quasar | 033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea

Analysis

max time kernel
147s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea.exe
Size

3.1MB
MD5

82222cff36f2c338159b23a7f18a4815
SHA1

8beccbb99e38248a080d5de1de8d87617ca428c2
SHA256

033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea
SHA512

ed1a66e9d925291b14131b129e28e02494d6a174b3abde8d724d35a502f805ef472e5a780d37ce0ed2548a5f7071afbccbbd769ff938e04458d7eb409371ef55
SSDEEP

49152:qUd1/DM2zv8aMlqCPwln5+Hjdh+EuvQ1VeiroGnGTHHB72eh2NTe:qUPrM2zEaMlqCPwln5+Ddh+Zvus

Score

10^/10

quasar rat1 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

rat1

unitedrat.ddns.net:4782

Mutex

5100ab61-a5a5-407f-af55-9e7766b9d637

Attributes

encryption_key
AB7A97D9E0F9B0A44190A0D500EAB7AF37629802
install_name
System32.exe
log_directory
Logs
reconnect_delay
3000
startup_key
System32
subdirectory
System32

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 15 IoCs

resource	yara_rule
behavioral1/memory/3048-1-0x0000000001130000-0x0000000001454000-memory.dmp	family_quasar
behavioral1/files/0x0033000000016dd9-5.dat	family_quasar
behavioral1/memory/2912-8-0x0000000000370000-0x0000000000694000-memory.dmp	family_quasar
behavioral1/memory/2992-22-0x0000000000900000-0x0000000000C24000-memory.dmp	family_quasar
behavioral1/memory/2004-34-0x0000000000980000-0x0000000000CA4000-memory.dmp	family_quasar
behavioral1/memory/1132-45-0x00000000000A0000-0x00000000003C4000-memory.dmp	family_quasar
behavioral1/memory/1772-57-0x0000000001260000-0x0000000001584000-memory.dmp	family_quasar
behavioral1/memory/1224-79-0x0000000000230000-0x0000000000554000-memory.dmp	family_quasar
behavioral1/memory/2548-90-0x0000000001300000-0x0000000001624000-memory.dmp	family_quasar
behavioral1/memory/1964-101-0x00000000002F0000-0x0000000000614000-memory.dmp	family_quasar
behavioral1/memory/2060-113-0x00000000000C0000-0x00000000003E4000-memory.dmp	family_quasar
behavioral1/memory/2072-124-0x0000000000C50000-0x0000000000F74000-memory.dmp	family_quasar
behavioral1/memory/2520-136-0x0000000000150000-0x0000000000474000-memory.dmp	family_quasar
behavioral1/memory/612-147-0x0000000000B50000-0x0000000000E74000-memory.dmp	family_quasar
behavioral1/memory/2776-169-0x0000000000040000-0x0000000000364000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2912	System32.exe
2992	System32.exe
2004	System32.exe
1132	System32.exe
1772	System32.exe
2948	System32.exe
1224	System32.exe
2548	System32.exe
1964	System32.exe
2060	System32.exe
2072	System32.exe
2520	System32.exe
612	System32.exe
1600	System32.exe
2776	System32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2008	PING.EXE
2016	PING.EXE
1096	PING.EXE
1440	PING.EXE
632	PING.EXE
2392	PING.EXE
2880	PING.EXE
2616	PING.EXE
448	PING.EXE
3044	PING.EXE
1740	PING.EXE
1552	PING.EXE
2932	PING.EXE
2252	PING.EXE
2152	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2008	PING.EXE
2932	PING.EXE
2880	PING.EXE
1552	PING.EXE
2016	PING.EXE
3044	PING.EXE
2152	PING.EXE
2392	PING.EXE
1740	PING.EXE
448	PING.EXE
2252	PING.EXE
632	PING.EXE
2616	PING.EXE
1096	PING.EXE
1440	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1132	schtasks.exe
2296	schtasks.exe
2932	schtasks.exe
2912	schtasks.exe
1328	schtasks.exe
3060	schtasks.exe
2912	schtasks.exe
2888	schtasks.exe
676	schtasks.exe
1672	schtasks.exe
2692	schtasks.exe
2740	schtasks.exe
2760	schtasks.exe
708	schtasks.exe
2252	schtasks.exe
1780	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea.exe
Token: SeDebugPrivilege	2912	System32.exe
Token: SeDebugPrivilege	2992	System32.exe
Token: SeDebugPrivilege	2004	System32.exe
Token: SeDebugPrivilege	1132	System32.exe
Token: SeDebugPrivilege	1772	System32.exe
Token: SeDebugPrivilege	2948	System32.exe
Token: SeDebugPrivilege	1224	System32.exe
Token: SeDebugPrivilege	2548	System32.exe
Token: SeDebugPrivilege	1964	System32.exe
Token: SeDebugPrivilege	2060	System32.exe
Token: SeDebugPrivilege	2072	System32.exe
Token: SeDebugPrivilege	2520	System32.exe
Token: SeDebugPrivilege	612	System32.exe
Token: SeDebugPrivilege	1600	System32.exe
Token: SeDebugPrivilege	2776	System32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2740	3048	033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea.exe	30
PID 3048 wrote to memory of 2740	3048	033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea.exe	30
PID 3048 wrote to memory of 2740	3048	033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea.exe	30
PID 3048 wrote to memory of 2912	3048	033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea.exe	32
PID 3048 wrote to memory of 2912	3048	033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea.exe	32
PID 3048 wrote to memory of 2912	3048	033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea.exe	32
PID 2912 wrote to memory of 2760	2912	System32.exe	33
PID 2912 wrote to memory of 2760	2912	System32.exe	33
PID 2912 wrote to memory of 2760	2912	System32.exe	33
PID 2912 wrote to memory of 2664	2912	System32.exe	35
PID 2912 wrote to memory of 2664	2912	System32.exe	35
PID 2912 wrote to memory of 2664	2912	System32.exe	35
PID 2664 wrote to memory of 2568	2664	cmd.exe	37
PID 2664 wrote to memory of 2568	2664	cmd.exe	37
PID 2664 wrote to memory of 2568	2664	cmd.exe	37
PID 2664 wrote to memory of 2616	2664	cmd.exe	38
PID 2664 wrote to memory of 2616	2664	cmd.exe	38
PID 2664 wrote to memory of 2616	2664	cmd.exe	38
PID 2664 wrote to memory of 2992	2664	cmd.exe	39
PID 2664 wrote to memory of 2992	2664	cmd.exe	39
PID 2664 wrote to memory of 2992	2664	cmd.exe	39
PID 2992 wrote to memory of 708	2992	System32.exe	40
PID 2992 wrote to memory of 708	2992	System32.exe	40
PID 2992 wrote to memory of 708	2992	System32.exe	40
PID 2992 wrote to memory of 2868	2992	System32.exe	42
PID 2992 wrote to memory of 2868	2992	System32.exe	42
PID 2992 wrote to memory of 2868	2992	System32.exe	42
PID 2868 wrote to memory of 1488	2868	cmd.exe	44
PID 2868 wrote to memory of 1488	2868	cmd.exe	44
PID 2868 wrote to memory of 1488	2868	cmd.exe	44
PID 2868 wrote to memory of 2008	2868	cmd.exe	45
PID 2868 wrote to memory of 2008	2868	cmd.exe	45
PID 2868 wrote to memory of 2008	2868	cmd.exe	45
PID 2868 wrote to memory of 2004	2868	cmd.exe	46
PID 2868 wrote to memory of 2004	2868	cmd.exe	46
PID 2868 wrote to memory of 2004	2868	cmd.exe	46
PID 2004 wrote to memory of 2296	2004	System32.exe	47
PID 2004 wrote to memory of 2296	2004	System32.exe	47
PID 2004 wrote to memory of 2296	2004	System32.exe	47
PID 2004 wrote to memory of 932	2004	System32.exe	49
PID 2004 wrote to memory of 932	2004	System32.exe	49
PID 2004 wrote to memory of 932	2004	System32.exe	49
PID 932 wrote to memory of 588	932	cmd.exe	51
PID 932 wrote to memory of 588	932	cmd.exe	51
PID 932 wrote to memory of 588	932	cmd.exe	51
PID 932 wrote to memory of 1740	932	cmd.exe	52
PID 932 wrote to memory of 1740	932	cmd.exe	52
PID 932 wrote to memory of 1740	932	cmd.exe	52
PID 932 wrote to memory of 1132	932	cmd.exe	53
PID 932 wrote to memory of 1132	932	cmd.exe	53
PID 932 wrote to memory of 1132	932	cmd.exe	53
PID 1132 wrote to memory of 2932	1132	System32.exe	54
PID 1132 wrote to memory of 2932	1132	System32.exe	54
PID 1132 wrote to memory of 2932	1132	System32.exe	54
PID 1132 wrote to memory of 2532	1132	System32.exe	56
PID 1132 wrote to memory of 2532	1132	System32.exe	56
PID 1132 wrote to memory of 2532	1132	System32.exe	56
PID 2532 wrote to memory of 2476	2532	cmd.exe	58
PID 2532 wrote to memory of 2476	2532	cmd.exe	58
PID 2532 wrote to memory of 2476	2532	cmd.exe	58
PID 2532 wrote to memory of 448	2532	cmd.exe	59
PID 2532 wrote to memory of 448	2532	cmd.exe	59
PID 2532 wrote to memory of 448	2532	cmd.exe	59
PID 2532 wrote to memory of 1772	2532	cmd.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea.exe
"C:\Users\Admin\AppData\Local\Temp\033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2740
- C:\Users\Admin\AppData\Roaming\System32\System32.exe
  "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2760
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\IyNJ8Hh5dxKR.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2568
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2616
  - - C:\Users\Admin\AppData\Roaming\System32\System32.exe
      "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2992
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:708
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TSd6CZo3y6dV.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2868
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1488
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2008
      - C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2296
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\dd8HQ0c0N8ek.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:588
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1740
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2932
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vFHaGyIRFKyV.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2476
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:448
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2252
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DZ2BuIMEN6Fc.bat" "
        11⤵
        
