0x00007FFB1C4F2000-memory.dmp

Filesize
10.8MB

Download
memory/4916-110-0x000000001B0D0000-0x000000001B0E0000-memory.dmp

Filesize
64KB

Download
memory/4916-114-0x00007FFB1BA30000-0x00007FFB1C4F2000-memory.dmp

Filesize
10.8MB

Download
memory/4916-109-0x00007FFB1BA30000-0x00007FFB1C4F2000-memory.dmp

Filesize
10.8MB

Download
memory/4960-125-0x00007FFB1BA30000-0x00007FFB1C4F2000-memory.dmp

Filesize
10.8MB

Download
memory/4960-126-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download
memory/4960-130-0x00007FFB1BA30000-0x00007FFB1C4F2000-memory.dmp

Filesize
10.8MB

Download