quasar | 033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea.exe
Size

3.1MB
MD5

82222cff36f2c338159b23a7f18a4815
SHA1

8beccbb99e38248a080d5de1de8d87617ca428c2
SHA256

033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea
SHA512

ed1a66e9d925291b14131b129e28e02494d6a174b3abde8d724d35a502f805ef472e5a780d37ce0ed2548a5f7071afbccbbd769ff938e04458d7eb409371ef55
SSDEEP

49152:qUd1/DM2zv8aMlqCPwln5+Hjdh+EuvQ1VeiroGnGTHHB72eh2NTe:qUPrM2zEaMlqCPwln5+Ddh+Zvus

Score

10^/10

quasar rat1 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

rat1

unitedrat.ddns.net:4782

Mutex

5100ab61-a5a5-407f-af55-9e7766b9d637

Attributes

encryption_key
AB7A97D9E0F9B0A44190A0D500EAB7AF37629802
install_name
System32.exe
log_directory
Logs
reconnect_delay
3000
startup_key
System32
subdirectory
System32

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/2760-1-0x0000000000480000-0x00000000007A4000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023b73-5.dat	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	System32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	System32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	System32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	System32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	System32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	System32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	System32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	System32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	System32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	System32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	System32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	System32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	System32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	System32.exe

Executes dropped EXE 15 IoCs

pid	Process
1544	System32.exe
4344	System32.exe
3520	System32.exe
1104	System32.exe
2408	System32.exe
4492	System32.exe
3256	System32.exe
2704	System32.exe
4500	System32.exe
1816	System32.exe
4176	System32.exe
2460	System32.exe
2304	System32.exe
3324	System32.exe
4120	System32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
312	PING.EXE
4560	PING.EXE
1404	PING.EXE
4820	PING.EXE
444	PING.EXE
208	PING.EXE
440	PING.EXE
1952	PING.EXE
4232	PING.EXE
2532	PING.EXE
3788	PING.EXE
2020	PING.EXE
4368	PING.EXE
1892	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
1952	PING.EXE
4232	PING.EXE
4820	PING.EXE
312	PING.EXE
440	PING.EXE
3788	PING.EXE
444	PING.EXE
4560	PING.EXE
1892	PING.EXE
208	PING.EXE
2020	PING.EXE
1404	PING.EXE
4368	PING.EXE
2532	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1768	schtasks.exe
1212	schtasks.exe
3988	schtasks.exe
1688	schtasks.exe
4356	schtasks.exe
1112	schtasks.exe
1512	schtasks.exe
736	schtasks.exe
1580	schtasks.exe
4964	schtasks.exe
4116	schtasks.exe
2292	schtasks.exe
420	schtasks.exe
3280	schtasks.exe
552	schtasks.exe
3868	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea.exe
Token: SeDebugPrivilege	1544	System32.exe
Token: SeDebugPrivilege	4344	System32.exe
Token: SeDebugPrivilege	3520	System32.exe
Token: SeDebugPrivilege	1104	System32.exe
Token: SeDebugPrivilege	2408	System32.exe
Token: SeDebugPrivilege	4492	System32.exe
Token: SeDebugPrivilege	3256	System32.exe
Token: SeDebugPrivilege	2704	System32.exe
Token: SeDebugPrivilege	4500	System32.exe
Token: SeDebugPrivilege	1816	System32.exe
Token: SeDebugPrivilege	4176	System32.exe
Token: SeDebugPrivilege	2460	System32.exe
Token: SeDebugPrivilege	2304	System32.exe
Token: SeDebugPrivilege	3324	System32.exe
Token: SeDebugPrivilege	4120	System32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 1212	2760	033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea.exe	82
PID 2760 wrote to memory of 1212	2760	033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea.exe	82
PID 2760 wrote to memory of 1544	2760	033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea.exe	84
PID 2760 wrote to memory of 1544	2760	033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea.exe	84
PID 1544 wrote to memory of 736	1544	System32.exe	85
PID 1544 wrote to memory of 736	1544	System32.exe	85
PID 1544 wrote to memory of 3844	1544	System32.exe	87
PID 1544 wrote to memory of 3844	1544	System32.exe	87
PID 3844 wrote to memory of 5088	3844	cmd.exe	89
PID 3844 wrote to memory of 5088	3844	cmd.exe	89
PID 3844 wrote to memory of 208	3844	cmd.exe	90
PID 3844 wrote to memory of 208	3844	cmd.exe	90
PID 3844 wrote to memory of 4344	3844	cmd.exe	91
PID 3844 wrote to memory of 4344	3844	cmd.exe	91
PID 4344 wrote to memory of 3988	4344	System32.exe	92
PID 4344 wrote to memory of 3988	4344	System32.exe	92
PID 4344 wrote to memory of 1456	4344	System32.exe	94
PID 4344 wrote to memory of 1456	4344	System32.exe	94
PID 1456 wrote to memory of 3472	1456	cmd.exe	96
PID 1456 wrote to memory of 3472	1456	cmd.exe	96
PID 1456 wrote to memory of 312	1456	cmd.exe	97
PID 1456 wrote to memory of 312	1456	cmd.exe	97
PID 1456 wrote to memory of 3520	1456	cmd.exe	102
PID 1456 wrote to memory of 3520	1456	cmd.exe	102
PID 3520 wrote to memory of 420	3520	System32.exe	103
PID 3520 wrote to memory of 420	3520	System32.exe	103
PID 3520 wrote to memory of 4060	3520	System32.exe	105
PID 3520 wrote to memory of 4060	3520	System32.exe	105
PID 4060 wrote to memory of 4400	4060	cmd.exe	107
PID 4060 wrote to memory of 4400	4060	cmd.exe	107
PID 4060 wrote to memory of 4560	4060	cmd.exe	108
PID 4060 wrote to memory of 4560	4060	cmd.exe	108
PID 4060 wrote to memory of 1104	4060	cmd.exe	113
PID 4060 wrote to memory of 1104	4060	cmd.exe	113
PID 1104 wrote to memory of 1768	1104	System32.exe	115
PID 1104 wrote to memory of 1768	1104	System32.exe	115
PID 1104 wrote to memory of 760	1104	System32.exe	117
PID 1104 wrote to memory of 760	1104	System32.exe	117
PID 760 wrote to memory of 1620	760	cmd.exe	119
PID 760 wrote to memory of 1620	760	cmd.exe	119
PID 760 wrote to memory of 4368	760	cmd.exe	120
PID 760 wrote to memory of 4368	760	cmd.exe	120
PID 760 wrote to memory of 2408	760	cmd.exe	121
PID 760 wrote to memory of 2408	760	cmd.exe	121
PID 2408 wrote to memory of 1580	2408	System32.exe	122
PID 2408 wrote to memory of 1580	2408	System32.exe	122
PID 2408 wrote to memory of 2760	2408	System32.exe	124
PID 2408 wrote to memory of 2760	2408	System32.exe	124
PID 2760 wrote to memory of 3956	2760	cmd.exe	126
PID 2760 wrote to memory of 3956	2760	cmd.exe	126
PID 2760 wrote to memory of 440	2760	cmd.exe	127
PID 2760 wrote to memory of 440	2760	cmd.exe	127
PID 2760 wrote to memory of 4492	2760	cmd.exe	128
PID 2760 wrote to memory of 4492	2760	cmd.exe	128
PID 4492 wrote to memory of 4964	4492	System32.exe	129
PID 4492 wrote to memory of 4964	4492	System32.exe	129
PID 4492 wrote to memory of 3800	4492	System32.exe	131
PID 4492 wrote to memory of 3800	4492	System32.exe	131
PID 3800 wrote to memory of 1284	3800	cmd.exe	133
PID 3800 wrote to memory of 1284	3800	cmd.exe	133
PID 3800 wrote to memory of 1952	3800	cmd.exe	134
PID 3800 wrote to memory of 1952	3800	cmd.exe	134
PID 3800 wrote to memory of 3256	3800	cmd.exe	135
PID 3800 wrote to memory of 3256	3800	cmd.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea.exe
"C:\Users\Admin\AppData\Local\Temp\033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1212
- C:\Users\Admin\AppData\Roaming\System32\System32.exe
  "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4m3pwD6vlKjA.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3844
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:5088
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:208
  - - C:\Users\Admin\AppData\Roaming\System32\System32.exe
      "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4344
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3988
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h4le7aN7QbrD.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1456
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3472
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:312
      - C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YDDnBs2OmLEz.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4400
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4560
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oHKe5ejxWNYx.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4368
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HRxlcdcUFTTn.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:440
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OxxUOJXxLzl0.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1284
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1952
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3256
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1688
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\U0VOOS8ZgAyx.bat" "
        15⤵
        
        PID:4392
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2284
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4232
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fchS92HiA6N9.bat" "
        17⤵
        
        PID:2116
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1476
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2532
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4500
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3280
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YnAYKvRs7fcu.bat" "
        19⤵
        
        PID:1852
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4580
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1892
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2292
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IwbTGs6UkINV.bat" "
        21⤵
        
        PID:4568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4744
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3788
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4176
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4356
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KcxD3eaB6Msw.bat" "
        23⤵
        
        PID:3892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:872
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1404
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CHhfqgcQyNCb.bat" "
        25⤵
        
        PID:1704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3976
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2020
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3868
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WwNksJeWK97l.bat" "
        27⤵
        
        PID:2140
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1240
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4820
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3324
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\u2nclcuOmsMW.bat" "
        29⤵
        
        PID:3076
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2380
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:444
        
        C:\Users\Admin\AppData\Roaming\System32\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\System32.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4120
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\System32\System32.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7NV69Lx84b00.bat" "
        31⤵
        
        PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System32.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4m3pwD6vlKjA.bat

Filesize
211B

MD5
6a0e0237363585b5db024d12c1a65be0

SHA1
87cd85b9cb5aededd6ec469719210e45a6da654a

SHA256
c80409b6484f728bca446c85aa1fb1a776c18f61f4abdbc9dafddc2cda1b9661

SHA512
1c8fe46fb3400a4920b40c8c03a774d5641a967950c43243196625689c792de120bef5d2df89dfd7dcb5b27800d2b721a94007661ff374ec40297ef0da3bbc60

Download Submit
C:\Users\Admin\AppData\Local\Temp\CHhfqgcQyNCb.bat

Filesize
211B

MD5
6abb9ecd91b4a87ac70f41f9debc247b

SHA1
312d911f0a13f3f3a72a98cbed6f3b26bfae6e34

SHA256
6283f14286baa864ed0caacccfe130e6f469ff88e99a81001306128e3e6114ee

SHA512
bf9936c30574841dc0fcfc4ea370cf6492fdb6f0e1f1a2e6a0eed4c18a3e34076f87963bf7ee2dff3d030e989ebefae16ad3cf68e005113e7350297748a9d695

Download Submit
C:\Users\Admin\AppData\Local\Temp\HRxlcdcUFTTn.bat

Filesize
211B

MD5
ca04d341c867bade39cf3bb3e7fe393c

SHA1
b05916edbfbd5b0c06b70a65406c5b101a8c9baa

SHA256
8c341235034fb1f9592a5f0e21bcd58bb61c1f65dcd35a86f897ca9930c48118

SHA512
a4271f36da2ff2a20429040bb119cafb9b675e3e80ae3e68476921fbc6c26b025f0167df5cdac6f4ba73fd4e21cf0110feab9ea06ebea3d8099e0d62df660b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwbTGs6UkINV.bat

Filesize
211B

MD5
8e124b85e5e188f16063417475260164

SHA1
fa3990da2c2e68d35fb67badbbcdab61fc38c11a

SHA256
7a44c093f84af9a1549da93eff5c4eefd7254990c44de1a91125f470eb83d907

SHA512
0a420b7709b67d5e7b7463bf31deedb5a6f0a869d8ebfaaf91132dc64ca547e3a308dcfad5a4601b22f3cd995221f18d1e345e454a0ca087c5a5c20648777359

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcxD3eaB6Msw.bat

Filesize
211B

MD5
34d535a9b379c54e3a43d8bbc6aada2a

SHA1
2c8335dc9e97f381482d7c931ad282ae2f16e7a5

SHA256
8272c0d7031b7f99c1178eeb69bffd3382afcaaaddabe97629b002c65a0990cc

SHA512
6edb4f4107660a7bd0924a7ca0dcc583a9c7eb00cb8b7002946008003cacae07ac6944e7f8418b6d2ecce638da656f2fd983256e293bd6fd36362d7300ba7df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OxxUOJXxLzl0.bat

Filesize
211B

MD5
216882ad90aa785a14df84bba7323914

SHA1
7f2a983927a79ab61625cebe8839bf62514bd4d9

SHA256
a4c1e8d8d8035fa8421fd1ad2f3f4bc6133567637ddfc5a090f085a6fa24bfbc

SHA512
310b06b2a6997d943ae27c49140bfe9a442a93fc96c7759c7dbdd7af6cbee530bb8bb7446121f1a155e44f6dad78f2fa1b607ec64ab110c0c58ed23d0aea0d54

Download Submit
C:\Users\Admin\AppData\Local\Temp\U0VOOS8ZgAyx.bat

Filesize
211B

MD5
584671748f11dda18d4c554f83435f69

SHA1
f25bfa51532b92b1ac269fa714bf501157bf556b

SHA256
4fb8498ad7272e481d4cf695e9f3b1e000ea79fa8439d836f789cb0d0e06d595

SHA512
4c84ca8db96c7644c213ecaa346d0e855aca92f0aeb20896740d88a090cbcf93fd2d01e78099186bebcdfe74fb929f5570723986b7de12f9744c3d4f1f063807

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwNksJeWK97l.bat

Filesize
211B

MD5
02e9296a8c082ce17e33e78568828ae8

SHA1
c58eb6ea055c44bc6ff1495d7c00cf7965935aac

SHA256
862df2ea10d7010507e52a41f763ca75087e2328ff72c4b055f4ba60e096e746

SHA512
da00386fc4fdb0c7251c1b218f6b02d74e9fa2336f1e93ff54aad0e9663dc079bc870ff1a64ee7616c0a487b406e2df37c319aa68a6cdbd8f00ed847b16436d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\YDDnBs2OmLEz.bat

Filesize
211B

MD5
b8c704743dacc9745e77b2439e417ba3

SHA1
baa012e4c1ea585ddfd2735a8b7d0b035e011139

SHA256
e8f5f629526da55e4ec904f38cf17b13022170b6acf023f69c5f93efe97de8ef

SHA512
2fe2179f6b5df5e953ef582879873caf5134b8c123f7a39911da20505b62bd46b70a8e13febfdb15cf1f4b3ed42db4bf48bf24b9277a13c5526bceb15de6b501

Download Submit
C:\Users\Admin\AppData\Local\Temp\YnAYKvRs7fcu.bat

Filesize
211B

MD5
4e4cf61034091cd5516adf939fc4a33d

SHA1
3dde6f2dcb65899a37dbf2b0f79d36085698ddbf

SHA256
d3b4b915e4a5ccea98174ddd5d0d59dab0edddfffcb5e892936099e2d2d7f842

SHA512
2c939cc4dc9af256c2a18c67b627bb6c19059c44ae016d6efc13d5ccdd0ef3671ea7cf0a9902abe5c05d48594c48829192e809283131e7e92edbcb9ac98aa38a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fchS92HiA6N9.bat

Filesize
211B

MD5
1d95d6ba86e971e88bc967522c9ddf1c

SHA1
8c84dad4dfda77b5dcc7c26e42f84d259ff14440

SHA256
b4a30aba1d17b9d571bea856b10d80b991afc2ebc32457776bbb59cc278be578

SHA512
a1c3cab3b0050edbab16e9a51160b7e8834ffb38e6ac54abe4b905aa5e836fc914a22202a603c8d57ea4cf3141f375c515b5b994e577604f803cb7fa1a00b3cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\h4le7aN7QbrD.bat

Filesize
211B

MD5
2df6badb656c85f8986243732a2b5287

SHA1
cfbbcbbd40252aadc324f8f2d076d3a66c3f7f7c

SHA256
a9831f3b033301bafb5a0da83d4698b6aa7fbb8bf97c756af18a18de63f98ebc

SHA512
5149f29ca615d5a5fe6644b07c0c597a67bb8a9ce20885084ecf97272803e7f8c71e34d33e449f4cb5529dc34e9c22f5d5d056783b73ee42f5f37ced6ffbf2ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\oHKe5ejxWNYx.bat

Filesize
211B

MD5
bceb13962a1c10a00eb1dd7c0aa7addf

SHA1
0b379fcbc300329fe29ba8099eebe536ab6ddf71

SHA256
bb30a1113c452dd28cf0970b2e1b13f7427c0d20fce24eac169e3a29c52f43ac

SHA512
4c0dc8c521ceb15c8be1304eea9ab270a7b7a43b408a5f643983e98e3ae69573a85c9a20d71370b722880d697a93f7679c972f2b91df05faa9695daae3aab709

Download Submit
C:\Users\Admin\AppData\Local\Temp\u2nclcuOmsMW.bat

Filesize
211B

MD5
6c3727471b0aeadcb1584fa9cfe741d0

SHA1
2f8f0e599a8051b3d9dc72d5a802008d0aaa41fc

SHA256
636af877d3bf27072289f8b3fa352f03fb6c7f95166391a730ee80a98100edcb

SHA512
f0f6f553a1b4d248ac890e96d13404e33bb7c399f7952679695a0ddb3afdb7f7ff622fc6aca18e62d10f5badd1ae79a371e1125d497de1c7410f0b364f19221b

Download Submit
C:\Users\Admin\AppData\Roaming\System32\System32.exe

Filesize
3.1MB

MD5
82222cff36f2c338159b23a7f18a4815

SHA1
8beccbb99e38248a080d5de1de8d87617ca428c2

SHA256
033d335780d49949daea53acdb1b3ef162efc4bf02233ca8cd9e8d0a6533c8ea

SHA512
ed1a66e9d925291b14131b129e28e02494d6a174b3abde8d724d35a502f805ef472e5a780d37ce0ed2548a5f7071afbccbbd769ff938e04458d7eb409371ef55

Download Submit
memory/1544-17-0x00007FF901870000-0x00007FF902331000-memory.dmp

Filesize
10.8MB

Download
memory/1544-12-0x000000001C260000-0x000000001C312000-memory.dmp

Filesize
712KB

Download
memory/1544-11-0x000000001C150000-0x000000001C1A0000-memory.dmp

Filesize
320KB

Download
memory/1544-10-0x00007FF901870000-0x00007FF902331000-memory.dmp

Filesize
10.8MB

Download
memory/1544-9-0x00007FF901870000-0x00007FF902331000-memory.dmp

Filesize
10.8MB

Download
memory/2760-0-0x00007FF901873000-0x00007FF901875000-memory.dmp

Filesize
8KB

Download
memory/2760-8-0x00007FF901870000-0x00007FF902331000-memory.dmp

Filesize
10.8MB

Download
memory/2760-2-0x00007FF901870000-0x00007FF902331000-memory.dmp

Filesize
10.8MB

Download
memory/2760-1-0x0000000000480000-0x00000000007A4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads