quasar | 06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23/11/2024, 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe
Size

16.7MB
MD5

65e77040ed7d9dbbbbb65be5f8528b61
SHA1

22e5e40a62ebda8aae9f658d617888114ccc712f
SHA256

06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c
SHA512

b185ea47e46279938566febd61fe120d4255ae2ade08bf213edf477096bbafb244705208dfec28dabf1e19db85e85dea24880fdc8efd10b7fb05cd709c0b7236
SSDEEP

393216:urN50n4bwQq7t3J086sIB6ehAAJ2u653xVu7vHhqBa4Cs0:uka9ZPBxKJpHCpqBa4Cx

Score

10^/10

quasar chrome agilenet discovery evasion spyware themida trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Chrome

live.nodenet.ml:8863

Mutex

754ce6d6-f75b-4c6f-964c-3996e749369e

Attributes

encryption_key
8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D
install_name
chrome.exe
log_directory
Logs
reconnect_delay
3000
startup_key
System
subdirectory
chrome

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 9 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016307-72.dat	family_quasar
behavioral1/memory/592-77-0x0000000000300000-0x0000000000384000-memory.dmp	family_quasar
behavioral1/memory/1920-87-0x0000000001190000-0x0000000001214000-memory.dmp	family_quasar
behavioral1/memory/2260-118-0x00000000003C0000-0x0000000000444000-memory.dmp	family_quasar
behavioral1/memory/2940-129-0x0000000000C90000-0x0000000000D14000-memory.dmp	family_quasar
behavioral1/memory/3064-151-0x0000000000230000-0x00000000002B4000-memory.dmp	family_quasar
behavioral1/memory/1184-162-0x0000000000240000-0x00000000002C4000-memory.dmp	family_quasar
behavioral1/memory/2244-173-0x0000000000D10000-0x0000000000D94000-memory.dmp	family_quasar
behavioral1/memory/1576-194-0x00000000012F0000-0x0000000001374000-memory.dmp	family_quasar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	AVB.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AVB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AVB.exe

Executes dropped EXE 15 IoCs

pid	Process
2724	AVB.exe
592	chrome.exe
584	S^X.exe
1920	chrome.exe
2956	chrome.exe
448	chrome.exe
2260	chrome.exe
2940	chrome.exe
1608	chrome.exe
3064	chrome.exe
1184	chrome.exe
2244	chrome.exe
1764	chrome.exe
1576	chrome.exe
2836	chrome.exe

Loads dropped DLL 6 IoCs

pid	Process
1692	06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe
1692	06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe
2724	AVB.exe
2724	AVB.exe
2724	AVB.exe
2724	AVB.exe

Obfuscated with Agile.Net obfuscator 8 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x0038000000012275-16.dat	agile_net
behavioral1/memory/2724-25-0x00000000012F0000-0x0000000001E40000-memory.dmp	agile_net
behavioral1/memory/2724-38-0x0000000005BD0000-0x00000000061E2000-memory.dmp	agile_net
behavioral1/memory/2724-60-0x0000000005BD0000-0x00000000061DC000-memory.dmp	agile_net
behavioral1/memory/2724-58-0x0000000005BD0000-0x00000000061DC000-memory.dmp	agile_net
behavioral1/memory/2724-56-0x0000000005BD0000-0x00000000061DC000-memory.dmp	agile_net
behavioral1/memory/2724-54-0x0000000005BD0000-0x00000000061DC000-memory.dmp	agile_net
behavioral1/memory/2724-53-0x0000000005BD0000-0x00000000061DC000-memory.dmp	agile_net

Themida packer 13 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0008000000015d5b-6.dat	themida
behavioral1/memory/1692-9-0x00000000726F0000-0x0000000072CF8000-memory.dmp	themida
behavioral1/memory/1692-11-0x00000000726F0000-0x0000000072CF8000-memory.dmp	themida
behavioral1/memory/1692-10-0x00000000726F0000-0x0000000072CF8000-memory.dmp	themida
behavioral1/memory/1692-23-0x00000000726F0000-0x0000000072CF8000-memory.dmp	themida
behavioral1/memory/2724-33-0x0000000073E20000-0x0000000074428000-memory.dmp	themida
behavioral1/memory/2724-34-0x0000000073E20000-0x0000000074428000-memory.dmp	themida
behavioral1/memory/2724-35-0x0000000073E20000-0x0000000074428000-memory.dmp	themida
behavioral1/memory/2724-65-0x0000000070390000-0x0000000070998000-memory.dmp	themida
behavioral1/memory/2724-46-0x0000000070390000-0x0000000070998000-memory.dmp	themida
behavioral1/memory/2724-45-0x0000000070390000-0x0000000070998000-memory.dmp	themida
behavioral1/memory/2724-80-0x0000000070390000-0x0000000070998000-memory.dmp	themida
behavioral1/memory/2724-78-0x0000000073E20000-0x0000000074428000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AVB.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
1692	06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe
2724	AVB.exe
2724	AVB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AVB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S^X.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1772	PING.EXE
3024	PING.EXE
612	PING.EXE
912	PING.EXE
484	PING.EXE
1004	PING.EXE
2344	PING.EXE
2912	PING.EXE
1100	PING.EXE
2448	PING.EXE
3044	PING.EXE
2960	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
612	PING.EXE
3044	PING.EXE
1004	PING.EXE
1772	PING.EXE
2344	PING.EXE
1100	PING.EXE
912	PING.EXE
2448	PING.EXE
484	PING.EXE
2960	PING.EXE
2912	PING.EXE
3024	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1156	schtasks.exe
1292	schtasks.exe
2616	schtasks.exe
2612	schtasks.exe
2184	schtasks.exe
2092	schtasks.exe
3036	schtasks.exe
2908	schtasks.exe
2848	schtasks.exe
2568	schtasks.exe
1620	schtasks.exe
2224	schtasks.exe
2804	schtasks.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	592	chrome.exe
Token: SeDebugPrivilege	1920	chrome.exe
Token: SeDebugPrivilege	584	S^X.exe
Token: SeDebugPrivilege	2956	chrome.exe
Token: SeDebugPrivilege	448	chrome.exe
Token: SeDebugPrivilege	2260	chrome.exe
Token: SeDebugPrivilege	2940	chrome.exe
Token: SeDebugPrivilege	1608	chrome.exe
Token: SeDebugPrivilege	3064	chrome.exe
Token: SeDebugPrivilege	1184	chrome.exe
Token: SeDebugPrivilege	2244	chrome.exe
Token: SeDebugPrivilege	1764	chrome.exe
Token: SeDebugPrivilege	1576	chrome.exe
Token: SeDebugPrivilege	2836	chrome.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1920	chrome.exe
2956	chrome.exe
448	chrome.exe
2260	chrome.exe
2940	chrome.exe
1608	chrome.exe
3064	chrome.exe
1184	chrome.exe
2244	chrome.exe
1764	chrome.exe
1576	chrome.exe
2836	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 2724	1692	06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe	30
PID 1692 wrote to memory of 2724	1692	06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe	30
PID 1692 wrote to memory of 2724	1692	06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe	30
PID 1692 wrote to memory of 2724	1692	06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe	30
PID 2724 wrote to memory of 592	2724	AVB.exe	31
PID 2724 wrote to memory of 592	2724	AVB.exe	31
PID 2724 wrote to memory of 592	2724	AVB.exe	31
PID 2724 wrote to memory of 592	2724	AVB.exe	31
PID 2724 wrote to memory of 584	2724	AVB.exe	32
PID 2724 wrote to memory of 584	2724	AVB.exe	32
PID 2724 wrote to memory of 584	2724	AVB.exe	32
PID 2724 wrote to memory of 584	2724	AVB.exe	32
PID 592 wrote to memory of 3036	592	chrome.exe	33
PID 592 wrote to memory of 3036	592	chrome.exe	33
PID 592 wrote to memory of 3036	592	chrome.exe	33
PID 592 wrote to memory of 1920	592	chrome.exe	35
PID 592 wrote to memory of 1920	592	chrome.exe	35
PID 592 wrote to memory of 1920	592	chrome.exe	35
PID 1920 wrote to memory of 2908	1920	chrome.exe	36
PID 1920 wrote to memory of 2908	1920	chrome.exe	36
PID 1920 wrote to memory of 2908	1920	chrome.exe	36
PID 1920 wrote to memory of 1668	1920	chrome.exe	38
PID 1920 wrote to memory of 1668	1920	chrome.exe	38
PID 1920 wrote to memory of 1668	1920	chrome.exe	38
PID 1668 wrote to memory of 2320	1668	cmd.exe	40
PID 1668 wrote to memory of 2320	1668	cmd.exe	40
PID 1668 wrote to memory of 2320	1668	cmd.exe	40
PID 1668 wrote to memory of 1100	1668	cmd.exe	41
PID 1668 wrote to memory of 1100	1668	cmd.exe	41
PID 1668 wrote to memory of 1100	1668	cmd.exe	41
PID 1668 wrote to memory of 2956	1668	cmd.exe	42
PID 1668 wrote to memory of 2956	1668	cmd.exe	42
PID 1668 wrote to memory of 2956	1668	cmd.exe	42
PID 2956 wrote to memory of 1156	2956	chrome.exe	43
PID 2956 wrote to memory of 1156	2956	chrome.exe	43
PID 2956 wrote to memory of 1156	2956	chrome.exe	43
PID 2956 wrote to memory of 2552	2956	chrome.exe	45
PID 2956 wrote to memory of 2552	2956	chrome.exe	45
PID 2956 wrote to memory of 2552	2956	chrome.exe	45
PID 2552 wrote to memory of 2008	2552	cmd.exe	47
PID 2552 wrote to memory of 2008	2552	cmd.exe	47
PID 2552 wrote to memory of 2008	2552	cmd.exe	47
PID 2552 wrote to memory of 612	2552	cmd.exe	48
PID 2552 wrote to memory of 612	2552	cmd.exe	48
PID 2552 wrote to memory of 612	2552	cmd.exe	48
PID 2552 wrote to memory of 448	2552	cmd.exe	49
PID 2552 wrote to memory of 448	2552	cmd.exe	49
PID 2552 wrote to memory of 448	2552	cmd.exe	49
PID 448 wrote to memory of 2224	448	chrome.exe	50
PID 448 wrote to memory of 2224	448	chrome.exe	50
PID 448 wrote to memory of 2224	448	chrome.exe	50
PID 448 wrote to memory of 2920	448	chrome.exe	53
PID 448 wrote to memory of 2920	448	chrome.exe	53
PID 448 wrote to memory of 2920	448	chrome.exe	53
PID 2920 wrote to memory of 2016	2920	cmd.exe	55
PID 2920 wrote to memory of 2016	2920	cmd.exe	55
PID 2920 wrote to memory of 2016	2920	cmd.exe	55
PID 2920 wrote to memory of 912	2920	cmd.exe	56
PID 2920 wrote to memory of 912	2920	cmd.exe	56
PID 2920 wrote to memory of 912	2920	cmd.exe	56
PID 2920 wrote to memory of 2260	2920	cmd.exe	57
PID 2920 wrote to memory of 2260	2920	cmd.exe	57
PID 2920 wrote to memory of 2260	2920	cmd.exe	57
PID 2260 wrote to memory of 1292	2260	chrome.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe
"C:\Users\Admin\AppData\Local\Temp\06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Users\Admin\AppData\Roaming\AVB.exe
  "C:\Users\Admin\AppData\Roaming\AVB.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Users\Admin\AppData\Roaming\chrome.exe
    "C:\Users\Admin\AppData\Roaming\chrome.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:592
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3036
  - - C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
      "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1920
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2908
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vAPJkhv5yD84.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1668
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2320
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1100
      - C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1156
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OU5KSUokAkOs.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2008
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:612
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2224
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JLQm03irs28c.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2016
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:912
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1292
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0EuHVz84dXyG.bat" "
        11⤵
        
        PID:3000
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2876
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2448
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2940
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2616
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\6cTaIovkLPHn.bat" "
        13⤵
        
        PID:2760
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:536
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:484
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2612
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\illfqPJgjoka.bat" "
        15⤵
        
        PID:3052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3044
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3064
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2184
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1d7caQKKgqYV.bat" "
        17⤵
        
        PID:3056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1820
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1004
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1184
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2804
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RLIse15LqFvX.bat" "
        19⤵
        
        PID:2168
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1560
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2960
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2244
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2092
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oumOeqAdUCCt.bat" "
        21⤵
        
        PID:2180
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:840
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1772
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1764
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1620
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qDm6BNJdDWy5.bat" "
        23⤵
        
        PID:1704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:760
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2344
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1576
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2848
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Rf8p8C2nW2Q6.bat" "
        25⤵
        
        PID:2800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2712
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2912
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2836
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2568
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oj26tAck7VNO.bat" "
        27⤵
        
        PID:784
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3032
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3024
- - C:\Users\Admin\AppData\Local\Temp\S^X.exe
    "C:\Users\Admin\AppData\Local\Temp\S^X.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0EuHVz84dXyG.bat

Filesize
207B

MD5
228b3a5523252643c65a1b669ff8d424

SHA1
41c5e17ce8a04ddd90c4a50a3241082dd83763b2

SHA256
f58fd2a5dca6b52838d0a3be9d886d86117282af4f3cdc002a2bbb5f3e3f000c

SHA512
0f90746a92d9781026a092c219b214a61da8bdf400daa9bc5f8cd44659f223e649d2a8fc5a1b678272d29b15362aa23ea2bb6bc42faab6e6ddd0724bbbb030c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1d7caQKKgqYV.bat

Filesize
207B

MD5
338480a3b409b3dc35630e6c88a16176

SHA1
d38f581a162ab549c70ad5fea05f4023483c3422

SHA256
4dcd676773366cad000f5e73fc9873ab323381a1be63e09702be983b6845168a

SHA512
a410651e8370a28770bbe5380933aa118721a55973023afde3474f726b2ac8952f9e217dc0bbe14db490409f0a01857430b836266734c37c95c851785e3a1757

Download Submit
C:\Users\Admin\AppData\Local\Temp\6cTaIovkLPHn.bat

Filesize
207B

MD5
8f0b4eda4014b46ae04f88b881518d85

SHA1
d893963775ec58351bc322059a7424c3f2862bca

SHA256
8ed32dcd3ffb14aee1ec2380a20d213a2fec48ef5ac955b2dc6317a88c803d9f

SHA512
cb562265d5dd299d2bf2356a030c3875d128ee94bc8ead7d7e72ead1904822beb16f234266c5a8b7ff7a6f2393b931a3c16eb1e75ebb05283923262f16d97cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\JLQm03irs28c.bat

Filesize
207B

MD5
115ec8ad75df146602e556867b764f3a

SHA1
60b3a2b1b81c83024653f7c187fa31b1a9854830

SHA256
14452b4f77e888b1e16158cbf1a9e314b8d2ee20b8049d936c76953668d2e07d

SHA512
c47c771166ea449862d6af2dc7a4653247a388bf2a49e7e9877cc55e1572f0d74a000d2f71cdd48003b26919f4ae7f9e5c859dc7ce788f1287674d656eb77148

Download Submit
C:\Users\Admin\AppData\Local\Temp\OU5KSUokAkOs.bat

Filesize
207B

MD5
a9ad426aa644bf376e8acaf4b3dabdbf

SHA1
dcdb69b5c6a0d8acfe18794d4da1f415e52419c5

SHA256
233604e18100e3689e2c3424512c54b2ca37c605100161031c079d40204bceb0

SHA512
6ed6e1e25862a9621a1ab84ed62ec6b7ebd78391cfc9f7ea3e2e3dd245d30035932fe67db8473ac483de137773ac067d08af60759b45ed3fb7f4945277e6f038

Download Submit
C:\Users\Admin\AppData\Local\Temp\RLIse15LqFvX.bat

Filesize
207B

MD5
3cbfb61d5238136f13b6d098b793928a

SHA1
b4746e84a067390e4b94b96c728e3907c557af83

SHA256
63f2edf821395d7816cac4b715a0fe0a0be7c730c7d2dceb468ab9778ca71c56

SHA512
ed5242f581dc9a66a53dec034252fc6aa10852873f23b0d95c9609a1483f7dc23d78401decea35eb4a5963925f02d114c30d10c9edf4555f738ef3ac4b2be58f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rf8p8C2nW2Q6.bat

Filesize
207B

MD5
3420cfeab7a74b3ee573494c6a34b464

SHA1
453a2fe335c27b41b624ff5dc0d668a5afe41d6b

SHA256
91d5b72343a0d12ab8bc4e29a80d826c8943bb455a302197c79c3c1446c4e2be

SHA512
0fc8777956fae18329ab72b4cda6c8768f44f0cbb364afd0e6447e47e9b7cebbd4a330495a2e80a60239b7524eaf557940aab79c49feb9d24a56bb18a0309bd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\illfqPJgjoka.bat

Filesize
207B

MD5
d3fa18e970609ecc2394b25734529066

SHA1
37ca838dd96859f4ffca56d908b496cc84811a6c

SHA256
5b6b12027d95862b4cb703e805737cea9125586a30ccf0343f25d64042af62a9

SHA512
415817aced3432496a5c083a06974cb26917317152b4a37d1113dd50322d071450097adf9005690db41ab2d7de8993cb2543f99724c630d2cb1e50731e4b5ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\oj26tAck7VNO.bat

Filesize
207B

MD5
82cdf04f96efca47a51cd39e65f17da3

SHA1
3f688a7c783420dbca93e78b51c38cbd7a0616b1

SHA256
2f8184a65ee60e51e589a79056119cef141a5d6a3255ea75ce7897470c6420d1

SHA512
c6046c19fd45381d73fd7b42c6b10d2c79d16a47433065d7d180843e9f00bb64a025b90362cfdead82f0d02380604408cfa788f06a8107a15a4416fc8ffec3c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\oumOeqAdUCCt.bat

Filesize
207B

MD5
84d01e7e9558dfcae6e0fb5a6182e78d

SHA1
f57154c84ff00712ef04f934efa5c48ae8f6330e

SHA256
e1cc200abc636e9889f79952cda3f546856dc87f119c2da9a6037bd9232cec7e

SHA512
3d12ed771692ac6e8f0f04b857cbee6a3ede51ecd33e80dc0a0b471b3f78326cb57fb16419444b668858af2ea595a7f633bb7c8bd27eb433b0d417e44aecff0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qDm6BNJdDWy5.bat

Filesize
207B

MD5
dac2c040616fedc23109904a3de12bcf

SHA1
d2b028c063c8c6a74b9ef4f213a588b2db404f68

SHA256
5bd1f72520ea174cc3e976674bb3c6bd268e425349fa8e681d43694599caae57

SHA512
05c942f73fe1aa9a73dd7085b9383537d68ca38a575b63ef5e3d3981f94ef5996a0bd0deabe8ddfbdd018f216a6aead297f42961930a8d8423517d5e75a83402

Download Submit
C:\Users\Admin\AppData\Local\Temp\vAPJkhv5yD84.bat

Filesize
207B

MD5
b85d7294442fb1d6ced10d2ee368efd3

SHA1
0597eef1a5ac659ff4e48559476053197591e150

SHA256
707ff42c32470c817bd34fe0bbc7f52ce5fd5e300c89c7d812f0248d73e61811

SHA512
ec0d4a560f81f6348fda6b3ebd21fd4b8605fe112b314af3b462854c1f819a99e209835ad7c8589a6193a73f7f8f072b5e56c78ab760cee6f8be673b09b1d4f0

Download Submit
C:\Users\Admin\AppData\Roaming\chrome.exe

Filesize
502KB

MD5
92479f1615fd4fa1dd3ac7f2e6a1b329

SHA1
0a6063d27c9f991be2053b113fcef25e071c57fd

SHA256
0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569

SHA512
9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c

Download Submit
\Users\Admin\AppData\Local\Temp\S^X.exe

Filesize
789KB

MD5
e2437ac017506bbde9a81fb1f618457b

SHA1
adef2615312b31e041ccf700b3982dd50b686c7f

SHA256
94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12

SHA512
9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019

Download Submit
\Users\Admin\AppData\Local\Temp\c73c9c9b-1adc-4deb-a031-aebb4e3010ac\AgileDotNetRT.dll

Filesize
2.2MB

MD5
2d86c4ad18524003d56c1cb27c549ba8

SHA1
123007f9337364e044b87deacf6793c2027c8f47

SHA256
091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280

SHA512
0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

Download Submit
\Users\Admin\AppData\Roaming\AVB.exe

Filesize
11.3MB

MD5
04d5fbe1ca0ee0d8b82c9c47786de31d

SHA1
e63bc0f81cb9d1b4439e62c5018ae30120a5a8a3

SHA256
8bde20ee2c5183c9d13716242130b6fc5f8f4bf317e7908645dc460f3ed15715

SHA512
dcd3213f484cbb301e8fb17b98fff51d6003cefd401e0d9358f0f2219e906f25f2fa0f66c81aa8bb031b327c6c19412b99472f2815262de86e73c635622b413a

Download Submit
memory/584-82-0x0000000000D30000-0x0000000000DFC000-memory.dmp

Filesize
816KB

Download
memory/592-77-0x0000000000300000-0x0000000000384000-memory.dmp

Filesize
528KB

Download
memory/1184-162-0x0000000000240000-0x00000000002C4000-memory.dmp

Filesize
528KB

Download
memory/1576-194-0x00000000012F0000-0x0000000001374000-memory.dmp

Filesize
528KB

Download
memory/1692-11-0x00000000726F0000-0x0000000072CF8000-memory.dmp

Filesize
6.0MB

Download
memory/1692-12-0x00000000743D0000-0x000000007442B000-memory.dmp

Filesize
364KB

Download
memory/1692-23-0x00000000726F0000-0x0000000072CF8000-memory.dmp

Filesize
6.0MB

Download
memory/1692-9-0x00000000726F0000-0x0000000072CF8000-memory.dmp

Filesize
6.0MB

Download
memory/1692-10-0x00000000726F0000-0x0000000072CF8000-memory.dmp

Filesize
6.0MB

Download
memory/1692-2-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1692-1-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1692-13-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1692-0-0x0000000074551000-0x0000000074552000-memory.dmp

Filesize
4KB

Download
memory/1692-22-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1920-87-0x0000000001190000-0x0000000001214000-memory.dmp

Filesize
528KB

Download
memory/2244-173-0x0000000000D10000-0x0000000000D94000-memory.dmp

Filesize
528KB

Download
memory/2260-118-0x00000000003C0000-0x0000000000444000-memory.dmp

Filesize
528KB

Download
memory/2724-26-0x0000000071E30000-0x000000007251E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-62-0x0000000000420000-0x0000000000428000-memory.dmp

Filesize
32KB

Download
memory/2724-78-0x0000000073E20000-0x0000000074428000-memory.dmp

Filesize
6.0MB

Download
memory/2724-45-0x0000000070390000-0x0000000070998000-memory.dmp

Filesize
6.0MB

Download
memory/2724-81-0x0000000071E30000-0x000000007251E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-46-0x0000000070390000-0x0000000070998000-memory.dmp

Filesize
6.0MB

Download
memory/2724-53-0x0000000005BD0000-0x00000000061DC000-memory.dmp

Filesize
6.0MB

Download
memory/2724-54-0x0000000005BD0000-0x00000000061DC000-memory.dmp

Filesize
6.0MB

Download
memory/2724-56-0x0000000005BD0000-0x00000000061DC000-memory.dmp

Filesize
6.0MB

Download
memory/2724-58-0x0000000005BD0000-0x00000000061DC000-memory.dmp

Filesize
6.0MB

Download
memory/2724-60-0x0000000005BD0000-0x00000000061DC000-memory.dmp

Filesize
6.0MB

Download
memory/2724-24-0x0000000071E3E000-0x0000000071E3F000-memory.dmp

Filesize
4KB

Download
memory/2724-61-0x0000000005380000-0x0000000005432000-memory.dmp

Filesize
712KB

Download
memory/2724-80-0x0000000070390000-0x0000000070998000-memory.dmp

Filesize
6.0MB

Download
memory/2724-65-0x0000000070390000-0x0000000070998000-memory.dmp

Filesize
6.0MB

Download
memory/2724-25-0x00000000012F0000-0x0000000001E40000-memory.dmp

Filesize
11.3MB

Download
memory/2724-66-0x0000000071E30000-0x000000007251E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-38-0x0000000005BD0000-0x00000000061E2000-memory.dmp

Filesize
6.1MB

Download
memory/2724-35-0x0000000073E20000-0x0000000074428000-memory.dmp

Filesize
6.0MB

Download
memory/2724-37-0x0000000074A80000-0x0000000074B00000-memory.dmp

Filesize
512KB

Download
memory/2724-34-0x0000000073E20000-0x0000000074428000-memory.dmp

Filesize
6.0MB

Download
memory/2724-36-0x0000000071E30000-0x000000007251E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-33-0x0000000073E20000-0x0000000074428000-memory.dmp

Filesize
6.0MB

Download
memory/2940-129-0x0000000000C90000-0x0000000000D14000-memory.dmp

Filesize
528KB

Download
memory/3064-151-0x0000000000230000-0x00000000002B4000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads