quasar | 815ce2d6945fa3d5b5e7ea7d7c4b65d318255e700aa503ae70fa347217114b65

Analysis

max time kernel
145s
max time network
147s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
07-12-2024 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

latest.exe
Size

3.1MB
MD5

987547ab64e63245ed07964daef37f3b
SHA1

ea23278cfefdd48b9da3dd07ebb94e1194817587
SHA256

815ce2d6945fa3d5b5e7ea7d7c4b65d318255e700aa503ae70fa347217114b65
SHA512

2648df67c0e6654327539d00ce27ff79fdf4e357072ad82c5624eb74c9d53bc90ee91017d27ed31d9577fb9e5439a2ea8e2f27e0a934afee58b98c9de56a4e25
SSDEEP

49152:rvHG42pda6D+/PjlLOlg6yQipV8KRJ6ebR3LoGduTHHB72eh2NT:rvm42pda6D+/PjlLOlZyQipV8KRJ6Y

Score

10^/10

quasar thecoolfile discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

thecoolfile

dfsgmnhsrf23456623423456-51636.portmap.host:51636

Mutex

372f3f9f-1eba-429d-9b98-7c94499b8dbf

Attributes

encryption_key
B42CE86AEBA4D8818352F4D811EA7BBB472E229A
install_name
windows defender.exe
log_directory
Logs
reconnect_delay
3000
startup_key
discord
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/980-1-0x00000000000E0000-0x0000000000404000-memory.dmp	family_quasar
behavioral1/files/0x001a00000002aab3-6.dat	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
3552	windows defender.exe
3588	windows defender.exe
4684	windows defender.exe
1924	windows defender.exe
2812	windows defender.exe
3920	windows defender.exe
2488	windows defender.exe
1540	windows defender.exe
2956	windows defender.exe
3060	windows defender.exe
4664	windows defender.exe
3996	windows defender.exe
5056	windows defender.exe
1572	windows defender.exe
1836	windows defender.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3964	PING.EXE
440	PING.EXE
2860	PING.EXE
2920	PING.EXE
4060	PING.EXE
2488	PING.EXE
4880	PING.EXE
4420	PING.EXE
2260	PING.EXE
920	PING.EXE
2900	PING.EXE
2384	PING.EXE
4636	PING.EXE
2788	PING.EXE
5052	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2860	PING.EXE
4880	PING.EXE
4060	PING.EXE
4636	PING.EXE
2920	PING.EXE
4420	PING.EXE
2260	PING.EXE
920	PING.EXE
2900	PING.EXE
440	PING.EXE
2788	PING.EXE
5052	PING.EXE
3964	PING.EXE
2384	PING.EXE
2488	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4036	schtasks.exe
736	schtasks.exe
948	schtasks.exe
3644	schtasks.exe
1956	schtasks.exe
3200	schtasks.exe
3820	schtasks.exe
4512	schtasks.exe
356	schtasks.exe
668	schtasks.exe
4680	schtasks.exe
1588	schtasks.exe
3776	schtasks.exe
3320	schtasks.exe
3524	schtasks.exe
2516	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	980	latest.exe
Token: SeDebugPrivilege	3552	windows defender.exe
Token: SeDebugPrivilege	3588	windows defender.exe
Token: SeDebugPrivilege	4684	windows defender.exe
Token: SeDebugPrivilege	1924	windows defender.exe
Token: SeDebugPrivilege	2812	windows defender.exe
Token: SeDebugPrivilege	3920	windows defender.exe
Token: SeDebugPrivilege	2488	windows defender.exe
Token: SeDebugPrivilege	1540	windows defender.exe
Token: SeDebugPrivilege	2956	windows defender.exe
Token: SeDebugPrivilege	3060	windows defender.exe
Token: SeDebugPrivilege	4664	windows defender.exe
Token: SeDebugPrivilege	3996	windows defender.exe
Token: SeDebugPrivilege	5056	windows defender.exe
Token: SeDebugPrivilege	1572	windows defender.exe
Token: SeDebugPrivilege	1836	windows defender.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 980 wrote to memory of 3820	980	latest.exe	77
PID 980 wrote to memory of 3820	980	latest.exe	77
PID 980 wrote to memory of 3552	980	latest.exe	79
PID 980 wrote to memory of 3552	980	latest.exe	79
PID 3552 wrote to memory of 4036	3552	windows defender.exe	80
PID 3552 wrote to memory of 4036	3552	windows defender.exe	80
PID 3552 wrote to memory of 3924	3552	windows defender.exe	82
PID 3552 wrote to memory of 3924	3552	windows defender.exe	82
PID 3924 wrote to memory of 4640	3924	cmd.exe	84
PID 3924 wrote to memory of 4640	3924	cmd.exe	84
PID 3924 wrote to memory of 4636	3924	cmd.exe	85
PID 3924 wrote to memory of 4636	3924	cmd.exe	85
PID 3924 wrote to memory of 3588	3924	cmd.exe	86
PID 3924 wrote to memory of 3588	3924	cmd.exe	86
PID 3588 wrote to memory of 3776	3588	windows defender.exe	87
PID 3588 wrote to memory of 3776	3588	windows defender.exe	87
PID 3588 wrote to memory of 968	3588	windows defender.exe	89
PID 3588 wrote to memory of 968	3588	windows defender.exe	89
PID 968 wrote to memory of 5096	968	cmd.exe	91
PID 968 wrote to memory of 5096	968	cmd.exe	91
PID 968 wrote to memory of 440	968	cmd.exe	92
PID 968 wrote to memory of 440	968	cmd.exe	92
PID 968 wrote to memory of 4684	968	cmd.exe	93
PID 968 wrote to memory of 4684	968	cmd.exe	93
PID 4684 wrote to memory of 4512	4684	windows defender.exe	94
PID 4684 wrote to memory of 4512	4684	windows defender.exe	94
PID 4684 wrote to memory of 3900	4684	windows defender.exe	96
PID 4684 wrote to memory of 3900	4684	windows defender.exe	96
PID 3900 wrote to memory of 740	3900	cmd.exe	98
PID 3900 wrote to memory of 740	3900	cmd.exe	98
PID 3900 wrote to memory of 2860	3900	cmd.exe	99
PID 3900 wrote to memory of 2860	3900	cmd.exe	99
PID 3900 wrote to memory of 1924	3900	cmd.exe	100
PID 3900 wrote to memory of 1924	3900	cmd.exe	100
PID 1924 wrote to memory of 736	1924	windows defender.exe	101
PID 1924 wrote to memory of 736	1924	windows defender.exe	101
PID 1924 wrote to memory of 1456	1924	windows defender.exe	103
PID 1924 wrote to memory of 1456	1924	windows defender.exe	103
PID 1456 wrote to memory of 3560	1456	cmd.exe	105
PID 1456 wrote to memory of 3560	1456	cmd.exe	105
PID 1456 wrote to memory of 2920	1456	cmd.exe	106
PID 1456 wrote to memory of 2920	1456	cmd.exe	106
PID 1456 wrote to memory of 2812	1456	cmd.exe	107
PID 1456 wrote to memory of 2812	1456	cmd.exe	107
PID 2812 wrote to memory of 948	2812	windows defender.exe	108
PID 2812 wrote to memory of 948	2812	windows defender.exe	108
PID 2812 wrote to memory of 3832	2812	windows defender.exe	110
PID 2812 wrote to memory of 3832	2812	windows defender.exe	110
PID 3832 wrote to memory of 2776	3832	cmd.exe	112
PID 3832 wrote to memory of 2776	3832	cmd.exe	112
PID 3832 wrote to memory of 2788	3832	cmd.exe	113
PID 3832 wrote to memory of 2788	3832	cmd.exe	113
PID 3832 wrote to memory of 3920	3832	cmd.exe	114
PID 3832 wrote to memory of 3920	3832	cmd.exe	114
PID 3920 wrote to memory of 668	3920	windows defender.exe	115
PID 3920 wrote to memory of 668	3920	windows defender.exe	115
PID 3920 wrote to memory of 1548	3920	windows defender.exe	117
PID 3920 wrote to memory of 1548	3920	windows defender.exe	117
PID 1548 wrote to memory of 1528	1548	cmd.exe	119
PID 1548 wrote to memory of 1528	1548	cmd.exe	119
PID 1548 wrote to memory of 5052	1548	cmd.exe	120
PID 1548 wrote to memory of 5052	1548	cmd.exe	120
PID 1548 wrote to memory of 2488	1548	cmd.exe	121
PID 1548 wrote to memory of 2488	1548	cmd.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\latest.exe
"C:\Users\Admin\AppData\Local\Temp\latest.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:980
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3820
- C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3552
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eShf84TnOVSa.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3924
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4640
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4636
  - - C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3588
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3776
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VC1608et4Eou.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:968
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5096
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:440
      - C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cyvghDlqE9zc.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2860
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\z7GJHr5qHAR2.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3560
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2920
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rqjn26p8jviA.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2776
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2788
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Y8MGrprKk1pc.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1528
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5052
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rxIvZ8LjXubk.bat" "
        15⤵
        
        PID:4816
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3744
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4880
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M5NwGEAxYEU8.bat" "
        17⤵
        
        PID:3396
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1028
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4420
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:356
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4Ui8smowvslF.bat" "
        19⤵
        
        PID:1200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:424
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2260
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QGrtPwJ79EFt.bat" "
        21⤵
        
        PID:1124
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3924
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4060
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4664
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3524
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KRS5iUelwVLH.bat" "
        23⤵
        
        PID:2816
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3132
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:920
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3996
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4pf2BJCluO6R.bat" "
        25⤵
        
        PID:2808
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1384
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2900
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5056
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1588
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\T7LBB2z8ZdiK.bat" "
        27⤵
        
        PID:4516
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2920
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3964
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m1SLg7egctyv.bat" "
        29⤵
        
        PID:2892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:3220
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2384
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2516
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AyRrOYZxGzWg.bat" "
        31⤵
        
        PID:2136
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2872
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\windows defender.exe.log

Filesize
2KB

MD5
15eab799098760706ed95d314e75449d

SHA1
273fb07e40148d5c267ca53f958c5075d24c4444

SHA256
45030bd997f50bb52c481f7bc86fac5f375d08911bcc106b98d9d8f0c2ce9778

SHA512
50c125e2a98740db0a0122d7f4de97c50d84623e800b3d3e173049c8e28ff0fbe4add7677bc56cb2228f78ed17522f67ae8f1b85f62824012414ce38ce0b500c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4Ui8smowvslF.bat

Filesize
217B

MD5
3392c9d9e1eefe6545a57bf51838123c

SHA1
1a324b7d27b8c8796a5285882b30323924364c71

SHA256
3143c491ed645ece1ffb238ccc04fda4980f1f7696ab5c838be66f9f6cd10ac6

SHA512
ce534135f2383081cd0ada4812c9013abbd4dd13d4e751f3c2130cb60e14a0c207b8399c2c2056c20b41ac7353aeaf6d841e113fb7fa2fd1a3ebd6b0f29ddbc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4pf2BJCluO6R.bat

Filesize
217B

MD5
857549da2f65f8845f6e972c6a41b427

SHA1
eb1f308c2bc620cca98611baa4d56f4ff1d6395e

SHA256
c040fc758cd335cd05b9d92eea9ac884a31ab1c8effa5e916efd6c28a8d4b00e

SHA512
9764430021c31bce27487f4d695806559bb98e7c85bf471fde9ee57141c9dc8135ef6adcd34bd301e904a5dd6915c8569a4073898ce06628c8e950232834c3f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AyRrOYZxGzWg.bat

Filesize
217B

MD5
e7af3f355bf682a1b5e65cbba8ffd200

SHA1
7f5b75250f70e5319d0675082524abaa498b73ea

SHA256
4ff9d34c98dda9f001279a06b730dd924012053472941d3b4ca902d14832ea8b

SHA512
2443b95b166a646d3574766a1cda40dea75ded9bd81b3ab92e045c78157ecbbd09ce52aa4295a9db5150a5c3a4d0eac97e1b7442ff513cce12fbb0ca4f17f1cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRS5iUelwVLH.bat

Filesize
217B

MD5
4988e4bc186f9d9f71f107571bebbc34

SHA1
7a92325d1950ae32b658dff880ac6cb8149741ba

SHA256
e192c251b2058b2de958fdf2b3d4eafcf814b25f3bf23b22746f214fd03b661f

SHA512
24fa167060523ae6debf1b8d3719021a1ae00a0f5ba5ae8f947317844b1bbd1fa8714b23d545fe884f96cae809a44276971c39974f0e37d88c25f8b8e5bd2fdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\M5NwGEAxYEU8.bat

Filesize
217B

MD5
5d60171ec6823285413f88e8eb89141c

SHA1
9ce26758f94daf0acde93049dc2d743297c931e3

SHA256
20ad47883ca966677858529f57908be74fc092e4a333697e747f2c1e55fcc413

SHA512
e8d4c9aea989ba11d9b6471a0e43836aa16f438ae29e0a165f131a225bc817eb7d1b7029b6b7e9ca331a7d52a9332c2c9f92233e79cef0c23ac9f7dab9e579f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\QGrtPwJ79EFt.bat

Filesize
217B

MD5
d2762f85aa8acf43e0a04bc6b1137eeb

SHA1
be7c3cae0de8f9b6f07f17b88b6daa9987029922

SHA256
81836f41cfc96797cb486bc3eed33bd1a35af8be7d0a2716e86a74a516f36212

SHA512
46a90b8a1fef4e24ec780bf417ac5a709f06a2938e9415a80bfebf15b669657e5491cf241192eec70d00c336008afcdec388178d020ed2f586440d5cf9682db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\T7LBB2z8ZdiK.bat

Filesize
217B

MD5
57ccd46fa1637b788b52db14332b4473

SHA1
8cfbef2ea2654741251d06c8d65efc8611d09b97

SHA256
bca28817a852033d45935131aa7db96e095976d4ca7c40601d982122f894add7

SHA512
a8e667badaea1913b3e43fc70649f04e95887912297c9927da4fe3011351bd08f0b2d597bb92f3ccfba656ba47a08c2725eeb4806b8227c299c1b81f5bbfa3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\VC1608et4Eou.bat

Filesize
217B

MD5
8c6c959de1e3f281efac3c49f99ddaa0

SHA1
04c12e7483e96ab74e9c8ce69f6608e9d3d1212b

SHA256
fb1357964aff5b9adc7fb14f74a8e298aa06c7df957b087942ded9ac62699dfe

SHA512
cfa52edba0c5f2f6623afc692f45559a764bc4739d5f59a0f62640d19c514b34ce2c49d46d7f8770b77671c9e55ccb9af1cac7a83444e41c4d34229563bbb3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y8MGrprKk1pc.bat

Filesize
217B

MD5
86027dd232a07045a84b45dbbbc71cd5

SHA1
c31450a2eb641f66ff4469cf5c16712132317715

SHA256
010dbb52078aefbb4516b2de09aca80a86148e84633d365057a4deaa81c359f6

SHA512
07420c79379b9094603216d7174de5b0da92efc5e127454f7edf8c112df049e98797dc55452cb7667727f068aa6b9db69160f142fa2cdecce0b835f065d9128a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cyvghDlqE9zc.bat

Filesize
217B

MD5
7c7811f1e9a6a082d787ded6500ae534

SHA1
3a5d91002e9885557c37f62a3f82280a18ff1fbc

SHA256
548418c17ee635e3e75de6b6dc1454fb1ca458717d59530f482778a18dbe4ad7

SHA512
efbb20b87f26c645a5437b58aeedbac1f2a3c819fd8685d65cac651941459b2944a1a7ccccb11a2cf8c81623c744ac5653ec629e0d95e5e5a8c1c5b543ef364e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eShf84TnOVSa.bat

Filesize
217B

MD5
8954f21d39c726fe1d97b176940bc350

SHA1
8572810b2bac831aea809a23772bcf3564cda587

SHA256
415c4cd74ec646efa8e5bf8f26b65adbb6e7be083d8a187b9da166a3ded6f2bb

SHA512
dab8c6d44e48fdb395451e700e67fb6724d60a5ab36bab2afc9040287960a9e461a4fa4e729abc2eab2af8373df8bbb6f36a0bbbf7103c28fd48b6c4c9022d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\m1SLg7egctyv.bat

Filesize
217B

MD5
d4cb8832905733c0e4773e62e1b0777f

SHA1
a378830ad598441b523e18a4f379da270fb3fd11

SHA256
72718c52a094384a9e9c47a60120b44eacdb308a43e3889cc6b90294d16f2122

SHA512
66745309d01ba6ef591ce7eee8e13bf2cff6a262e82c8b5f4cc2fcfbbed9d038fde9e8caaad135297b3771b70a15980ff33c860569be5f6c1bdac5603d68205f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rqjn26p8jviA.bat

Filesize
217B

MD5
2751ed3055c5a1cffcf512ae42d367c2

SHA1
9747ff0882f731f8af019adc1224029a8f8016b3

SHA256
954424dc124591f5f977d920f6ce5c8dafb52aa12c2a8663e55fbc254142d1cd

SHA512
dc65b48ada84196431a9f2e9ce0acdf099b6dfb01eeb5b4201dd00aedc624009aefa0e2f1d5f1f1f44c620f9bee2261121646761ad2de0a71070dba22450e919

Download Submit
C:\Users\Admin\AppData\Local\Temp\rxIvZ8LjXubk.bat

Filesize
217B

MD5
98e9e82b144456fa9f2c4ef1e9fd6d99

SHA1
910858d186532630e22b8b02256eff1681c37a28

SHA256
26d5a6b1968ce6b949ff0583123f125c6199b0614de216b7402a2a3b21db6571

SHA512
c96f9226b10b4e65d4a7e74dc7896919475a198c4f4d3cc6515bbba903639a539234aeb858308b4c3ade198aba777f6f67057732838a38e4896c2a05bb112bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\z7GJHr5qHAR2.bat

Filesize
217B

MD5
61232ff9ea27420a5cce39b8fdac0200

SHA1
3aecc413fe49a57c00be806146dab01e85b65b57

SHA256
bbb5fd359019da0b296292462c072bb783cf0ff76dbe89463acfc4123f65c253

SHA512
9a1ff2be1b691c08a99f02a008938821ce58f1a882ca4e5d5419a837da634b37f571814f5cac43a4eccd6d44477e5bdd10206e366fbf8c5e1951a3799865e88e

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe

Filesize
3.1MB

MD5
987547ab64e63245ed07964daef37f3b

SHA1
ea23278cfefdd48b9da3dd07ebb94e1194817587

SHA256
815ce2d6945fa3d5b5e7ea7d7c4b65d318255e700aa503ae70fa347217114b65

SHA512
2648df67c0e6654327539d00ce27ff79fdf4e357072ad82c5624eb74c9d53bc90ee91017d27ed31d9577fb9e5439a2ea8e2f27e0a934afee58b98c9de56a4e25

Download Submit
memory/980-0-0x00007FFFEFC43000-0x00007FFFEFC45000-memory.dmp

Filesize
8KB

Download
memory/980-9-0x00007FFFEFC40000-0x00007FFFF0702000-memory.dmp

Filesize
10.8MB

Download
memory/980-2-0x00007FFFEFC40000-0x00007FFFF0702000-memory.dmp

Filesize
10.8MB

Download
memory/980-1-0x00000000000E0000-0x0000000000404000-memory.dmp

Filesize
3.1MB

Download
memory/3552-18-0x00007FFFEFC40000-0x00007FFFF0702000-memory.dmp

Filesize
10.8MB

Download
memory/3552-12-0x000000001B640000-0x000000001B690000-memory.dmp

Filesize
320KB

Download
memory/3552-11-0x00007FFFEFC40000-0x00007FFFF0702000-memory.dmp

Filesize
10.8MB

Download
memory/3552-10-0x00007FFFEFC40000-0x00007FFFF0702000-memory.dmp

Filesize
10.8MB

Download
memory/3552-13-0x000000001BED0000-0x000000001BF82000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads