Analysis
max time kernel: 143s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-09-2024 14:53
Behavioral task: behavioral1
Sample: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Resource: win7-20240705-en
General
Target: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Size: 6.1MB
MD5: 03778d811f241e83ccad830372313b3c
SHA1: 11962399abf7fc0981f324e4aa5271f36f50c5ba
SHA256: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc
SHA512: 2e17b881491e2cc9759dde852198622956682327abcc20519ab7099e25b22252a167cd7a4e6e90651a8b44b22c89a52c8fd004a62043f8fa30fe523302f6674f
SSDEEP: 98304:ulFqmwupyhcHp5ooEAnHRVN07KgHDpS18DqBRe7qxKfT1J+tNY3LU4rI2qo:uWJuMg53HRVu7vHDpS1IqBRU7kCs2q
Malware Config
Extracted
quasar
1.4.0
Chrome
live.nodenet.ml:8863
754ce6d6-f75b-4c6f-964c-3996e749369e
encryption_key: 8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D
install_name: chrome.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: System
subdirectory: chrome
Signatures
Quasar payload (2 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\chrome.exe | family_quasar
behavioral2/memory/4776-51-0x0000000000E70000-0x0000000000EF4000-memory.dmp | family_quasar
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Checks computer location settings (2 TTPs, 15 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | chrome.exe
Executes dropped EXE (16 IoCs)
Processes:
pid | process
4776 | chrome.exe
1040 | S^X.exe
3584 | chrome.exe
3652 | chrome.exe
5056 | chrome.exe
2716 | chrome.exe
5008 | chrome.exe
688 | chrome.exe
3676 | chrome.exe
3608 | chrome.exe
2688 | chrome.exe
4536 | chrome.exe
936 | chrome.exe
4888 | chrome.exe
1220 | chrome.exe
5056 | chrome.exe
Loads dropped DLL (1 IoCs)
Processes:
pid | process
4760 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Obfuscated with Agile.Net obfuscator (7 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource | yara_rule
behavioral2/memory/4760-1-0x0000000000700000-0x0000000000D14000-memory.dmp | agile_net
behavioral2/memory/4760-2-0x00000000056B0000-0x0000000005CC2000-memory.dmp | agile_net
behavioral2/memory/4760-16-0x00000000056B0000-0x0000000005CBC000-memory.dmp | agile_net
behavioral2/memory/4760-19-0x00000000056B0000-0x0000000005CBC000-memory.dmp | agile_net
behavioral2/memory/4760-18-0x00000000056B0000-0x0000000005CBC000-memory.dmp | agile_net
behavioral2/memory/4760-22-0x00000000056B0000-0x0000000005CBC000-memory.dmp | agile_net
behavioral2/memory/4760-23-0x00000000056B0000-0x0000000005CBC000-memory.dmp | agile_net
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll | themida
behavioral2/memory/4760-11-0x0000000071A90000-0x0000000072098000-memory.dmp | themida
behavioral2/memory/4760-12-0x0000000071A90000-0x0000000072098000-memory.dmp | themida
behavioral2/memory/4760-14-0x0000000071A90000-0x0000000072098000-memory.dmp | themida
behavioral2/memory/4760-54-0x0000000071A90000-0x0000000072098000-memory.dmp | themida
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
Processes:
pid | process
4760 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | S^X.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 14 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
Processes:
pid | process
1748 | PING.EXE
2516 | PING.EXE
1680 | PING.EXE
968 | PING.EXE
2688 | PING.EXE
3864 | PING.EXE
4868 | PING.EXE
3160 | PING.EXE
5056 | PING.EXE
4320 | PING.EXE
4680 | PING.EXE
1028 | PING.EXE
4456 | PING.EXE
2184 | PING.EXE
Runs ping.exe (1 TTPs, 14 IoCs)
Processes:
pid | process
4680 | PING.EXE
5056 | PING.EXE
1680 | PING.EXE
1028 | PING.EXE
2184 | PING.EXE
4868 | PING.EXE
3864 | PING.EXE
2516 | PING.EXE
2688 | PING.EXE
4320 | PING.EXE
3160 | PING.EXE
1748 | PING.EXE
4456 | PING.EXE
968 | PING.EXE
Scheduled Task/Job: Scheduled Task (1 TTPs, 15 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
1640 | schtasks.exe
2084 | schtasks.exe
4304 | schtasks.exe
5036 | schtasks.exe
1600 | schtasks.exe
2004 | schtasks.exe
1744 | schtasks.exe
4988 | schtasks.exe
4548 | schtasks.exe
3088 | schtasks.exe
2484 | schtasks.exe
800 | schtasks.exe
2448 | schtasks.exe
688 | schtasks.exe
3324 | schtasks.exe
Suspicious use of AdjustPrivilegeToken (16 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 4776 | chrome.exe
Token: SeDebugPrivilege | 1040 | S^X.exe
Token: SeDebugPrivilege | 3584 | chrome.exe
Token: SeDebugPrivilege | 3652 | chrome.exe
Token: SeDebugPrivilege | 5056 | chrome.exe
Token: SeDebugPrivilege | 2716 | chrome.exe
Token: SeDebugPrivilege | 5008 | chrome.exe
Token: SeDebugPrivilege | 688 | chrome.exe
Token: SeDebugPrivilege | 3676 | chrome.exe
Token: SeDebugPrivilege | 3608 | chrome.exe
Token: SeDebugPrivilege | 2688 | chrome.exe
Token: SeDebugPrivilege | 4536 | chrome.exe
Token: SeDebugPrivilege | 936 | chrome.exe
Token: SeDebugPrivilege | 4888 | chrome.exe
Token: SeDebugPrivilege | 1220 | chrome.exe
Token: SeDebugPrivilege | 5056 | chrome.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description | pid | process | target process
PID 4760 wrote to memory of 4776 | 4760 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | chrome.exe
PID 4760 wrote to memory of 4776 | 4760 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | chrome.exe
PID 4760 wrote to memory of 1040 | 4760 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | S^X.exe
PID 4760 wrote to memory of 1040 | 4760 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | S^X.exe
PID 4760 wrote to memory of 1040 | 4760 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | S^X.exe
PID 4776 wrote to memory of 800 | 4776 | chrome.exe | schtasks.exe
PID 4776 wrote to memory of 800 | 4776 | chrome.exe | schtasks.exe
PID 4776 wrote to memory of 3584 | 4776 | chrome.exe | chrome.exe
PID 4776 wrote to memory of 3584 | 4776 | chrome.exe | chrome.exe
PID 3584 wrote to memory of 4988 | 3584 | chrome.exe | schtasks.exe
PID 3584 wrote to memory of 4988 | 3584 | chrome.exe | schtasks.exe
PID 3584 wrote to memory of 456 | 3584 | chrome.exe | cmd.exe
PID 3584 wrote to memory of 456 | 3584 | chrome.exe | cmd.exe
PID 456 wrote to memory of 4896 | 456 | cmd.exe | chcp.com
PID 456 wrote to memory of 4896 | 456 | cmd.exe | chcp.com
PID 456 wrote to memory of 4320 | 456 | cmd.exe | PING.EXE
PID 456 wrote to memory of 4320 | 456 | cmd.exe | PING.EXE
PID 456 wrote to memory of 3652 | 456 | cmd.exe | chrome.exe
PID 456 wrote to memory of 3652 | 456 | cmd.exe | chrome.exe
PID 3652 wrote to memory of 3324 | 3652 | chrome.exe | schtasks.exe
PID 3652 wrote to memory of 3324 | 3652 | chrome.exe | schtasks.exe
PID 3652 wrote to memory of 2188 | 3652 | chrome.exe | cmd.exe
PID 3652 wrote to memory of 2188 | 3652 | chrome.exe | cmd.exe
PID 5056 wrote to memory of 2084 | 5056 | chrome.exe | schtasks.exe
PID 5056 wrote to memory of 2084 | 5056 | chrome.exe | schtasks.exe
PID 5056 wrote to memory of 3132 | 5056 | chrome.exe | cmd.exe
PID 5056 wrote to memory of 3132 | 5056 | chrome.exe | cmd.exe
PID 3132 wrote to memory of 1980 | 3132 | cmd.exe | chcp.com
PID 3132 wrote to memory of 1980 | 3132 | cmd.exe | chcp.com
PID 3132 wrote to memory of 2184 | 3132 | cmd.exe | PING.EXE
PID 3132 wrote to memory of 2184 | 3132 | cmd.exe | PING.EXE
PID 3132 wrote to memory of 2716 | 3132 | cmd.exe | chrome.exe
PID 3132 wrote to memory of 2716 | 3132 | cmd.exe | chrome.exe
PID 2716 wrote to memory of 4304 | 2716 | chrome.exe | schtasks.exe
PID 2716 wrote to memory of 4304 | 2716 | chrome.exe | schtasks.exe
PID 2716 wrote to memory of 2828 | 2716 | chrome.exe | cmd.exe
PID 2716 wrote to memory of 2828 | 2716 | chrome.exe | cmd.exe
PID 2828 wrote to memory of 2004 | 2828 | cmd.exe | chcp.com
PID 2828 wrote to memory of 2004 | 2828 | cmd.exe | chcp.com
PID 2828 wrote to memory of 4868 | 2828 | cmd.exe | PING.EXE
PID 2828 wrote to memory of 4868 | 2828 | cmd.exe | PING.EXE
PID 2828 wrote to memory of 5008 | 2828 | cmd.exe | chrome.exe
PID 2828 wrote to memory of 5008 | 2828 | cmd.exe | chrome.exe
PID 5008 wrote to memory of 2448 | 5008 | chrome.exe | schtasks.exe
PID 5008 wrote to memory of 2448 | 5008 | chrome.exe | schtasks.exe
PID 5008 wrote to memory of 3916 | 5008 | chrome.exe | cmd.exe
PID 5008 wrote to memory of 3916 | 5008 | chrome.exe | cmd.exe
PID 3916 wrote to memory of 4760 | 3916 | cmd.exe | chcp.com
PID 3916 wrote to memory of 4760 | 3916 | cmd.exe | chcp.com
PID 3916 wrote to memory of 3864 | 3916 | cmd.exe | PING.EXE
PID 3916 wrote to memory of 3864 | 3916 | cmd.exe | PING.EXE
PID 3916 wrote to memory of 688 | 3916 | cmd.exe | chrome.exe
PID 3916 wrote to memory of 688 | 3916 | cmd.exe | chrome.exe
PID 688 wrote to memory of 5036 | 688 | chrome.exe | schtasks.exe
PID 688 wrote to memory of 5036 | 688 | chrome.exe | schtasks.exe
PID 688 wrote to memory of 5088 | 688 | chrome.exe | cmd.exe
PID 688 wrote to memory of 5088 | 688 | chrome.exe | cmd.exe
PID 5088 wrote to memory of 4172 | 5088 | cmd.exe | chcp.com
PID 5088 wrote to memory of 4172 | 5088 | cmd.exe | chcp.com
PID 5088 wrote to memory of 4680 | 5088 | cmd.exe | PING.EXE
PID 5088 wrote to memory of 4680 | 5088 | cmd.exe | PING.EXE
PID 5088 wrote to memory of 3676 | 5088 | cmd.exe | chrome.exe
PID 5088 wrote to memory of 3676 | 5088 | cmd.exe | chrome.exe
PID 3676 wrote to memory of 1600 | 3676 | chrome.exe | schtasks.exe
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(each entry: [tree level] PID | image path | command line, followed by the signatures triggered by that process)

[1] PID 4760 | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | "C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
[2] PID 4776 | C:\Users\Admin\AppData\Roaming\chrome.exe | "C:\Users\Admin\AppData\Roaming\chrome.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[3] PID 800 | C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[3] PID 3584 | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[4] PID 4988 | C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[4] PID 456 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fpC0LdY6mgWo.bat" "
    - Suspicious use of WriteProcessMemory
[5] PID 4896 | C:\Windows\system32\chcp.com | chcp 65001
[5] PID 4320 | C:\Windows\system32\PING.EXE | ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[5] PID 3652 | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[6] PID 3324 | C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[6] PID 2188 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IbXEWFKNjw37.bat" "
[7] PID 4052 | C:\Windows\system32\chcp.com | chcp 65001
[7] PID 3160 | C:\Windows\system32\PING.EXE | ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[7] PID 5056 | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[8] PID 2084 | C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[8] PID 3132 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\00xG9REBODar.bat" "
    - Suspicious use of WriteProcessMemory
[9] PID 1980 | C:\Windows\system32\chcp.com | chcp 65001
[9] PID 2184 | C:\Windows\system32\PING.EXE | ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[9] PID 2716 | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[10] PID 4304 | C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[10] PID 2828 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PL6003Sm5y2G.bat" "
    - Suspicious use of WriteProcessMemory
[11] PID 2004 | C:\Windows\system32\chcp.com | chcp 65001
[11] PID 4868 | C:\Windows\system32\PING.EXE | ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[11] PID 5008 | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[12] PID 2448 | C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[12] PID 3916 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rPolwkhv6FgM.bat" "
    - Suspicious use of WriteProcessMemory
[13] PID 4760 | C:\Windows\system32\chcp.com | chcp 65001
[13] PID 3864 | C:\Windows\system32\PING.EXE | ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[13] PID 688 | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[14] PID 5036 | C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[14] PID 5088 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iBSTGk807IDj.bat" "
    - Suspicious use of WriteProcessMemory
[15] PID 4172 | C:\Windows\system32\chcp.com | chcp 65001
[15] PID 4680 | C:\Windows\system32\PING.EXE | ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[15] PID 3676 | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[16] PID 1600 | C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[16] PID 2088 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CNwvaqImn10X.bat" "
[17] PID 4928 | C:\Windows\system32\chcp.com | chcp 65001
[17] PID 1748 | C:\Windows\system32\PING.EXE | ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[17] PID 3608 | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[18] PID 4548 | C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[18] PID 1640 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bTMdxgLaWR1T.bat" "
[19] PID 4584 | C:\Windows\system32\chcp.com | chcp 65001
[19] PID 5056 | C:\Windows\system32\PING.EXE | ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[19] PID 2688 | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[20] PID 3088 | C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[20] PID 2876 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7Ux3YFU8QKCN.bat" "
[21] PID 4564 | C:\Windows\system32\chcp.com | chcp 65001
[21] PID 2516 | C:\Windows\system32\PING.EXE | ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[21] PID 4536 | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[22] PID 2004 | C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[22] PID 2824 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3cZyl6r5sF2M.bat" "
[23] PID 2976 | C:\Windows\system32\chcp.com | chcp 65001
[23] PID 1028 | C:\Windows\system32\PING.EXE | ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[23] PID 936 | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[24] PID 688 | C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[24] PID 956 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cExtpCHQnfzd.bat" "
[25] PID 4340 | C:\Windows\system32\chcp.com | chcp 65001
[25] PID 1680 | C:\Windows\system32\PING.EXE | ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[25] PID 4888 | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[26] PID 2484 | C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[26] PID 4148 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GSEAhOv56Fv6.bat" "
[27] PID 5072 | C:\Windows\system32\chcp.com | chcp 65001
[27] PID 4456 | C:\Windows\system32\PING.EXE | ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[27] PID 1220 | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[28] PID 1744 | C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[28] PID 1216 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\J2O3L3EfBncD.bat" "
[29] PID 4308 | C:\Windows\system32\chcp.com | chcp 65001
[29] PID 968 | C:\Windows\system32\PING.EXE | ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[29] PID 5056 | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[30] PID 1640 | C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
[30] PID 3012 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XppgxuG2k82h.bat" "
[31] PID 4076 | C:\Windows\system32\chcp.com | chcp 65001
[31] PID 2688 | C:\Windows\system32\PING.EXE | ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[2] PID 1040 | C:\Users\Admin\AppData\Local\Temp\S^X.exe | "C:\Users\Admin\AppData\Local\Temp\S^X.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: baf55b95da4a601229647f25dad12878
SHA1: abc16954ebfd213733c4493fc1910164d825cac8
SHA256: ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512: 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Filesize: 207B
MD5: 90c70c13a4055ed19f7998c74abae898
SHA1: 83768f7a87b878e24ec0c2ec9f9dd4797db2057e
SHA256: d89efd9f39d63b1a1b3951cdb070db5d7985af7ba9a12aedfda62af01f9fd49b
SHA512: b53f9b1f66a5a1d2ef058170f85bc8d6ca88082faeeeff49e0ba68fb022464a80ec516c61436610832168f7310cfe372d7a21a4c2a62bcdff5d9ae8af11c0b16