        PID:2484
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1544
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1552
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1328
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MfDs0TAQPu9X.bat" "
        13⤵
        
        PID:2056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2632
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2016
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3060
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\2wytaOA5pidb.bat" "
        15⤵
        
        PID:2752
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2768
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3044
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2912
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\t2Xp2immML5N.bat" "
        17⤵
        
        PID:2608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:880
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1096
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2888
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eglvBLxPvR5X.bat" "
        19⤵
        
        PID:884
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1852
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1440
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:676
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bT4kCwx9jO1r.bat" "
        21⤵
        
        PID:932
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2356
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2932
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1132
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\n8Cq8q3EAjTp.bat" "
        23⤵
        
        PID:912
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2500
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2252
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1672
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iVOIw5jaePBX.bat" "
        25⤵
        
        PID:2208
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1328
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2152
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:612
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1780
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LlFjbg9GWhnU.bat" "
        27⤵
        
        PID:892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2016
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:632
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2692
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xRYnIYbNSQgK.bat" "
        29⤵
        
        PID:2944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2836
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2392
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2912
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tT7qwyaM1mHS.bat" "
        31⤵
        
        PID:1988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2872
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2wytaOA5pidb.bat

Filesize
211B

MD5
24f874518694345c029e04ec2f6eacd2

SHA1
dce0c3ebd51a1e2be70f98605228f3ae99073a45

SHA256
20415b6a01e24cece4ab3af8b506886f07f181ae6267cb707ff89ae6062fe378

SHA512
af3a31585c4442b682a93846e6ef5c730475593abd082e374adbf693ae544770e18f4441bd22382eeabe58c9ccb8819383a0ae3a8e92396e095427a38597bc44

Download Submit
C:\Users\Admin\AppData\Local\Temp\DZ2BuIMEN6Fc.bat

Filesize
211B

MD5
2a845fc65fe220d6d1be3813959d1da5

SHA1
2dbbca0decc37b1564cb962d44ea0647d500cee7

SHA256
d6f74600cc3b03ae11bcb486160f9eea92a0a75987650cae5de47fc0f98d106a

SHA512
d0c293941fc1060d0402b2f57a30b598bdb5f667205cb95216a60663bbba75f509ee1040b0febf8645c9ef6114723894cb124486081416961dae45c49b475369

Download Submit
C:\Users\Admin\AppData\Local\Temp\IyNJ8Hh5dxKR.bat

Filesize
211B

MD5
2f5a9fec06774dce11ec705a4290a1c7

SHA1
db5ea1e8ebfab51a4f1dbc60fd0fc76a07c16f33

SHA256
2e4d29f3205c8afe01912677e84fed08383c9af87f96942a3fc848750e705db8

SHA512
85f54285e4d8feb79e7729f7c7439ab2c51ef2175e4e72c5d8bcdf7d7001d39cef26a2fb9b3ad7d8b16e58c82587e3ce9387d9cfcec68316a9b3addf1d26652a

Download Submit
C:\Users\Admin\AppData\Local\Temp\LlFjbg9GWhnU.bat

Filesize
211B

MD5
94bd3b84d3a8ede85238a6d22a599328

SHA1
6c98fdb063836838a02b4382cdbb144b22e6da1e

SHA256
3c1f295e0a8fc4ce10eba2da7f5f44f309ce3564dac8707544de9b82c1987b6e

SHA512
d171a1a56f25c8404ebc8e02c060bec8d735fe68fff5b7ff2e68e1c41e363f11b345ef94b865b3bb2bb94b3b75e1a9c56c6bd79d04d00d24db709ac3fca3e5f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MfDs0TAQPu9X.bat

Filesize
211B

MD5
0a92d7c4f756250d4491ef46039d6679

SHA1
9799bc4a28e31b22491a4fa03d13614b1c1e0c8d

SHA256
6a1077e51bbafe19c13c4f4f642c211c749101c4bcd0bdc84395ae6592bc68cc

SHA512
0e2d5101f685bbab9311c5c2fff5c85158d9ab56d63c3039e54c439ae6daaa1012cf3ca9c85267c0df5f77b269251117bd2e1f70d4c4ae5020b118e5a8453d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\TSd6CZo3y6dV.bat

Filesize
211B

MD5
c52c4b816c87ce7b224b779e8aa23022

SHA1
c7c43a670ddf2d1ac5edf7b70835ff69692bdccc

SHA256
8dc8cc1bbfdc3f0a90a88e7b85e5dc938a88b843097cdffdf1c0db11d6055420

SHA512
e85bde3220873a16263a5f8be29fd8d0959bdc6e870045a716e673612e632a21c323434cf516bbc94dbf8acf70f8e634bc3537fea850ccd044d20146d0f1c6ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\bT4kCwx9jO1r.bat

Filesize
211B

MD5
7f0102ac8472270dad7f573b13415539

SHA1
2316dd4684ec49b76ea0e60a7a3c4be82e92a523

SHA256
4837fb95ff4b69ea9d0bf945892145a5853d15b7ec178a376924f8440bf0d83c

SHA512
66353e1a0cd0e58336ffd97db014b8ed09d4803a354303d5297bedeb9c9c73a9d3b2ac6c78f9c31f8a5199249a5dedec1a50f6350f7d4ec20af3496752217cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd8HQ0c0N8ek.bat

Filesize
211B

MD5
40fb1587c155819be49d81ef68b3b905

SHA1
03a0ad035fde642b43fa0e5fd8640b82f63f5466

SHA256
d4da4c457cf5ca71274e5759a78c9ab9c164cc99ef02614caf846a50907549b0

SHA512
500b65e038aa4e516992f18df1ac720b10b392ec7c64dc2b7d2945aa703e3ed76d1462f660cca563ceb4c6b55ba4839bca8040d0f3b68f68204410c1af808333

Download Submit
C:\Users\Admin\AppData\Local\Temp\eglvBLxPvR5X.bat

Filesize
211B

MD5
adae5a151a4c54f25c5c9adf61d32a24

SHA1
4ba8cacce726277248a3619f87f0f1cb71c80fe4

SHA256
537e320968d1c79fdf5d64cb93738e27bdc3fb1c5165423b39faa16df7f2b3b9

SHA512
e7d8a18fbda072e77c4f03898e55072965153e28fce5d0e77d48a8b24bb5111a0734109fd24d62ef8b724478c79f6f96743065c89f68a19af6b62706a6ebdb1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iVOIw5jaePBX.bat

Filesize
211B

MD5
677eddf916d230c66d195504efede6a4

SHA1
b359bbd0e7819fde4b671b71956cb0fdc38ff027

SHA256
b048234e9a6facd8da2e4d32d8620e0596a3387866a12c834b1e9954ca927114

SHA512
f2a299fa5405ba9e0d3bdcd20fd8a9bd594a9c091893b22ea665346949aa26769d2008748879a9d0d3c017362a65038d7a46dd2fbde4a020784e7d4dabd76edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\n8Cq8q3EAjTp.bat

Filesize
211B

MD5
1d52ef80d08522074a82db17f80e380d

SHA1
74828460ea7b0535cedad95ec68527c8eedd7c57

SHA256
21a932f2d289e5a58fd1ecdc5b1a5599a6949b2e0204b8073df8a0d022d7af96

SHA512
1b9ae1e49e63789405e0c71b9fdc147581d750ab80b2660d49072be974204dff5703ceaa90c0775ab5244df025a8f269e089daa04c83b1d933f502c47aa7dc6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\t2Xp2immML5N.bat

Filesize
211B

MD5
253587df01ab7196f10e97b20c57c28e

SHA1
2f0f43677b24a2b98b0affc953351c0c592a4772

SHA256
e0d0a0bdc9151838ab9e2630a9ee58a15bbc33985d4223eec242870aaefc1f44

SHA512
fa32306e5add0c949306b7c0b58867a2b40b04d29c4c2d0c5f830230738a75af2c860a7a03ad57caef46654e0dd16af6ea16b866b49da963a1dfb734fab852b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tT7qwyaM1mHS.bat

Filesize
211B

MD5
98f38979ce6e613587fb391c104d6ef2

SHA1
840498ca3928a5177f958a102226aa866bdd4a25

SHA256
9973992568dcfe688d31e99d4e6a5165e9913fbd11cc1a45826abb4116a7db20

SHA512
64b522d9c52ddf60d874559373cec3c8dd081cc9b103306c9ad52a13584acbcacf90fd220bec51e846f48a9860f3376f4f4ecab955e5c62455ab81cb7c512316

Download Submit
C:\Users\Admin\AppData\Local\Temp\vFHaGyIRFKyV.bat

Filesize
211B

MD5
12068ff6e6ca7c91cde2d39dedaaffe9

SHA1
0d4aa381bfda90d96a44f7cd0cd8300ae052b6c6

SHA256
26d6e7fb0e26bdf60b20ebb4b4d6e7c2d49a4f061dbdca49bf1d01486319b126

SHA512
7d86b257c95cf5116147c73809ccc5d616b2803eabf2f900a75d904ec059d55a877608aa621ca943f6de3ee79eb5f0d228720ad28d669151ae060ce3f0400c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\xRYnIYbNSQgK.bat

Filesize
211B

MD5
bfb1e11a7e6bf93cdd4c80e2a4dd48ae

SHA1
ed5920ec74c60ece6785e9bc3f073ee716b58279

SHA256
793f4c7b50e65c6d8606a5bc2f6cd0e9b278b591c9ee17785ed2dc0a790bdfca

SHA512
9e387a74b9927bd52e014252c8d5a29ac9b4f19d2c87fbca8607a205ac65a526baf85faf5467761d7437fb77432d68035d3f799e8491f2bc7946d6fbff3f3449

Download Submit
C:\Users\Admin\AppData\Roaming\System32\System32.exe

Filesize
3.1MB

MD5
82222cff36f2c338159b23a7f18a4815

SHA1
8beccbb99e38248a080d5de1de8d87617ca428c2

SHA256
033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea

SHA512
ed1a66e9d925291b14131b129e28e02494d6a174b3abde8d724d35a502f805ef472e5a780d37ce0ed2548a5f7071afbccbbd769ff938e04458d7eb409371ef55

Download Submit
memory/612-147-0x0000000000B50000-0x0000000000E74000-memory.dmp

Filesize
3.1MB

Download
memory/1132-45-0x00000000000A0000-0x00000000003C4000-memory.dmp

Filesize
3.1MB

Download
memory/1224-79-0x0000000000230000-0x0000000000554000-memory.dmp

Filesize
3.1MB

Download
memory/1772-57-0x0000000001260000-0x0000000001584000-memory.dmp

Filesize
3.1MB

Download
memory/1964-101-0x00000000002F0000-0x0000000000614000-memory.dmp

Filesize
3.1MB

Download
memory/2004-34-0x0000000000980000-0x0000000000CA4000-memory.dmp

Filesize
3.1MB

Download
memory/2060-113-0x00000000000C0000-0x00000000003E4000-memory.dmp

Filesize
3.1MB

Download
memory/2072-124-0x0000000000C50000-0x0000000000F74000-memory.dmp

Filesize
3.1MB

Download
memory/2520-136-0x0000000000150000-0x0000000000474000-memory.dmp

Filesize
3.1MB

Download
memory/2548-90-0x0000000001300000-0x0000000001624000-memory.dmp

Filesize
3.1MB

Download
memory/2776-169-0x0000000000040000-0x0000000000364000-memory.dmp

Filesize
3.1MB

Download
memory/2912-9-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2912-7-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2912-8-0x0000000000370000-0x0000000000694000-memory.dmp

Filesize
3.1MB

Download
memory/2912-18-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2992-22-0x0000000000900000-0x0000000000C24000-memory.dmp

Filesize
3.1MB

Download
memory/3048-2-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/3048-0-0x000007FEF5433000-0x000007FEF5434000-memory.dmp

Filesize
4KB

Download
memory/3048-1-0x0000000001130000-0x0000000001454000-memory.dmp

Filesize
3.1MB

Download
memory/3048-20-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads