quasar | 2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb

General

Target

2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
Size

3.2MB
MD5

6c16807e4417e60366cde4515d148ab3
SHA1

b8212729ae453b48531c5331cfdaea3aa213cf85
SHA256

2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb
SHA512

eb448d72c2d7d74cae67cac46ebc0262e50113b40164d0c9837e4e0d481c23038f85a414dd92561fdbe5958ecdbaa86e8cdd921cc1cc2571eb96f9dd76cc2efe
SSDEEP

49152:6oHBs26nkjh/a3LlwLkl6cV0ymGIj5y60K9F8AA/qDTvyNUjqwZjAN+68OxcIzQW:9B6Wh/9L3clIVy6RwA29NGoN+3OWIzQ

Score

10^/10

quasar office04 execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

1`:4782

Mutex

af2aa588-6605-4638-8da1-ae434f48b4a8

Attributes

encryption_key
45ADA9B733F36F800D08E295E8F812611F35D087
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2780-19-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar
behavioral1/memory/2780-21-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar
behavioral1/memory/2780-18-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar
behavioral1/memory/2780-15-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar
behavioral1/memory/2780-13-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar
behavioral1/memory/2276-50-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar
behavioral1/memory/2276-51-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar
behavioral1/memory/1920-79-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar
behavioral1/memory/1920-81-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar

Detects Windows executables referencing non-Windows User-Agents 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2780-19-0x0000000000400000-0x0000000000724000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2780-21-0x0000000000400000-0x0000000000724000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2780-18-0x0000000000400000-0x0000000000724000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2780-15-0x0000000000400000-0x0000000000724000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2780-13-0x0000000000400000-0x0000000000724000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2276-50-0x0000000000400000-0x0000000000724000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2276-51-0x0000000000400000-0x0000000000724000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1920-79-0x0000000000400000-0x0000000000724000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1920-81-0x0000000000400000-0x0000000000724000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2780-19-0x0000000000400000-0x0000000000724000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2780-21-0x0000000000400000-0x0000000000724000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2780-18-0x0000000000400000-0x0000000000724000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2780-15-0x0000000000400000-0x0000000000724000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2780-13-0x0000000000400000-0x0000000000724000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2276-50-0x0000000000400000-0x0000000000724000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2276-51-0x0000000000400000-0x0000000000724000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/1920-79-0x0000000000400000-0x0000000000724000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/1920-81-0x0000000000400000-0x0000000000724000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing common artifacts observed in infostealers 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2780-19-0x0000000000400000-0x0000000000724000-memory.dmp	INDICATOR_SUSPICIOUS_GENInfoStealer
behavioral1/memory/2780-21-0x0000000000400000-0x0000000000724000-memory.dmp	INDICATOR_SUSPICIOUS_GENInfoStealer
behavioral1/memory/2780-18-0x0000000000400000-0x0000000000724000-memory.dmp	INDICATOR_SUSPICIOUS_GENInfoStealer
behavioral1/memory/2780-15-0x0000000000400000-0x0000000000724000-memory.dmp	INDICATOR_SUSPICIOUS_GENInfoStealer
behavioral1/memory/2780-13-0x0000000000400000-0x0000000000724000-memory.dmp	INDICATOR_SUSPICIOUS_GENInfoStealer
behavioral1/memory/2276-50-0x0000000000400000-0x0000000000724000-memory.dmp	INDICATOR_SUSPICIOUS_GENInfoStealer
behavioral1/memory/2276-51-0x0000000000400000-0x0000000000724000-memory.dmp	INDICATOR_SUSPICIOUS_GENInfoStealer
behavioral1/memory/1920-79-0x0000000000400000-0x0000000000724000-memory.dmp	INDICATOR_SUSPICIOUS_GENInfoStealer
behavioral1/memory/1920-81-0x0000000000400000-0x0000000000724000-memory.dmp	INDICATOR_SUSPICIOUS_GENInfoStealer

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to get system information.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2212 powershell.exe
552 powershell.exe
2412 powershell.exe
1616 powershell.exe

pid	process
2212	powershell.exe
552	powershell.exe
2412	powershell.exe
1616	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe

description	pid	process	target process
PID 2192 set thread context of 2780	2192	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
PID 2568 set thread context of 2276	2568	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
PID 304 set thread context of 1920	304	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2728 schtasks.exe
2988 schtasks.exe
2612 schtasks.exe
888 schtasks.exe
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

2536 PING.EXE
2752 PING.EXE
2288 PING.EXE

pid	process
2728	schtasks.exe
2988	schtasks.exe
2612	schtasks.exe
888	schtasks.exe

pid	process
2536	PING.EXE
2752	PING.EXE
2288	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exe2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exepowershell.exepowershell.exe2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe

pid	process
1616	powershell.exe
2212	powershell.exe
2568	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
552	powershell.exe
2412	powershell.exe
448	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
448	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
448	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
448	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
448	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exe2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exepowershell.exe2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exepowershell.exe2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exepowershell.exe2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe

description	pid	process
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	2780	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2568	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
Token: SeDebugPrivilege	2276	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: SeDebugPrivilege	1920	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	448	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe

pid	process
2780	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
2276	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
1920	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe

pid	process
2780	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
2276	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
1920	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.execmd.exe2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.execmd.exe2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.execmd.exe2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe

description	pid	process	target process
PID 2192 wrote to memory of 1616	2192	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	powershell.exe
PID 2192 wrote to memory of 1616	2192	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	powershell.exe
PID 2192 wrote to memory of 1616	2192	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	powershell.exe
PID 2192 wrote to memory of 1616	2192	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	powershell.exe
PID 2192 wrote to memory of 2112	2192	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	cmd.exe
PID 2192 wrote to memory of 2112	2192	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	cmd.exe
PID 2192 wrote to memory of 2112	2192	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	cmd.exe
PID 2192 wrote to memory of 2112	2192	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	cmd.exe
PID 2112 wrote to memory of 2728	2112	cmd.exe	schtasks.exe
PID 2112 wrote to memory of 2728	2112	cmd.exe	schtasks.exe
PID 2112 wrote to memory of 2728	2112	cmd.exe	schtasks.exe
PID 2112 wrote to memory of 2728	2112	cmd.exe	schtasks.exe
PID 2192 wrote to memory of 2780	2192	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
PID 2192 wrote to memory of 2780	2192	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
PID 2192 wrote to memory of 2780	2192	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
PID 2192 wrote to memory of 2780	2192	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
PID 2192 wrote to memory of 2780	2192	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
PID 2192 wrote to memory of 2780	2192	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
PID 2192 wrote to memory of 2780	2192	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
PID 2192 wrote to memory of 2780	2192	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
PID 2192 wrote to memory of 2780	2192	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
PID 2780 wrote to memory of 2572	2780	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	cmd.exe
PID 2780 wrote to memory of 2572	2780	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	cmd.exe
PID 2780 wrote to memory of 2572	2780	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	cmd.exe
PID 2780 wrote to memory of 2572	2780	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	cmd.exe
PID 2572 wrote to memory of 2528	2572	cmd.exe	chcp.com
PID 2572 wrote to memory of 2528	2572	cmd.exe	chcp.com
PID 2572 wrote to memory of 2528	2572	cmd.exe	chcp.com
PID 2572 wrote to memory of 2528	2572	cmd.exe	chcp.com
PID 2572 wrote to memory of 2536	2572	cmd.exe	PING.EXE
PID 2572 wrote to memory of 2536	2572	cmd.exe	PING.EXE
PID 2572 wrote to memory of 2536	2572	cmd.exe	PING.EXE
PID 2572 wrote to memory of 2536	2572	cmd.exe	PING.EXE
PID 2572 wrote to memory of 2568	2572	cmd.exe	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
PID 2572 wrote to memory of 2568	2572	cmd.exe	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
PID 2572 wrote to memory of 2568	2572	cmd.exe	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
PID 2572 wrote to memory of 2568	2572	cmd.exe	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
PID 2568 wrote to memory of 2212	2568	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	powershell.exe
PID 2568 wrote to memory of 2212	2568	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	powershell.exe
PID 2568 wrote to memory of 2212	2568	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	powershell.exe
PID 2568 wrote to memory of 2212	2568	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	powershell.exe
PID 2568 wrote to memory of 2968	2568	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	cmd.exe
PID 2568 wrote to memory of 2968	2568	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	cmd.exe
PID 2568 wrote to memory of 2968	2568	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	cmd.exe
PID 2568 wrote to memory of 2968	2568	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	cmd.exe
PID 2968 wrote to memory of 2988	2968	cmd.exe	schtasks.exe
PID 2968 wrote to memory of 2988	2968	cmd.exe	schtasks.exe
PID 2968 wrote to memory of 2988	2968	cmd.exe	schtasks.exe
PID 2968 wrote to memory of 2988	2968	cmd.exe	schtasks.exe
PID 2568 wrote to memory of 2372	2568	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
PID 2568 wrote to memory of 2372	2568	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
PID 2568 wrote to memory of 2372	2568	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
PID 2568 wrote to memory of 2372	2568	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
PID 2568 wrote to memory of 2276	2568	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
PID 2568 wrote to memory of 2276	2568	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
PID 2568 wrote to memory of 2276	2568	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
PID 2568 wrote to memory of 2276	2568	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
PID 2568 wrote to memory of 2276	2568	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
PID 2568 wrote to memory of 2276	2568	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
PID 2568 wrote to memory of 2276	2568	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
PID 2568 wrote to memory of 2276	2568	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
PID 2568 wrote to memory of 2276	2568	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
PID 2276 wrote to memory of 1276	2276	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	cmd.exe
PID 2276 wrote to memory of 1276	2276	2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
"C:\Users\Admin\AppData\Local\Temp\2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \ /tr "C:\Users\Admin\AppData\Roaming\.exe" /st 00:00 /du 9999:59 /sc once /ri 30 /rl HIGHEST /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \ /tr "C:\Users\Admin\AppData\Roaming\.exe" /st 00:00 /du 9999:59 /sc once /ri 30 /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2728