Filesize: 207B
MD5: f339dde678bfc0652a652b09bebf0715
SHA1: b3d332a7242a36b3e1fb2ff695612cd885556cf1
SHA256: 9d8ddc11fa3d0c3ae0b3eed6dbeaf64fbf4e26c994925f0a45ef96e7268e7702
SHA512: dd2b2db4983143fdb5c47688fe80ffde5ea589ece71dcbe64bb83e36166e925f5ad3cfdf9cf1a240467f7a9e6201b97a0ba6362265588293e757474538bd3e81

Filesize: 2.2MB
MD5: 2d86c4ad18524003d56c1cb27c549ba8
SHA1: 123007f9337364e044b87deacf6793c2027c8f47
SHA256: 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280
SHA512: 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

Filesize: 207B
MD5: 0d6ea086cc6d41cc779c87dfe734fb2e
SHA1: 94e7fd94d6e037f1b2c792b3682d73fe0e1455ed
SHA256: 0cdfb2d390135dc804d230976e9f25e878393601ea730b8bd33cb2e1cac3d884
SHA512: 80ea8815e1a58588889e01031fc59a8573e5f53597ef3a0816fb5a4ee97f8b624f62a5b6c693b52971d1a6f3dd0de8b71d98b62608817fe637a9209799392fa8

Filesize: 207B
MD5: fcc9947eff6e30c6c33822fa213d7ae7
SHA1: e3782ea8aab2dfa96c6637f41ba1deac8c8d874f
SHA256: 5ab613e93d430b86a164551919c278f584242d2fcba8a291ea148880b21e65e9
SHA512: cc661d35f8097ff7a8951cf964ba40df7d1456cf013e48b3cca7b3fcfabc8a8a9c60c4dca1ed8496c80e10a84386389fcfb52e084891c0e14a27449a1116e09d

Filesize: 207B
MD5: 41aaf6c15cf844bbccdf71859eda3f3b
SHA1: 42a2c757f794139ae7bcf56bf290627d13f8b693
SHA256: d43caf2a91e41c0eeec74f8ae5d09195ac02b5c192ef4dd6ee44ed43ef911f05
SHA512: ffbd6f7f55fe7407551d3120fefed8d407105e35b4ecd473fa13439dcd8eda1519e38d53d87dfdd76feb1259391972038f45cf3158f4c775b8133c485f8f27fe

Filesize: 207B
MD5: 3a120ab38e35c5d469715d32a1b1e88d
SHA1: e3935686f63c41ab77ef7d3e16e8d9b38af73d82
SHA256: b7abd7e305a0e85b47b880ab6fde300e711d8c694e428518fb2abb14b62fa234
SHA512: deea585788243b2fd8bc6d3be33ffe7167b06fc5be3d78aadc1c253b5f0d8349038f1e40a72e4a18479c64f1d696bd86d11087a92fd0b467d357f04e2dcb0f1e

Filesize: 207B
MD5: 737fbb853b4df9db7abc08d207cc075b
SHA1: 9d8729e38cf913efa19c9693c6d0aa6e3d10d156
SHA256: 624a355097cfee4ab894eaddfc50f4baf098313099ce903cebef5648c954ed4a
SHA512: 984a9ff289ae067cecc717f7ec1dd847f05aebf074ffa616618ccc70ee3e3893b639f0ffa6e23607cd42eadeef614d83bbc5e8d418d00485cfa68208d529a9e3

Filesize: 789KB
MD5: e2437ac017506bbde9a81fb1f618457b
SHA1: adef2615312b31e041ccf700b3982dd50b686c7f
SHA256: 94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12
SHA512: 9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019

Filesize: 207B
MD5: 489f7eab1d48634e065e8ad7ae39b0ff
SHA1: 61a5de291fa46f0d09244907ecad71655832bff1
SHA256: 796553676de4ac0a8c223f9824fb4d9d88ab94337acc694c3f7893a5b676bc6a
SHA512: 17e15bbf347c0bb81d49a7feaa9c8fd69c62766a081e4f0983105a8f0030da342b25787964bb0ac77a11e89eea6433ca3a6a27b8329674374bf24b750cde729e

Filesize: 207B
MD5: 373acc7fcf71ccf4024430237ac12bc0
SHA1: 4d70a8df6f522943096d445385c3ec4b25d4878c
SHA256: 39567ddce2cd048e52527795c9772769228f9b18c41171bd4079cb44b2149a2c
SHA512: 9b1b51ec7cdd7207410f8f4fdbd5da68fdc531c84bd9bb47eb876d0c35d371d36acbe73dad6fcaf9a3773f609caf30279a67341a587ae29951bd8b406c2bf59a

Filesize: 207B
MD5: 7f003baeefa26978df6384379931659e
SHA1: 207095150d4047f1c16f807e231415c6e60fdb7d
SHA256: ac3a03ac298e09db7d6a5311dd6edb5f722f92fe4ec63316b6c6ffe5bdb3d847
SHA512: 406811b0873f47b2153e77b2bfb5fd6f5cf21f230c24b7374fdefa998b41d3744817ded54e00ba855e86a675628ca55e7591f25a720b7cf01dad5fd6e52f3dbd

Filesize: 207B
MD5: 305a9e341390915a6f8138d5509d2191
SHA1: c33aa939233430628a2749d68a9c5541c35fd6d5
SHA256: f1fa859468715d8408698add0751619992c44adb57343fdb0d7000e51ab7be10
SHA512: ad405b56a5c76d6706b80e2160096c166efae1b266f26bfc826c7005fa7e4549c82958183c88d72349c9414eb1278aabce164bb5f752e1f67011bc7601c366e6

Filesize: 207B
MD5: 3bff2ed1b336328ab8a2603ac8f8b75e
SHA1: 9439d2fc1d27d8206e74edbb92fc008a1399bcd1
SHA256: 98066f34f7732100ada82be43140b59eac0865d007a8dbcff7b13bb5d3267263
SHA512: 9af617aa55e5b7a0da105c6450e7c037a3fa101c0fdbac045266458cda93d9a2ee520291a31eb19ff0e93f2c7e46993ec96ca2dbb979bb7be4b81fdbc65dddd8

Filesize: 207B
MD5: 71094bcd9a30a4068d284a58aaf83476
SHA1: 5ce042fecf072a45695fe1269c62e0b4c1c176dd
SHA256: f483dbfa869baf18aec09fdbd08a9e7a4406d11052634a9cd7b4092ad7f808da
SHA512: 0772d7c6c0c247b992233ed46afec7a233de4f1199792c7d98bbd015c4933ce1b527ba1b05fe406c715f7e151639e6126e1d01b20e64d30a507bff5c6f795259

Filesize: 502KB
MD5: 92479f1615fd4fa1dd3ac7f2e6a1b329
SHA1: 0a6063d27c9f991be2053b113fcef25e071c57fd
SHA256: 0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569
SHA512: 9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c