Analysis Overview
SHA256
75a58e896b1e5f70dceb2bc8e189ec19f600cb2df28196af4ba05711bea7ce3f
Threat Level: Known bad
The file 03778d811f241e83ccad830372313b3c.zip was found to be: Known bad.
Malicious Activity Summary
Quasar payload
Quasar RAT
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Loads dropped DLL
Checks computer location settings
Obfuscated with Agile.Net obfuscator
Themida packer
Executes dropped EXE
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Enumerates physical storage devices
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-01 14:57
Signatures
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-01 14:57
Reported
2024-09-01 15:02
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\S^X.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"
C:\Users\Admin\AppData\Roaming\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome.exe"
C:\Users\Admin\AppData\Local\Temp\S^X.exe
"C:\Users\Admin\AppData\Local\Temp\S^X.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TiO2x4T1iMHw.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\V5vYhonXox7B.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rrH8RC6Cqb4U.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0Jq6v8MQqba6.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GaDly6luJKfo.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HkRfqyzAeuC5.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b4HPmBq25jFh.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7wssTq9a2idU.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gLS8sxroRDz3.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cdiwTGuls5CO.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lpZwYkFlSXLZ.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RPNiXERGK92f.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TdcC7oPPZfP2.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B2xbX3CQyoIF.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YhXDXisMRfHD.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | synapse.to | udp |
| US | 104.21.21.210:443 | synapse.to | tcp |
| US | 8.8.8.8:53 | 210.21.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
Files
memory/3776-0-0x0000000074A6E000-0x0000000074A6F000-memory.dmp
memory/3776-1-0x0000000000F60000-0x0000000001574000-memory.dmp
memory/3776-2-0x0000000006020000-0x0000000006632000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll
| MD5 | 2d86c4ad18524003d56c1cb27c549ba8 |
| SHA1 | 123007f9337364e044b87deacf6793c2027c8f47 |
| SHA256 | 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280 |
| SHA512 | 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c |
memory/3776-11-0x0000000071B40000-0x0000000072148000-memory.dmp
memory/3776-10-0x0000000074A60000-0x0000000075210000-memory.dmp
memory/3776-12-0x0000000071B40000-0x0000000072148000-memory.dmp
memory/3776-13-0x0000000071B40000-0x0000000072148000-memory.dmp
memory/3776-16-0x0000000006020000-0x000000000662C000-memory.dmp
memory/3776-22-0x0000000006020000-0x000000000662C000-memory.dmp
memory/3776-20-0x0000000006020000-0x000000000662C000-memory.dmp
memory/3776-24-0x0000000005FE0000-0x0000000005FE8000-memory.dmp
memory/3776-23-0x0000000006A00000-0x0000000006AB2000-memory.dmp
memory/3776-18-0x0000000006020000-0x000000000662C000-memory.dmp
memory/3776-15-0x0000000006020000-0x000000000662C000-memory.dmp
memory/3776-14-0x0000000073470000-0x00000000734F9000-memory.dmp
C:\Users\Admin\AppData\Roaming\chrome.exe
| MD5 | 92479f1615fd4fa1dd3ac7f2e6a1b329 |
| SHA1 | 0a6063d27c9f991be2053b113fcef25e071c57fd |
| SHA256 | 0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569 |
| SHA512 | 9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c |
C:\Users\Admin\AppData\Local\Temp\S^X.exe
| MD5 | e2437ac017506bbde9a81fb1f618457b |
| SHA1 | adef2615312b31e041ccf700b3982dd50b686c7f |
| SHA256 | 94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12 |
| SHA512 | 9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019 |
memory/3776-50-0x0000000071B40000-0x0000000072148000-memory.dmp
memory/4616-51-0x0000000000BB0000-0x0000000000C34000-memory.dmp
memory/4980-52-0x0000000000A30000-0x0000000000AFC000-memory.dmp
memory/4980-49-0x0000000074A6E000-0x0000000074A6F000-memory.dmp
memory/4980-54-0x0000000005940000-0x0000000005EE4000-memory.dmp
memory/4980-55-0x0000000005430000-0x00000000054C2000-memory.dmp
memory/4616-53-0x000000001B9A0000-0x000000001B9B0000-memory.dmp
memory/3776-56-0x0000000074A60000-0x0000000075210000-memory.dmp
memory/4616-45-0x00007FFEF7F83000-0x00007FFEF7F85000-memory.dmp
memory/3332-62-0x000000001B230000-0x000000001B280000-memory.dmp
memory/3332-63-0x000000001B940000-0x000000001B9F2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chrome.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
C:\Users\Admin\AppData\Local\Temp\TiO2x4T1iMHw.bat
| MD5 | b6f3d4c6ba905d99aeca54c8864de6ec |
| SHA1 | 3b75c3d52ae850cbbe71c8666b2571dca27eac2f |
| SHA256 | a6eb8de8d9dab52ea770d95dac9184f717b06428daa3208261c539249455a343 |
| SHA512 | ee493f7e6b476f8921e37816683f532af412e699b58beab903ba636843c05df04699dac2fd149f6b9b8a479ffeea35449b41bd5de4bf1920a8b90cd54a6a59ce |
memory/4980-69-0x0000000005330000-0x0000000005340000-memory.dmp
memory/4980-70-0x0000000074A6E000-0x0000000074A6F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\V5vYhonXox7B.bat
| MD5 | afdef4dba7493b79d32d251afe2cd794 |
| SHA1 | 384a56c375565142ba7edc55d39c177ec15cc157 |
| SHA256 | 6ed84fcad8888d3c1758b3bdfa3e6991c037f09bebf4b5343e4ca4b236e0ce89 |
| SHA512 | 9bc87d93d85064f2bb82306871c729a4ab3aa4847b39cd8ca060fe6f28f73926b900dc7d3fa90302f0a2478adfc1a5c3d3111e69f9b89ce474518bed1132b64c |
C:\Users\Admin\AppData\Local\Temp\rrH8RC6Cqb4U.bat
| MD5 | 01ed264a01942d159c428e62cabf2543 |
| SHA1 | 7fb7ca8c4a7acb4ed6d3a3cc64514e26f7d67dfe |
| SHA256 | c43bc14b24811cd901fb437a334e2f67beb0594f7a97e9a78f4ef255fffc7b60 |
| SHA512 | bbd49c870137544c25996d6ce1626eefe0c77910f67842ca87057c2b42b0619098eb3a9f6dfcf16807727454c1ac2c10f5e52bd5ed33237809bbd204afe2aad1 |
C:\Users\Admin\AppData\Local\Temp\0Jq6v8MQqba6.bat
| MD5 | f32de3802c6cbf6d3aba7f57874d7352 |
| SHA1 | 0ed829a6c433534236fb57d99db723a820e6990c |
| SHA256 | fdb810e759620151d6d662fca1ef22d3c43b2b08d200fc939caf031ddbf70d5d |
| SHA512 | f100e127021b4aaa8c93366f20920a6d392abde3c6d2cc0c93c0f8fba59ea4af8b5ade09d72326bdcb328caba3917ed01c21ee99a13de8226fd7203403e5211b |
C:\Users\Admin\AppData\Local\Temp\GaDly6luJKfo.bat
| MD5 | 43ebd6e866d007f5c1a5301433fb3ca7 |
| SHA1 | cfc91b26b54685342ace9366b54ccd8a9d9b7109 |
| SHA256 | 8719916f0748a73dc37dd193e38ff8785f664fb0fbd926062e53832d2ed0da0b |
| SHA512 | 3f52192218db1de75c42a6764645d2c87fd1f84e0c5da155a9c695113f762fac4f1855cf756fe01bcf2cc2067b36aa517769986ee0b6f56c0a659814118606c7 |
C:\Users\Admin\AppData\Local\Temp\HkRfqyzAeuC5.bat
| MD5 | d439eeaf720b1bc0e786f50f345f0418 |
| SHA1 | b12de7a5791ab234714b840aa0f172b8ed4de282 |
| SHA256 | 9d026d48a6cc04a568446fc003728fcf78903840f8e5c448852a930a55a0f562 |
| SHA512 | cf5b26da49245132ed1dc91b3fcc0f94f0213e5c39b57e978cf4dc2347e3b5c6b18a6042287b72ee87110f3fb487437aaaad639895dc70ec546b587c87f9fa26 |
C:\Users\Admin\AppData\Local\Temp\b4HPmBq25jFh.bat
| MD5 | 442e9156b557f1eb3b0e15e5964c05b4 |
| SHA1 | c5278a33b21b1b639f8bcef1e23a70ff5d090ff8 |
| SHA256 | 6a2c8161d1b771747a3c0fefbb8713e6fed01d0b8d3e3a49ff64945846e975e9 |
| SHA512 | 9d4a2c14e2d6474f5e4e90971cf1cf436c4461d7d771d00eedba05a3243548fa8c951be9140444dc4de463e6459caf1237fdcdf96d243ca8768e1ed394090016 |
C:\Users\Admin\AppData\Local\Temp\7wssTq9a2idU.bat
| MD5 | 1099cd0f80bcfd025ea4ca95d423b552 |
| SHA1 | 5eabd8742e7484e08cf8c79316c7028e36d4aa16 |
| SHA256 | b90f4d040240c821577bc7bf7baaa9b2697158405a6b7cc10177ce303f2c852e |
| SHA512 | ae2c2106ae2968832fc924020b45ffcd60a99a9c92e70c4641625c4499fe7b37912f84bbf1ae0674ca23f3223b507921577a016743d1cf2fa05144c262ad143d |
C:\Users\Admin\AppData\Local\Temp\gLS8sxroRDz3.bat
| MD5 | c73f161d233f51c299aaae240a535b3f |
| SHA1 | 321f0c8b9deae1a9b0749f4f0e5a7cc92a285ccd |
| SHA256 | 22381321819aebac6f48759195bbf5e048d4f7680195a9a2af2473750fb4db2a |
| SHA512 | a63d16a7b3d8ab291c6472ab048ef5b0dbe745e7394f5edabf30f2d2f3046cb21b99232644b899dcadc89cdce1b1be4cccab7e2f5a1da9fda7b84dcd2e970020 |
C:\Users\Admin\AppData\Local\Temp\cdiwTGuls5CO.bat
| MD5 | 007b524401a4e293868e5706d69079f2 |
| SHA1 | a1ba39298b6c8b7ba4abf5f60959208057a394b9 |
| SHA256 | 4bc9994a35c11b1f78a55078403eb20ec3619e46da0d6958c013691f73df6a6c |
| SHA512 | f3efec4df7da7b859b855396166c01c6cfbbc9b5fed95ea107e7510ad0e1eb91736e93648a0af9945f4706be45b530495e50866034b911d6429d610b96a365ee |
C:\Users\Admin\AppData\Local\Temp\lpZwYkFlSXLZ.bat
| MD5 | 9ff22bfff9b76d0d0f018c41b6cf075f |
| SHA1 | 3c300bd8b08f44efa89a6439755ad794a9722f19 |
| SHA256 | 3112a35c44ff78b51c439b5746f73a09ff623e5bcb64950e68e3b948c3ede5e1 |
| SHA512 | 580e1142a8131d1f8ff0e21c6eaba6d401248a61a2946ddc7ce9c9bd9bf98c09726d47c8a72e020ed91c32860d90ed75d72cfdb2af5c9182b0ad6b4059c002f1 |
C:\Users\Admin\AppData\Local\Temp\RPNiXERGK92f.bat
| MD5 | 898acd16a042ed1677d257cfedcde4c2 |
| SHA1 | e72c2856ea32bb6579ce88fa6d015252ae2052d4 |
| SHA256 | 858ad82fa85c24efbb56c53fd975026b0a7281cebe5f5c3a271d78b433347f05 |
| SHA512 | 5b8b660d80d6526d63586d1a3cb9a27516063af09a8955ffde477b924d3481e0d008c79c3c060320179f83fb673004e54c6a5b6577f622a05d0c15d66879f1a7 |
C:\Users\Admin\AppData\Local\Temp\TdcC7oPPZfP2.bat
| MD5 | ee4b372d11bd9cfdb97a1a956640a9a7 |
| SHA1 | 042042b747966bc2cef0aa71aa61aedf8949d1d2 |
| SHA256 | 8fd4ed1bc683e0238b5aaf0346d4f4ad2c38f40fc0cd5cddbdee6959cec1d4f8 |
| SHA512 | ab5afe2afa9060ec380c1c2440be2d932d0271d4e7a87f87f614911212b3b5f5c5db835a032dddef1f8d913558182a783c58050449366b0c82448071c3a274a1 |
C:\Users\Admin\AppData\Local\Temp\B2xbX3CQyoIF.bat
| MD5 | 91e74abf3c49522f88ad2c44eec276e8 |
| SHA1 | 5324d3da7bc1850eca13bdafd1e88b1b80a42773 |
| SHA256 | 52d0d5357cbc0979462c70d7376259cea3b18d0ae8e8b8eb88d1dee5145ced91 |
| SHA512 | dabf95210618bec848217b7f6023c460ff7440ce6ddad893e465d11db99043aeb6a8bba39a904799bd299186acc4356433a09fa26f056af78e898a5faf9d7263 |
C:\Users\Admin\AppData\Local\Temp\YhXDXisMRfHD.bat
| MD5 | 27f2a94137619ccdbb7858d263410058 |
| SHA1 | aa558a6da002d5738139c66c8583784c44291d8a |
| SHA256 | 628ff10c33fb53e5e4403304523bca9d413d5350a56ac678623f0798c0d308f0 |
| SHA512 | f4f344796e00554014c229fc3bb410c4e8305b495db2292e2cec0d303e3120f612fd3f27905e0ed10bce5b7a31273bdca3883ecdd27aa53698935b2b310f9752 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-01 14:57
Reported
2024-09-01 15:02
Platform
win7-20240704-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\S^X.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\S^X.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
"C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"
C:\Users\Admin\AppData\Roaming\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome.exe"
C:\Users\Admin\AppData\Local\Temp\S^X.exe
"C:\Users\Admin\AppData\Local\Temp\S^X.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\i0eLT3CDrcsP.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lgy77yBnfgd4.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\x1sOgQvrmJpW.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zcB5uutlq6lA.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\4ExnliY9lQHH.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RXsEs3akRUBY.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kMpbiBvEGy5W.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7xUK3UEXFuny.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aA0V4lxnv0tG.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cHWIGHONmkPF.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CtAV2ZffacSe.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rv3TtwJUxUYx.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | live.nodenet.ml | udp |
| US | 8.8.8.8:53 | synapse.to | udp |
| US | 104.21.21.210:443 | synapse.to | tcp |
Files
memory/2088-0-0x000000007427E000-0x000000007427F000-memory.dmp
memory/2088-1-0x00000000003D0000-0x00000000009E4000-memory.dmp
memory/2088-2-0x0000000005180000-0x0000000005792000-memory.dmp
memory/2088-5-0x0000000074270000-0x000000007495E000-memory.dmp
\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll
| MD5 | 2d86c4ad18524003d56c1cb27c549ba8 |
| SHA1 | 123007f9337364e044b87deacf6793c2027c8f47 |
| SHA256 | 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280 |
| SHA512 | 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c |
memory/2088-10-0x0000000073C10000-0x0000000074218000-memory.dmp
memory/2088-11-0x0000000073C10000-0x0000000074218000-memory.dmp
memory/2088-12-0x0000000074270000-0x000000007495E000-memory.dmp
memory/2088-13-0x0000000073C10000-0x0000000074218000-memory.dmp
memory/2088-14-0x0000000074AC0000-0x0000000074B40000-memory.dmp
memory/2088-16-0x0000000005180000-0x000000000578C000-memory.dmp
memory/2088-18-0x0000000005180000-0x000000000578C000-memory.dmp
memory/2088-20-0x0000000005180000-0x000000000578C000-memory.dmp
memory/2088-15-0x0000000005180000-0x000000000578C000-memory.dmp
memory/2088-22-0x0000000005180000-0x000000000578C000-memory.dmp
memory/2088-24-0x00000000002B0000-0x00000000002B8000-memory.dmp
memory/2088-23-0x0000000005890000-0x0000000005942000-memory.dmp
C:\Users\Admin\AppData\Roaming\chrome.exe
| MD5 | 92479f1615fd4fa1dd3ac7f2e6a1b329 |
| SHA1 | 0a6063d27c9f991be2053b113fcef25e071c57fd |
| SHA256 | 0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569 |
| SHA512 | 9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c |
C:\Users\Admin\AppData\Local\Temp\S^X.exe
| MD5 | e2437ac017506bbde9a81fb1f618457b |
| SHA1 | adef2615312b31e041ccf700b3982dd50b686c7f |
| SHA256 | 94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12 |
| SHA512 | 9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019 |
memory/804-38-0x0000000000320000-0x00000000003EC000-memory.dmp
memory/2328-39-0x0000000000F60000-0x0000000000FE4000-memory.dmp
memory/2088-41-0x0000000074270000-0x000000007495E000-memory.dmp
memory/2088-40-0x0000000073C10000-0x0000000074218000-memory.dmp
memory/2716-46-0x0000000000FB0000-0x0000000001034000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\i0eLT3CDrcsP.bat
| MD5 | 11a3f682422c894ffcf7ff74c8c37777 |
| SHA1 | 253f00d9e3ced673f70ec75e2e19d49afaa02c19 |
| SHA256 | 441165aaf4c7c750fa4da7a221c44f42c8115c8ae8c5c8f01aee6e544ccceda7 |
| SHA512 | 00db475985b59547f05ce05ad0c4cb8ae9c67a10254d110e2e12e64354cf6af8a53c2dd4caa15731a1f8ff94d51a25f74e0ab03356ef65516d08142f61889f20 |
memory/1312-57-0x0000000001370000-0x00000000013F4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lgy77yBnfgd4.bat
| MD5 | f5d9bab7e7b3b084f68bfc2b9958f518 |
| SHA1 | a9490386eecc066bf08b7ac431eb9be09229cee5 |
| SHA256 | e3f68651641bd4e2e14c61bfb017c46f00b97ea93d4cc3602cbcc6a41c56ad4f |
| SHA512 | d40b0716a1ab6bc2fc6113db29ab623ecfd9e7ee6eb1a2cd45f9bf36ea138a2c1b92c9813eed7ac59dbd454bbf137c96b6e1c486e7a65850a80f7ee4e6717fd0 |
memory/1212-68-0x0000000000320000-0x00000000003A4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\x1sOgQvrmJpW.bat
| MD5 | 9d5f4362a6e6f39153f3f9fd8cc7175c |
| SHA1 | f57260683217119d914f80b7d3f74109edc79f4c |
| SHA256 | 0b88ce448aceae0aa135272d3561f6ebd152ec7123c9b6aca438e5356006ec56 |
| SHA512 | 695b6d149ff857aeb125e11785bdfce2084fe3712181db2e46a4a76f57ffe734a69118bbc0930b8561e9c7ed16c47910f3dfcbfd54b19af47b8cd4106b29a967 |
memory/800-79-0x00000000008B0000-0x0000000000934000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zcB5uutlq6lA.bat
| MD5 | 228e49854952a287beaafbac94a1b658 |
| SHA1 | 7d29e116e3228d2589a6e7c1525b85f034f0406f |
| SHA256 | a4e268c4ae6d8c8e64417c80d50990229426371847e48cc295b955625a37f54c |
| SHA512 | a5e80bd757e48f1bf36602bd054b7dde836bcaf89845e16c5bc9a2b07bc861eda016a925a52f9681ba5a1c718e276078084a5f7eec9d1ffe70e2f43b36633504 |
memory/1568-90-0x00000000003D0000-0x0000000000454000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4ExnliY9lQHH.bat
| MD5 | 99b55040d0399e8dd71c1d658b40ccff |
| SHA1 | e55c100b87205b691de629d5afee08ba685a00b2 |
| SHA256 | f639b2d28b1ae89d668b74c561026b3686c4e5c82825dbc9427f0a930d573c06 |
| SHA512 | 19a83e37960171d263321d93359ff726cee30feacedac354dd0ccc6dce750ac48050ca9d3ae097b52c0765104e9730e7a482dcae7955688bc7862aa8b59d0a9f |
memory/112-101-0x00000000011C0000-0x0000000001244000-memory.dmp
\??\PIPE\lsarpc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\RXsEs3akRUBY.bat
| MD5 | f04e69d8c9229c5231f8fe68aaab5617 |
| SHA1 | bd2136d155d309b3631f84bf89e6ac7e9b768699 |
| SHA256 | c6ca074c8f3efeb7b93405a8cb138688c268e7a0b71c160e5f844850261c6254 |
| SHA512 | 45f32568b5797c8ddfa3b7f25db63cd030d76e9c95d86e819010ed1ff218888292ae257a07172068d26eb03fb81b9a29bd63055462706442367a1cf3bfcc69f2 |
C:\Users\Admin\AppData\Local\Temp\kMpbiBvEGy5W.bat
| MD5 | bbd031c13d05fff36ecc3cdb6b054cca |
| SHA1 | 418ce242b351c90086101000202c2dc8ed4a5fe3 |
| SHA256 | 308ec0ddc5bcccee8a5fb1e87be74f77139a75e7af36d502c5d6018120490a02 |
| SHA512 | c106f5a707e8fecc84e205497ca07329b4f6c6826c77f0a4e81ef2b327bbb0ad1224575f6a99f0917a79ce32421842406965c60190c0e841282aac6de23af4b9 |
memory/1292-123-0x0000000001340000-0x00000000013C4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7xUK3UEXFuny.bat
| MD5 | ccfd20748cc6e3bdfba753c06bd18e31 |
| SHA1 | 0cf83fac723a86c0787c72bef5ae69e6fb9614c7 |
| SHA256 | bac21b88ffb6fe287e48b4f2b9d4edb06a6e5251f6668c5484bd70bd2add1b5a |
| SHA512 | 2c026068276e04675c9f5ab3fe113dea707841d057780699e47677797ba5eb4b9248f846fff4076bc3502eebfdf2bda90cb2f7682f459b2f02abd82cab0f1897 |
C:\Users\Admin\AppData\Local\Temp\aA0V4lxnv0tG.bat
| MD5 | fb604e0650254fbdcde4eeed7c0cee4f |
| SHA1 | 8b37a0023668390d4d1863955aa2fc585229a5cb |
| SHA256 | e422cdcfdb5a166ca1e9f17e49fcefe74a843fc8928c617f7821d7f455bc1dda |
| SHA512 | 53e0c842a76261dcd222deb5d1b272fa759aab948a6e88029fe03b03bdb09ee3880ccadcda32f8137ba5b9d1f2d3fb35ae7542ed3ea6a29d6a5a2d3c4edc33e1 |
memory/2928-145-0x0000000000110000-0x0000000000194000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cHWIGHONmkPF.bat
| MD5 | 05d0c9fa24f3849c7d4ab0810628ace7 |
| SHA1 | 69eac2cf3602157d7f612888c954ba3ac238a13a |
| SHA256 | 95ab3743a40e2a7c3b8146077ea5d045b5f3d443d4036d966d0bb6d817eed916 |
| SHA512 | 9793e8000331a944258f1269bd4984757eb3e5d5ebef54d8702b7d44d75d08f4a843ca6cd885c03f6516bfc2e5078097b28a2c3376358d169177716cbe813f99 |
memory/2204-156-0x0000000000180000-0x0000000000204000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CtAV2ZffacSe.bat
| MD5 | af249ed787f0cd9656c005fab6863fb0 |
| SHA1 | 985116a66ecc5ae92dfd366aded082eb2667e84f |
| SHA256 | a86d69dcb9b6b0cbe1240c1dbc3b7eae31f7d340d38e2fb9598822f0e271ef95 |
| SHA512 | 82fce7466aaa53bbcc349bb90d24a791141eb1855cd8183eefc0e45c808f69deb5b00b46e4b18c4465fec7923e0b2b7da383e86ed029dbaeedd45c3753857eb1 |
memory/988-167-0x00000000013C0000-0x0000000001444000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rv3TtwJUxUYx.bat
| MD5 | 5248c136f1e5632c8ee8811dc90bfd8f |
| SHA1 | 51f64cefe26036e2ea83b362a1c57afaa0f7742c |
| SHA256 | 36db850314f0e075baa65631ef5c72244d7e0b9771fe0ff6a62181181f5753cd |
| SHA512 | 29a8bad4962f6277f000e3d5fabfb14f8a3f69fdb00551d39780b126d3c8f076545be8913f4891ff870cc92ff3999bdbd746216bb430ff803ad5fbc7f5ac9d8b |
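Two things in the Files section are easy to get wrong when turning it into indicators. The `memory/<pid>-<n>-<start>-<end>-memory.dmp` entries are dumps of mapped regions, not files on disk, and carry no digests. The `\??\PIPE\lsarpc` entry does carry digests, but they are the MD5, SHA-1, SHA-256 and SHA-512 of zero-length input (the sandbox hashed a named-pipe handle), so they must not be shipped as file IOCs. The script below is an added example for this report, not the sandbox's own tooling: it parses the section in the layout used above (a name line followed by `| ALGO | digest |` rows), checks digest lengths, separates memory dumps from dropped files, and flags entries whose digests match the empty input, computing those reference digests at runtime rather than trusting a hard-coded list. The excerpt is copied from the Files section; the helper names are this example's own.

```python
"""Triage the Files section of a sandbox report.

Added example for this report, not the sandbox's own tooling.  The excerpt
below is copied from the Files section; helper names are this example's.
"""
import hashlib
import re

# Constructed excerpt of the Files section (one memory dump, two dropped
# files, and the named-pipe entry).
REPORT_EXCERPT = r"""
memory/2088-1-0x00000000003D0000-0x00000000009E4000-memory.dmp
C:\Users\Admin\AppData\Roaming\chrome.exe
| MD5 | 92479f1615fd4fa1dd3ac7f2e6a1b329 |
| SHA1 | 0a6063d27c9f991be2053b113fcef25e071c57fd |
| SHA256 | 0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569 |
C:\Users\Admin\AppData\Local\Temp\i0eLT3CDrcsP.bat
| MD5 | 11a3f682422c894ffcf7ff74c8c37777 |
| SHA256 | 441165aaf4c7c750fa4da7a221c44f42c8115c8ae8c5c8f01aee6e544ccceda7 |
\??\PIPE\lsarpc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
"""

DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Digests of b"" computed at runtime rather than hard-coded.
EMPTY_DIGESTS = {a: hashlib.new(a, b"").hexdigest() for a in DIGEST_LEN}
ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEMDUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


def parse_files_section(text):
    """Return [(name, {algo: digest})] in report order; reject malformed digests."""
    entries = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m:
            if not entries:
                raise ValueError("digest row before any file name")
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if len(digest) != DIGEST_LEN[algo]:
                raise ValueError(f"{entries[-1][0]}: {algo} digest has wrong length")
            entries[-1][1][algo] = digest
        else:
            entries.append((line, {}))
    return entries


def classify(name, digests):
    """Memory dump, dropped file, or a hashed handle that is not a payload."""
    m = MEMDUMP_RE.match(name)
    if m:
        return {"kind": "memory_dump", "pid": int(m.group("pid")),
                "size": int(m.group("end"), 16) - int(m.group("start"), 16)}
    if digests and all(digests[a] == EMPTY_DIGESTS[a] for a in digests):
        # Every digest equals the empty input: the sandbox hashed a handle
        # (here a named pipe), not file content.  Not an IOC.
        return {"kind": "not_a_payload", "name": name}
    return {"kind": "dropped_file", "name": name, "digests": digests}


def triage(text):
    """Group a Files section into dropped files, memory dumps and non-payload entries."""
    out = {"dropped": [], "memory_dumps": [], "not_a_payload": []}
    for name, digests in parse_files_section(text):
        c = classify(name, digests)
        if c["kind"] == "memory_dump":
            out["memory_dumps"].append({"pid": c["pid"], "size": c["size"]})
        elif c["kind"] == "not_a_payload":
            out["not_a_payload"].append(name)
        else:
            out["dropped"].append({"name": name, "sha256": digests.get("sha256")})
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(triage(REPORT_EXCERPT), indent=2))
```

Fed the full Files section above, the same code yields the dropped-file set (the two `chrome.exe` stages, `S^X.exe`, `AgileDotNetRT.dll` and the batch files), one memory-dump list per PID, and a single non-payload entry for `\??\PIPE\lsarpc`.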