C:\Users\Admin\AppData\Local\Temp\2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
#by-unknown
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PjnjGGAm1qn7.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:2528

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:2536

C:\Users\Admin\AppData\Local\Temp\2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
"C:\Users\Admin\AppData\Local\Temp\2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \ /tr "C:\Users\Admin\AppData\Roaming\.exe" /st 00:00 /du 9999:59 /sc once /ri 30 /rl HIGHEST /f
5⤵
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \ /tr "C:\Users\Admin\AppData\Roaming\.exe" /st 00:00 /du 9999:59 /sc once /ri 30 /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:2988

C:\Users\Admin\AppData\Local\Temp\2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
#by-unknown
5⤵
PID:2372

C:\Users\Admin\AppData\Local\Temp\2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
#by-unknown
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\8xg1836q38ww.bat" "
6⤵
PID:1276

C:\Windows\SysWOW64\chcp.com
chcp 65001
7⤵
PID:1952

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
7⤵
- Runs ping.exe
PID:2752

C:\Users\Admin\AppData\Local\Temp\2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
"C:\Users\Admin\AppData\Local\Temp\2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe"
7⤵
- Suspicious use of SetThreadContext
PID:304

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \ /tr "C:\Users\Admin\AppData\Roaming\.exe" /st 00:00 /du 9999:59 /sc once /ri 30 /rl HIGHEST /f
8⤵
PID:2140

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \ /tr "C:\Users\Admin\AppData\Roaming\.exe" /st 00:00 /du 9999:59 /sc once /ri 30 /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:2612

C:\Users\Admin\AppData\Local\Temp\2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
#by-unknown
8⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1920

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dziUUBVLQgLl.bat" "
9⤵
PID:1636

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:836

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:2288

C:\Users\Admin\AppData\Local\Temp\2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
"C:\Users\Admin\AppData\Local\Temp\2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe"
10⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory
11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \ /tr "C:\Users\Admin\AppData\Roaming\.exe" /st 00:00 /du 9999:59 /sc once /ri 30 /rl HIGHEST /f
11⤵
PID:940

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \ /tr "C:\Users\Admin\AppData\Roaming\.exe" /st 00:00 /du 9999:59 /sc once /ri 30 /rl HIGHEST /f
12⤵
- Creates scheduled task(s)
PID:888

C:\Users\Admin\AppData\Local\Temp\2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
#by-unknown
11⤵
PID:1052

C:\Users\Admin\AppData\Local\Temp\2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
#by-unknown
11⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
#by-unknown
11⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
#by-unknown
11⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\2379cbf1b539be7380bed6b1c5e1d29c77acc795d291fa2a687819d48df930bb.exe
#by-unknown
11⤵
PID:2260

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8xg1836q38ww.bat
Filesize
261B

MD5
8dd851e7e9d371a6119d981de4821faa

SHA1
d4498c781947fad8c04194ad65b262dc1d78b055

SHA256
c087d27b5e1dc010e10f181a8ed49e24fb0100611c6cdf41a85b93b59ed6008a

SHA512
0e8aed23f58bbb3eefabe83a29b69e009b8df983069e59b35cd3beb7ca8850778e6315285c6271f66130754c9325f43f0151ce46241d2196ee108669b357850b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PjnjGGAm1qn7.bat
Filesize
261B

MD5
e82d9bbc8571842b399e0d2d0060122b

SHA1
dbfe9adee60ac443d894179aa68abc25579463d3

SHA256
bb60a7bff9ceee5002f2c25b45f961ded4021318edfff57ae9a75795f829a008

SHA512
b49c97c5da008ce4a3aeff032ed012c5041cb56840c0d8605075df4f93747ef88ecb56621be00a0a527f1258ba318f36077009eb087f42c21ded93eb51ee972d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dziUUBVLQgLl.bat
Filesize
261B

MD5
17f20b7609ae63be92ee2e431d996470

SHA1
f89e8e5b082bb39effc791db4cfe342e4817921f

SHA256
ce7f1b07c20b6d3d7c4863d6e412f8cd2b92eba3b1723504e6aa2b9416586fe2

SHA512
f82f6f857aadacfdeaffe966dcfc35b827f691d16d85b8e77cab8cf72fafa051206d86a2b023b55d85326075f6d04d97cad572feb50074ae92a5f2ddbe5bd59b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
9be3a3da9e98f9fbf0991ab681879737

SHA1
e4702769927bd84c735c6f094a1df64539ec88d2

SHA256
ab00149cf0cb2dcd30907a314013cca741579a26454cd756d8402a103654a91f

SHA512
68629db57df4da45f02c33f6974d669b76c9a0434cad46fc3428801ada32ef6a99418ad0aa34c747896940537de4cd77f59d873b49c4b3df6a4e14af384dec18

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/304-61-0x0000000001190000-0x00000000014C2000-memory.dmp

Filesize
3.2MB

Download
memory/448-92-0x0000000000090000-0x00000000003C2000-memory.dmp

Filesize
3.2MB

Download
memory/1616-4-0x0000000070171000-0x0000000070172000-memory.dmp

Filesize
4KB

Download
memory/1616-7-0x0000000070170000-0x000000007071B000-memory.dmp

Filesize
5.7MB

Download
memory/1616-5-0x0000000070170000-0x000000007071B000-memory.dmp

Filesize
5.7MB

Download
memory/1616-6-0x0000000070170000-0x000000007071B000-memory.dmp

Filesize
5.7MB

Download
memory/1920-79-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/1920-77-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1920-81-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/2192-1-0x0000000000980000-0x0000000000CB2000-memory.dmp

Filesize
3.2MB

Download
memory/2192-0-0x0000000073EAE000-0x0000000073EAF000-memory.dmp

Filesize
4KB

Download
memory/2276-48-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2276-50-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/2276-51-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/2568-31-0x0000000000990000-0x0000000000CC2000-memory.dmp

Filesize
3.2MB

Download
memory/2780-15-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/2780-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2780-18-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/2780-21-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/2780-19-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/2780-11-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/2780-9-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/2780-13-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads