Analysis
max time kernel: 152s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-04-2024 01:58
Behavioral task: behavioral1
Sample: a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840.exe
Resource: win7-20240221-en
General
Target: a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840.exe
Size: 3.1MB
MD5: 2c1fba8d6624adf6c582fb2d5fb43b28
SHA1: bd45ee984e9476d604824f83c6cf6111a9db2467
SHA256: a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840
SHA512: cc85b5f1c2765c49f34c236634dcbfdfd6cc62e0b954b74c12b0d89dc29044dff88a9840e5c02a39e140564283074c78359dd70dfc7f426daefb75f195f14e19
SSDEEP: 49152:nvVG42pda6D+/PjlLOlg6yQipV6iRJ67bR3LoGdTqTHHB72eh2NT:nvM42pda6D+/PjlLOlZyQipV6iRJ6ND
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Tag: Office04
C2: funlink.ddns.net:4444
C2: quasarhost1.ddns.net:4444
Mutex: c363b2f8-fc6a-4abd-a753-cff1aad2a173
Attributes:
  encryption_key: CE5FBAC1A56C8C780C74FE8E7CD5CBCF8ABD6C8D
  install_name: updale.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: windows av startup
  subdirectory: SubDir
Signatures

Quasar payload (2 IoCs)
Processes:
  resource | yara_rule
  behavioral2/memory/4160-0-0x0000000000390000-0x00000000006B4000-memory.dmp | family_quasar
  C:\Windows\System32\SubDir\updale.exe | family_quasar

Detects Windows executables referencing non-Windows User-Agents (2 IoCs)
Processes:
  resource | yara_rule
  behavioral2/memory/4160-0-0x0000000000390000-0x00000000006B4000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
  C:\Windows\System32\SubDir\updale.exe | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. (2 IoCs)
Processes:
  resource | yara_rule
  behavioral2/memory/4160-0-0x0000000000390000-0x00000000006B4000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
  C:\Windows\System32\SubDir\updale.exe | INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing common artifacts observed in infostealers (2 IoCs)
Processes:
  resource | yara_rule
  behavioral2/memory/4160-0-0x0000000000390000-0x00000000006B4000-memory.dmp | INDICATOR_SUSPICIOUS_GENInfoStealer
  C:\Windows\System32\SubDir\updale.exe | INDICATOR_SUSPICIOUS_GENInfoStealer

Checks computer location settings (2 TTPs, 9 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | updale.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | updale.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | updale.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | updale.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | updale.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | updale.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | updale.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | updale.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | updale.exe

Executes dropped EXE (9 IoCs)
Processes:
  pid  | process
  1976 | updale.exe
  4060 | updale.exe
  4448 | updale.exe
  2812 | updale.exe
  2900 | updale.exe
  332  | updale.exe
  5040 | updale.exe
  1452 | updale.exe
  4500 | updale.exe

Drops file in System32 directory (21 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\system32\SubDir | updale.exe
  File opened for modification | C:\Windows\system32\SubDir\updale.exe | updale.exe
  File opened for modification | C:\Windows\system32\SubDir | updale.exe
  File opened for modification | C:\Windows\system32\SubDir\updale.exe | updale.exe
  File opened for modification | C:\Windows\system32\SubDir | updale.exe
  File opened for modification | C:\Windows\system32\SubDir\updale.exe | updale.exe
  File opened for modification | C:\Windows\system32\SubDir\updale.exe | updale.exe
  File opened for modification | C:\Windows\system32\SubDir | updale.exe
  File opened for modification | C:\Windows\system32\SubDir\updale.exe | updale.exe
  File opened for modification | C:\Windows\system32\SubDir | updale.exe
  File opened for modification | C:\Windows\system32\SubDir | updale.exe
  File opened for modification | C:\Windows\system32\SubDir\updale.exe | updale.exe
  File created | C:\Windows\system32\SubDir\updale.exe | a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840.exe
  File opened for modification | C:\Windows\system32\SubDir\updale.exe | a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840.exe
  File opened for modification | C:\Windows\system32\SubDir\updale.exe | updale.exe
  File opened for modification | C:\Windows\system32\SubDir\updale.exe | updale.exe
  File opened for modification | C:\Windows\system32\SubDir | a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840.exe
  File opened for modification | C:\Windows\system32\SubDir | updale.exe
  File opened for modification | C:\Windows\system32\SubDir | updale.exe
  File opened for modification | C:\Windows\system32\SubDir\updale.exe | updale.exe
  File opened for modification | C:\Windows\system32\SubDir | updale.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 14 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid  | process
  1096 | schtasks.exe
  4508 | schtasks.exe
  3980 | schtasks.exe
  3488 | schtasks.exe
  868  | schtasks.exe
  3632 | schtasks.exe
  4016 | schtasks.exe
  3404 | schtasks.exe
  4104 | schtasks.exe
  2888 | schtasks.exe
  1624 | schtasks.exe
  1784 | schtasks.exe
  4732 | schtasks.exe
  1704 | schtasks.exe

Runs ping.exe (1 TTPs, 12 IoCs)
Processes:
  pid  | process
  1932 | PING.EXE
  4440 | PING.EXE
  3528 | PING.EXE
  316  | PING.EXE
  3744 | PING.EXE
  4744 | PING.EXE
  4580 | PING.EXE
  2472 | PING.EXE
  4420 | PING.EXE
  1568 | PING.EXE
  2856 | PING.EXE
  2300 | PING.EXE

Suspicious use of AdjustPrivilegeToken (10 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4160 | a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840.exe
  Token: SeDebugPrivilege | 1976 | updale.exe
  Token: SeDebugPrivilege | 4060 | updale.exe
  Token: SeDebugPrivilege | 4448 | updale.exe
  Token: SeDebugPrivilege | 2812 | updale.exe
  Token: SeDebugPrivilege | 2900 | updale.exe
  Token: SeDebugPrivilege | 332 | updale.exe
  Token: SeDebugPrivilege | 5040 | updale.exe
  Token: SeDebugPrivilege | 1452 | updale.exe
  Token: SeDebugPrivilege | 4500 | updale.exe

Suspicious use of FindShellTrayWindow (9 IoCs)
Processes:
  pid  | process
  1976 | updale.exe
  4060 | updale.exe
  4448 | updale.exe
  2812 | updale.exe
  2900 | updale.exe
  332  | updale.exe
  5040 | updale.exe
  1452 | updale.exe
  4500 | updale.exe

Suspicious use of SendNotifyMessage (9 IoCs)
Processes:
  pid  | process
  1976 | updale.exe
  4060 | updale.exe
  4448 | updale.exe
  2812 | updale.exe
  2900 | updale.exe
  332  | updale.exe
  5040 | updale.exe
  1452 | updale.exe
  4500 | updale.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid  | process
  4448 | updale.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  description | pid | process | target process
  PID 4160 wrote to memory of 4104 | 4160 | a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840.exe | schtasks.exe
  PID 4160 wrote to memory of 4104 | 4160 | a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840.exe | schtasks.exe
  PID 4160 wrote to memory of 1976 | 4160 | a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840.exe | updale.exe
  PID 4160 wrote to memory of 1976 | 4160 | a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840.exe | updale.exe
  PID 1976 wrote to memory of 1096 | 1976 | updale.exe | schtasks.exe
  PID 1976 wrote to memory of 1096 | 1976 | updale.exe | schtasks.exe
  PID 1976 wrote to memory of 2320 | 1976 | updale.exe | cmd.exe
  PID 1976 wrote to memory of 2320 | 1976 | updale.exe | cmd.exe
  PID 2320 wrote to memory of 4252 | 2320 | cmd.exe | chcp.com
  PID 2320 wrote to memory of 4252 | 2320 | cmd.exe | chcp.com
  PID 2320 wrote to memory of 4420 | 2320 | cmd.exe | PING.EXE
  PID 2320 wrote to memory of 4420 | 2320 | cmd.exe | PING.EXE
  PID 2320 wrote to memory of 4060 | 2320 | cmd.exe | updale.exe
  PID 2320 wrote to memory of 4060 | 2320 | cmd.exe | updale.exe
  PID 4060 wrote to memory of 3632 | 4060 | updale.exe | schtasks.exe
  PID 4060 wrote to memory of 3632 | 4060 | updale.exe | schtasks.exe
  PID 4060 wrote to memory of 3956 | 4060 | updale.exe | cmd.exe
  PID 4060 wrote to memory of 3956 | 4060 | updale.exe | cmd.exe
  PID 3956 wrote to memory of 2900 | 3956 | cmd.exe | chcp.com
  PID 3956 wrote to memory of 2900 | 3956 | cmd.exe | chcp.com
  PID 3956 wrote to memory of 1568 | 3956 | cmd.exe | PING.EXE
  PID 3956 wrote to memory of 1568 | 3956 | cmd.exe | PING.EXE
  PID 3956 wrote to memory of 4448 | 3956 | cmd.exe | updale.exe
  PID 3956 wrote to memory of 4448 | 3956 | cmd.exe | updale.exe
  PID 4448 wrote to memory of 4508 | 4448 | updale.exe | schtasks.exe
  PID 4448 wrote to memory of 4508 | 4448 | updale.exe | schtasks.exe
  PID 4448 wrote to memory of 4492 | 4448 | updale.exe | cmd.exe
  PID 4448 wrote to memory of 4492 | 4448 | updale.exe | cmd.exe
  PID 4492 wrote to memory of 3488 | 4492 | cmd.exe | chcp.com
  PID 4492 wrote to memory of 3488 | 4492 | cmd.exe | chcp.com
  PID 4492 wrote to memory of 4440 | 4492 | cmd.exe | PING.EXE
  PID 4492 wrote to memory of 4440 | 4492 | cmd.exe | PING.EXE
  PID 4492 wrote to memory of 2812 | 4492 | cmd.exe | updale.exe
  PID 4492 wrote to memory of 2812 | 4492 | cmd.exe | updale.exe
  PID 2812 wrote to memory of 3980 | 2812 | updale.exe | schtasks.exe
  PID 2812 wrote to memory of 3980 | 2812 | updale.exe | schtasks.exe
  PID 2812 wrote to memory of 2472 | 2812 | updale.exe | cmd.exe
  PID 2812 wrote to memory of 2472 | 2812 | updale.exe | cmd.exe
  PID 2472 wrote to memory of 3968 | 2472 | cmd.exe | chcp.com
  PID 2472 wrote to memory of 3968 | 2472 | cmd.exe | chcp.com
  PID 2472 wrote to memory of 3528 | 2472 | cmd.exe | PING.EXE
  PID 2472 wrote to memory of 3528 | 2472 | cmd.exe | PING.EXE
  PID 2472 wrote to memory of 2900 | 2472 | cmd.exe | updale.exe
  PID 2472 wrote to memory of 2900 | 2472 | cmd.exe | updale.exe
  PID 2900 wrote to memory of 2888 | 2900 | updale.exe | schtasks.exe
  PID 2900 wrote to memory of 2888 | 2900 | updale.exe | schtasks.exe
  PID 2900 wrote to memory of 1524 | 2900 | updale.exe | cmd.exe
  PID 2900 wrote to memory of 1524 | 2900 | updale.exe | cmd.exe
  PID 1524 wrote to memory of 3868 | 1524 | cmd.exe | chcp.com
  PID 1524 wrote to memory of 3868 | 1524 | cmd.exe | chcp.com
  PID 1524 wrote to memory of 316 | 1524 | cmd.exe | PING.EXE
  PID 1524 wrote to memory of 316 | 1524 | cmd.exe | PING.EXE
  PID 1524 wrote to memory of 332 | 1524 | cmd.exe | updale.exe
  PID 1524 wrote to memory of 332 | 1524 | cmd.exe | updale.exe
  PID 332 wrote to memory of 4016 | 332 | updale.exe | schtasks.exe
  PID 332 wrote to memory of 4016 | 332 | updale.exe | schtasks.exe
  PID 332 wrote to memory of 2432 | 332 | updale.exe | cmd.exe
  PID 332 wrote to memory of 2432 | 332 | updale.exe | cmd.exe
  PID 2432 wrote to memory of 3292 | 2432 | cmd.exe | chcp.com
  PID 2432 wrote to memory of 3292 | 2432 | cmd.exe | chcp.com
  PID 2432 wrote to memory of 2856 | 2432 | cmd.exe | PING.EXE
  PID 2432 wrote to memory of 2856 | 2432 | cmd.exe | PING.EXE
  PID 2432 wrote to memory of 5040 | 2432 | cmd.exe | updale.exe
  PID 2432 wrote to memory of 5040 | 2432 | cmd.exe | updale.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry gives the image path, the observed command line, the signatures triggered by that process and its PID; the depth number is the process's level in the process tree (its parent is the preceding entry at depth N-1).

[depth 1] C:\Users\Admin\AppData\Local\Temp\a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a5473ea4c4ef75c217e0d252d1c7d235b781a75810b7e731a97ed78b45646840.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4160

[depth 2] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
  PID: 4104

[depth 2] C:\Windows\system32\SubDir\updale.exe
  command line: "C:\Windows\system32\SubDir\updale.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 1976

[depth 3] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
  PID: 1096

[depth 3] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xK5IXmAI0nhk.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 2320

[depth 4] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 4252

[depth 4] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
  PID: 4420

[depth 4] C:\Windows\system32\SubDir\updale.exe
  command line: "C:\Windows\system32\SubDir\updale.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 4060

[depth 5] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
  PID: 3632

[depth 5] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YPbj0KkQcXpn.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 3956

[depth 6] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 2900

[depth 6] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
  PID: 1568

[depth 6] C:\Windows\system32\SubDir\updale.exe
  command line: "C:\Windows\system32\SubDir\updale.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4448

[depth 7] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
  PID: 4508

[depth 7] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IQkt8k3VOfC0.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 4492

[depth 8] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 3488

[depth 8] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
  PID: 4440

[depth 8] C:\Windows\system32\SubDir\updale.exe
  command line: "C:\Windows\system32\SubDir\updale.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2812

[depth 9] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
  PID: 3980

[depth 9] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\f8wx7D9c1kSl.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 2472

[depth 10] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 3968

[depth 10] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
  PID: 3528

[depth 10] C:\Windows\system32\SubDir\updale.exe
  command line: "C:\Windows\system32\SubDir\updale.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2900

[depth 11] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
  PID: 2888

[depth 11] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QNildA48LLlK.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 1524

[depth 12] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 3868

[depth 12] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
  PID: 316

[depth 12] C:\Windows\system32\SubDir\updale.exe
  command line: "C:\Windows\system32\SubDir\updale.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 332

[depth 13] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
  PID: 4016

[depth 13] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\izDBbXvyE7LL.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 2432

[depth 14] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 3292

[depth 14] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
  PID: 2856

[depth 14] C:\Windows\system32\SubDir\updale.exe
  command line: "C:\Windows\system32\SubDir\updale.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 5040

[depth 15] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
  PID: 1624

[depth 15] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XIVG8GaKznld.bat" "
  PID: 4048

[depth 16] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 5024

[depth 16] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
  PID: 2300

[depth 16] C:\Windows\system32\SubDir\updale.exe
  command line: "C:\Windows\system32\SubDir\updale.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1452

[depth 17] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
  PID: 3404

[depth 17] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYCNAobkF9rt.bat" "
  PID: 524

[depth 18] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 3156

[depth 18] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
  PID: 4744

[depth 18] C:\Windows\system32\SubDir\updale.exe
  command line: "C:\Windows\system32\SubDir\updale.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 4500

[depth 19] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
  PID: 1784

[depth 19] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3wiimGlo7pti.bat" "
  PID: 4016

[depth 20] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 5088

[depth 20] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
  PID: 3744

[depth 20] C:\Windows\system32\SubDir\updale.exe
  command line: "C:\Windows\system32\SubDir\updale.exe"
  PID: 3852

[depth 21] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
  PID: 3488

[depth 21] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E6YNydK52xxW.bat" "
  PID: 3632

[depth 22] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 656

[depth 22] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
  PID: 4580

[depth 22] C:\Windows\system32\SubDir\updale.exe
  command line: "C:\Windows\system32\SubDir\updale.exe"
  PID: 5036

[depth 23] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
  PID: 1704

[depth 23] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\58BtiZXzhvMU.bat" "
  PID: 4488

[depth 24] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 2320

[depth 24] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
  PID: 2472

[depth 24] C:\Windows\system32\SubDir\updale.exe
  command line: "C:\Windows\system32\SubDir\updale.exe"
  PID: 2836

[depth 25] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
  PID: 4732

[depth 25] C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VMPsimu5AS0Y.bat" "
  PID: 2024

[depth 26] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 1652

[depth 26] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
  PID: 1932

[depth 26] C:\Windows\system32\SubDir\updale.exe
  command line: "C:\Windows\system32\SubDir\updale.exe"
  PID: 60

[depth 27] C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "windows av startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\updale.exe" /rl HIGHEST /f
  - Creates scheduled task(s)
  PID: 868

[depth 1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
  PID: 3624
Network
MITRE ATT&CK Enterprise v15
Downloads