quasar | 9ad36e247204c18b819993885ea7a99fa5b142456a41494a9878cf45cfed2dde

Analysis

max time kernel
147s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Solara.exe
Size

3.1MB
MD5

d80e76b6962401ba306ce0ce9adc43ef
SHA1

e607bd7cdecf84d80b28e67d2836ea882a4f771f
SHA256

9ad36e247204c18b819993885ea7a99fa5b142456a41494a9878cf45cfed2dde
SHA512

85881abbcb6260e9b327b4dcb4db98c24fbc3ca8ea731fb3b1b08c96dabc3745c8fdc778e0dd7f6a8049b24b44c3074b7fd93033dc5f0d7a793755b79ac5f866
SSDEEP

49152:uvRuf2NUaNmwzPWlvdaKM7ZxTwRJishuOar7ToGdXTHHB72eh2NT:uvsf2NUaNmwzPWlvdaB7ZxTwnruP

Score

10^/10

quasar client discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Client

Synapsedoggystyle-51191.portmap.host:51191

192.168.68.107:4782

Mutex

54e60454-c931-4922-b1b7-695913934b39

Attributes

encryption_key
33F77912B4CF70A0AD1E582014B5294301E27672
install_name
AtlasX.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Java Updator
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 13 IoCs

resource	yara_rule
behavioral1/memory/2684-1-0x0000000000850000-0x0000000000B74000-memory.dmp	family_quasar
behavioral1/files/0x0008000000015415-6.dat	family_quasar
behavioral1/memory/2340-10-0x00000000008D0000-0x0000000000BF4000-memory.dmp	family_quasar
behavioral1/memory/2156-23-0x0000000000BA0000-0x0000000000EC4000-memory.dmp	family_quasar
behavioral1/memory/1032-34-0x0000000001190000-0x00000000014B4000-memory.dmp	family_quasar
behavioral1/memory/2976-67-0x00000000012B0000-0x00000000015D4000-memory.dmp	family_quasar
behavioral1/memory/1244-78-0x0000000000390000-0x00000000006B4000-memory.dmp	family_quasar
behavioral1/memory/3000-90-0x00000000013B0000-0x00000000016D4000-memory.dmp	family_quasar
behavioral1/memory/1296-121-0x0000000000260000-0x0000000000584000-memory.dmp	family_quasar
behavioral1/memory/3068-133-0x00000000009F0000-0x0000000000D14000-memory.dmp	family_quasar
behavioral1/memory/1756-144-0x0000000000E10000-0x0000000001134000-memory.dmp	family_quasar
behavioral1/memory/1596-156-0x00000000002F0000-0x0000000000614000-memory.dmp	family_quasar
behavioral1/memory/2804-167-0x00000000010C0000-0x00000000013E4000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2340	AtlasX.exe
2156	AtlasX.exe
1032	AtlasX.exe
2172	AtlasX.exe
956	AtlasX.exe
2976	AtlasX.exe
1244	AtlasX.exe
3000	AtlasX.exe
2312	AtlasX.exe
1352	AtlasX.exe
1296	AtlasX.exe
3068	AtlasX.exe
1756	AtlasX.exe
1596	AtlasX.exe
2804	AtlasX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2876	PING.EXE
1772	PING.EXE
992	PING.EXE
1012	PING.EXE
2984	PING.EXE
1652	PING.EXE
2880	PING.EXE
932	PING.EXE
1132	PING.EXE
1624	PING.EXE
1384	PING.EXE
592	PING.EXE
2092	PING.EXE
2628	PING.EXE
1056	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1012	PING.EXE
2876	PING.EXE
932	PING.EXE
2628	PING.EXE
2880	PING.EXE
1132	PING.EXE
1384	PING.EXE
1056	PING.EXE
2984	PING.EXE
2092	PING.EXE
1652	PING.EXE
1772	PING.EXE
992	PING.EXE
1624	PING.EXE
592	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2728	schtasks.exe
2676	schtasks.exe
2440	schtasks.exe
2812	schtasks.exe
576	schtasks.exe
2120	schtasks.exe
2192	schtasks.exe
776	schtasks.exe
2212	schtasks.exe
1804	schtasks.exe
2680	schtasks.exe
2276	schtasks.exe
560	schtasks.exe
2688	schtasks.exe
2160	schtasks.exe
1796	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	Solara.exe
Token: SeDebugPrivilege	2340	AtlasX.exe
Token: SeDebugPrivilege	2156	AtlasX.exe
Token: SeDebugPrivilege	1032	AtlasX.exe
Token: SeDebugPrivilege	2172	AtlasX.exe
Token: SeDebugPrivilege	956	AtlasX.exe
Token: SeDebugPrivilege	2976	AtlasX.exe
Token: SeDebugPrivilege	1244	AtlasX.exe
Token: SeDebugPrivilege	3000	AtlasX.exe
Token: SeDebugPrivilege	2312	AtlasX.exe
Token: SeDebugPrivilege	1352	AtlasX.exe
Token: SeDebugPrivilege	1296	AtlasX.exe
Token: SeDebugPrivilege	3068	AtlasX.exe
Token: SeDebugPrivilege	1756	AtlasX.exe
Token: SeDebugPrivilege	1596	AtlasX.exe
Token: SeDebugPrivilege	2804	AtlasX.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2440	2684	Solara.exe	30
PID 2684 wrote to memory of 2440	2684	Solara.exe	30
PID 2684 wrote to memory of 2440	2684	Solara.exe	30
PID 2684 wrote to memory of 2340	2684	Solara.exe	32
PID 2684 wrote to memory of 2340	2684	Solara.exe	32
PID 2684 wrote to memory of 2340	2684	Solara.exe	32
PID 2340 wrote to memory of 2812	2340	AtlasX.exe	33
PID 2340 wrote to memory of 2812	2340	AtlasX.exe	33
PID 2340 wrote to memory of 2812	2340	AtlasX.exe	33
PID 2340 wrote to memory of 2732	2340	AtlasX.exe	35
PID 2340 wrote to memory of 2732	2340	AtlasX.exe	35
PID 2340 wrote to memory of 2732	2340	AtlasX.exe	35
PID 2732 wrote to memory of 2816	2732	cmd.exe	37
PID 2732 wrote to memory of 2816	2732	cmd.exe	37
PID 2732 wrote to memory of 2816	2732	cmd.exe	37
PID 2732 wrote to memory of 2628	2732	cmd.exe	38
PID 2732 wrote to memory of 2628	2732	cmd.exe	38
PID 2732 wrote to memory of 2628	2732	cmd.exe	38
PID 2732 wrote to memory of 2156	2732	cmd.exe	40
PID 2732 wrote to memory of 2156	2732	cmd.exe	40
PID 2732 wrote to memory of 2156	2732	cmd.exe	40
PID 2156 wrote to memory of 2212	2156	AtlasX.exe	41
PID 2156 wrote to memory of 2212	2156	AtlasX.exe	41
PID 2156 wrote to memory of 2212	2156	AtlasX.exe	41
PID 2156 wrote to memory of 2960	2156	AtlasX.exe	43
PID 2156 wrote to memory of 2960	2156	AtlasX.exe	43
PID 2156 wrote to memory of 2960	2156	AtlasX.exe	43
PID 2960 wrote to memory of 1160	2960	cmd.exe	45
PID 2960 wrote to memory of 1160	2960	cmd.exe	45
PID 2960 wrote to memory of 1160	2960	cmd.exe	45
PID 2960 wrote to memory of 992	2960	cmd.exe	46
PID 2960 wrote to memory of 992	2960	cmd.exe	46
PID 2960 wrote to memory of 992	2960	cmd.exe	46
PID 2960 wrote to memory of 1032	2960	cmd.exe	47
PID 2960 wrote to memory of 1032	2960	cmd.exe	47
PID 2960 wrote to memory of 1032	2960	cmd.exe	47
PID 1032 wrote to memory of 576	1032	AtlasX.exe	48
PID 1032 wrote to memory of 576	1032	AtlasX.exe	48
PID 1032 wrote to memory of 576	1032	AtlasX.exe	48
PID 1032 wrote to memory of 2500	1032	AtlasX.exe	50
PID 1032 wrote to memory of 2500	1032	AtlasX.exe	50
PID 1032 wrote to memory of 2500	1032	AtlasX.exe	50
PID 2500 wrote to memory of 1960	2500	cmd.exe	52
PID 2500 wrote to memory of 1960	2500	cmd.exe	52
PID 2500 wrote to memory of 1960	2500	cmd.exe	52
PID 2500 wrote to memory of 1012	2500	cmd.exe	53
PID 2500 wrote to memory of 1012	2500	cmd.exe	53
PID 2500 wrote to memory of 1012	2500	cmd.exe	53
PID 2500 wrote to memory of 2172	2500	cmd.exe	54
PID 2500 wrote to memory of 2172	2500	cmd.exe	54
PID 2500 wrote to memory of 2172	2500	cmd.exe	54
PID 2172 wrote to memory of 2120	2172	AtlasX.exe	55
PID 2172 wrote to memory of 2120	2172	AtlasX.exe	55
PID 2172 wrote to memory of 2120	2172	AtlasX.exe	55
PID 2172 wrote to memory of 2584	2172	AtlasX.exe	57
PID 2172 wrote to memory of 2584	2172	AtlasX.exe	57
PID 2172 wrote to memory of 2584	2172	AtlasX.exe	57
PID 2584 wrote to memory of 2228	2584	cmd.exe	59
PID 2584 wrote to memory of 2228	2584	cmd.exe	59
PID 2584 wrote to memory of 2228	2584	cmd.exe	59
PID 2584 wrote to memory of 1132	2584	cmd.exe	60
PID 2584 wrote to memory of 1132	2584	cmd.exe	60
PID 2584 wrote to memory of 1132	2584	cmd.exe	60
PID 2584 wrote to memory of 956	2584	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Solara.exe
"C:\Users\Admin\AppData\Local\Temp\Solara.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Java Updator" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2440
- C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Java Updator" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2812
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\aKeBnNsYG3Mp.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2816
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2628
  - - C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2156
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updator" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2212
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\3WAQOZHxikht.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2960
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1160
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:992
      - C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updator" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:576
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\3izwtgCUogzR.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1960
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1012
        
        C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updator" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2120
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UM0Vuy2Envi2.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2228
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1132
        
        C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updator" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2160
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hnD148FUyMiC.bat" "
        11⤵
        
        PID:1592
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3064
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1624
        
        C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updator" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1804
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zKIbbaACnq4Z.bat" "
        13⤵
        
        PID:1752
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:684
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1384
        
        C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updator" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2680
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\9ME6LPSF89Xl.bat" "
        15⤵
        
        PID:2352
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2216
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2876
        
        C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updator" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2192
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\5f1CxtfzmrjP.bat" "
        17⤵
        
        PID:2608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2008
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:592
        
        C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updator" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2688
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\P3mheVrAEmVs.bat" "
        19⤵
        
        PID:2844
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2960
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2984
        
        C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1352
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updator" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:776
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ljzCWNeGxNV.bat" "
        21⤵
        
        PID:2548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1964
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2092
        
        C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updator" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1796
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fLZXIFJv5Qwd.bat" "
        23⤵
        
        PID:2264
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1056
        
        C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updator" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2276
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CJ2Rm42EG8Yb.bat" "
        25⤵
        
        PID:2224
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1936
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1652
        
        C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updator" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:560
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wZrRdvSD1Yn4.bat" "
        27⤵
        
        PID:1384
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1576
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1772
        
        C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updator" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2728
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yWmvKm3yPQCB.bat" "
        29⤵
        
        PID:2744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2768
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2880
        
        C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Java Updator" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2676
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZK07pIkTElDn.bat" "
        31⤵
        
        PID:2056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:1484
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3WAQOZHxikht.bat

Filesize
207B

MD5
a96d16bf0875f969c44ec5238c226826

SHA1
4fabc073c99284b10916d8fbae542eb1053d5c8e

SHA256
1223a5bf05a03386008c4ddab671f010de4a74031b3dc2d3207f3cb5370862a4

SHA512
80a0cf98c2bc5c3217153c0db58bf0ba39a40d8fcbe4bed5e0ae20088e4dd756ff3e635fece5811055b437c4668adebc04a911efed79f70705dc09fc04bb7cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\3izwtgCUogzR.bat

Filesize
207B

MD5
6ce18e23ae9bc61fa9c18f874c734cba

SHA1
60ef575a012b681813f7bd3aba96b3bed9636d94

SHA256
b647bece07c4370ea96fde29cb4c53e629b22d974531442453b837a9c24c2162

SHA512
832ad355535dfafcbb4cf08c18baf685770536d350f6dad6d618dbda44308b8675184e9926a1e3a1c466eec6e64502eb00915c5c05c895ba821b438349e6467a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f1CxtfzmrjP.bat

Filesize
207B

MD5
28ddbc3fdd34b2edb29089e15fdd5dcd

SHA1
72645bad24b4aa803bcb8c0f44a7a1cc7002104c

SHA256
ccdc55b1e83bde38653d797370242f9107ce3b6b5ac6338f4196a9509df9a3d1

SHA512
ecddf4812e5fdf8fd70ef60ef29ff497ff9f3488e4cb0f4dfc4a7cc3e33836f897d6c86ffa607dc3f163c6f1b4cb16ec446ad04bf5ef84f1374d5dc427efa2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ljzCWNeGxNV.bat

Filesize
207B

MD5
3391232fa22d2e23771cc8b43a96a94d

SHA1
46df09d0cfdecd9f957d4405bf2e7d45d43c9e92

SHA256
64703f47c5ea9c34c86818130f8bc6f7a27aada40090ea9b3bf7d7dcbe9750a5

SHA512
2581316f7c92f0f3ab231cd5ae23eb9e792c7fe0238e914eac5ad5432e5a79b7e081023065bebfe37fc6f762b9e92833bc5af8ff47459129795dcca50d772e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ME6LPSF89Xl.bat

Filesize
207B

MD5
23061f0635ec7297111b039b51993081

SHA1
49d630bb793dd03aa0cd7ad492fda7e45f81e312

SHA256
a2a5cbf068849f73d6d7df71e93f11344e2da26ac2246f5c18659374e9db3be2

SHA512
56f580d1f0cf5b9b5258a919820f94242adb72448574f4c108571dc9eadc79875fe2c7eb8378a2d4eb1c7b936096c1b7a1145f0bf177c003aad5d8b7876007f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CJ2Rm42EG8Yb.bat

Filesize
207B

MD5
6bd1dd9289e64c11756af40772cf8a17

SHA1
4f9fce5c17781e63fafe2b1b37c85c2fc56adef2

SHA256
1eba10d448268f2a94d6a1de64fd3380f8bb2c8ee4c412a2889d0404b8a36249

SHA512
7f7e350496da7c817c3a4fa6f4a509ab960aa9638eca2681c5a285014fa6b849bd4117c86e0d2d59123e5c76cc48a046b67bcdc185e1138a273a97147edb9695

Download Submit
C:\Users\Admin\AppData\Local\Temp\P3mheVrAEmVs.bat

Filesize
207B

MD5
4758cbc7216404ee1ebdb97b6d4bb70a

SHA1
98e45f7e9e2708e3a32ace4114457583253c3800

SHA256
9e5d4712eb281f63fa72e19a2903db6a10d32bd0c90b9bbf0854e09e66eb9441

SHA512
d0094bdf36c89a13bb9b3520364f9ba22dd7133c158525a619aaf52d6048d15018e7e4d98082641bfc61242d6368cbda3f88d1caab7a91d72318ae8f33d58132

Download Submit
C:\Users\Admin\AppData\Local\Temp\UM0Vuy2Envi2.bat

Filesize
207B

MD5
2dba9af30b2eb54e86716306fb249016

SHA1
7d013b5aae9a074139cc09a4d3d40fd9884bf31c

SHA256
41ecb0efa62f0a9db675141cde8ab7bc3609580b21adfa206aef5b6b73e92892

SHA512
0f348929f9a074fef3e4d4cb1de845288490200ff774c57c1d29df1db3b7738e34b0c642e1ca7347e550efa3d2c5b55f05a04d7e793284ffe2e3217235835107

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZK07pIkTElDn.bat

Filesize
207B

MD5
2e3f15ffb3f80188061737b45b79d40f

SHA1
9d4f4f4ac89d41c01d8d7592ed0c5e3a89f9382e

SHA256
7fd0c5378db01782a967ddaede67c3c5be25fdebe62b9ee276310d55484bc050

SHA512
95353d74c0be481d11e26fb193193782b67e9b9bc8ec03940e83d67479d008c938ac4c48fc9344e2102d1257786a5b2487c16b619bcba084087f004d96996926

Download Submit
C:\Users\Admin\AppData\Local\Temp\aKeBnNsYG3Mp.bat

Filesize
207B

MD5
034f7bee3b155b51365685745ea8a1d3

SHA1
80770186952796b670695b1d59b1ebb5632b58a5

SHA256
80f95b7c23656b0b161100dfbc97a0bf91f6b3a5441a0eade7f2aca57ae6fd7f

SHA512
28d2e01b8b02031b3ed29772eaf08262e3d2f15876c4f55bddce9353e9f0a8da109cd1b834c19d01b9b95b1d5a9c0f10bb800255057dc5a35d0a6babfb3f38e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fLZXIFJv5Qwd.bat

Filesize
207B

MD5
a200c52ae14d55e637d638cd5e5ed8c8

SHA1
01d3fd812a9189ab763bfe78f0402aeff1d4d9e6

SHA256
97d338a764d90a5efc4d05a810c579810565c348944b71a60d959a339cad837f

SHA512
c7a204d0ccfac980a451a37cf027b3588557b9b8018d09835932c1b025fa2310a2faab2515318b38fe50cdb4ca60ef6c52df95557292ec076c160e180088d556

Download Submit
C:\Users\Admin\AppData\Local\Temp\hnD148FUyMiC.bat

Filesize
207B

MD5
7d6a42aec69c7a5ab08c0dd0ce94f02a

SHA1
3acf939d1949c5141881aae1c4ba6bd5e792e9d4

SHA256
c98e95c03e2e24dc4b653e874e8035d485c30f4979d6f723f9e6e5c974d7d4b8

SHA512
b67a3844251cb9d30e6b8fef99ed354b1de3fabe7c0bf3a8eea29349ab93b0b242b88ac90eac5ae62b9f9366379b78a5588a87206a6ca40fd0f60cd3bd799ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wZrRdvSD1Yn4.bat

Filesize
207B

MD5
2ce90c031d10b0eae5cf19d7a3da7982

SHA1
5c1a2740fed08060beaefd74ccb060e657c7d8b2

SHA256
807c6e263ab4ffd193fb0c39c4bb91ce16c794fdefe89c0542ab927b06ae084f

SHA512
30d49c0af91b6151b3ec684eeb4c566e297d5b6535191d1c9ab7e48df809f0d981c0326397dce6dbcc20e2d33ab1e7fa8a79087c7735dbb212e4e27f75489ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\yWmvKm3yPQCB.bat

Filesize
207B

MD5
ef4b5f0b0c81b1a229279c466905b1b4

SHA1
b1c8618740869e7daa578f6a8374e007bd5dcd7d

SHA256
35132b0f6efc9f84500f7d22510d77ff5384d44d941d2f1b396eabe3d27c466e

SHA512
58bf06999f33500061fb2ca45e095d010d681ff6e6a3f3214a47369c043d8f075a8227592bed4c13eb88999f85bd5f685c42ee85510ba8587e68b4684b8f23f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zKIbbaACnq4Z.bat

Filesize
207B

MD5
f51bf7804f0c156216e6612781a4820b

SHA1
b5da87086367effb55d3939c045872ec24da68e6

SHA256
0648a3e50d38d051b7c451c7c3f5a0f1404a4c662310b027a1d3a7c5aaa83491

SHA512
2287a36352c062e17d05c424164907740b352f4642a17a97979c3277e0c7f4ec5c6f0e49e6215dcd89ce98c83b81318362a0cd9afe6a4b3f3b87e9869d3a6277

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe

Filesize
3.1MB

MD5
d80e76b6962401ba306ce0ce9adc43ef

SHA1
e607bd7cdecf84d80b28e67d2836ea882a4f771f

SHA256
9ad36e247204c18b819993885ea7a99fa5b142456a41494a9878cf45cfed2dde

SHA512
85881abbcb6260e9b327b4dcb4db98c24fbc3ca8ea731fb3b1b08c96dabc3745c8fdc778e0dd7f6a8049b24b44c3074b7fd93033dc5f0d7a793755b79ac5f866

Download Submit
memory/1032-34-0x0000000001190000-0x00000000014B4000-memory.dmp

Filesize
3.1MB

Download
memory/1244-78-0x0000000000390000-0x00000000006B4000-memory.dmp

Filesize
3.1MB

Download
memory/1296-121-0x0000000000260000-0x0000000000584000-memory.dmp

Filesize
3.1MB

Download
memory/1596-156-0x00000000002F0000-0x0000000000614000-memory.dmp

Filesize
3.1MB

Download
memory/1756-144-0x0000000000E10000-0x0000000001134000-memory.dmp

Filesize
3.1MB

Download
memory/2156-23-0x0000000000BA0000-0x0000000000EC4000-memory.dmp

Filesize
3.1MB

Download
memory/2340-9-0x000007FEF5480000-0x000007FEF5E6C000-memory.dmp

Filesize
9.9MB

Download
memory/2340-10-0x00000000008D0000-0x0000000000BF4000-memory.dmp

Filesize
3.1MB

Download
memory/2340-11-0x000007FEF5480000-0x000007FEF5E6C000-memory.dmp

Filesize
9.9MB

Download
memory/2340-20-0x000007FEF5480000-0x000007FEF5E6C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-8-0x000007FEF5480000-0x000007FEF5E6C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-2-0x000007FEF5480000-0x000007FEF5E6C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-0-0x000007FEF5483000-0x000007FEF5484000-memory.dmp

Filesize
4KB

Download
memory/2684-1-0x0000000000850000-0x0000000000B74000-memory.dmp

Filesize
3.1MB

Download
memory/2804-167-0x00000000010C0000-0x00000000013E4000-memory.dmp

Filesize
3.1MB

Download
memory/2976-67-0x00000000012B0000-0x00000000015D4000-memory.dmp

Filesize
3.1MB

Download
memory/3000-90-0x00000000013B0000-0x00000000016D4000-memory.dmp

Filesize
3.1MB

Download
memory/3068-133-0x00000000009F0000-0x0000000000D14000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads