quasar | 7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Size

3.1MB
MD5

239c5f964b458a0a935a4b42d74bcbda
SHA1

7a037d3bd8817adf6e58734b08e807a84083f0ce
SHA256

7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c
SHA512

2e9e95d5097ce751d2a641a8fc7f8bc824a525a07bc06cd8a60580405fad90543ffa3259e6b2b2e97a70a3c3ed03e73b29f7cb9ebd10e7c62eaef2078805be19
SSDEEP

98304:mWV5SgjlbwPdRl5fGO4ZL0luiel9uRJk3HZ2b/aryTnrfvnM3A2Ozvhk:JTQzG

Score

10^/10

quasar zjeb discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

ZJEB

VIPEEK1990-25013.portmap.host:25013

Mutex

ad21b115-2c1b-40cb-adba-a50736b76c21

Attributes

encryption_key
3EBA8BC34FA983893A9B07B831E7CEB183F7492D
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Security Service
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/3576-1-0x0000000000FF0000-0x0000000001314000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
64	PING.EXE
1352	PING.EXE
2572	PING.EXE
464	PING.EXE
4796	PING.EXE
4996	PING.EXE
3868	PING.EXE
3576	PING.EXE
1800	PING.EXE
1536	PING.EXE
3388	PING.EXE
2436	PING.EXE
708	PING.EXE
612	PING.EXE
5028	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
4996	PING.EXE
3576	PING.EXE
1536	PING.EXE
612	PING.EXE
464	PING.EXE
64	PING.EXE
4796	PING.EXE
1352	PING.EXE
2436	PING.EXE
1800	PING.EXE
5028	PING.EXE
3868	PING.EXE
3388	PING.EXE
708	PING.EXE
2572	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1696	schtasks.exe
3016	schtasks.exe
1824	schtasks.exe
4708	schtasks.exe
3316	schtasks.exe
4800	schtasks.exe
4780	schtasks.exe
4192	schtasks.exe
3080	schtasks.exe
1408	schtasks.exe
2304	schtasks.exe
3644	schtasks.exe
1832	schtasks.exe
2332	schtasks.exe
3524	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	3576	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	840	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	4600	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	3828	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	3652	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	4172	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	1964	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	4372	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	3916	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	3304	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	1664	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	5116	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	3428	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	3008	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	1144	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3576	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
4172	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 1824	3576	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	83
PID 3576 wrote to memory of 1824	3576	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	83
PID 3576 wrote to memory of 2576	3576	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	85
PID 3576 wrote to memory of 2576	3576	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	85
PID 2576 wrote to memory of 5024	2576	cmd.exe	87
PID 2576 wrote to memory of 5024	2576	cmd.exe	87
PID 2576 wrote to memory of 64	2576	cmd.exe	88
PID 2576 wrote to memory of 64	2576	cmd.exe	88
PID 2576 wrote to memory of 840	2576	cmd.exe	98
PID 2576 wrote to memory of 840	2576	cmd.exe	98
PID 840 wrote to memory of 1408	840	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	99
PID 840 wrote to memory of 1408	840	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	99
PID 840 wrote to memory of 3880	840	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	103
PID 840 wrote to memory of 3880	840	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	103
PID 3880 wrote to memory of 1800	3880	cmd.exe	106
PID 3880 wrote to memory of 1800	3880	cmd.exe	106
PID 3880 wrote to memory of 4796	3880	cmd.exe	107
PID 3880 wrote to memory of 4796	3880	cmd.exe	107
PID 3880 wrote to memory of 4600	3880	cmd.exe	108
PID 3880 wrote to memory of 4600	3880	cmd.exe	108
PID 4600 wrote to memory of 2332	4600	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	109
PID 4600 wrote to memory of 2332	4600	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	109
PID 4600 wrote to memory of 2636	4600	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	112
PID 4600 wrote to memory of 2636	4600	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	112
PID 2636 wrote to memory of 3552	2636	cmd.exe	114
PID 2636 wrote to memory of 3552	2636	cmd.exe	114
PID 2636 wrote to memory of 2436	2636	cmd.exe	115
PID 2636 wrote to memory of 2436	2636	cmd.exe	115
PID 2636 wrote to memory of 3828	2636	cmd.exe	118
PID 2636 wrote to memory of 3828	2636	cmd.exe	118
PID 3828 wrote to memory of 4708	3828	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	120
PID 3828 wrote to memory of 4708	3828	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	120
PID 3828 wrote to memory of 612	3828	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	122
PID 3828 wrote to memory of 612	3828	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	122
PID 612 wrote to memory of 3024	612	cmd.exe	125
PID 612 wrote to memory of 3024	612	cmd.exe	125
PID 612 wrote to memory of 3576	612	cmd.exe	126
PID 612 wrote to memory of 3576	612	cmd.exe	126
PID 612 wrote to memory of 3652	612	cmd.exe	128
PID 612 wrote to memory of 3652	612	cmd.exe	128
PID 3652 wrote to memory of 2304	3652	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	129
PID 3652 wrote to memory of 2304	3652	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	129
PID 3652 wrote to memory of 1928	3652	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	132
PID 3652 wrote to memory of 1928	3652	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	132
PID 1928 wrote to memory of 2016	1928	cmd.exe	134
PID 1928 wrote to memory of 2016	1928	cmd.exe	134
PID 1928 wrote to memory of 708	1928	cmd.exe	135
PID 1928 wrote to memory of 708	1928	cmd.exe	135
PID 1928 wrote to memory of 4172	1928	cmd.exe	137
PID 1928 wrote to memory of 4172	1928	cmd.exe	137
PID 4172 wrote to memory of 3524	4172	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	138
PID 4172 wrote to memory of 3524	4172	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	138
PID 4172 wrote to memory of 4076	4172	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	141
PID 4172 wrote to memory of 4076	4172	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	141
PID 4076 wrote to memory of 3288	4076	cmd.exe	143
PID 4076 wrote to memory of 3288	4076	cmd.exe	143
PID 4076 wrote to memory of 1800	4076	cmd.exe	144
PID 4076 wrote to memory of 1800	4076	cmd.exe	144
PID 4076 wrote to memory of 1964	4076	cmd.exe	146
PID 4076 wrote to memory of 1964	4076	cmd.exe	146
PID 1964 wrote to memory of 4780	1964	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	147
PID 1964 wrote to memory of 4780	1964	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	147
PID 1964 wrote to memory of 3888	1964	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	150
PID 1964 wrote to memory of 3888	1964	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	150

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
"C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYnfBN1pPmhw.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:5024
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:64
- - C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
    "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:840
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1408
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\U0LNUd81CETa.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3880
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1800
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4796
    - - C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        5⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4600
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2332
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ou9W470xebhj.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3552
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        7⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3828
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wn3XZhkLseQI.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:612
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:3024
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        9⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\soYfvEQhALbn.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2016
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        11⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3524
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bdi6T6YNPFCy.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:3288
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        13⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b54hvShUYJir.bat" "
        14⤵
        
        PID:3888
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:388
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        15⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4372
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\64MFIFcTy3JX.bat" "
        16⤵
        
        PID:2220
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:4496
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        17⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3916
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4192
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1YeqtjHFQW2s.bat" "
        18⤵
        
        PID:4268
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1404
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:612
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        19⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3304
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YAjDJFV34E3q.bat" "
        20⤵
        
        PID:3408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:3548
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        21⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VvjLGbdlZK5f.bat" "
        22⤵
        
        PID:3228
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:4288
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        23⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:5116
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VDDMUauXs1Z5.bat" "
        24⤵
        
        PID:3552
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:4356
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        25⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3428
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0viMWLH373Ru.bat" "
        26⤵
        
        PID:1696
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:704
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        27⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3gxPK4pD1PlT.bat" "
        28⤵
        
        PID:2992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:4536
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        29⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        30⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOcFIrXEYtVP.bat" "
        30⤵
        
        PID:4100
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:668
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0viMWLH373Ru.bat

Filesize
261B

MD5
9068f924ce2223bc4ba65a69f1949c29

SHA1
ce646f4c0250d8f3b7581abeaf39b9586e4d7295

SHA256
047686d037e5ed1a2feeecb65c6eeeb7bbdf6f28a7282c2b7072932cfb5c49f8

SHA512
aaa32459ea512629f2f30583075a23d70b36d09d8677878ad39cec028b3c7b04232f3d536517497663f81c0074574b5f5a6ee49849f53b49ef88ec681421ac1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1YeqtjHFQW2s.bat

Filesize
261B

MD5
fefb56d4af995312c58cf7bcabff6327

SHA1
af4cb7d8c7f3bd6549916ba373a0fb6d6462178e

SHA256
e681cfda495a065dcdcf7da276c6280f40ce94a2d696c9bfb2f6f54956a14430

SHA512
6d86fd5b23393cb7b93c975cd631bbd9665bb2f46446ab55f990ed254ea3e91418b3fce24f3d89e2b1f764d891129b555fb1869957ecbb637c2c3f03e403b4d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3gxPK4pD1PlT.bat

Filesize
261B

MD5
aaf2f8d92ff7ec184cb3b4bc54873e75

SHA1
35922c3441ba6a49ec6347d86840fe03bf9e2f19

SHA256
b9ede13b5dd8d8ff8853ef08baa330eaff9db75046421feb4e2e03816648d9c2

SHA512
ffa498d953c7e09b5f4d9774c068bfa3a5da4c4580c983b462f70b391b58af5cc68daa14f7bb1cbc282051228189ac0c3952b9ce84aa6609f8f737f2056234ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\64MFIFcTy3JX.bat

Filesize
261B

MD5
1e225d810d4b7676e92b65905de9d794

SHA1
5bb7f66009f0941130b3a6dd1f61a6e81b068b7d

SHA256
1bbcbf226e5e9864efc0117a065b7515f30d9710561c2153c8451351ce11cefc

SHA512
ef562899277a6cb80962d08aad3f4eaddb3159ba3028ef86a902e1afc17f4344ba1d28dd01604c39c3a76db42b0944abbd53d9e29c1bc4021ff909d0719ca411

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ou9W470xebhj.bat

Filesize
261B

MD5
44cadacdd866172f9a320f09b48fb317

SHA1
1e587d02397c7fe32901e3fe4a2b407b509cbd0d

SHA256
56011dbfd882afd436d644328fb710e7d895aedfcd6449ce57a152592ee5f728

SHA512
ab08441174b814f3e1adfab571ebb017af1f845c0bf23900f3d86de442503fb4b88dfe83c6d751446858645f33f0d2bce8ade833b15ac6c06e22a83ac9578f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\SOcFIrXEYtVP.bat

Filesize
261B

MD5
f28675ff976de093a4651038659598c6

SHA1
344fbb42d8e05aad42e302707d7fcfe926e17773

SHA256
69a337cbafecc05e883ad0a52fd193c4686b8d0f0c8180a356dbd00530cde433

SHA512
fe6e9321fdaa16d3eab49223b0c557cf7b07cfea7463a529b621e26d87957698eef216b400e22c5e5c04ceea76ba52f9942a37c3e06de7bd94ecfc21abcf7db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\U0LNUd81CETa.bat

Filesize
261B

MD5
157a320de8df32257d2c7e9a9764c9cc

SHA1
fd741729224861c062e1dce45fa592bc75fe84af

SHA256
4bec552fc39043eaa634d45a8602eae532a4bec9d7169cdb407a4089c0f7702d

SHA512
84e794d645bab1e6b2b4870a346269ceb7e0ab2c721db110ccd6b8cfaa068617cfd4794e0925c3c8a9311037b60a9911311306c6e26ff53e23601326d59b7c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\VDDMUauXs1Z5.bat

Filesize
261B

MD5
f8d6615adf404eefa02a559622d2a1da

SHA1
6031c4bb468242c49e689843dc565a7e2892742b

SHA256
ee6c306b5a5b33fe32af944c2d8a57d06a4a0c7a0b92a372fbef6881f30a5661

SHA512
3c49f5560c002ab843b410345ccdbdb6e8d590f8a884833763ac598464be2d9ee2dce34f3e3bf186b99c86d2c5f4d800eeace18298fd57545dad9b3ff83060de

Download Submit
C:\Users\Admin\AppData\Local\Temp\VvjLGbdlZK5f.bat

Filesize
261B

MD5
6b94b8726ea02d7638150279be6ceeff

SHA1
6372c80ca3a533d75761b1f84c5427831c7bf227

SHA256
e127e5dba9340006c3435bd2ac5f5f630e140ba14c9e510512071a87e407d029

SHA512
8ed322d697269a3a37de37ea188172a5fdeb615893a73942c0f9a3d015be2129bc2dc2ddf8825c36a559fd227f4715608675bdcf6e049d483528bef7f9cf011a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wn3XZhkLseQI.bat

Filesize
261B

MD5
45e17dde508fb24cbfbae9820ee6412c

SHA1
a63aa5a55138fb12c477856bea2ffd2222edcb62

SHA256
b020b232215d548a20865530e696bb5a2f525f80db735a0aa0afd827a751757d

SHA512
7f9a3880157669d6bdf41fdc905ab80b1240ca954602175303ce9856bcc1a28491568a7e7a63a57dc0aefd66b4e6e5ce15f0a081a17baf923b2271f6931f18df

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAjDJFV34E3q.bat

Filesize
261B

MD5
3bcee57fc6c86ef6ee76e7e000edf330

SHA1
bab9b6462183de13067f9b3a1e2275626547ae33

SHA256
9ff0e9a82020a148377ce2df2a1e6f1212090090ae0f3dd23b2cbdbff19468b3

SHA512
6bcab0ea2042560d5c3d72ec8a2ec2425e9dcc1c1d3762159fcb06cc28de3092a4a9bbf2c5168a13ec6392113058b95492261bcb6e4c01f58a6de7dc47ce9865

Download Submit
C:\Users\Admin\AppData\Local\Temp\b54hvShUYJir.bat

Filesize
261B

MD5
c7d763c5fd74b2f88c2496e5ca4b579d

SHA1
b76939850dc416b75b29029fdcd948364e0e1301

SHA256
630e8bf03b326c5763417a2994998ab110b718038dd65760cf1549b5a404d102

SHA512
2a080eff4628698c9e62000df1d86fd17cc81f54446bfc4029868b97b2f831db935372234e0f02d1da9d1615f4aa9d00ff9d22f860dee752e60c021caf1cd901

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdi6T6YNPFCy.bat

Filesize
261B

MD5
ff77aaac0138b3082aca7afce2b4d052

SHA1
d0571844767f573cfe3408f740fea043cc7d229d

SHA256
79fe2c7e4cb8021a8473fbb13cf097689a1f8adf9b0c18687cb9bb46f0ef94a4

SHA512
80cc0bb25b233fce6076117afc2bd5c80ab29092907f605d4d414f96737b719103df9207287b5d1e8981c4c69c0729cda5cbb5b0b7c6f9e14936bbecfe9382be

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYnfBN1pPmhw.bat

Filesize
261B

MD5
37fa434e4bcd13d6f9989f9ae1cc9f2e

SHA1
cb43a41e52f44dc79233d2c78cd7a52838dd5c15

SHA256
e54c288307a0d38b0b814b72b2ec4a8338472747e776bb88fb637df4ed4c122f

SHA512
b2afc2e013de5791ae80a7243114ac786c1db52f609968390d8b005bcafad0316635cbb06e686cbc9fff37edce1291ac485c3f08ffc78424bf0ff54081f90aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\soYfvEQhALbn.bat

Filesize
261B

MD5
78478e025ff3d29d2225292d106335dc

SHA1
3198e46886eba7f539e1c4a24440764ae46f3f54

SHA256
5cf9d15283964a8849ece979a97d97aaf79932c05f7119c2fb997a70177f484f

SHA512
8d78b754bfa861c1f282cb8adf6aa9fc9d8a889dcbecdfc3c6dc07b6d0b885e31dd7ab5b0cf976112677dcf78183c1da7339069c8f8241660876e47f31f07829

Download Submit
memory/3576-0-0x00007FFD41BF3000-0x00007FFD41BF5000-memory.dmp

Filesize
8KB

Download
memory/3576-9-0x00007FFD41BF0000-0x00007FFD426B1000-memory.dmp

Filesize
10.8MB

Download
memory/3576-4-0x000000001E120000-0x000000001E1D2000-memory.dmp

Filesize
712KB

Download
memory/3576-3-0x00000000034A0000-0x00000000034F0000-memory.dmp

Filesize
320KB

Download
memory/3576-2-0x00007FFD41BF0000-0x00007FFD426B1000-memory.dmp

Filesize
10.8MB

Download
memory/3576-1-0x0000000000FF0000-0x0000000001314000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads