quasar | 8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997

Analysis

max time kernel
142s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe
Size

3.1MB
MD5

c2281b1740f2acd02e9e19f83441b033
SHA1

bf321d96b83261e5487f06c9c0ddfc75786c7c8c
SHA256

8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997
SHA512

0c8a95e5caa07047073077a252a891e321cf1a8c964e6e99b72a1c701e6368e63aa82c0425f58364887de3c277130c3c1acda2064332c377efaccf6ce568e027
SSDEEP

49152:jyF/j2yMy5en93hlLLzJjVrvjkoGduTHHB72eh2NT:jydj2yMy5en93hlLLzJjVrvo

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

connectdadad.ddns.net:4782

Mutex

e862a94f-5f45-4b8c-89de-f84dadb095d0

Attributes

encryption_key
23E5F6D22FEE1750D36544A759A48349B064BC34
install_name
PerfWatson1.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svhost
subdirectory
KDOT

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 11 IoCs

resource	yara_rule
behavioral1/memory/1924-1-0x0000000000290000-0x00000000005B4000-memory.dmp	family_quasar
behavioral1/files/0x0008000000016d4e-6.dat	family_quasar
behavioral1/memory/1136-9-0x0000000000B60000-0x0000000000E84000-memory.dmp	family_quasar
behavioral1/memory/2628-22-0x0000000000EF0000-0x0000000001214000-memory.dmp	family_quasar
behavioral1/memory/2052-43-0x0000000001360000-0x0000000001684000-memory.dmp	family_quasar
behavioral1/memory/2480-64-0x0000000000270000-0x0000000000594000-memory.dmp	family_quasar
behavioral1/memory/2520-75-0x0000000001340000-0x0000000001664000-memory.dmp	family_quasar
behavioral1/memory/2820-86-0x0000000000040000-0x0000000000364000-memory.dmp	family_quasar
behavioral1/memory/684-97-0x0000000000D60000-0x0000000001084000-memory.dmp	family_quasar
behavioral1/memory/1280-108-0x0000000001220000-0x0000000001544000-memory.dmp	family_quasar
behavioral1/memory/2260-159-0x00000000001B0000-0x00000000004D4000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
1136	PerfWatson1.exe
2628	PerfWatson1.exe
1520	PerfWatson1.exe
2052	PerfWatson1.exe
2812	PerfWatson1.exe
2480	PerfWatson1.exe
2520	PerfWatson1.exe
2820	PerfWatson1.exe
684	PerfWatson1.exe
1280	PerfWatson1.exe
2168	PerfWatson1.exe
1872	PerfWatson1.exe
2512	PerfWatson1.exe
1732	PerfWatson1.exe
2260	PerfWatson1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
236	PING.EXE
1048	PING.EXE
2196	PING.EXE
1564	PING.EXE
2640	PING.EXE
1700	PING.EXE
1516	PING.EXE
380	PING.EXE
336	PING.EXE
2872	PING.EXE
2140	PING.EXE
1408	PING.EXE
1712	PING.EXE
1268	PING.EXE
1048	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1712	PING.EXE
336	PING.EXE
1048	PING.EXE
236	PING.EXE
1048	PING.EXE
1564	PING.EXE
380	PING.EXE
2640	PING.EXE
2196	PING.EXE
2872	PING.EXE
1516	PING.EXE
1268	PING.EXE
2140	PING.EXE
1408	PING.EXE
1700	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3032	schtasks.exe
272	schtasks.exe
2292	schtasks.exe
572	schtasks.exe
1744	schtasks.exe
2988	schtasks.exe
2072	schtasks.exe
2740	schtasks.exe
2700	schtasks.exe
2492	schtasks.exe
2596	schtasks.exe
956	schtasks.exe
2548	schtasks.exe
2324	schtasks.exe
2928	schtasks.exe
1756	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1924	8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe
Token: SeDebugPrivilege	1136	PerfWatson1.exe
Token: SeDebugPrivilege	2628	PerfWatson1.exe
Token: SeDebugPrivilege	1520	PerfWatson1.exe
Token: SeDebugPrivilege	2052	PerfWatson1.exe
Token: SeDebugPrivilege	2812	PerfWatson1.exe
Token: SeDebugPrivilege	2480	PerfWatson1.exe
Token: SeDebugPrivilege	2520	PerfWatson1.exe
Token: SeDebugPrivilege	2820	PerfWatson1.exe
Token: SeDebugPrivilege	684	PerfWatson1.exe
Token: SeDebugPrivilege	1280	PerfWatson1.exe
Token: SeDebugPrivilege	2168	PerfWatson1.exe
Token: SeDebugPrivilege	1872	PerfWatson1.exe
Token: SeDebugPrivilege	2512	PerfWatson1.exe
Token: SeDebugPrivilege	1732	PerfWatson1.exe
Token: SeDebugPrivilege	2260	PerfWatson1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2548	1924	8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe	30
PID 1924 wrote to memory of 2548	1924	8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe	30
PID 1924 wrote to memory of 2548	1924	8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe	30
PID 1924 wrote to memory of 1136	1924	8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe	32
PID 1924 wrote to memory of 1136	1924	8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe	32
PID 1924 wrote to memory of 1136	1924	8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe	32
PID 1136 wrote to memory of 2324	1136	PerfWatson1.exe	33
PID 1136 wrote to memory of 2324	1136	PerfWatson1.exe	33
PID 1136 wrote to memory of 2324	1136	PerfWatson1.exe	33
PID 1136 wrote to memory of 2904	1136	PerfWatson1.exe	35
PID 1136 wrote to memory of 2904	1136	PerfWatson1.exe	35
PID 1136 wrote to memory of 2904	1136	PerfWatson1.exe	35
PID 2904 wrote to memory of 2864	2904	cmd.exe	37
PID 2904 wrote to memory of 2864	2904	cmd.exe	37
PID 2904 wrote to memory of 2864	2904	cmd.exe	37
PID 2904 wrote to memory of 2872	2904	cmd.exe	38
PID 2904 wrote to memory of 2872	2904	cmd.exe	38
PID 2904 wrote to memory of 2872	2904	cmd.exe	38
PID 2904 wrote to memory of 2628	2904	cmd.exe	40
PID 2904 wrote to memory of 2628	2904	cmd.exe	40
PID 2904 wrote to memory of 2628	2904	cmd.exe	40
PID 2628 wrote to memory of 2700	2628	PerfWatson1.exe	41
PID 2628 wrote to memory of 2700	2628	PerfWatson1.exe	41
PID 2628 wrote to memory of 2700	2628	PerfWatson1.exe	41
PID 2628 wrote to memory of 1524	2628	PerfWatson1.exe	43
PID 2628 wrote to memory of 1524	2628	PerfWatson1.exe	43
PID 2628 wrote to memory of 1524	2628	PerfWatson1.exe	43
PID 1524 wrote to memory of 1904	1524	cmd.exe	45
PID 1524 wrote to memory of 1904	1524	cmd.exe	45
PID 1524 wrote to memory of 1904	1524	cmd.exe	45
PID 1524 wrote to memory of 1048	1524	cmd.exe	46
PID 1524 wrote to memory of 1048	1524	cmd.exe	46
PID 1524 wrote to memory of 1048	1524	cmd.exe	46
PID 1524 wrote to memory of 1520	1524	cmd.exe	47
PID 1524 wrote to memory of 1520	1524	cmd.exe	47
PID 1524 wrote to memory of 1520	1524	cmd.exe	47
PID 1520 wrote to memory of 2928	1520	PerfWatson1.exe	48
PID 1520 wrote to memory of 2928	1520	PerfWatson1.exe	48
PID 1520 wrote to memory of 2928	1520	PerfWatson1.exe	48
PID 1520 wrote to memory of 2932	1520	PerfWatson1.exe	50
PID 1520 wrote to memory of 2932	1520	PerfWatson1.exe	50
PID 1520 wrote to memory of 2932	1520	PerfWatson1.exe	50
PID 2932 wrote to memory of 2460	2932	cmd.exe	52
PID 2932 wrote to memory of 2460	2932	cmd.exe	52
PID 2932 wrote to memory of 2460	2932	cmd.exe	52
PID 2932 wrote to memory of 1516	2932	cmd.exe	53
PID 2932 wrote to memory of 1516	2932	cmd.exe	53
PID 2932 wrote to memory of 1516	2932	cmd.exe	53
PID 2932 wrote to memory of 2052	2932	cmd.exe	54
PID 2932 wrote to memory of 2052	2932	cmd.exe	54
PID 2932 wrote to memory of 2052	2932	cmd.exe	54
PID 2052 wrote to memory of 3032	2052	PerfWatson1.exe	55
PID 2052 wrote to memory of 3032	2052	PerfWatson1.exe	55
PID 2052 wrote to memory of 3032	2052	PerfWatson1.exe	55
PID 2052 wrote to memory of 2112	2052	PerfWatson1.exe	57
PID 2052 wrote to memory of 2112	2052	PerfWatson1.exe	57
PID 2052 wrote to memory of 2112	2052	PerfWatson1.exe	57
PID 2112 wrote to memory of 1060	2112	cmd.exe	59
PID 2112 wrote to memory of 1060	2112	cmd.exe	59
PID 2112 wrote to memory of 1060	2112	cmd.exe	59
PID 2112 wrote to memory of 1712	2112	cmd.exe	60
PID 2112 wrote to memory of 1712	2112	cmd.exe	60
PID 2112 wrote to memory of 1712	2112	cmd.exe	60
PID 2112 wrote to memory of 2812	2112	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe
"C:\Users\Admin\AppData\Local\Temp\8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2548
- C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1136
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2324
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\RqWZyiv7nQ5b.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2864
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2872
  - - C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
      "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2700
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lAYBFM6WubYP.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1524
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1904
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1048
      - C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2928
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\6uceaMeGzw6q.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2460
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1516
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3032
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NJ8cok4uBHiz.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1060
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1712
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:272
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vxjoKHlQzrrs.bat" "
        11⤵
        
        PID:3008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2328
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1268
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2492
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ULoRjbqBzqnQ.bat" "
        13⤵
        
        PID:1968
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2116
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:380
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2292
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\m4hR5F2LSv8y.bat" "
        15⤵
        
        PID:1404
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2768
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:336
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1744
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xMCkNaI6LIUt.bat" "
        17⤵
        
        PID:2684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2876
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2640
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:684
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:572
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RVUW7MkLmm9N.bat" "
        19⤵
        
        PID:1560
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1140
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1048
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2988
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\r9looFj3y8R3.bat" "
        21⤵
        
        PID:1620
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2996
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2140
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2596
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\G8dv6EoV8S4S.bat" "
        23⤵
        
        PID:1000
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2160
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1408
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:956
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OnKIQmmFbdhv.bat" "
        25⤵
        
        PID:1648
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2196
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1756
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nz5mehSzeyxD.bat" "
        27⤵
        
        PID:3052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:592
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1564
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2072
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pCAInGj7m01R.bat" "
        29⤵
        
        PID:2412
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1700
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2740
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\x2rJwRGlvvvc.bat" "
        31⤵
        
        PID:3060
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:1608
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6uceaMeGzw6q.bat

Filesize
210B

MD5
019c29f9cbefa54b85dc2521793bf1e4

SHA1
f592f1b8bac4d43636168917bac6439a64459785

SHA256
3bc8614836b9a524b3aa0174a176b9e3bbb7dfe46b8237a0f9fe3a96e3c42a2a

SHA512
b0745a377241509d6bfb8c6b6a410d69c8a18a9585b5a681ac329d7675f064715b822c0cfbadb69e9f9b287de80d0f5ba6de18a69616b024268ebd779d3b8ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\G8dv6EoV8S4S.bat

Filesize
210B

MD5
e3e49bb3332a109e8a69615b67e1ef4d

SHA1
e0719c170dbc3ca667be6f00c5f6279cf9bf17e3

SHA256
e4cc8ce8d34b0895e8a07f5e5ed167f7a23d3a9d24a713362b830395caab4188

SHA512
2ff361a4700867d03ded4286e5da6e7585bdb20bf60a9f011919f2b7e0805f842e64f4b19a54d0d35c2b5e5e8a47a1b39c1f08d4be3415156be5ef2147ef402b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NJ8cok4uBHiz.bat

Filesize
210B

MD5
0fc2cede3e70d14342d419e49b3162eb

SHA1
c51186ac349192ab92991db00f67a035dbbf909d

SHA256
b188b00c7dd235efb17ca5b986266c0f12ed8181bc4485e2d314429366cad762

SHA512
315a77d9ab29ee0ff778777bc47f9583bb627144719e93a6f0d50406cfaebfb5f520ffc7671e9400e962a39c0824d01461641bcd1fa36f83d166d4a0bc408345

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnKIQmmFbdhv.bat

Filesize
210B

MD5
9bb16c7de73fc04aa9a93f8238f19012

SHA1
cb011964ba667f687b2090f265806e40e6a34c2c

SHA256
19918604858c897bdb355b890ca6cabf2984960edd9060c63f4050541b54f3c0

SHA512
f879328676815fa30e8a7b36195ccb1f43288556e6940269420193b87aee835c5d59b231cb4fc803e5f088fd98103064b10a66ecad1636d8c1a9f11087282aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RVUW7MkLmm9N.bat

Filesize
210B

MD5
41fa62ee06fb8cb82ec74ee7ce9ff206

SHA1
127e04d968b4bf2823782439fcd0199736c28882

SHA256
b94e85d5f4712ff8613f13f4dedc910bf986c60db6682782cc3831fcbd968d80

SHA512
c6e10aa7760acc2fc78fbf63311c8df04afa1ae6232013bcbbcfe08393eef6a0f6cb13b7e503e503e28a18a2c72640c0a1aae3c2bba4e43428bb410a514899ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\RqWZyiv7nQ5b.bat

Filesize
210B

MD5
910ed4ccfeb67d49392d116e8dae1178

SHA1
4b3282c8e4db3e57f74745e8ca7d30d353a65a37

SHA256
5821da43e8d1a740dab40957f7c80aefc4fd0900bc9c990c4d9d428398947e7e

SHA512
a50e8d3bb5b519139dac661a8f2229238ce557696d381ebc4af35fcf06e19b419faf45b4b9da08b3facbfb3f2d1284e60f694b3f98f130963af51f115cc10b19

Download Submit
C:\Users\Admin\AppData\Local\Temp\ULoRjbqBzqnQ.bat

Filesize
210B

MD5
1bd35a272226e4c27d44e860c3886dd6

SHA1
2711d9a954e14d90fc61fbdb39f064af474a339b

SHA256
745ff30291f67fa476686902c9e76bde21c1c376c6a3a1f8f71630abb163be18

SHA512
3528889fce0c9d284a339bd6a5e295d53e0b83f04d9a076d1f573b1c4965ec3053fa36d871ab9e0d26fcb575643c41a343c35157ee7fff1d534146f0aaeb0bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\lAYBFM6WubYP.bat

Filesize
210B

MD5
fb6cad88faf39418495e26a6bb6cfc69

SHA1
8a25d874824c6d14a10b013f9526f99a973fdeaa

SHA256
329e0de33d347025590a2d06ae2feeb82eb655a6adcb67353e42c5cb63c50327

SHA512
49c476e273613e68a10ee3d36db5e81254657bbd395361c7b0bf6230f244aabcf42f105ce7ceceeefa441ed9a3d75227c932192dc01bb221e0efa9fe571882df

Download Submit
C:\Users\Admin\AppData\Local\Temp\m4hR5F2LSv8y.bat

Filesize
210B

MD5
058530b02dec5ba973b8adea75e1d0ff

SHA1
fed88c36106d09ac9e3929cf644e5da5de709339

SHA256
208a3a0495f926e99d66eb838e49f8bb06d3da05b8c23ddf477fdbfd45094fef

SHA512
0c5eadc693b274125290c92a4581c38d309df53157155dbe1ea60f10be767abfd6f2064e453ca383a0a254a37aa73d849ffc2cec41be6d1211ac0488e34a8170

Download Submit
C:\Users\Admin\AppData\Local\Temp\nz5mehSzeyxD.bat

Filesize
210B

MD5
bca76372f08c33d91ff0acef9e9a0bbe

SHA1
1e8a4539489bbd0b123270fd474ba98b41f6613f

SHA256
c31342a76aac7845e57d959b1e44dcdba809e97447172b13ebe2b7388e1a80d5

SHA512
5bff00c7bc56f5d334d97089d626cc1ea124868c4c4b98104d5ba7a4b3cbcef9d95a1dbba6c44f2b41b3ef8cc133848bb046ddadc8c26a1613f752005dc6a22c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pCAInGj7m01R.bat

Filesize
210B

MD5
7390dd007e984e8395129c2a090339eb

SHA1
e7b76ede6fb8e15ee76ab51c7142213aacd29fac

SHA256
99ff2b236f1b89fd6d4d4361e3343f81d9aa44a24d617ea85b996c1eac6135c8

SHA512
03fb8a519e2cd1ace5566e2b1a4c2543880eac8440b13859a289ab23857f9d085a42303eda130861a1b7a33e8522d022fd61b378c079fd05824526b781719cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\r9looFj3y8R3.bat

Filesize
210B

MD5
821ce6bbeac3954ae04082cd6bebcc87

SHA1
40d7732d77ab5a0f3eb344a243415df71c937cdf

SHA256
664a2b35f4d28088c6312121afee18a9132daf6d78f8af49b34c6e3c6c7684cc

SHA512
e32f18860e5d84f05e42e1cadcd0ffeb9cc02972f44032fae7c503c63b47177fda17f47b9e0d9f88e9cfe93425d3fe165f2884da2c89ac93f9f7f172634e516d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vxjoKHlQzrrs.bat

Filesize
210B

MD5
f9e3fd72aad6f4bbeb6a342e9690ceae

SHA1
2d02fbdf7fb8f98baf7573612a702511ed2a2836

SHA256
e7d6099ea37e0e15dae2a991daee95b9baccc1f62a68e61d547d66a36f7e3e81

SHA512
60760463e1eddc854fbe4499f5b56e6dd768cd17775382ed45a72dd3322b2809112ba6d8220214ed706db14f3d5a7cf8c995b233bb7ca7f1fb418fa3c50b9e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\x2rJwRGlvvvc.bat

Filesize
210B

MD5
367173f50e41d1f4718d58ac091b7b50

SHA1
cc489d0912ba366a1a92657d750a1755a8d2aa38

SHA256
727e944ba8ea0639b983d9676cd8e9912fb2ee7fe66bff850be45140479f65bb

SHA512
0df716c1fe547e6929c64d1474d47a028ce472a2089b50fc2828e2e00fd0e514d38359ee88c8b0cc14cc32e29c4d69910fb9c6ca6a41c11ceb4040fde2b1a92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xMCkNaI6LIUt.bat

Filesize
210B

MD5
87dcde5397bef0f4af8617e86549b9be

SHA1
cd37d6365eee686a02f10c5a32a2ff0b0cdac61e

SHA256
caaf8227b0bfeda5b1e52fe1a0927092ce6a52e14767d6cd7a24ad9e62134d18

SHA512
83298c0fc10ba8dc503fc66c348f5273035e8548999faee2effcd48f4c0824182cb052ea0865196fb55fb9f7371ab687355942fd878ce8a6ff0d7a04fb595a3c

Download Submit
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

Filesize
3.1MB

MD5
c2281b1740f2acd02e9e19f83441b033

SHA1
bf321d96b83261e5487f06c9c0ddfc75786c7c8c

SHA256
8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997

SHA512
0c8a95e5caa07047073077a252a891e321cf1a8c964e6e99b72a1c701e6368e63aa82c0425f58364887de3c277130c3c1acda2064332c377efaccf6ce568e027

Download Submit
memory/684-97-0x0000000000D60000-0x0000000001084000-memory.dmp

Filesize
3.1MB

Download
memory/1136-20-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

Filesize
9.9MB

Download
memory/1136-10-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

Filesize
9.9MB

Download
memory/1136-9-0x0000000000B60000-0x0000000000E84000-memory.dmp

Filesize
3.1MB

Download
memory/1136-8-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

Filesize
9.9MB

Download
memory/1280-108-0x0000000001220000-0x0000000001544000-memory.dmp

Filesize
3.1MB

Download
memory/1924-0-0x000007FEF5703000-0x000007FEF5704000-memory.dmp

Filesize
4KB

Download
memory/1924-7-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

Filesize
9.9MB

Download
memory/1924-2-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

Filesize
9.9MB

Download
memory/1924-1-0x0000000000290000-0x00000000005B4000-memory.dmp

Filesize
3.1MB

Download
memory/2052-43-0x0000000001360000-0x0000000001684000-memory.dmp

Filesize
3.1MB

Download
memory/2260-159-0x00000000001B0000-0x00000000004D4000-memory.dmp

Filesize
3.1MB

Download
memory/2480-64-0x0000000000270000-0x0000000000594000-memory.dmp

Filesize
3.1MB

Download
memory/2520-75-0x0000000001340000-0x0000000001664000-memory.dmp

Filesize
3.1MB

Download
memory/2628-22-0x0000000000EF0000-0x0000000001214000-memory.dmp

Filesize
3.1MB

Download
memory/2820-86-0x0000000000040000-0x0000000000364000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads