Analysis
max time kernel: 142s
max time network: 142s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 01-09-2024 14:55
Behavioral task: behavioral1
Sample: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Resource: win7-20240708-en
General
Target: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Size: 6.1MB
MD5: 03778d811f241e83ccad830372313b3c
SHA1: 11962399abf7fc0981f324e4aa5271f36f50c5ba
SHA256: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc
SHA512: 2e17b881491e2cc9759dde852198622956682327abcc20519ab7099e25b22252a167cd7a4e6e90651a8b44b22c89a52c8fd004a62043f8fa30fe523302f6674f
SSDEEP: 98304:ulFqmwupyhcHp5ooEAnHRVN07KgHDpS18DqBRe7qxKfT1J+tNY3LU4rI2qo:uWJuMg53HRVu7vHDpS1IqBRU7kCs2q
Malware Config
Extracted
quasar
1.4.0
Chrome
live.nodenet.ml:8863
754ce6d6-f75b-4c6f-964c-3996e749369e
encryption_key: 8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D
install_name: chrome.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: System
subdirectory: chrome
Signatures

Quasar payload 12 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Roaming\chrome.exe | family_quasar
behavioral1/memory/2684-43-0x0000000000C40000-0x0000000000CC4000-memory.dmp | family_quasar
behavioral1/memory/2680-48-0x0000000000170000-0x00000000001F4000-memory.dmp | family_quasar
behavioral1/memory/2940-61-0x0000000000AB0000-0x0000000000B34000-memory.dmp | family_quasar
behavioral1/memory/2096-73-0x0000000000E00000-0x0000000000E84000-memory.dmp | family_quasar
behavioral1/memory/1784-84-0x0000000000EE0000-0x0000000000F64000-memory.dmp | family_quasar
behavioral1/memory/1632-96-0x0000000001030000-0x00000000010B4000-memory.dmp | family_quasar
behavioral1/memory/3068-118-0x00000000000A0000-0x0000000000124000-memory.dmp | family_quasar
behavioral1/memory/2896-129-0x0000000001160000-0x00000000011E4000-memory.dmp | family_quasar
behavioral1/memory/1668-141-0x0000000000300000-0x0000000000384000-memory.dmp | family_quasar
behavioral1/memory/692-152-0x0000000000240000-0x00000000002C4000-memory.dmp | family_quasar
behavioral1/memory/2332-173-0x0000000000090000-0x0000000000114000-memory.dmp | family_quasar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe

Executes dropped EXE 14 IoCs
Processes:
pid | process
2684 | chrome.exe
2836 | S^X.exe
2680 | chrome.exe
2940 | chrome.exe
2096 | chrome.exe
1784 | chrome.exe
1632 | chrome.exe
2748 | chrome.exe
3068 | chrome.exe
2896 | chrome.exe
1668 | chrome.exe
692 | chrome.exe
2156 | chrome.exe
2332 | chrome.exe

Loads dropped DLL 3 IoCs
Processes:
pid | process
2644 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
2644 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
2644 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe

Obfuscated with Agile.Net obfuscator 7 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource | yara_rule
behavioral1/memory/2644-1-0x0000000000F80000-0x0000000001594000-memory.dmp | agile_net
behavioral1/memory/2644-2-0x00000000052B0000-0x00000000058C2000-memory.dmp | agile_net
behavioral1/memory/2644-15-0x00000000052B0000-0x00000000058BC000-memory.dmp | agile_net
behavioral1/memory/2644-18-0x00000000052B0000-0x00000000058BC000-memory.dmp | agile_net
behavioral1/memory/2644-20-0x00000000052B0000-0x00000000058BC000-memory.dmp | agile_net
behavioral1/memory/2644-16-0x00000000052B0000-0x00000000058BC000-memory.dmp | agile_net
behavioral1/memory/2644-22-0x00000000052B0000-0x00000000058BC000-memory.dmp | agile_net

Processes:
resource | yara_rule
behavioral1/memory/2644-10-0x00000000743F0000-0x00000000749F8000-memory.dmp | themida
\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll | themida
behavioral1/memory/2644-11-0x00000000743F0000-0x00000000749F8000-memory.dmp | themida
behavioral1/memory/2644-12-0x00000000743F0000-0x00000000749F8000-memory.dmp | themida
behavioral1/memory/2644-41-0x00000000743F0000-0x00000000749F8000-memory.dmp | themida

Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid | process
2644 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | S^X.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
pid | process
872 | PING.EXE
756 | PING.EXE
2972 | PING.EXE
2204 | PING.EXE
848 | PING.EXE
2424 | PING.EXE
2640 | PING.EXE
2796 | PING.EXE
2132 | PING.EXE
860 | PING.EXE
2740 | PING.EXE
1824 | PING.EXE

Runs ping.exe 1 TTPs 12 IoCs
Processes:
pid | process
2640 | PING.EXE
860 | PING.EXE
848 | PING.EXE
2740 | PING.EXE
1824 | PING.EXE
872 | PING.EXE
2972 | PING.EXE
2796 | PING.EXE
2204 | PING.EXE
2132 | PING.EXE
2424 | PING.EXE
756 | PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
768 | schtasks.exe
752 | schtasks.exe
2196 | schtasks.exe
1672 | schtasks.exe
1816 | schtasks.exe
1776 | schtasks.exe
2836 | schtasks.exe
2316 | schtasks.exe
2980 | schtasks.exe
2572 | schtasks.exe
3048 | schtasks.exe
1628 | schtasks.exe
2220 | schtasks.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2684 | chrome.exe
Token: SeDebugPrivilege | 2680 | chrome.exe
Token: SeDebugPrivilege | 2836 | S^X.exe
Token: SeDebugPrivilege | 2940 | chrome.exe
Token: SeDebugPrivilege | 2096 | chrome.exe
Token: SeDebugPrivilege | 1784 | chrome.exe
Token: SeDebugPrivilege | 1632 | chrome.exe
Token: SeDebugPrivilege | 2748 | chrome.exe
Token: SeDebugPrivilege | 3068 | chrome.exe
Token: SeDebugPrivilege | 2896 | chrome.exe
Token: SeDebugPrivilege | 1668 | chrome.exe
Token: SeDebugPrivilege | 692 | chrome.exe
Token: SeDebugPrivilege | 2156 | chrome.exe
Token: SeDebugPrivilege | 2332 | chrome.exe

Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
pid | process
2680 | chrome.exe
2940 | chrome.exe
2096 | chrome.exe
1784 | chrome.exe
1632 | chrome.exe
2748 | chrome.exe
3068 | chrome.exe
2896 | chrome.exe
1668 | chrome.exe
692 | chrome.exe
2156 | chrome.exe
2332 | chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 2644 wrote to memory of 2684 | 2644 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | chrome.exe
PID 2644 wrote to memory of 2684 | 2644 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | chrome.exe
PID 2644 wrote to memory of 2684 | 2644 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | chrome.exe
PID 2644 wrote to memory of 2684 | 2644 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | chrome.exe
PID 2644 wrote to memory of 2836 | 2644 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | S^X.exe
PID 2644 wrote to memory of 2836 | 2644 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | S^X.exe
PID 2644 wrote to memory of 2836 | 2644 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | S^X.exe
PID 2644 wrote to memory of 2836 | 2644 | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | S^X.exe
PID 2684 wrote to memory of 2572 | 2684 | chrome.exe | schtasks.exe
PID 2684 wrote to memory of 2572 | 2684 | chrome.exe | schtasks.exe
PID 2684 wrote to memory of 2572 | 2684 | chrome.exe | schtasks.exe
PID 2684 wrote to memory of 2680 | 2684 | chrome.exe | chrome.exe
PID 2684 wrote to memory of 2680 | 2684 | chrome.exe | chrome.exe
PID 2684 wrote to memory of 2680 | 2684 | chrome.exe | chrome.exe
PID 2680 wrote to memory of 1816 | 2680 | chrome.exe | schtasks.exe
PID 2680 wrote to memory of 1816 | 2680 | chrome.exe | schtasks.exe
PID 2680 wrote to memory of 1816 | 2680 | chrome.exe | schtasks.exe
PID 2680 wrote to memory of 556 | 2680 | chrome.exe | cmd.exe
PID 2680 wrote to memory of 556 | 2680 | chrome.exe | cmd.exe
PID 2680 wrote to memory of 556 | 2680 | chrome.exe | cmd.exe
PID 556 wrote to memory of 1160 | 556 | cmd.exe | chcp.com
PID 556 wrote to memory of 1160 | 556 | cmd.exe | chcp.com
PID 556 wrote to memory of 1160 | 556 | cmd.exe | chcp.com
PID 556 wrote to memory of 1824 | 556 | cmd.exe | PING.EXE
PID 556 wrote to memory of 1824 | 556 | cmd.exe | PING.EXE
PID 556 wrote to memory of 1824 | 556 | cmd.exe | PING.EXE
PID 556 wrote to memory of 2940 | 556 | cmd.exe | chrome.exe
PID 556 wrote to memory of 2940 | 556 | cmd.exe | chrome.exe
PID 556 wrote to memory of 2940 | 556 | cmd.exe | chrome.exe
PID 2940 wrote to memory of 768 | 2940 | chrome.exe | schtasks.exe
PID 2940 wrote to memory of 768 | 2940 | chrome.exe | schtasks.exe
PID 2940 wrote to memory of 768 | 2940 | chrome.exe | schtasks.exe
PID 2940 wrote to memory of 1092 | 2940 | chrome.exe | cmd.exe
PID 2940 wrote to memory of 1092 | 2940 | chrome.exe | cmd.exe
PID 2940 wrote to memory of 1092 | 2940 | chrome.exe | cmd.exe
PID 1092 wrote to memory of 2312 | 1092 | cmd.exe | chcp.com
PID 1092 wrote to memory of 2312 | 1092 | cmd.exe | chcp.com
PID 1092 wrote to memory of 2312 | 1092 | cmd.exe | chcp.com
PID 1092 wrote to memory of 2424 | 1092 | cmd.exe | PING.EXE
PID 1092 wrote to memory of 2424 | 1092 | cmd.exe | PING.EXE
PID 1092 wrote to memory of 2424 | 1092 | cmd.exe | PING.EXE
PID 1092 wrote to memory of 2096 | 1092 | cmd.exe | chrome.exe
PID 1092 wrote to memory of 2096 | 1092 | cmd.exe | chrome.exe
PID 1092 wrote to memory of 2096 | 1092 | cmd.exe | chrome.exe
PID 2096 wrote to memory of 752 | 2096 | chrome.exe | schtasks.exe
PID 2096 wrote to memory of 752 | 2096 | chrome.exe | schtasks.exe
PID 2096 wrote to memory of 752 | 2096 | chrome.exe | schtasks.exe
PID 2096 wrote to memory of 2504 | 2096 | chrome.exe | cmd.exe
PID 2096 wrote to memory of 2504 | 2096 | chrome.exe | cmd.exe
PID 2096 wrote to memory of 2504 | 2096 | chrome.exe | cmd.exe
PID 2504 wrote to memory of 892 | 2504 | cmd.exe | chcp.com
PID 2504 wrote to memory of 892 | 2504 | cmd.exe | chcp.com
PID 2504 wrote to memory of 892 | 2504 | cmd.exe | chcp.com
PID 2504 wrote to memory of 872 | 2504 | cmd.exe | PING.EXE
PID 2504 wrote to memory of 872 | 2504 | cmd.exe | PING.EXE
PID 2504 wrote to memory of 872 | 2504 | cmd.exe | PING.EXE
PID 2504 wrote to memory of 1784 | 2504 | cmd.exe | chrome.exe
PID 2504 wrote to memory of 1784 | 2504 | cmd.exe | chrome.exe
PID 2504 wrote to memory of 1784 | 2504 | cmd.exe | chrome.exe
PID 1784 wrote to memory of 1776 | 1784 | chrome.exe | schtasks.exe
PID 1784 wrote to memory of 1776 | 1784 | chrome.exe | schtasks.exe
PID 1784 wrote to memory of 1776 | 1784 | chrome.exe | schtasks.exe
PID 1784 wrote to memory of 2440 | 1784 | chrome.exe | cmd.exe
PID 1784 wrote to memory of 2440 | 1784 | chrome.exe | cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2644

