quasar | 8efc6505cd59fe757f371ff542e6a8b24ec29f8afb044c5dc32522e23a6cf4cb

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2024 16:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nemoxen.exe
Size

676KB
MD5

fd73b0b44b2d461b5f9fb9a8180de4be
SHA1

a22b3c1d4a77c8235a571229ce7f0aba31af9132
SHA256

8efc6505cd59fe757f371ff542e6a8b24ec29f8afb044c5dc32522e23a6cf4cb
SHA512

7665831e06ecab15114b391835d2a5df9dd7a3bcf05f63b6319f7260b7ea1cb97a9fa522cfe65563c48cc882a72ee004ba1b6392ce381008361a397e3b27871e
SSDEEP

12288:jTEgdfY2xUscjiez4EywIdp+sc8cdd+8:8UwQQrywIdpjcd48

Score

10^/10

quasar neoxen discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Neoxen

i92.168.0.42:4782

Mutex

5e5c2635-6e73-4945-84d1-6fff2a604503

Attributes

encryption_key
4D634613C08A5953B861CE48D768ABEFCD1484A3
install_name
coolpro12.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Neoxen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1940-1-0x0000000000550000-0x0000000000600000-memory.dmp	family_quasar
behavioral2/files/0x0008000000023c86-4.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

coolpro12.execoolpro12.execoolpro12.execoolpro12.execoolpro12.execoolpro12.execoolpro12.execoolpro12.execoolpro12.execoolpro12.execoolpro12.execoolpro12.execoolpro12.execoolpro12.execoolpro12.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	coolpro12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	coolpro12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	coolpro12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	coolpro12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	coolpro12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	coolpro12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	coolpro12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	coolpro12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	coolpro12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	coolpro12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	coolpro12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	coolpro12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	coolpro12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	coolpro12.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	coolpro12.exe

Executes dropped EXE 15 IoCs

Processes:

coolpro12.execoolpro12.execoolpro12.execoolpro12.execoolpro12.execoolpro12.execoolpro12.execoolpro12.execoolpro12.execoolpro12.execoolpro12.execoolpro12.execoolpro12.execoolpro12.execoolpro12.exe

pid	Process
3260	coolpro12.exe
1692	coolpro12.exe
4716	coolpro12.exe
4416	coolpro12.exe
928	coolpro12.exe
3476	coolpro12.exe
3316	coolpro12.exe
2312	coolpro12.exe
4936	coolpro12.exe
1144	coolpro12.exe
2012	coolpro12.exe
2348	coolpro12.exe
3020	coolpro12.exe
4020	coolpro12.exe
1148	coolpro12.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
3316	PING.EXE
4144	PING.EXE
2648	PING.EXE
2044	PING.EXE
2844	PING.EXE
924	PING.EXE
3708	PING.EXE
4016	PING.EXE
3784	PING.EXE
4044	PING.EXE
4660	PING.EXE
4732	PING.EXE
4672	PING.EXE
3656	PING.EXE
2940	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
3708	PING.EXE
2044	PING.EXE
4016	PING.EXE
4144	PING.EXE
4672	PING.EXE
3656	PING.EXE
2940	PING.EXE
3316	PING.EXE
4044	PING.EXE
2648	PING.EXE
4660	PING.EXE
3784	PING.EXE
2844	PING.EXE
924	PING.EXE
4732	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
3376	schtasks.exe
2064	schtasks.exe
4148	schtasks.exe
1696	schtasks.exe
2460	schtasks.exe
2612	schtasks.exe
2380	schtasks.exe
4048	schtasks.exe
4440	schtasks.exe
1872	schtasks.exe
3292	schtasks.exe
2504	schtasks.exe
2388	schtasks.exe
5024	schtasks.exe
1516	schtasks.exe
2104	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

Nemoxen.execoolpro12.execoolpro12.execoolpro12.execoolpro12.execoolpro12.execoolpro12.execoolpro12.execoolpro12.execoolpro12.execoolpro12.execoolpro12.execoolpro12.execoolpro12.execoolpro12.execoolpro12.exe

description	pid	Process
Token: SeDebugPrivilege	1940	Nemoxen.exe
Token: SeDebugPrivilege	3260	coolpro12.exe
Token: SeDebugPrivilege	1692	coolpro12.exe
Token: SeDebugPrivilege	4716	coolpro12.exe
Token: SeDebugPrivilege	4416	coolpro12.exe
Token: SeDebugPrivilege	928	coolpro12.exe
Token: SeDebugPrivilege	3476	coolpro12.exe
Token: SeDebugPrivilege	3316	coolpro12.exe
Token: SeDebugPrivilege	2312	coolpro12.exe
Token: SeDebugPrivilege	4936	coolpro12.exe
Token: SeDebugPrivilege	1144	coolpro12.exe
Token: SeDebugPrivilege	2012	coolpro12.exe
Token: SeDebugPrivilege	2348	coolpro12.exe
Token: SeDebugPrivilege	3020	coolpro12.exe
Token: SeDebugPrivilege	4020	coolpro12.exe
Token: SeDebugPrivilege	1148	coolpro12.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Nemoxen.execoolpro12.execmd.execoolpro12.execmd.execoolpro12.execmd.execoolpro12.execmd.execoolpro12.execmd.execoolpro12.execmd.exe

description	pid	Process	procid_target
PID 1940 wrote to memory of 5024	1940	Nemoxen.exe	83
PID 1940 wrote to memory of 5024	1940	Nemoxen.exe	83
PID 1940 wrote to memory of 3260	1940	Nemoxen.exe	85
PID 1940 wrote to memory of 3260	1940	Nemoxen.exe	85
PID 3260 wrote to memory of 2064	3260	coolpro12.exe	86
PID 3260 wrote to memory of 2064	3260	coolpro12.exe	86
PID 3260 wrote to memory of 4492	3260	coolpro12.exe	88
PID 3260 wrote to memory of 4492	3260	coolpro12.exe	88
PID 4492 wrote to memory of 220	4492	cmd.exe	90
PID 4492 wrote to memory of 220	4492	cmd.exe	90
PID 4492 wrote to memory of 4732	4492	cmd.exe	91
PID 4492 wrote to memory of 4732	4492	cmd.exe	91
PID 4492 wrote to memory of 1692	4492	cmd.exe	95
PID 4492 wrote to memory of 1692	4492	cmd.exe	95
PID 1692 wrote to memory of 1516	1692	coolpro12.exe	96
PID 1692 wrote to memory of 1516	1692	coolpro12.exe	96
PID 1692 wrote to memory of 4460	1692	coolpro12.exe	99
PID 1692 wrote to memory of 4460	1692	coolpro12.exe	99
PID 4460 wrote to memory of 1796	4460	cmd.exe	101
PID 4460 wrote to memory of 1796	4460	cmd.exe	101
PID 4460 wrote to memory of 3316	4460	cmd.exe	102
PID 4460 wrote to memory of 3316	4460	cmd.exe	102
PID 4460 wrote to memory of 4716	4460	cmd.exe	112
PID 4460 wrote to memory of 4716	4460	cmd.exe	112
PID 4716 wrote to memory of 2104	4716	coolpro12.exe	113
PID 4716 wrote to memory of 2104	4716	coolpro12.exe	113
PID 4716 wrote to memory of 4668	4716	coolpro12.exe	116
PID 4716 wrote to memory of 4668	4716	coolpro12.exe	116
PID 4668 wrote to memory of 2692	4668	cmd.exe	118
PID 4668 wrote to memory of 2692	4668	cmd.exe	118
PID 4668 wrote to memory of 3708	4668	cmd.exe	119
PID 4668 wrote to memory of 3708	4668	cmd.exe	119
PID 4668 wrote to memory of 4416	4668	cmd.exe	123
PID 4668 wrote to memory of 4416	4668	cmd.exe	123
PID 4416 wrote to memory of 4048	4416	coolpro12.exe	124
PID 4416 wrote to memory of 4048	4416	coolpro12.exe	124
PID 4416 wrote to memory of 5024	4416	coolpro12.exe	127
PID 4416 wrote to memory of 5024	4416	coolpro12.exe	127
PID 5024 wrote to memory of 3628	5024	cmd.exe	129
PID 5024 wrote to memory of 3628	5024	cmd.exe	129
PID 5024 wrote to memory of 2044	5024	cmd.exe	130
PID 5024 wrote to memory of 2044	5024	cmd.exe	130
PID 5024 wrote to memory of 928	5024	cmd.exe	132
PID 5024 wrote to memory of 928	5024	cmd.exe	132
PID 928 wrote to memory of 4440	928	coolpro12.exe	133
PID 928 wrote to memory of 4440	928	coolpro12.exe	133
PID 928 wrote to memory of 1804	928	coolpro12.exe	136
PID 928 wrote to memory of 1804	928	coolpro12.exe	136
PID 1804 wrote to memory of 3940	1804	cmd.exe	138
PID 1804 wrote to memory of 3940	1804	cmd.exe	138
PID 1804 wrote to memory of 4016	1804	cmd.exe	139
PID 1804 wrote to memory of 4016	1804	cmd.exe	139
PID 1804 wrote to memory of 3476	1804	cmd.exe	141
PID 1804 wrote to memory of 3476	1804	cmd.exe	141
PID 3476 wrote to memory of 1872	3476	coolpro12.exe	142
PID 3476 wrote to memory of 1872	3476	coolpro12.exe	142
PID 3476 wrote to memory of 4184	3476	coolpro12.exe	145
PID 3476 wrote to memory of 4184	3476	coolpro12.exe	145
PID 4184 wrote to memory of 4356	4184	cmd.exe	147
PID 4184 wrote to memory of 4356	4184	cmd.exe	147
PID 4184 wrote to memory of 4144	4184	cmd.exe	148
PID 4184 wrote to memory of 4144	4184	cmd.exe	148
PID 4184 wrote to memory of 3316	4184	cmd.exe	150
PID 4184 wrote to memory of 3316	4184	cmd.exe	150

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Nemoxen.exe
"C:\Users\Admin\AppData\Local\Temp\Nemoxen.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Neoxen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Nemoxen.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5024
- C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3260
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Neoxen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rlyu9tEQ3oIw.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:220
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4732
  - - C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1692
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Neoxen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1516
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ufzEnQOa8OED.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4460
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1796
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3316
      - C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Neoxen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gFbVyDDTfr5o.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2692
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3708
        
        C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Neoxen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xPMW81ypw1XK.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3628
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2044
        
        C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Neoxen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6NAZLUu5qwKB.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3940
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4016
        
        C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Neoxen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AdT5zxoA1wNj.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4356
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4144
        
        C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3316
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Neoxen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2460
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XrUw2cUaVfMP.bat" "
        15⤵
        
        PID:3080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4672
        
        C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Neoxen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HKFGcHZkyLBW.bat" "
        17⤵
        
        PID:1716
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1188
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3656
        
        C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4936
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Neoxen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3292
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PxtXK8jFRm2r.bat" "
        19⤵
        
        PID:2388
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2100
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3784
        
        C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Neoxen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H13jvdVbuuIL.bat" "
        21⤵
        
        PID:100
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3420
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2844
        
        C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Neoxen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2504
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yOS70J4od4aQ.bat" "
        23⤵
        
        PID:4712
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1916
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:924
        
        C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Neoxen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4148
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\moYOtpR4w9vm.bat" "
        25⤵
        
        PID:1964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3176
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2648
        
        C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Neoxen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m5jAf9Iv0NDB.bat" "
        27⤵
        
        PID:4004
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1348
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4044
        
        C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4020
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Neoxen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Qy9jMNLXAvLm.bat" "
        29⤵
        
        PID:2668
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2268
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2940
        
        C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Neoxen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M2VUzQSWhytl.bat" "
        31⤵
        
        PID:3680
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:680
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\coolpro12.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\6NAZLUu5qwKB.bat

Filesize
210B

MD5
3a58c0eb50c2f46ca2be9bea4e1cc9a8

SHA1
04d74aec846eef0808636e4d709f6479ff820922

SHA256
c803529936e8f18d59ffcf4160caaeb9ef4ebbb9aae223c7e3acff096305309b

SHA512
39226a22427afe23dbe28d77947d45593e32b6c0a534ff3a394dea6f2cffcf08123b9f59e1997641ba4753615e3603efd92ed86a18b7c2a5cc459d86bcc35064

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdT5zxoA1wNj.bat

Filesize
210B

MD5
dbf65f7a4cbe1249aee4c8a643f1ef2d

SHA1
ed3bdf14428a7cf8c63a6a3a6a95d6ede50ab103

SHA256
19e96e9fd8dc3f9f386c4596fdd18bb7e7d76a2b4118ac9a2fff470de9e31dbc

SHA512
edb330db1d6a1ede994ad952dff927c279d35097a57c849a5779c4d3c92c72e182098ee611aad17b9a6c2693f473f9f0438d00a7cd2c3df4f2e6e03aa57f3b54

Download Submit
C:\Users\Admin\AppData\Local\Temp\H13jvdVbuuIL.bat

Filesize
210B

MD5
03349124500956595ac2e1ac87571f59

SHA1
928be4aca4cc558e267b73dff4873161ee8a09e8

SHA256
b9aa013aae2ae709e625b78251818abdddabf35adaddbcdb63cb63702f656e4a

SHA512
59744efe6d736dff668cc2ebf5b8a7af987125fcb1ff0e6c2b1ac2fc81a7e23493e01f7a58320fe88b3cdd3fad3b9253b252df2276e7aeaf509dc8c69f12c773

Download Submit
C:\Users\Admin\AppData\Local\Temp\HKFGcHZkyLBW.bat

Filesize
210B

MD5
0ea4888b67e99ed63351997388f5fcad

SHA1
9a212e9792935406897d2ef600842707c1e835ac

SHA256
3d401ea80809ded46e850837f1381b3706124dea3379ba3799000dbad49bc0a3

SHA512
ac97dc08d6d65a382b3d735c822031e898075aa729974856c9295faefaa954402eaf4e69f5394ae912550c63067c8d16dd3b6c0413e27696cb4029cf3cf0dbe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\M2VUzQSWhytl.bat

Filesize
210B

MD5
8a72eb76e40b7a5e9207a7dc6e3c8afb

SHA1
5d8adcce4fc1f0c4aae8d9327f20c810cc5cc377

SHA256
16a55c3a69ff78a74a32b98dd602735b08702c2ec1b8fe653ac1247ce67e8e6b

SHA512
a39a6539042960ec0cdfae2e89286971645b9b154b2a010088a62c15a90da10055e616643e48baef641a6b4f1fecf047b88c95edcfb9c0f771ee0a12e1ec2d65

Download Submit
C:\Users\Admin\AppData\Local\Temp\PxtXK8jFRm2r.bat

Filesize
210B

MD5
a686f4378da96013a2fc9e85356231b0

SHA1
ccf4ac9cac2102bf6ac2673bec15952d4eb91ffd

SHA256
cd2506eb6caa45d7e6c812ac508a74c765f7b9e5b443a0c8bb0df98749ec49d0

SHA512
5e7102f2670a7a3e5232cc1a6c70d1661d2ed495b6904039db486ad59ab1805851a31b62ae91c488e14c3c152ecffc0cfdfcb4f3c8a5adcd9d1293f218669477

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qy9jMNLXAvLm.bat

Filesize
210B

MD5
832deefac27c85b25653c3b62a41ffad

SHA1
e87c0f8f98234098dcf40da96bbc3ddd5c3ab308

SHA256
9c47b9adaa48f414262c5a9cad84f9ebfe195be68ddcc413e89b5529e7eed5ef

SHA512
0ca6915854b91f23742897e6a9d7cec595853fd791acb7a4d68e56965488129d56660b099a70214238f378306948eb637ebaef39cfb42bdeddebad038ca37add

Download Submit
C:\Users\Admin\AppData\Local\Temp\XrUw2cUaVfMP.bat

Filesize
210B

MD5
2ec997dfe61d8ec2fb7124702f1b9c59

SHA1
277fd4d18502ab2900a9498bd208a8ae3b6eba77

SHA256
01aa2cbe7d549c634404d42bacf85ab87f219e32c4c65f015c87c294290f868a

SHA512
215caf77ed53c6292b262d07b5dd265b3f6ca7e29d84d4592c2aecb565b78776de4bd11a4c6fd72c9f0daa5fb4a50358bdfade3ea6fe308ee9a2914602133075

Download Submit
C:\Users\Admin\AppData\Local\Temp\gFbVyDDTfr5o.bat

Filesize
210B

MD5
8bf1f73055dee9e3fc9323c3d3ef3715

SHA1
2c7f93e66e9ecc3d6850c508dcc046e57bfb7297

SHA256
2321dfb9a120122f9ef5a07f5aa5debd002dc398290a4576e4b96a730c57d6b6

SHA512
af55d481d36307f5a47d450c888f60fded97d37072d75ee4216b409097e96403a13b38e7bc50473956d6b8f9eca4f00a236a23614e308dafab1438b3a28e6f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\m5jAf9Iv0NDB.bat

Filesize
210B

MD5
75309afb10f4847b7223a5e29cd5bde6

SHA1
69eea464c6e951fb59ec165d1b43e6495bc6ea28

SHA256
146a539c91ba584bfc427b7aaae3044f242591a5a1e2bc9fb055c1f2173d51f9

SHA512
e052794a354413158657a702e1856b646a5bebb656c9cf073fbc7d116143732329bc6775665ad39245afca3ab2b013635427aede91f83877aa3665580fd611ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\moYOtpR4w9vm.bat

Filesize
210B

MD5
a9105b4e84828d19c71359307f5fff34

SHA1
54d65b33cb9d1c2d5490937f0823fcea82c9fe6b

SHA256
afeb910f4d5ddb98a534cecb597c65c979a94d2ae0ef029e7e52b4ffe1c52484

SHA512
c677d30b3793aa6bb69fb12ddfe86ef219ebc29723afab391e1a56c9bd823e751070ddcc60aeffc8a983a4fe9501814e53651a52772aa7996ca7abf4f50d51d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\rlyu9tEQ3oIw.bat

Filesize
210B

MD5
397bdc643cf4c9144acb0bb452849b6a

SHA1
c740fad78922397ab9148dfef859550f1e185225

SHA256
22453ec4518b42f38cad2dcc95030ac1345e7eb919ee20c89b80b59b4571ce62

SHA512
d2affa9a235dfb718b73791a61510eddda4a65d286484b340f2588bd3b01262239926e966ec05f6b6adbe068bac3845cc348ff565c1de890eda91a157aeb7340

Download Submit
C:\Users\Admin\AppData\Local\Temp\ufzEnQOa8OED.bat

Filesize
210B

MD5
bfec26792811e5b82f1afac5fc868406

SHA1
1cce6f8996e395ba8f5d01d42d91e020ae4989eb

SHA256
3fb7dc519cf43da40d0143afcccc29022fc2c546e4a0236e55834d1d6dd1c88e

SHA512
5b6de19ebf8850165db347fae1892441c04d58a0f61b3419e4a72f38bc916f070cae2fb4a8820257aa5cc2d2ad39e7ea6c200288b0e49eca77e6e391886a9739

Download Submit
C:\Users\Admin\AppData\Local\Temp\xPMW81ypw1XK.bat

Filesize
210B

MD5
de56a52d9a44d3cbeb088b2d25704c05

SHA1
79b96ef0443f30b17384adb90a9920295e9e45f8

SHA256
864632a6e0b8177fcf33f47b0d461fd440ea2e0b1b7f0a6ab266fbc757817ac2

SHA512
4fb6b8eb779a7b48bb5f41de3e5156a290ecdddc9f8c355c01171a082454abfb505394386f38f6a6103b01a3e53de330d171ce226306f609d7abe14972279fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yOS70J4od4aQ.bat

Filesize
210B

MD5
389a0e09662c4fa080e28286828aea53

SHA1
932b227aedc5cec9a2595b9d2dd0ef2b820106d9

SHA256
e2f36f9d918b1d5f2e943ecf2915415bdf10c7d6da9eadcddf6e615a68c961a5

SHA512
407987d9f32ecdaa1d6b5203e6dd35ecd5f6a81841f72f14593ed7514fb81f22b8a2994306fafbae428533c5bd38079f1a2ac3c6a28b0b9ad3bf6da16a7cd4e2

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\coolpro12.exe

Filesize
676KB

MD5
fd73b0b44b2d461b5f9fb9a8180de4be

SHA1
a22b3c1d4a77c8235a571229ce7f0aba31af9132

SHA256
8efc6505cd59fe757f371ff542e6a8b24ec29f8afb044c5dc32522e23a6cf4cb

SHA512
7665831e06ecab15114b391835d2a5df9dd7a3bcf05f63b6319f7260b7ea1cb97a9fa522cfe65563c48cc882a72ee004ba1b6392ce381008361a397e3b27871e

Download Submit
memory/1940-0-0x00007FFA473E3000-0x00007FFA473E5000-memory.dmp

Filesize
8KB

Download
memory/1940-9-0x00007FFA473E0000-0x00007FFA47EA1000-memory.dmp

Filesize
10.8MB

Download
memory/1940-2-0x00007FFA473E0000-0x00007FFA47EA1000-memory.dmp

Filesize
10.8MB

Download
memory/1940-1-0x0000000000550000-0x0000000000600000-memory.dmp

Filesize
704KB

Download
memory/3260-17-0x00007FFA473E0000-0x00007FFA47EA1000-memory.dmp

Filesize
10.8MB

Download
memory/3260-12-0x000000001B670000-0x000000001B722000-memory.dmp

Filesize
712KB

Download
memory/3260-11-0x000000001AF10000-0x000000001AF60000-memory.dmp

Filesize
320KB

Download
memory/3260-10-0x00007FFA473E0000-0x00007FFA47EA1000-memory.dmp

Filesize
10.8MB

Download
memory/3260-8-0x00007FFA473E0000-0x00007FFA47EA1000-memory.dmp

Filesize
10.8MB

Download