quasar | 06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe
Size

16.7MB
MD5

65e77040ed7d9dbbbbb65be5f8528b61
SHA1

22e5e40a62ebda8aae9f658d617888114ccc712f
SHA256

06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c
SHA512

b185ea47e46279938566febd61fe120d4255ae2ade08bf213edf477096bbafb244705208dfec28dabf1e19db85e85dea24880fdc8efd10b7fb05cd709c0b7236
SSDEEP

393216:urN50n4bwQq7t3J086sIB6ehAAJ2u653xVu7vHhqBa4Cs0:uka9ZPBxKJpHCpqBa4Cx

Score

10^/10

quasar chrome agilenet discovery evasion spyware themida trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Chrome

live.nodenet.ml:8863

Mutex

754ce6d6-f75b-4c6f-964c-3996e749369e

Attributes

encryption_key
8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D
install_name
chrome.exe
log_directory
Logs
reconnect_delay
3000
startup_key
System
subdirectory
chrome

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 7 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016d24-69.dat	family_quasar
behavioral1/memory/640-84-0x0000000000960000-0x00000000009E4000-memory.dmp	family_quasar
behavioral1/memory/2812-89-0x0000000000E60000-0x0000000000EE4000-memory.dmp	family_quasar
behavioral1/memory/2688-130-0x00000000000B0000-0x0000000000134000-memory.dmp	family_quasar
behavioral1/memory/332-141-0x00000000002C0000-0x0000000000344000-memory.dmp	family_quasar
behavioral1/memory/2452-152-0x0000000000180000-0x0000000000204000-memory.dmp	family_quasar
behavioral1/memory/1800-163-0x0000000001140000-0x00000000011C4000-memory.dmp	family_quasar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	AVB.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AVB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AVB.exe

Executes dropped EXE 13 IoCs

pid	Process
2668	AVB.exe
640	chrome.exe
3056	S^X.exe
2812	chrome.exe
2316	chrome.exe
976	chrome.exe
1948	chrome.exe
2688	chrome.exe
332	chrome.exe
2452	chrome.exe
1800	chrome.exe
2164	chrome.exe
2476	chrome.exe

Loads dropped DLL 6 IoCs

pid	Process
2636	06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe
2636	06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe
2668	AVB.exe
2668	AVB.exe
2668	AVB.exe
2668	AVB.exe

Obfuscated with Agile.Net obfuscator 8 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x0035000000016c3d-16.dat	agile_net
behavioral1/memory/2668-25-0x0000000000F40000-0x0000000001A90000-memory.dmp	agile_net
behavioral1/memory/2668-38-0x0000000005B70000-0x0000000006182000-memory.dmp	agile_net
behavioral1/memory/2668-62-0x0000000005B70000-0x000000000617C000-memory.dmp	agile_net
behavioral1/memory/2668-60-0x0000000005B70000-0x000000000617C000-memory.dmp	agile_net
behavioral1/memory/2668-58-0x0000000005B70000-0x000000000617C000-memory.dmp	agile_net
behavioral1/memory/2668-56-0x0000000005B70000-0x000000000617C000-memory.dmp	agile_net
behavioral1/memory/2668-55-0x0000000005B70000-0x000000000617C000-memory.dmp	agile_net

Themida packer 13 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0007000000016cd3-8.dat	themida
behavioral1/memory/2636-10-0x0000000072720000-0x0000000072D28000-memory.dmp	themida
behavioral1/memory/2636-11-0x0000000072720000-0x0000000072D28000-memory.dmp	themida
behavioral1/memory/2636-9-0x0000000072720000-0x0000000072D28000-memory.dmp	themida
behavioral1/memory/2636-23-0x0000000072720000-0x0000000072D28000-memory.dmp	themida
behavioral1/memory/2668-33-0x0000000073220000-0x0000000073828000-memory.dmp	themida
behavioral1/memory/2668-34-0x0000000073220000-0x0000000073828000-memory.dmp	themida
behavioral1/memory/2668-35-0x0000000073220000-0x0000000073828000-memory.dmp	themida
behavioral1/memory/2668-45-0x00000000703C0000-0x00000000709C8000-memory.dmp	themida
behavioral1/memory/2668-48-0x00000000703C0000-0x00000000709C8000-memory.dmp	themida
behavioral1/memory/2668-46-0x00000000703C0000-0x00000000709C8000-memory.dmp	themida
behavioral1/memory/2668-81-0x0000000073220000-0x0000000073828000-memory.dmp	themida
behavioral1/memory/2668-82-0x00000000703C0000-0x00000000709C8000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AVB.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2636	06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe
2668	AVB.exe
2668	AVB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AVB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S^X.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 9 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1596	PING.EXE
2852	PING.EXE
2608	PING.EXE
2368	PING.EXE
1704	PING.EXE
2076	PING.EXE
2524	PING.EXE
2640	PING.EXE
2132	PING.EXE

Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery

T1018

pid	Process
1704	PING.EXE
2368	PING.EXE
2524	PING.EXE
1596	PING.EXE
2852	PING.EXE
2608	PING.EXE
2640	PING.EXE
2132	PING.EXE
2076	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1612	schtasks.exe
748	schtasks.exe
2452	schtasks.exe
2900	schtasks.exe
1460	schtasks.exe
2220	schtasks.exe
2000	schtasks.exe
2528	schtasks.exe
3000	schtasks.exe
2272	schtasks.exe
1492	schtasks.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	640	chrome.exe
Token: SeDebugPrivilege	2812	chrome.exe
Token: SeDebugPrivilege	3056	S^X.exe
Token: SeDebugPrivilege	2316	chrome.exe
Token: SeDebugPrivilege	976	chrome.exe
Token: SeDebugPrivilege	1948	chrome.exe
Token: SeDebugPrivilege	2688	chrome.exe
Token: SeDebugPrivilege	332	chrome.exe
Token: SeDebugPrivilege	2452	chrome.exe
Token: SeDebugPrivilege	1800	chrome.exe
Token: SeDebugPrivilege	2164	chrome.exe
Token: SeDebugPrivilege	2476	chrome.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2812	chrome.exe
2316	chrome.exe
976	chrome.exe
1948	chrome.exe
2688	chrome.exe
332	chrome.exe
2452	chrome.exe
1800	chrome.exe
2164	chrome.exe
2476	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 2668	2636	06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe	30
PID 2636 wrote to memory of 2668	2636	06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe	30
PID 2636 wrote to memory of 2668	2636	06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe	30
PID 2636 wrote to memory of 2668	2636	06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe	30
PID 2668 wrote to memory of 640	2668	AVB.exe	31
PID 2668 wrote to memory of 640	2668	AVB.exe	31
PID 2668 wrote to memory of 640	2668	AVB.exe	31
PID 2668 wrote to memory of 640	2668	AVB.exe	31
PID 2668 wrote to memory of 3056	2668	AVB.exe	32
PID 2668 wrote to memory of 3056	2668	AVB.exe	32
PID 2668 wrote to memory of 3056	2668	AVB.exe	32
PID 2668 wrote to memory of 3056	2668	AVB.exe	32
PID 640 wrote to memory of 2452	640	chrome.exe	33
PID 640 wrote to memory of 2452	640	chrome.exe	33
PID 640 wrote to memory of 2452	640	chrome.exe	33
PID 640 wrote to memory of 2812	640	chrome.exe	35
PID 640 wrote to memory of 2812	640	chrome.exe	35
PID 640 wrote to memory of 2812	640	chrome.exe	35
PID 2812 wrote to memory of 2900	2812	chrome.exe	36
PID 2812 wrote to memory of 2900	2812	chrome.exe	36
PID 2812 wrote to memory of 2900	2812	chrome.exe	36
PID 2812 wrote to memory of 2912	2812	chrome.exe	38
PID 2812 wrote to memory of 2912	2812	chrome.exe	38
PID 2812 wrote to memory of 2912	2812	chrome.exe	38
PID 2912 wrote to memory of 2372	2912	cmd.exe	40
PID 2912 wrote to memory of 2372	2912	cmd.exe	40
PID 2912 wrote to memory of 2372	2912	cmd.exe	40
PID 2912 wrote to memory of 2076	2912	cmd.exe	41
PID 2912 wrote to memory of 2076	2912	cmd.exe	41
PID 2912 wrote to memory of 2076	2912	cmd.exe	41
PID 2912 wrote to memory of 2316	2912	cmd.exe	42
PID 2912 wrote to memory of 2316	2912	cmd.exe	42
PID 2912 wrote to memory of 2316	2912	cmd.exe	42
PID 2316 wrote to memory of 2272	2316	chrome.exe	43
PID 2316 wrote to memory of 2272	2316	chrome.exe	43
PID 2316 wrote to memory of 2272	2316	chrome.exe	43
PID 2316 wrote to memory of 668	2316	chrome.exe	45
PID 2316 wrote to memory of 668	2316	chrome.exe	45
PID 2316 wrote to memory of 668	2316	chrome.exe	45
PID 668 wrote to memory of 1464	668	cmd.exe	47
PID 668 wrote to memory of 1464	668	cmd.exe	47
PID 668 wrote to memory of 1464	668	cmd.exe	47
PID 668 wrote to memory of 2524	668	cmd.exe	48
PID 668 wrote to memory of 2524	668	cmd.exe	48
PID 668 wrote to memory of 2524	668	cmd.exe	48
PID 668 wrote to memory of 976	668	cmd.exe	50
PID 668 wrote to memory of 976	668	cmd.exe	50
PID 668 wrote to memory of 976	668	cmd.exe	50
PID 976 wrote to memory of 1492	976	chrome.exe	51
PID 976 wrote to memory of 1492	976	chrome.exe	51
PID 976 wrote to memory of 1492	976	chrome.exe	51
PID 976 wrote to memory of 2176	976	chrome.exe	53
PID 976 wrote to memory of 2176	976	chrome.exe	53
PID 976 wrote to memory of 2176	976	chrome.exe	53
PID 2176 wrote to memory of 692	2176	cmd.exe	55
PID 2176 wrote to memory of 692	2176	cmd.exe	55
PID 2176 wrote to memory of 692	2176	cmd.exe	55
PID 2176 wrote to memory of 1596	2176	cmd.exe	56
PID 2176 wrote to memory of 1596	2176	cmd.exe	56
PID 2176 wrote to memory of 1596	2176	cmd.exe	56
PID 2176 wrote to memory of 1948	2176	cmd.exe	57
PID 2176 wrote to memory of 1948	2176	cmd.exe	57
PID 2176 wrote to memory of 1948	2176	cmd.exe	57
PID 1948 wrote to memory of 1460	1948	chrome.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe
"C:\Users\Admin\AppData\Local\Temp\06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Users\Admin\AppData\Roaming\AVB.exe
  "C:\Users\Admin\AppData\Roaming\AVB.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Admin\AppData\Roaming\chrome.exe
    "C:\Users\Admin\AppData\Roaming\chrome.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:640
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2452
  - - C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
      "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2900
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0nK4txexeFc3.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2912
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2372
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2076
      - C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2272
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WVSryckjZg7m.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:668
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1464
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2524
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1492
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\guRHwp1QtFwb.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:692
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1596
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1460
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kS2AA6qqDxvC.bat" "
        11⤵
        
        PID:1912
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2280
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2852
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2688
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2220
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OlvtDDDBUrvK.bat" "
        13⤵
        
        PID:2596
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2544
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2608
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:332
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2000
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\r1KsbafDjhfy.bat" "
        15⤵
        
        PID:2096
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2896
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2640
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2452
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2528
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zb79paAXgO6r.bat" "
        17⤵
        
        PID:2784
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2812
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2368
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1800
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1612
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OmOg2OOHAmeX.bat" "
        19⤵
        
        PID:2232
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2120
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2132
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2164
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:748
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NFCmTUm1apAk.bat" "
        21⤵
        
        PID:1352
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1716
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1704
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2476
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3000
- - C:\Users\Admin\AppData\Local\Temp\S^X.exe
    "C:\Users\Admin\AppData\Local\Temp\S^X.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0nK4txexeFc3.bat

Filesize
207B

MD5
db1cff891300429a203de7d75243105a

SHA1
6350a2cf7e28d4504a816f30646adeb65407e844

SHA256
d99d4b5b81466a0f56a748e635a39c7caabfb8a4d255d104e22f44cb32ad494e

SHA512
8df8cda48b5657c132a0ac88be47ad2062db1feb7a7c5ec3a41b2ee82846b47cc30ea821befe907be2d672cdee20eb945b0c1ccaf52c2e1596c037971c7df3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NFCmTUm1apAk.bat

Filesize
207B

MD5
bc4e9293c00615ef5fda71446751d282

SHA1
91473c4cd7fe60974a81542361364e3aa8b216b1

SHA256
1bb94ff44d8f5dc95badf720c3ddcca4c097bec769f22ad025810fe6ecc538cb

SHA512
85c3df2315c14f4474c48abcf1fc1827b3a2e7d5eaccbd3a3c8842084d765fc1c7fcfcea66f53856a0feb3c845cd87de4b387a7da263a7ab6309b591a5fd47ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\OlvtDDDBUrvK.bat

Filesize
207B

MD5
db0f543dd78ba2eda3c4c8b7121fbf06

SHA1
70ff32192ae7ef6d2b2d4fd10a747ea0bc34d379

SHA256
ca60398e6c59fe59b52d27dc1e093862e8386b1b4733c68994979e154c146be6

SHA512
74685b0191c542e1173c93d0ce03b610dd5f07adc8ffbd6cf455f53391c9da27d2343fb3eabae815488b0aabd7e3366354fa76fcafcfbc7ac33f4202f6d6d550

Download Submit
C:\Users\Admin\AppData\Local\Temp\OmOg2OOHAmeX.bat

Filesize
207B

MD5
40be8222a290911d24d0c9d2a3af490f

SHA1
c5d13f694d0cd78ab46cb795672aee770f320068

SHA256
0f5967e1bb1bffb603a77a7db94a16f58ffbaaeef1b125e666a46e6c1ac81d8c

SHA512
97a77347732740c63065d6711dddbc0c95fa31341886248209287bdf70a0dd0025b81f8e6e778fed5b8cf45222cedc1deac49a30a0c5d0ff7074f73994b3ba3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WVSryckjZg7m.bat

Filesize
207B

MD5
e1c0a887e8bee679be08befdcadd07ca

SHA1
f3f41443917f71e2ef86bb4c0f46279e223ec1ed

SHA256
27d9d89684a8d946e7228fd75cdd548bf6ddf5e24b3abd7527c948272a073787

SHA512
6f54d69369d991e9f36585228807fce81005e8caf72ee1d605e2c0ae66cafbdf95ad821d40ac5a2863cb12f6116a3b365373278d5a807da067564c4692eb0720

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zb79paAXgO6r.bat

Filesize
207B

MD5
66e165207639bd5a1aff8c51fa089dc0

SHA1
87fa97d687df7ede94e6cbc44ea37ba053b6eeb3

SHA256
f17baa71be6d131e44af2c22a2393ac3b83b8a752bd434ed6ac08e3521a966ec

SHA512
cfd947ae2e3fc960624366e8f17f490c575de2aaf4900cd4792bdb2b5e3d06f6e7bd12b655645d3aede40f657d7a26b59aea0e2f99d3cec920a9591f2814090d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c73c9c9b-1adc-4deb-a031-aebb4e3010ac\AgileDotNetRT.dll

Filesize
2.2MB

MD5
2d86c4ad18524003d56c1cb27c549ba8

SHA1
123007f9337364e044b87deacf6793c2027c8f47

SHA256
091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280

SHA512
0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\guRHwp1QtFwb.bat

Filesize
207B

MD5
1386d6befd5fe6f482c41d14279685d0

SHA1
edfef898e35bd3df70f79ed18ab325dd5741123e

SHA256
7f52e3cac49067a3bd31890ecc183f401884f2868a0bac428556f25707f797ff

SHA512
a50edad5cd74d32c76c0532aa9a1f48b02ca35361a89520b1826dfbc82e50b99e754d3cb08b8e4465a41c9bd90d6226f365644ea4cb04d5ed938bc6f9306ec6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kS2AA6qqDxvC.bat

Filesize
207B

MD5
1f3468f4e85dc5c7ca6c431fc6eff225

SHA1
bac2f4f86383ba047881c36b4976757121ee39c1

SHA256
14e45373d62fb66e61604b9fe726425ab8af2658454ea36ee8359ec9ee248d0a

SHA512
12eade9bf808763ca4fc2d0bcbccec08cab47df98b38679256105d4e1cbccf3ad76c703e0dcbc69dabfe63018fbd76b9f54505f38b3b7b11493eb99748fb61b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\r1KsbafDjhfy.bat

Filesize
207B

MD5
9efa254e95e89bc99557bd78fc6ae280

SHA1
947483789b89d313ceef5d4bf3dd881f8219e31a

SHA256
d4e67519e14157b868d559fd68ff822c06a749a82bb6e10603face1d7a0282b1

SHA512
1b8b2a55d419c2036d22883a8b12249d0abd6543d59af20371da73f095b3390d243fbb7ecf677aba75e0ada77bd82ed66872dd59f2c7e8cd7fd27db0e3c2864e

Download Submit
C:\Users\Admin\AppData\Roaming\chrome.exe

Filesize
502KB

MD5
92479f1615fd4fa1dd3ac7f2e6a1b329

SHA1
0a6063d27c9f991be2053b113fcef25e071c57fd

SHA256
0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569

SHA512
9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c

Download Submit
\Users\Admin\AppData\Local\Temp\S^X.exe

Filesize
789KB

MD5
e2437ac017506bbde9a81fb1f618457b

SHA1
adef2615312b31e041ccf700b3982dd50b686c7f

SHA256
94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12

SHA512
9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019

Download Submit
\Users\Admin\AppData\Roaming\AVB.exe

Filesize
11.3MB

MD5
04d5fbe1ca0ee0d8b82c9c47786de31d

SHA1
e63bc0f81cb9d1b4439e62c5018ae30120a5a8a3

SHA256
8bde20ee2c5183c9d13716242130b6fc5f8f4bf317e7908645dc460f3ed15715

SHA512
dcd3213f484cbb301e8fb17b98fff51d6003cefd401e0d9358f0f2219e906f25f2fa0f66c81aa8bb031b327c6c19412b99472f2815262de86e73c635622b413a

Download Submit
memory/332-141-0x00000000002C0000-0x0000000000344000-memory.dmp

Filesize
528KB

Download
memory/640-84-0x0000000000960000-0x00000000009E4000-memory.dmp

Filesize
528KB

Download
memory/1800-163-0x0000000001140000-0x00000000011C4000-memory.dmp

Filesize
528KB

Download
memory/2452-152-0x0000000000180000-0x0000000000204000-memory.dmp

Filesize
528KB

Download
memory/2636-10-0x0000000072720000-0x0000000072D28000-memory.dmp

Filesize
6.0MB

Download
memory/2636-0-0x0000000074561000-0x0000000074562000-memory.dmp

Filesize
4KB

Download
memory/2636-22-0x0000000074560000-0x0000000074B0B000-memory.dmp

Filesize
5.7MB

Download
memory/2636-2-0x0000000074560000-0x0000000074B0B000-memory.dmp

Filesize
5.7MB

Download
memory/2636-23-0x0000000072720000-0x0000000072D28000-memory.dmp

Filesize
6.0MB

Download
memory/2636-13-0x00000000743E0000-0x000000007443B000-memory.dmp

Filesize
364KB

Download
memory/2636-12-0x0000000074560000-0x0000000074B0B000-memory.dmp

Filesize
5.7MB

Download
memory/2636-1-0x0000000074560000-0x0000000074B0B000-memory.dmp

Filesize
5.7MB

Download
memory/2636-9-0x0000000072720000-0x0000000072D28000-memory.dmp

Filesize
6.0MB

Download
memory/2636-11-0x0000000072720000-0x0000000072D28000-memory.dmp

Filesize
6.0MB

Download
memory/2668-25-0x0000000000F40000-0x0000000001A90000-memory.dmp

Filesize
11.3MB

Download
memory/2668-47-0x0000000071E60000-0x000000007254E000-memory.dmp

Filesize
6.9MB

Download
memory/2668-63-0x0000000000BC0000-0x0000000000C72000-memory.dmp

Filesize
712KB

Download
memory/2668-64-0x00000000007F0000-0x00000000007F8000-memory.dmp

Filesize
32KB

Download
memory/2668-56-0x0000000005B70000-0x000000000617C000-memory.dmp

Filesize
6.0MB

Download
memory/2668-58-0x0000000005B70000-0x000000000617C000-memory.dmp

Filesize
6.0MB

Download
memory/2668-81-0x0000000073220000-0x0000000073828000-memory.dmp

Filesize
6.0MB

Download
memory/2668-80-0x0000000071E60000-0x000000007254E000-memory.dmp

Filesize
6.9MB

Download
memory/2668-24-0x0000000071E6E000-0x0000000071E6F000-memory.dmp

Filesize
4KB

Download
memory/2668-82-0x00000000703C0000-0x00000000709C8000-memory.dmp

Filesize
6.0MB

Download
memory/2668-60-0x0000000005B70000-0x000000000617C000-memory.dmp

Filesize
6.0MB

Download
memory/2668-26-0x0000000071E60000-0x000000007254E000-memory.dmp

Filesize
6.9MB

Download
memory/2668-62-0x0000000005B70000-0x000000000617C000-memory.dmp

Filesize
6.0MB

Download
memory/2668-55-0x0000000005B70000-0x000000000617C000-memory.dmp

Filesize
6.0MB

Download
memory/2668-46-0x00000000703C0000-0x00000000709C8000-memory.dmp

Filesize
6.0MB

Download
memory/2668-48-0x00000000703C0000-0x00000000709C8000-memory.dmp

Filesize
6.0MB

Download
memory/2668-33-0x0000000073220000-0x0000000073828000-memory.dmp

Filesize
6.0MB

Download
memory/2668-45-0x00000000703C0000-0x00000000709C8000-memory.dmp

Filesize
6.0MB

Download
memory/2668-38-0x0000000005B70000-0x0000000006182000-memory.dmp

Filesize
6.1MB

Download
memory/2668-37-0x0000000074A10000-0x0000000074A90000-memory.dmp

Filesize
512KB

Download
memory/2668-36-0x0000000071E60000-0x000000007254E000-memory.dmp

Filesize
6.9MB

Download
memory/2668-35-0x0000000073220000-0x0000000073828000-memory.dmp

Filesize
6.0MB

Download
memory/2668-34-0x0000000073220000-0x0000000073828000-memory.dmp

Filesize
6.0MB

Download
memory/2688-130-0x00000000000B0000-0x0000000000134000-memory.dmp

Filesize
528KB

Download
memory/2812-89-0x0000000000E60000-0x0000000000EE4000-memory.dmp

Filesize
528KB

Download
memory/3056-83-0x0000000001340000-0x000000000140C000-memory.dmp

Filesize
816KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads