quasar | 8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997

Analysis

max time kernel
144s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe
Size

3.1MB
MD5

c2281b1740f2acd02e9e19f83441b033
SHA1

bf321d96b83261e5487f06c9c0ddfc75786c7c8c
SHA256

8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997
SHA512

0c8a95e5caa07047073077a252a891e321cf1a8c964e6e99b72a1c701e6368e63aa82c0425f58364887de3c277130c3c1acda2064332c377efaccf6ce568e027
SSDEEP

49152:jyF/j2yMy5en93hlLLzJjVrvjkoGduTHHB72eh2NT:jydj2yMy5en93hlLLzJjVrvo

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

connectdadad.ddns.net:4782

Mutex

e862a94f-5f45-4b8c-89de-f84dadb095d0

Attributes

encryption_key
23E5F6D22FEE1750D36544A759A48349B064BC34
install_name
PerfWatson1.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svhost
subdirectory
KDOT

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/5072-1-0x0000000000540000-0x0000000000864000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023ce1-7.dat	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	PerfWatson1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	PerfWatson1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	PerfWatson1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	PerfWatson1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	PerfWatson1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	PerfWatson1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	PerfWatson1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	PerfWatson1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	PerfWatson1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	PerfWatson1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	PerfWatson1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	PerfWatson1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	PerfWatson1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	PerfWatson1.exe

Executes dropped EXE 14 IoCs

pid	Process
3272	PerfWatson1.exe
1916	PerfWatson1.exe
3740	PerfWatson1.exe
3988	PerfWatson1.exe
4712	PerfWatson1.exe
1596	PerfWatson1.exe
1560	PerfWatson1.exe
832	PerfWatson1.exe
1500	PerfWatson1.exe
2916	PerfWatson1.exe
3124	PerfWatson1.exe
4224	PerfWatson1.exe
828	PerfWatson1.exe
2964	PerfWatson1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2420	PING.EXE
2356	PING.EXE
1240	PING.EXE
2184	PING.EXE
2392	PING.EXE
880	PING.EXE
4300	PING.EXE
4308	PING.EXE
2404	PING.EXE
2020	PING.EXE
2680	PING.EXE
2804	PING.EXE
1052	PING.EXE
4512	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
2420	PING.EXE
2680	PING.EXE
4300	PING.EXE
2356	PING.EXE
2020	PING.EXE
2804	PING.EXE
880	PING.EXE
2392	PING.EXE
1052	PING.EXE
4512	PING.EXE
4308	PING.EXE
2404	PING.EXE
1240	PING.EXE
2184	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4528	schtasks.exe
1224	schtasks.exe
800	schtasks.exe
2196	schtasks.exe
4240	schtasks.exe
4916	schtasks.exe
3340	schtasks.exe
4580	schtasks.exe
548	schtasks.exe
3332	schtasks.exe
1196	schtasks.exe
64	schtasks.exe
2828	schtasks.exe
2272	schtasks.exe
4412	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	5072	8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe
Token: SeDebugPrivilege	3272	PerfWatson1.exe
Token: SeDebugPrivilege	1916	PerfWatson1.exe
Token: SeDebugPrivilege	3740	PerfWatson1.exe
Token: SeDebugPrivilege	3988	PerfWatson1.exe
Token: SeDebugPrivilege	4712	PerfWatson1.exe
Token: SeDebugPrivilege	1596	PerfWatson1.exe
Token: SeDebugPrivilege	1560	PerfWatson1.exe
Token: SeDebugPrivilege	832	PerfWatson1.exe
Token: SeDebugPrivilege	1500	PerfWatson1.exe
Token: SeDebugPrivilege	2916	PerfWatson1.exe
Token: SeDebugPrivilege	3124	PerfWatson1.exe
Token: SeDebugPrivilege	4224	PerfWatson1.exe
Token: SeDebugPrivilege	828	PerfWatson1.exe
Token: SeDebugPrivilege	2964	PerfWatson1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3988	PerfWatson1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 4528	5072	8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe	84
PID 5072 wrote to memory of 4528	5072	8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe	84
PID 5072 wrote to memory of 3272	5072	8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe	86
PID 5072 wrote to memory of 3272	5072	8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe	86
PID 3272 wrote to memory of 3340	3272	PerfWatson1.exe	87
PID 3272 wrote to memory of 3340	3272	PerfWatson1.exe	87
PID 3272 wrote to memory of 4532	3272	PerfWatson1.exe	89
PID 3272 wrote to memory of 4532	3272	PerfWatson1.exe	89
PID 4532 wrote to memory of 2204	4532	cmd.exe	91
PID 4532 wrote to memory of 2204	4532	cmd.exe	91
PID 4532 wrote to memory of 4308	4532	cmd.exe	92
PID 4532 wrote to memory of 4308	4532	cmd.exe	92
PID 4532 wrote to memory of 1916	4532	cmd.exe	98
PID 4532 wrote to memory of 1916	4532	cmd.exe	98
PID 1916 wrote to memory of 4580	1916	PerfWatson1.exe	101
PID 1916 wrote to memory of 4580	1916	PerfWatson1.exe	101
PID 1916 wrote to memory of 2296	1916	PerfWatson1.exe	103
PID 1916 wrote to memory of 2296	1916	PerfWatson1.exe	103
PID 2296 wrote to memory of 3772	2296	cmd.exe	105
PID 2296 wrote to memory of 3772	2296	cmd.exe	105
PID 2296 wrote to memory of 2404	2296	cmd.exe	106
PID 2296 wrote to memory of 2404	2296	cmd.exe	106
PID 2296 wrote to memory of 3740	2296	cmd.exe	107
PID 2296 wrote to memory of 3740	2296	cmd.exe	107
PID 3740 wrote to memory of 548	3740	PerfWatson1.exe	108
PID 3740 wrote to memory of 548	3740	PerfWatson1.exe	108
PID 3740 wrote to memory of 968	3740	PerfWatson1.exe	110
PID 3740 wrote to memory of 968	3740	PerfWatson1.exe	110
PID 968 wrote to memory of 3044	968	cmd.exe	112
PID 968 wrote to memory of 3044	968	cmd.exe	112
PID 968 wrote to memory of 2356	968	cmd.exe	113
PID 968 wrote to memory of 2356	968	cmd.exe	113
PID 968 wrote to memory of 3988	968	cmd.exe	116
PID 968 wrote to memory of 3988	968	cmd.exe	116
PID 3988 wrote to memory of 1224	3988	PerfWatson1.exe	117
PID 3988 wrote to memory of 1224	3988	PerfWatson1.exe	117
PID 3988 wrote to memory of 4880	3988	PerfWatson1.exe	119
PID 3988 wrote to memory of 4880	3988	PerfWatson1.exe	119
PID 4880 wrote to memory of 1516	4880	cmd.exe	121
PID 4880 wrote to memory of 1516	4880	cmd.exe	121
PID 4880 wrote to memory of 1240	4880	cmd.exe	122
PID 4880 wrote to memory of 1240	4880	cmd.exe	122
PID 4880 wrote to memory of 4712	4880	cmd.exe	123
PID 4880 wrote to memory of 4712	4880	cmd.exe	123
PID 4712 wrote to memory of 2196	4712	PerfWatson1.exe	124
PID 4712 wrote to memory of 2196	4712	PerfWatson1.exe	124
PID 4712 wrote to memory of 772	4712	PerfWatson1.exe	126
PID 4712 wrote to memory of 772	4712	PerfWatson1.exe	126
PID 772 wrote to memory of 2024	772	cmd.exe	128
PID 772 wrote to memory of 2024	772	cmd.exe	128
PID 772 wrote to memory of 2184	772	cmd.exe	129
PID 772 wrote to memory of 2184	772	cmd.exe	129
PID 772 wrote to memory of 1596	772	cmd.exe	130
PID 772 wrote to memory of 1596	772	cmd.exe	130
PID 1596 wrote to memory of 4240	1596	PerfWatson1.exe	131
PID 1596 wrote to memory of 4240	1596	PerfWatson1.exe	131
PID 1596 wrote to memory of 2324	1596	PerfWatson1.exe	133
PID 1596 wrote to memory of 2324	1596	PerfWatson1.exe	133
PID 2324 wrote to memory of 4940	2324	cmd.exe	135
PID 2324 wrote to memory of 4940	2324	cmd.exe	135
PID 2324 wrote to memory of 2020	2324	cmd.exe	136
PID 2324 wrote to memory of 2020	2324	cmd.exe	136
PID 2324 wrote to memory of 1560	2324	cmd.exe	137
PID 2324 wrote to memory of 1560	2324	cmd.exe	137

