quasar | 9ad36e247204c18b819993885ea7a99fa5b142456a41494a9878cf45cfed2dde

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Solara.exe
Size

3.1MB
MD5

d80e76b6962401ba306ce0ce9adc43ef
SHA1

e607bd7cdecf84d80b28e67d2836ea882a4f771f
SHA256

9ad36e247204c18b819993885ea7a99fa5b142456a41494a9878cf45cfed2dde
SHA512

85881abbcb6260e9b327b4dcb4db98c24fbc3ca8ea731fb3b1b08c96dabc3745c8fdc778e0dd7f6a8049b24b44c3074b7fd93033dc5f0d7a793755b79ac5f866
SSDEEP

49152:uvRuf2NUaNmwzPWlvdaKM7ZxTwRJishuOar7ToGdXTHHB72eh2NT:uvsf2NUaNmwzPWlvdaB7ZxTwnruP

Score

10^/10

quasar client discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Client

Synapsedoggystyle-51191.portmap.host:51191

192.168.68.107:4782

Mutex

54e60454-c931-4922-b1b7-695913934b39

Attributes

encryption_key
33F77912B4CF70A0AD1E582014B5294301E27672
install_name
AtlasX.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Java Updator
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/2332-1-0x0000000000370000-0x0000000000694000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023b6f-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	AtlasX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	AtlasX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	AtlasX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	AtlasX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	AtlasX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	AtlasX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	AtlasX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	AtlasX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	AtlasX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	AtlasX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	AtlasX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	AtlasX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	AtlasX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	AtlasX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	AtlasX.exe

Executes dropped EXE 15 IoCs

pid	Process
216	AtlasX.exe
3536	AtlasX.exe
4320	AtlasX.exe
4724	AtlasX.exe
4448	AtlasX.exe
1356	AtlasX.exe
3004	AtlasX.exe
2180	AtlasX.exe
2528	AtlasX.exe
3024	AtlasX.exe
316	AtlasX.exe
640	AtlasX.exe
5008	AtlasX.exe
3212	AtlasX.exe
540	AtlasX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2224	PING.EXE
1372	PING.EXE
2372	PING.EXE
3328	PING.EXE
4468	PING.EXE
4176	PING.EXE
2168	PING.EXE
4760	PING.EXE
2568	PING.EXE
1172	PING.EXE
3552	PING.EXE
3704	PING.EXE
1500	PING.EXE
1172	PING.EXE
1708	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1172	PING.EXE
4760	PING.EXE
2168	PING.EXE
3328	PING.EXE
2224	PING.EXE
3704	PING.EXE
1708	PING.EXE
1500	PING.EXE
4468	PING.EXE
1372	PING.EXE
2568	PING.EXE
1172	PING.EXE
2372	PING.EXE
4176	PING.EXE
3552	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
224	schtasks.exe
2424	schtasks.exe
1512	schtasks.exe
3636	schtasks.exe
2472	schtasks.exe
1220	schtasks.exe
1732	schtasks.exe
3676	schtasks.exe
3920	schtasks.exe
1644	schtasks.exe
2588	schtasks.exe
3132	schtasks.exe
640	schtasks.exe
1328	schtasks.exe
1220	schtasks.exe
1012	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2332	Solara.exe
Token: SeDebugPrivilege	216	AtlasX.exe
Token: SeDebugPrivilege	3536	AtlasX.exe
Token: SeDebugPrivilege	4320	AtlasX.exe
Token: SeDebugPrivilege	4724	AtlasX.exe
Token: SeDebugPrivilege	4448	AtlasX.exe
Token: SeDebugPrivilege	1356	AtlasX.exe
Token: SeDebugPrivilege	3004	AtlasX.exe
Token: SeDebugPrivilege	2180	AtlasX.exe
Token: SeDebugPrivilege	2528	AtlasX.exe
Token: SeDebugPrivilege	3024	AtlasX.exe
Token: SeDebugPrivilege	316	AtlasX.exe
Token: SeDebugPrivilege	640	AtlasX.exe
Token: SeDebugPrivilege	5008	AtlasX.exe
Token: SeDebugPrivilege	3212	AtlasX.exe
Token: SeDebugPrivilege	540	AtlasX.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3004	AtlasX.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 224	2332	Solara.exe	82
PID 2332 wrote to memory of 224	2332	Solara.exe	82
PID 2332 wrote to memory of 216	2332	Solara.exe	84
PID 2332 wrote to memory of 216	2332	Solara.exe	84
PID 216 wrote to memory of 1644	216	AtlasX.exe	85
PID 216 wrote to memory of 1644	216	AtlasX.exe	85
PID 216 wrote to memory of 1508	216	AtlasX.exe	87
PID 216 wrote to memory of 1508	216	AtlasX.exe	87
PID 1508 wrote to memory of 1512	1508	cmd.exe	89
PID 1508 wrote to memory of 1512	1508	cmd.exe	89
PID 1508 wrote to memory of 1500	1508	cmd.exe	90
PID 1508 wrote to memory of 1500	1508	cmd.exe	90
PID 1508 wrote to memory of 3536	1508	cmd.exe	93
PID 1508 wrote to memory of 3536	1508	cmd.exe	93
PID 3536 wrote to memory of 3636	3536	AtlasX.exe	96
PID 3536 wrote to memory of 3636	3536	AtlasX.exe	96
PID 3536 wrote to memory of 1896	3536	AtlasX.exe	98
PID 3536 wrote to memory of 1896	3536	AtlasX.exe	98
PID 1896 wrote to memory of 4376	1896	cmd.exe	100
PID 1896 wrote to memory of 4376	1896	cmd.exe	100
PID 1896 wrote to memory of 4760	1896	cmd.exe	101
PID 1896 wrote to memory of 4760	1896	cmd.exe	101
PID 1896 wrote to memory of 4320	1896	cmd.exe	105
PID 1896 wrote to memory of 4320	1896	cmd.exe	105
PID 4320 wrote to memory of 2588	4320	AtlasX.exe	106
PID 4320 wrote to memory of 2588	4320	AtlasX.exe	106
PID 4320 wrote to memory of 1612	4320	AtlasX.exe	108
PID 4320 wrote to memory of 1612	4320	AtlasX.exe	108
PID 1612 wrote to memory of 2840	1612	cmd.exe	110
PID 1612 wrote to memory of 2840	1612	cmd.exe	110
PID 1612 wrote to memory of 1172	1612	cmd.exe	111
PID 1612 wrote to memory of 1172	1612	cmd.exe	111
PID 1612 wrote to memory of 4724	1612	cmd.exe	114
PID 1612 wrote to memory of 4724	1612	cmd.exe	114
PID 4724 wrote to memory of 3132	4724	AtlasX.exe	115
PID 4724 wrote to memory of 3132	4724	AtlasX.exe	115
PID 4724 wrote to memory of 2372	4724	AtlasX.exe	117
PID 4724 wrote to memory of 2372	4724	AtlasX.exe	117
PID 4448 wrote to memory of 2472	4448	AtlasX.exe	122
PID 4448 wrote to memory of 2472	4448	AtlasX.exe	122
PID 4448 wrote to memory of 1588	4448	AtlasX.exe	124
PID 4448 wrote to memory of 1588	4448	AtlasX.exe	124
PID 1588 wrote to memory of 4888	1588	cmd.exe	126
PID 1588 wrote to memory of 4888	1588	cmd.exe	126
PID 1588 wrote to memory of 1372	1588	cmd.exe	127
PID 1588 wrote to memory of 1372	1588	cmd.exe	127
PID 1588 wrote to memory of 1356	1588	cmd.exe	128
PID 1588 wrote to memory of 1356	1588	cmd.exe	128
PID 1356 wrote to memory of 640	1356	AtlasX.exe	129
PID 1356 wrote to memory of 640	1356	AtlasX.exe	129
PID 1356 wrote to memory of 4972	1356	AtlasX.exe	131
PID 1356 wrote to memory of 4972	1356	AtlasX.exe	131
PID 4972 wrote to memory of 4708	4972	cmd.exe	133
PID 4972 wrote to memory of 4708	4972	cmd.exe	133
PID 4972 wrote to memory of 4176	4972	cmd.exe	134
PID 4972 wrote to memory of 4176	4972	cmd.exe	134
PID 4972 wrote to memory of 3004	4972	cmd.exe	135
PID 4972 wrote to memory of 3004	4972	cmd.exe	135
PID 3004 wrote to memory of 1220	3004	AtlasX.exe	136
PID 3004 wrote to memory of 1220	3004	AtlasX.exe	136
PID 3004 wrote to memory of 4256	3004	AtlasX.exe	138
PID 3004 wrote to memory of 4256	3004	AtlasX.exe	138
PID 4256 wrote to memory of 4376	4256	cmd.exe	140
PID 4256 wrote to memory of 4376	4256	cmd.exe	140

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Solara.exe
"C:\Users\Admin\AppData\Local\Temp\Solara.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Java Updator" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:224
- C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Java Updator" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E9M0JJ8u1UvI.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1512
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1500
  - - C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3536
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updator" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3636
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rhSm0zYmIEig.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1896
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4376
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4760
      - C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updator" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2588
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XTNSVZdPel5m.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2840
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1172
        
        C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updator" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GhSpZR0hVlpG.bat" "
        9⤵
        
        PID:2372
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4468
        
        C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updator" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2472
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5tXz0SBl4LHX.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4888
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1372
        
        C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updator" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dRdmIfJ79BoY.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4708
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4176
        
        C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updator" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B4n2XErN5nV8.bat" "
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4376
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2168
        
        C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updator" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7Bfkgr4PNKQx.bat" "
        17⤵
        
        PID:4476
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1164
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2568
        
        C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updator" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EDjVUEzENM5M.bat" "
        19⤵
        
        PID:1944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1688
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1172
        
        C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updator" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wtlTVhPYLAQI.bat" "
        21⤵
        
        PID:3116
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4052
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2372
        
        C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updator" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cDMBWGnwP2pe.bat" "
        23⤵
        
        PID:4960
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1472
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1708
        
        C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:640
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updator" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AN92iYTPGaJB.bat" "
        25⤵
        
        PID:2492
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4660
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3328
        
        C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5008
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updator" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKKVkVA4oYes.bat" "
        27⤵
        
        PID:3536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3480
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2224
        
        C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3212
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updator" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3676
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bqd9mbwQr3O0.bat" "
        29⤵
        
        PID:628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:4740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3552
        
        C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updator" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qSrauNOuBeY6.bat" "
        31⤵
        
        PID:4268
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:1700
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AtlasX.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5tXz0SBl4LHX.bat

Filesize
207B

MD5
a8dba694f99d99daca2f9d547de6c18a

SHA1
8ee9dbb2134a301c70fd327c7dd1b9a61af3933b

SHA256
5f72385d4ff7fb93fa3be6a514986e930a9d0cf051c80638e472219ec18ae6d4

SHA512
44b6fc71635e0ea4c1791da843ac33098ee5262b37c0b59512f8fa28d913aaa791c8a0541ce70d402076fe5f5ff3a41364fd4cf8e4f4953bb4fffb54bbe9586f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7Bfkgr4PNKQx.bat

Filesize
207B

MD5
00e5a83836f2fd4c39bad93bae6ffbbf

SHA1
0599104012dada8afaf1df183e35bd2b1bdc57d8

SHA256
b6e6a4d7a7ee1331b781651a94cebb0cc7bdd75b54ac7e8b3bea866b9529ac91

SHA512
dde87d122a8fc42fb3389b4b48c4f90de27384afdfeaa1b0b5e44e801ad207bf4364eeefe9e53d1c3e3bbb54d15fd4a018a3d041acff56bc1e258bdd3b7e0107

Download Submit
C:\Users\Admin\AppData\Local\Temp\AN92iYTPGaJB.bat

Filesize
207B

MD5
7642bc59663297d0377c290dc28156d9

SHA1
14cf77e3aee36d2ea528b434925639eb193d4d8c

SHA256
f802b9b82d3b579c43f8d14d439f28e990c0a86fdcaf0d2c72f1d2ce5891dcfd

SHA512
047128c8ca2b63a29d457d282b80750ad233b89ee48cadfa0ab2bb8d0680c0a5a720f6f41bc1f6cfddcb2dc99980bbdbe09dfd554814f155317fd4bce8bea68e

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4n2XErN5nV8.bat

Filesize
207B

MD5
01b4d392f749205b3c0410077f1bc116

SHA1
02664bd258392bcf07dfb11f7fe45494daf8eb09

SHA256
3c781cc7a2de599df92cd2cfd808e0498ce0481de0ae9a578390ee032d688792

SHA512
8bee82ba69c18b82dd978582775ba0a8765b8dad319ce0e8db5d499bfaeecb30a7fc993f668a32948439c7a4c78b45c9440f5616bd10480a0ff0ffba35fdd8ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9M0JJ8u1UvI.bat

Filesize
207B

MD5
8a09d4634f0c9fe15731310860814aab

SHA1
e15f7ca5504a28094606d553e65be30574791fd1

SHA256
3ac73aedd7ee633f9630ea13755d2f74e5baa46686163c3bc3d1984792b352b8

SHA512
76d57822bb33f2d9357fbfca02bb81e7516ecb3d7c910c9c2f11b2597dcf134787d1d8ed49b61e2d13aae6da84352f2cf18c42e0da24e0e87a2482e2f6222ff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDjVUEzENM5M.bat

Filesize
207B

MD5
bb057ae4802e326ef5cdb68fdb20d4bf

SHA1
51fa1017c1b48c3f34d910c5dd2e2a22e50a230d

SHA256
54ce4f0ee27909913197109dab0a68cf2d7ff95d9446d3d95b58bf4d298cb72e

SHA512
a086069174e05fe61cf8794df2acba92e4f9a0b97f16cdb532862a505502aab5639043e5fd1f0d658211292ce5a1d7aa4d4b97c65a82321e8cd8e0c9338b1a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\XTNSVZdPel5m.bat

Filesize
207B

MD5
bfadbbc0379d3cc79db0f09df642e12c

SHA1
9ec6376031941d8114f2144ac5967587028488f7

SHA256
13ea8f46242429a823fdeb2a96a90e0727d20040b6529cedda90b702d1af99e5

SHA512
a50c9e790936236a5bd48eedb43f3de77f3b13522ff907bcce2b086693b7f2fc4e568d5b94c007498c81bb50d3e6ae8d90c710f190d49e3016dc7c7ce0bd04bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\bqd9mbwQr3O0.bat

Filesize
207B

MD5
7ca8eaf11d4ad54054880025cc211dd6

SHA1
baf058efd1652deebdc979350a9e730acd43e370

SHA256
95715cc4482cdc8821ad96ca34811e3d663c6f72d9cc594e3e3bd13407277154

SHA512
03c8329385157e76d35a6da27b978d6cfe27cddf90903ce185fa00ed39acc4d3642521d4e9322f432b87c0df2d616520e0a8c0c05237b05abc38bcaa1a4973ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\cDMBWGnwP2pe.bat

Filesize
207B

MD5
0612dbf0423f8faba4582a72902dfe93

SHA1
5617f8ff65a5ade4613aa0700c24bae6f5c90170

SHA256
d44af25000fa624ce22599dff08049462113b223c08f166a7367f53eb75265e8

SHA512
00b2eaf19d717d6adc6581ce70890177e88449383418703c886b4a57ca1aef18733f2543379b91ddcac37be8ef0675a9eeea24183280da9cb6ef2a3e023a871b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dRdmIfJ79BoY.bat

Filesize
207B

MD5
d6659c6d1d7c66f4a20d46dfda96031f

SHA1
e00dbde15a88deaa659a7b7528684a99eb6f13a8

SHA256
cb0c00d2523cf83e060e6875a5ab3c1ad3144e205b13d5869c1ab669117fe46c

SHA512
4d890fe9324841c1ef382759e85c1a9597382f283da481e92bd1c138568e87debb9c22cf08786b461b603eb78bdafe698d690ae48b53070cba02c56b3f1907f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\fKKVkVA4oYes.bat

Filesize
207B

MD5
caff204e354cdaee444f1c9d9d1fe686

SHA1
6eff707f61c0308b9a2c4573554bf1f3095bf9fa

SHA256
33773899ec2857f451b2a8b1eef89c90d373074c4181fd71226a14b0fae2e1b4

SHA512
f9972818a960b25c2e2f2c100c4c1fdc19695fbbcea7f12353d9f38f43f763037f612fc2efad01d0ae65c096f7593054787aee022dbe76265ad111852d9c34d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qSrauNOuBeY6.bat

Filesize
207B

MD5
64f5f48fe9c96c0288ed1810751e70ea

SHA1
8f5fbbe1a59f053a0c684d7649d748bc8ccefd05

SHA256
24de7385da0cfc684b1733f47531faadb06d78ee5cafeb4648b9b7ff696bd7cd

SHA512
7bebc21d9c0da8f54a8bc870f4ac497c66dedc4ae2a11f5585b78eefece7a315cbd6644c3a014b1c4e6b588c54234e62bc845ca36bbdc433309a7893df8fe0f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhSm0zYmIEig.bat

Filesize
207B

MD5
94511d9f2f02e9beac878b2a1bbdfb73

SHA1
14f1565d9de697ea07b420e53e8f2bb4a2576c53

SHA256
fc9ee91e074dbef7cf9c5eebd34c1957b174c64083cdcfd21bf81b40cb0f9443

SHA512
87e3f1d898b593680fc223cdefde3864a6070943aa91541945cc02a6a74744960e8607573717fd05df6d6a5e6de2f033bde9b14e8485fa26e74460077eb6940b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtlTVhPYLAQI.bat

Filesize
207B

MD5
1c33cf39b5f3dfcfebc19fa853db80ef

SHA1
e466feadda34fb55fc4457c53e3c059abd06a2e1

SHA256
9d5c18c7e3b3c4c4889c1bc2fccdc5d2b21f29b8c3782659e816348f20e8938e

SHA512
1c07819a05fd168598b6caecda0bde535314d49934306eaa5ed8ae04ea4bafcdde3e0788434bd87c2ae02c0e14b8012c2c4b05a946adf34339fb0ecd8f4a644e

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\AtlasX.exe

Filesize
3.1MB

MD5
d80e76b6962401ba306ce0ce9adc43ef

SHA1
e607bd7cdecf84d80b28e67d2836ea882a4f771f

SHA256
9ad36e247204c18b819993885ea7a99fa5b142456a41494a9878cf45cfed2dde

SHA512
85881abbcb6260e9b327b4dcb4db98c24fbc3ca8ea731fb3b1b08c96dabc3745c8fdc778e0dd7f6a8049b24b44c3074b7fd93033dc5f0d7a793755b79ac5f866

Download Submit
memory/216-17-0x00007FFDB5640000-0x00007FFDB6101000-memory.dmp

Filesize
10.8MB

Download
memory/216-12-0x000000001BF10000-0x000000001BFC2000-memory.dmp

Filesize
712KB

Download
memory/216-11-0x000000001BE00000-0x000000001BE50000-memory.dmp

Filesize
320KB

Download
memory/216-10-0x00007FFDB5640000-0x00007FFDB6101000-memory.dmp

Filesize
10.8MB

Download
memory/216-9-0x00007FFDB5640000-0x00007FFDB6101000-memory.dmp

Filesize
10.8MB

Download
memory/2332-0-0x00007FFDB5643000-0x00007FFDB5645000-memory.dmp

Filesize
8KB

Download
memory/2332-19-0x00007FFDB5640000-0x00007FFDB6101000-memory.dmp

Filesize
10.8MB

Download
memory/2332-2-0x00007FFDB5640000-0x00007FFDB6101000-memory.dmp

Filesize
10.8MB

Download
memory/2332-1-0x0000000000370000-0x0000000000694000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads