Analysis
max time kernel: 143s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-09-2024 18:58
Behavioral task: behavioral1
Sample: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Resource: win7-20240708-en
General
Target: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Size: 6.1MB
MD5: 03778d811f241e83ccad830372313b3c
SHA1: 11962399abf7fc0981f324e4aa5271f36f50c5ba
SHA256: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc
SHA512: 2e17b881491e2cc9759dde852198622956682327abcc20519ab7099e25b22252a167cd7a4e6e90651a8b44b22c89a52c8fd004a62043f8fa30fe523302f6674f
SSDEEP: 98304:ulFqmwupyhcHp5ooEAnHRVN07KgHDpS18DqBRe7qxKfT1J+tNY3LU4rI2qo:uWJuMg53HRVu7vHDpS1IqBRU7kCs2q
Malware Config
Extracted
Family: quasar
Version: 1.4.0
Botnet: Chrome
C2: live.nodenet.ml:8863
Mutex: 754ce6d6-f75b-4c6f-964c-3996e749369e
encryption_key: 8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D
install_name: chrome.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: System
subdirectory: chrome
Signatures
Quasar payload (2 IoCs)
Processes:
resource: C:\Users\Admin\AppData\Roaming\chrome.exe, yara_rule: family_quasar
resource: behavioral2/memory/4740-51-0x00000000003F0000-0x0000000000474000-memory.dmp, yara_rule: family_quasar
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Processes:
description: Key opened, ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__, process: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
description: Key value queried, ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion, process: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
description: Key value queried, ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion, process: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Checks computer location settings (2 TTPs, 15 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Processes:
description: Key value queried, ioc: \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation, process: chrome.exe (14 instances)
description: Key value queried, ioc: \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation, process: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe (1 instance)
Executes dropped EXE (16 IoCs)
Processes:
chrome.exe: PIDs 4740, 324, 2148, 3672, 5064, 3152, 1844, 3960, 3384, 2040, 2412, 4476, 4112, 3508, 212
S^X.exe: PID 4208
Loads dropped DLL (1 IoC)
Processes:
pid: 4160, process: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Obfuscated with Agile.Net obfuscator (7 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource: behavioral2/memory/4160-1-0x0000000000480000-0x0000000000A94000-memory.dmp, yara_rule: agile_net
resource: behavioral2/memory/4160-2-0x0000000005560000-0x0000000005B72000-memory.dmp, yara_rule: agile_net
resource: behavioral2/memory/4160-17-0x0000000005560000-0x0000000005B6C000-memory.dmp, yara_rule: agile_net
resource: behavioral2/memory/4160-16-0x0000000005560000-0x0000000005B6C000-memory.dmp, yara_rule: agile_net
resource: behavioral2/memory/4160-19-0x0000000005560000-0x0000000005B6C000-memory.dmp, yara_rule: agile_net
resource: behavioral2/memory/4160-23-0x0000000005560000-0x0000000005B6C000-memory.dmp, yara_rule: agile_net
resource: behavioral2/memory/4160-21-0x0000000005560000-0x0000000005B6C000-memory.dmp, yara_rule: agile_net
Processes:
resource: C:\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll, yara_rule: themida
resource: behavioral2/memory/4160-11-0x0000000071B60000-0x0000000072168000-memory.dmp, yara_rule: themida
resource: behavioral2/memory/4160-12-0x0000000071B60000-0x0000000072168000-memory.dmp, yara_rule: themida
resource: behavioral2/memory/4160-14-0x0000000071B60000-0x0000000072168000-memory.dmp, yara_rule: themida
resource: behavioral2/memory/4160-50-0x0000000071B60000-0x0000000072168000-memory.dmp, yara_rule: themida
Checks whether UAC is enabled (1 IoC)
Processes:
description: Key value queried, ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, process: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes:
pid: 4160, process: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process: 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process: S^X.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 14 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
Processes:
PING.EXE: PIDs 4088, 4740, 2872, 1180, 5028, 3972, 1608, 3156, 4452, 3440, 1044, 4308, 1408, 3360
Runs ping.exe (1 TTP, 14 IoCs)
Processes:
PING.EXE: PIDs 4088, 5028, 3972, 3360, 1044, 2872, 1608, 4740, 1408, 4452, 1180, 4308, 3440, 3156
Scheduled Task/Job: Scheduled Task (1 TTP, 15 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe: PIDs 1464, 2764, 3392, 1860, 912, 2256, 552, 4084, 3412, 4364, 3640, 3176, 4052, 1004, 4920
Suspicious use of AdjustPrivilegeToken (16 IoCs)
Processes:
Token: SeDebugPrivilege, process: chrome.exe, PIDs 4740, 324, 2148, 3672, 5064, 3152, 1844, 3960, 3384, 2040, 2412, 4476, 4112, 3508, 212
Token: SeDebugPrivilege, process: S^X.exe, PID 4208
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (unique parent/target pairs; the raw report records most pairs twice):
PID 4160 (95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe) wrote to memory of PID 4740 (chrome.exe)
PID 4160 (95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe) wrote to memory of PID 4208 (S^X.exe)
PID 4740 (chrome.exe) wrote to memory of PID 3392 (schtasks.exe)
PID 4740 (chrome.exe) wrote to memory of PID 324 (chrome.exe)
PID 324 (chrome.exe) wrote to memory of PID 3412 (schtasks.exe)
PID 324 (chrome.exe) wrote to memory of PID 3228 (cmd.exe)
PID 3228 (cmd.exe) wrote to memory of PID 1972 (chcp.com)
PID 3228 (cmd.exe) wrote to memory of PID 4308 (PING.EXE)
PID 3228 (cmd.exe) wrote to memory of PID 2148 (chrome.exe)
PID 2148 (chrome.exe) wrote to memory of PID 2256 (schtasks.exe)
PID 2148 (chrome.exe) wrote to memory of PID 3532 (cmd.exe)
PID 3532 (cmd.exe) wrote to memory of PID 1932 (chcp.com)
PID 3532 (cmd.exe) wrote to memory of PID 5028 (PING.EXE)
PID 3532 (cmd.exe) wrote to memory of PID 3672 (chrome.exe)
PID 3672 (chrome.exe) wrote to memory of PID 4364 (schtasks.exe)
PID 3672 (chrome.exe) wrote to memory of PID 3988 (cmd.exe)
PID 3988 (cmd.exe) wrote to memory of PID 3552 (chcp.com)
PID 3988 (cmd.exe) wrote to memory of PID 3156 (PING.EXE)
PID 3988 (cmd.exe) wrote to memory of PID 5064 (chrome.exe)
PID 5064 (chrome.exe) wrote to memory of PID 3640 (schtasks.exe)
PID 5064 (chrome.exe) wrote to memory of PID 756 (cmd.exe)
PID 756 (cmd.exe) wrote to memory of PID 4520 (chcp.com)
PID 756 (cmd.exe) wrote to memory of PID 4740 (PING.EXE)
PID 756 (cmd.exe) wrote to memory of PID 3152 (chrome.exe)
PID 3152 (chrome.exe) wrote to memory of PID 1464 (schtasks.exe)
PID 3152 (chrome.exe) wrote to memory of PID 1508 (cmd.exe)
PID 1508 (cmd.exe) wrote to memory of PID 3932 (chcp.com)
PID 1508 (cmd.exe) wrote to memory of PID 1408 (PING.EXE)
PID 1508 (cmd.exe) wrote to memory of PID 1844 (chrome.exe)
PID 1844 (chrome.exe) wrote to memory of PID 3176 (schtasks.exe)
PID 1844 (chrome.exe) wrote to memory of PID 3460 (cmd.exe)
PID 3460 (cmd.exe) wrote to memory of PID 3332 (chcp.com)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry gives its depth in the process tree (a depth-N entry is a child of the nearest preceding depth N-1 entry), its image path, its command line, the signatures it triggered, and its PID.

depth 1: C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4160
depth 2: C:\Users\Admin\AppData\Roaming\chrome.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\chrome.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4740
depth 3: C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 3392
depth 3: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 324
depth 4: C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 3412
depth 4: C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6ngwl50dS0e5.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 3228
depth 5: C:\Windows\system32\chcp.com
  cmdline: chcp 65001
  PID: 1972
depth 5: C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 4308
depth 5: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2148
depth 6: C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 2256
depth 6: C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CaV3iklJ7O1t.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 3532
depth 7: C:\Windows\system32\chcp.com
  cmdline: chcp 65001
  PID: 1932
depth 7: C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 5028
depth 7: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3672
depth 8: C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 4364
depth 8: C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\on0eX2RbPAuw.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 3988
depth 9: C:\Windows\system32\chcp.com
  cmdline: chcp 65001
  PID: 3552
depth 9: C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 3156
depth 9: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 5064
depth 10: C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 3640
depth 10: C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XIPeKwwQjXDp.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 756
depth 11: C:\Windows\system32\chcp.com
  cmdline: chcp 65001
  PID: 4520
depth 11: C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 4740
depth 11: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3152
depth 12: C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 1464
depth 12: C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EJnE5u7WvzkQ.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 1508
depth 13: C:\Windows\system32\chcp.com
  cmdline: chcp 65001
  PID: 3932
depth 13: C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 1408
depth 13: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1844
depth 14: C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 3176
depth 14: C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\prBbNdd02xWX.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 3460
depth 15: C:\Windows\system32\chcp.com
  cmdline: chcp 65001
  PID: 3332
depth 15: C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 3972
depth 15: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 3960
depth 16: C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 2764
depth 16: C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h3ay5nzuvZdc.bat" "
  PID: 2600
depth 17: C:\Windows\system32\chcp.com
  cmdline: chcp 65001
  PID: 4420
depth 17: C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 3360
depth 17: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 3384
depth 18: C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 4052
depth 18: C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YvM1GdQifK0s.bat" "
  PID: 1048
depth 19: C:\Windows\system32\chcp.com
  cmdline: chcp 65001
  PID: 3236
depth 19: C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 4452
depth 19: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2040
depth 20: C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 1004
depth 20: C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nNHWV5LPuKWE.bat" "
  PID: 4160
depth 21: C:\Windows\system32\chcp.com
  cmdline: chcp 65001
  PID: 1908
depth 21: C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 3440
depth 21: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2412
depth 22: C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 1860
depth 22: C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3e43vdTaNVkS.bat" "
  PID: 2672
depth 23: C:\Windows\system32\chcp.com
  cmdline: chcp 65001
  PID: 756
depth 23: C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 1044
depth 23: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 4476
depth 24: C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 4920
depth 24: C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8UOABS1HXaN3.bat" "
  PID: 1524
depth 25: C:\Windows\system32\chcp.com
  cmdline: chcp 65001
  PID: 2680
depth 25: C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 2872
depth 25: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 4112
depth 26: C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 912
depth 26: C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4DggADSjzcaL.bat" "
  PID: 5092
depth 27: C:\Windows\system32\chcp.com
  cmdline: chcp 65001
  PID: 4604
depth 27: C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 1608
depth 27: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 3508
depth 28: C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 4084
depth 28: C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GECQrSvbhFWV.bat" "
  PID: 4560
depth 29: C:\Windows\system32\chcp.com
  cmdline: chcp 65001
  PID: 4256
depth 29: C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 1180
depth 29: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 212
depth 30: C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 552
depth 30: C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ljQbke1ccJoX.bat" "
  PID: 2676
depth 31: C:\Windows\system32\chcp.com
  cmdline: chcp 65001
  PID: 220
depth 31: C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID: 4088
depth 2: C:\Users\Admin\AppData\Local\Temp\S^X.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\S^X.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 4208
Network
MITRE ATT&CK Enterprise v15
Downloads