[depth 2] C:\Users\Admin\AppData\Roaming\chrome.exe
  command line: "C:\Users\Admin\AppData\Roaming\chrome.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2684

[depth 3] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 2572

[depth 3] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2680

[depth 4] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 1816

[depth 4] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\e9oKJ2zBGeu3.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 556

[depth 5] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 1160

[depth 5] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 1824

[depth 5] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2940

[depth 6] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 768

[depth 6] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\2VOKWRR3fdvx.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 1092

[depth 7] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 2312

[depth 7] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 2424

[depth 7] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2096

[depth 8] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 752

[depth 8] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\BnI06RqNvZpP.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 2504

[depth 9] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 892

[depth 9] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 872

[depth 9] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1784

[depth 10] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 1776

[depth 10] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\zaBfDuKGOWZ3.bat" "
  PID: 2440

[depth 11] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 1984

[depth 11] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 756

[depth 11] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 1632

[depth 12] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 3048

[depth 12] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Fd1RQsqva95F.bat" "
  PID: 1764

[depth 13] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 1332

[depth 13] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 2640

[depth 13] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 2748

[depth 14] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 2220

[depth 14] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\5DfporpZMB3J.bat" "
  PID: 2716

[depth 15] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 1868

[depth 15] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 2972

[depth 15] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 3068

[depth 16] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 2196

[depth 16] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\o4CnitZ1i5DM.bat" "
  PID: 2996

[depth 17] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 1572

[depth 17] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 2796

[depth 17] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 2896

[depth 18] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 2836

[depth 18] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\C63S5h9WZFZ3.bat" "
  PID: 768

[depth 19] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 2016

[depth 19] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 2204

[depth 19] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 1668

[depth 20] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 1672

[depth 20] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\EaHnt8sNMUC9.bat" "
  PID: 2916

[depth 21] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 1152

[depth 21] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 2132

[depth 21] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 692

[depth 22] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 1628

[depth 22] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\sok6wQ1EBFVi.bat" "
  PID: 1864

[depth 23] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 3036

[depth 23] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 860

[depth 23] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 2156

[depth 24] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 2316

[depth 24] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\47ZfCqBms3T5.bat" "
  PID: 2476

[depth 25] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 1740

[depth 25] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 848

[depth 25] C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 2332

[depth 26] C:\Windows\system32\schtasks.exe
  command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 2980

[depth 26] C:\Windows\system32\cmd.exe
  command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\IpxqiXMjAxp1.bat" "
  PID: 2640

[depth 27] C:\Windows\system32\chcp.com
  command line: chcp 65001
  PID: 2564

[depth 27] C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 2740

[depth 2] C:\Users\Admin\AppData\Local\Temp\S^X.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\S^X.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 2836
Network
MITRE ATT&CK Enterprise v15
Downloads