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe
"C:\Users\Admin\AppData\Local\Temp\8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4528
- C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3272
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Edgb8r2YBDqJ.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4532
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2204
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4308
  - - C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
      "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1916
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4580
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LvkI6C4yPGE4.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2296
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3772
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2404
      - C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hzMijYnvUwyX.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3044
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2356
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C9mR2D7J3kyI.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1516
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1240
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ABxRyxo4r8X2.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2024
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2184
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JNGwsFDca89S.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4940
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2020
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IZ4DgHwrxn4V.bat" "
        15⤵
        
        PID:4444
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:436
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2680
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pp7HGqVLrQq1.bat" "
        17⤵
        
        PID:3792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4300
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2420
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H6tEXdRiQQr1.bat" "
        19⤵
        
        PID:4760
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3264
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2804
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\njd0rkR8Sa30.bat" "
        21⤵
        
        PID:2276
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4880
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2392
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3124
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:64
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YInDvMxQFKPZ.bat" "
        23⤵
        
        PID:820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2184
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:880
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4224
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2828
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EnslRS5bVCYu.bat" "
        25⤵
        
        PID:4520
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1052
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:828
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B2wXJ7adjJkl.bat" "
        27⤵
        
        PID:2864
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4480
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4512
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4412
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7LJNWAoLBAby.bat" "
        29⤵
        
        PID:4420
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1684
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PerfWatson1.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7LJNWAoLBAby.bat

Filesize
210B

MD5
ab0efc3974089db367d4c54de42dd9ae

SHA1
816f2bd4f468941f678845f0c23dc65867fbe53f

SHA256
e99176103fd2e2896b689ab21efdba8137af62721c78492bffb36bedb37a64a0

SHA512
dbfd4de9d2274d010a9d7af0dc4e73e5f75bafc42ba8604d15d90d9dcdcf6ad820ca592f7791b2abf833880c30954bf5b8868b4a733670af8a2dc3ea074d0eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ABxRyxo4r8X2.bat

Filesize
210B

MD5
eeb755c6705105f804376450a8cb4e27

SHA1
d48706688e1d6c5c870fb5472af99a8e0533deb4

SHA256
7d244116d8443a6ef6749c82f0c26663187c91f33de943d5e9e4d612f2b467b4

SHA512
7d4beec70d4b6caa0047753f4cffb6652b9bf02e73c6178c6f59e4ef1bb8b3b89c5339abb6425791f1af7a89749630e13bbf23bfac4100e7c390af72b9e5395c

Download Submit
C:\Users\Admin\AppData\Local\Temp\B2wXJ7adjJkl.bat

Filesize
210B

MD5
c7d0b1255e0a53f949383f3d7d0f6f99

SHA1
a1138a9b9fa4e1415fed2bef620342be6e9a7f41

SHA256
1a929a0b436ef75f5c6a51998cfa296cf6ec8366f3404f93f7195c3df48da453

SHA512
5303629a0e5798ed6e2847ffa81b7f5d106f2b11484beb47db1574338c69a80b26731d9c5d4c45f0be23ed7831ffebccf858a7cde6484d4c83a333af92ca7ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9mR2D7J3kyI.bat

Filesize
210B

MD5
5b4a1c556ce96755f61111d2fbf2c7e1

SHA1
03d9f47b39df70a9feafb75ea5e9a24632acf8bd

SHA256
25844925d568c3bf596f1b435b372222360a02b2018a476cec7282e07ee5d849

SHA512
ca57e9dec8ccb3d2a7c6b8de231cebb5c75639a960da4d4d31539747cb382806332f0575e82a794317f30be79e532d8ff1822169921a981002998a286dfc95f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Edgb8r2YBDqJ.bat

Filesize
210B

MD5
9aec5587db690c081176d8477d19fb7d

SHA1
cd4803ec8dfb24569bb9715d3557feb8e47bf86d

SHA256
0e954c13852dd3db3e44bf442e40fd6861b793e8364f480f2dc34fe71f6fc2e8

SHA512
b053cf7cbe1c65eec64f3440cc52d090e3f86dc0d84491def81123a3066e9c0a2b4a0b1381e9532a60a784346b516ad439ca2efc40ee595e05772c09881f9a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EnslRS5bVCYu.bat

Filesize
210B

MD5
28579fda39054c2fcbf4189582234753

SHA1
6ce6a71b1f0fd6d576a1579660df7faea63aaa9c

SHA256
22c243c69065a0bbd3bba6ce58dcc5b23d35a14cc394fbfb9a8b787da03f1b15

SHA512
b87ed76858383d03141c4f2d95360a413fc7ef2bf68f4886e0f17ef0d49f43f87672d06d76c3990ea86f95af0105db491fbed578d0512deeb16ddb82c2e7d220

Download Submit
C:\Users\Admin\AppData\Local\Temp\H6tEXdRiQQr1.bat

Filesize
210B

MD5
5c7a4d6890a5f9f481e0a6e4e6daaab7

SHA1
aa48ebd650fe443706330564667be79a5c17cad3

SHA256
af21261186570b993a5aecbb51ee4e0f9470a12b7e10b8660d20918871e1df72

SHA512
767668e529fc5b6e0a875e48b77da043a304140c78d5ea64ed8295f07e6434b96b8627baa872d824448efc0c5a88fc50f3952898cc4dbb3a22f0ef9cfdcb1dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IZ4DgHwrxn4V.bat

Filesize
210B

MD5
1bdecff0368a863d4efb57e08671ddce

SHA1
8bf7ac7d719953846300aa1c756d6278de36275d

SHA256
d59bbbb26cabe4478515d728935a125ad9f755bcae926099a048a0a2f81d925e

SHA512
ee1b718583803b3130ab0dbd5d1450aafe25af8f27eca97bc61c2329eaf4bcd5acb345fefca89b7d32ce38bda06aecffd75842df7bd27cc143639c3030c6d5da

Download Submit
C:\Users\Admin\AppData\Local\Temp\JNGwsFDca89S.bat

Filesize
210B

MD5
60f5d2e60d109752bffe583052223a6f

SHA1
bbb9b9f8459c28149fcf7171532a0788496d756d

SHA256
606a0049fc8d4779cd84ebeecd30cfb5beb70fd4082aa3cf41cc6b87651e3180

SHA512
41b5a201aad6614a9392055c3f994003347826912a10444cd9003b90befaa61f5be89e52fbc0dd6c4f225ac3589188b06667138c2b1999c73fff99f8e7fe1906

Download Submit
C:\Users\Admin\AppData\Local\Temp\LvkI6C4yPGE4.bat

Filesize
210B

MD5
c9d347f2335d8c66fdc3199f1547f817

SHA1
39caec0c73ec24bc7ba0fdf7ab709264cb075234

SHA256
d491233042597ed73a319e3c9a79b7c0ee01d37bd6a56ef5c7717e1b4ec051f7

SHA512
427d4709997f2a81a8a038a224a4da9230eec0e085cbd8883bc99b2c743cf811a349f97936c0b420f7efb505fbe781abe335abf3895ed9aa163db6093d70e237

Download Submit
C:\Users\Admin\AppData\Local\Temp\YInDvMxQFKPZ.bat

Filesize
210B

MD5
ca99d608464ca067799a5162877164f8

SHA1
0dd1601a4422f524f41b31f8a4d68a2708fdba9b

SHA256
2b6d5148b4995cf046e34ab8cacb78b64875217caa4f7a7167ad625a8f25e0a2

SHA512
e32aec7421a06030462557a44853b3c6381ecbc89f7c5a6e523cd301dee85c2324c24efe79fc9503aac9d13f38fbfd8add818864e20f7471f147aaa01a0d893c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hzMijYnvUwyX.bat

Filesize
210B

MD5
e98015dbc52b31b06565faccbcb5ae98

SHA1
53c418fb757221f487f8f586bb76d249ca3311dd

SHA256
4c0b75615cabdf94566c68d27a3efa1ba68e308905bdc00a3304527bb392bc55

SHA512
e94811d1004ae02ce64f8ed652a8432449fbd80aaa16b1ea926ca83a93c06492dc521111a6556f836994ef287113f8c2fb93900d854ab83238d6b1444fc216e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\njd0rkR8Sa30.bat

Filesize
210B

MD5
41bb61d68f09190679b3727b6805277c

SHA1
cb7283f4a342557eb3870ca4db4640287ecc3e18

SHA256
1c1ab02a8cbf4db65d072f83f4098f2b1103eeb6194577b0165b09e0a0a2fa92

SHA512
bed15fefda240f898f994eb57464b160e26e0d1109d52900537aaaaf14268289f16fe05b9b93937f97504ee1dc68af63c9e363a814c95bcc0b16d5d53ae5d7c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pp7HGqVLrQq1.bat

Filesize
210B

MD5
f39b867a49289987f6aac411a7c343bb

SHA1
5e4ce954bd916fab1444de30b60a4a542eb88bfa

SHA256
6ebe2f972466229b9dba76c92a0c100de214ec638184f1a8d58614ea047bcf1a

SHA512
c717d21b29fb0e93a840329019870669e4ffe4165938a44003be518964e357355514ee17a326a6926ff13c0a66fc8f9ae5c93dde74154b24835388592108a20a

Download Submit
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

Filesize
3.1MB

MD5
c2281b1740f2acd02e9e19f83441b033

SHA1
bf321d96b83261e5487f06c9c0ddfc75786c7c8c

SHA256
8fb680e847ab1c533fc3f092164064a5c298126ba16db0ab7df84cbaf6ffa997

SHA512
0c8a95e5caa07047073077a252a891e321cf1a8c964e6e99b72a1c701e6368e63aa82c0425f58364887de3c277130c3c1acda2064332c377efaccf6ce568e027

Download Submit
memory/3272-17-0x00007FFC53830000-0x00007FFC542F1000-memory.dmp

Filesize
10.8MB

Download
memory/3272-12-0x000000001D280000-0x000000001D332000-memory.dmp

Filesize
712KB

Download
memory/3272-11-0x000000001D170000-0x000000001D1C0000-memory.dmp

Filesize
320KB

Download
memory/3272-10-0x00007FFC53830000-0x00007FFC542F1000-memory.dmp

Filesize
10.8MB

Download
memory/3272-8-0x00007FFC53830000-0x00007FFC542F1000-memory.dmp

Filesize
10.8MB

Download
memory/5072-0-0x00007FFC53833000-0x00007FFC53835000-memory.dmp

Filesize
8KB

Download
memory/5072-9-0x00007FFC53830000-0x00007FFC542F1000-memory.dmp

Filesize
10.8MB

Download
memory/5072-2-0x00007FFC53830000-0x00007FFC542F1000-memory.dmp

Filesize
10.8MB

Download
memory/5072-1-0x0000000000540000-0x0000000000864000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads