quasar | 03b2932cc0f1fff6bf01c1e561ad3b02b0e3db0c9cacd02f4f3198902b1ad7df

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03b2932cc0f1fff6bf01c1e561ad3b02b0e3db0c9cacd02f4f3198902b1ad7dfN.exe
Size

3.1MB
MD5

59f414f74a8a0bae1a8ff0ea4b045020
SHA1

23500e649843bf0e3075da18b3c5789dc4fa6505
SHA256

03b2932cc0f1fff6bf01c1e561ad3b02b0e3db0c9cacd02f4f3198902b1ad7df
SHA512

a471c66f59311fc97dada64846a9c10109c3d455f8673b2c09f09f4513370d5384cb6509b63f549a212efefef33c37d0dda9225c49dd44b45f50fc3d42ff0d62
SSDEEP

49152:zvelL26AaNeWgPhlmVqvMQ7XSKjizD+YMfrDoGdfTHHB72eh2NT:zvOL26AaNeWgPhlmVqkQ7XSKjizD+L

Score

10^/10

quasar roar discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

roar

fojeweb571-59106.portmap.host:59106

Mutex

0c203952-83f0-40e8-a93c-b701163cc930

Attributes

encryption_key
B42CE86AEBA4D8818352F4D811EA7BBB472E229A
install_name
windows defender.exe
log_directory
Logs
reconnect_delay
3000
startup_key
discord
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 8 IoCs

resource	yara_rule
behavioral1/memory/2624-1-0x0000000000DB0000-0x00000000010D4000-memory.dmp	family_quasar
behavioral1/files/0x0008000000015d41-6.dat	family_quasar
behavioral1/memory/2376-9-0x0000000000E30000-0x0000000001154000-memory.dmp	family_quasar
behavioral1/memory/2868-54-0x0000000001110000-0x0000000001434000-memory.dmp	family_quasar
behavioral1/memory/872-76-0x0000000000310000-0x0000000000634000-memory.dmp	family_quasar
behavioral1/memory/2940-87-0x0000000000F70000-0x0000000001294000-memory.dmp	family_quasar
behavioral1/memory/1888-98-0x0000000001270000-0x0000000001594000-memory.dmp	family_quasar
behavioral1/memory/1164-119-0x00000000012A0000-0x00000000015C4000-memory.dmp	family_quasar

Executes dropped EXE 12 IoCs

pid	Process
2376	windows defender.exe
2692	windows defender.exe
1092	windows defender.exe
2772	windows defender.exe
2868	windows defender.exe
1552	windows defender.exe
872	windows defender.exe
2940	windows defender.exe
1888	windows defender.exe
656	windows defender.exe
1164	windows defender.exe
864	windows defender.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1688	PING.EXE
1632	PING.EXE
880	PING.EXE
2076	PING.EXE
1036	PING.EXE
2804	PING.EXE
2132	PING.EXE
1352	PING.EXE
2840	PING.EXE
1760	PING.EXE
2140	PING.EXE
2540	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
1352	PING.EXE
2840	PING.EXE
1760	PING.EXE
1632	PING.EXE
880	PING.EXE
2076	PING.EXE
1688	PING.EXE
2140	PING.EXE
2540	PING.EXE
2804	PING.EXE
1036	PING.EXE
2132	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
948	schtasks.exe
1244	schtasks.exe
584	schtasks.exe
2388	schtasks.exe
2504	schtasks.exe
844	schtasks.exe
1916	schtasks.exe
2104	schtasks.exe
1400	schtasks.exe
3028	schtasks.exe
2748	schtasks.exe
2252	schtasks.exe
756	schtasks.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2624	03b2932cc0f1fff6bf01c1e561ad3b02b0e3db0c9cacd02f4f3198902b1ad7dfN.exe
Token: SeDebugPrivilege	2376	windows defender.exe
Token: SeDebugPrivilege	2692	windows defender.exe
Token: SeDebugPrivilege	1092	windows defender.exe
Token: SeDebugPrivilege	2772	windows defender.exe
Token: SeDebugPrivilege	2868	windows defender.exe
Token: SeDebugPrivilege	1552	windows defender.exe
Token: SeDebugPrivilege	872	windows defender.exe
Token: SeDebugPrivilege	2940	windows defender.exe
Token: SeDebugPrivilege	1888	windows defender.exe
Token: SeDebugPrivilege	656	windows defender.exe
Token: SeDebugPrivilege	1164	windows defender.exe
Token: SeDebugPrivilege	864	windows defender.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2376	windows defender.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2388	2624	03b2932cc0f1fff6bf01c1e561ad3b02b0e3db0c9cacd02f4f3198902b1ad7dfN.exe	30
PID 2624 wrote to memory of 2388	2624	03b2932cc0f1fff6bf01c1e561ad3b02b0e3db0c9cacd02f4f3198902b1ad7dfN.exe	30
PID 2624 wrote to memory of 2388	2624	03b2932cc0f1fff6bf01c1e561ad3b02b0e3db0c9cacd02f4f3198902b1ad7dfN.exe	30
PID 2624 wrote to memory of 2376	2624	03b2932cc0f1fff6bf01c1e561ad3b02b0e3db0c9cacd02f4f3198902b1ad7dfN.exe	32
PID 2624 wrote to memory of 2376	2624	03b2932cc0f1fff6bf01c1e561ad3b02b0e3db0c9cacd02f4f3198902b1ad7dfN.exe	32
PID 2624 wrote to memory of 2376	2624	03b2932cc0f1fff6bf01c1e561ad3b02b0e3db0c9cacd02f4f3198902b1ad7dfN.exe	32
PID 2376 wrote to memory of 2504	2376	windows defender.exe	33
PID 2376 wrote to memory of 2504	2376	windows defender.exe	33
PID 2376 wrote to memory of 2504	2376	windows defender.exe	33
PID 2376 wrote to memory of 2872	2376	windows defender.exe	35
PID 2376 wrote to memory of 2872	2376	windows defender.exe	35
PID 2376 wrote to memory of 2872	2376	windows defender.exe	35
PID 2872 wrote to memory of 2528	2872	cmd.exe	37
PID 2872 wrote to memory of 2528	2872	cmd.exe	37
PID 2872 wrote to memory of 2528	2872	cmd.exe	37
PID 2872 wrote to memory of 2840	2872	cmd.exe	38
PID 2872 wrote to memory of 2840	2872	cmd.exe	38
PID 2872 wrote to memory of 2840	2872	cmd.exe	38
PID 2872 wrote to memory of 2692	2872	cmd.exe	40
PID 2872 wrote to memory of 2692	2872	cmd.exe	40
PID 2872 wrote to memory of 2692	2872	cmd.exe	40
PID 2692 wrote to memory of 844	2692	windows defender.exe	41
PID 2692 wrote to memory of 844	2692	windows defender.exe	41
PID 2692 wrote to memory of 844	2692	windows defender.exe	41
PID 2692 wrote to memory of 1692	2692	windows defender.exe	43
PID 2692 wrote to memory of 1692	2692	windows defender.exe	43
PID 2692 wrote to memory of 1692	2692	windows defender.exe	43
PID 1692 wrote to memory of 1492	1692	cmd.exe	45
PID 1692 wrote to memory of 1492	1692	cmd.exe	45
PID 1692 wrote to memory of 1492	1692	cmd.exe	45
PID 1692 wrote to memory of 1760	1692	cmd.exe	46
PID 1692 wrote to memory of 1760	1692	cmd.exe	46
PID 1692 wrote to memory of 1760	1692	cmd.exe	46
PID 1692 wrote to memory of 1092	1692	cmd.exe	47
PID 1692 wrote to memory of 1092	1692	cmd.exe	47
PID 1692 wrote to memory of 1092	1692	cmd.exe	47
PID 1092 wrote to memory of 1916	1092	windows defender.exe	48
PID 1092 wrote to memory of 1916	1092	windows defender.exe	48
PID 1092 wrote to memory of 1916	1092	windows defender.exe	48
PID 1092 wrote to memory of 2992	1092	windows defender.exe	50
PID 1092 wrote to memory of 2992	1092	windows defender.exe	50
PID 1092 wrote to memory of 2992	1092	windows defender.exe	50
PID 2992 wrote to memory of 1728	2992	cmd.exe	52
PID 2992 wrote to memory of 1728	2992	cmd.exe	52
PID 2992 wrote to memory of 1728	2992	cmd.exe	52
PID 2992 wrote to memory of 1632	2992	cmd.exe	53
PID 2992 wrote to memory of 1632	2992	cmd.exe	53
PID 2992 wrote to memory of 1632	2992	cmd.exe	53
PID 2992 wrote to memory of 2772	2992	cmd.exe	54
PID 2992 wrote to memory of 2772	2992	cmd.exe	54
PID 2992 wrote to memory of 2772	2992	cmd.exe	54
PID 2772 wrote to memory of 2104	2772	windows defender.exe	55
PID 2772 wrote to memory of 2104	2772	windows defender.exe	55
PID 2772 wrote to memory of 2104	2772	windows defender.exe	55
PID 2772 wrote to memory of 876	2772	windows defender.exe	57
PID 2772 wrote to memory of 876	2772	windows defender.exe	57
PID 2772 wrote to memory of 876	2772	windows defender.exe	57
PID 876 wrote to memory of 2660	876	cmd.exe	59
PID 876 wrote to memory of 2660	876	cmd.exe	59
PID 876 wrote to memory of 2660	876	cmd.exe	59
PID 876 wrote to memory of 2140	876	cmd.exe	60
PID 876 wrote to memory of 2140	876	cmd.exe	60
PID 876 wrote to memory of 2140	876	cmd.exe	60
PID 876 wrote to memory of 2868	876	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\03b2932cc0f1fff6bf01c1e561ad3b02b0e3db0c9cacd02f4f3198902b1ad7dfN.exe
"C:\Users\Admin\AppData\Local\Temp\03b2932cc0f1fff6bf01c1e561ad3b02b0e3db0c9cacd02f4f3198902b1ad7dfN.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2388
- C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2504
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Vn0I4kpqxo8A.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2528
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2840
  - - C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:844
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mEsHXTUA62bF.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1692
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1492
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1760
      - C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1916
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kkrXPjB3oOgr.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1728
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1632
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2104
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qbjvURhpYybB.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2660
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2140
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:948
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\il5ATYxAAAWw.bat" "
        11⤵
        
        PID:1772
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1696
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2540
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1244
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\I1qn8IRfzOTi.bat" "
        13⤵
        
        PID:2460
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2744
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:880
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1400
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0xiRhQHONqd5.bat" "
        15⤵
        
        PID:2380
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1704
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2076
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3028
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qDNfFiBoNykn.bat" "
        17⤵
        
        PID:2960
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2840
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2804
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2748
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\6nogcUWGIjv7.bat" "
        19⤵
        
        PID:2224
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:772
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1036
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:656
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:584
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\3ZVmgAHxvIWA.bat" "
        21⤵
        
        PID:1004
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1684
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2132
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2252
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PC5zRgHLbEZr.bat" "
        23⤵
        
        PID:3060
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1796
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1688
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:756
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\y0I884J3gxLN.bat" "
        25⤵
        
        PID:900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0xiRhQHONqd5.bat

Filesize
217B

MD5
4a0ffbdafd3b4d99dcc83b673b61c017

SHA1
30e0208d3c69014435ccfe556a485f4f836e32bc

SHA256
1d62e1288b5567744a0587780ad5295ce4a78954dac51280381c6de1bdc795b0

SHA512
51c6c49eecd2023f5c56c92d0f94738950c829bedc73ee23f64ecd85ba084ac7019476bf28622b989ff75c3fd3d15c1d97f4fff54681868dc9bb5a4f970e9592

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ZVmgAHxvIWA.bat

Filesize
217B

MD5
0ae013c3347c6bc8e8d5b9a15a621be9

SHA1
70105ef3b69caf432a374d2ae39f3d681a168d8c

SHA256
8247de7062e2f71ef215d620004a1cd2e95a45426a2fbba10e8cfdea4ec6fe8a

SHA512
e17cba7dded09bb72aa308f268c8c80ff417ff2083f9bab2908bc1708f5bf4165c9e94ae417b232a8ef008649f13c9074fc926f22500bfadca693da066ef89fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6nogcUWGIjv7.bat

Filesize
217B

MD5
b29d361d867aadc7c9ef9c486b90aa4f

SHA1
f16378416bfba524bc2f0cfc81a14f7a72275e10

SHA256
47b5032d4b3f20c5b83bf6bf178753de89f74c3e6025127bc95f6b22232857d5

SHA512
ff0e215a35b7f9ce7bb447b31afa73a2566e30f72960981353eda29853d100c1d018a271674876ec9116170260da3f46c09b54abe47fd525b58da1107d910e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1qn8IRfzOTi.bat

Filesize
217B

MD5
79cbc35b3ea6679caf6b192b8168860d

SHA1
3656dd3220e3205f4f558d5932dffc42efd2700d

SHA256
541f81abd02383f2941c28eefc0db168d69b9d52288c1307ad54d920c4e96ee0

SHA512
5b585aef02491d0ee51b2efed0ea632df147016d228277ee884399b15a6b6ca27516e826102672349b537f013f84d782bededa155da203c430f9218bce2f4ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\PC5zRgHLbEZr.bat

Filesize
217B

MD5
3ff491633825be32858b410253ffa36d

SHA1
046f7610f101922c898c13c5f0d57244708ff195

SHA256
51f469f380d4300089b90fd27bc4a633470f0c736770541ada41fa84941cb595

SHA512
a292f7c3e97eed91c42a063f81c6bf90496ed9da437374779154949cbc662bf99acd8663705ea21926fc59901004c5085d4e6bb33639d5003803399550ed1deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vn0I4kpqxo8A.bat

Filesize
217B

MD5
dbc5ce9de379722fb1544ae456c2f3f5

SHA1
794fed3cd215990a6e6f4fa42a093c03897fb19e

SHA256
fe310052a8c83251c028069a027830ea4b91e150bb51df5744f3e5243439f8f9

SHA512
47db065986124add769b64a46699eab41f5a139939d9d381030eddc1428bc555aec9bb4dbc7d7afa38a9a5c73f7e478a1c8df178e448d3456ff7e27079fef1e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\il5ATYxAAAWw.bat

Filesize
217B

MD5
efdc6f95a1b8b697f4314dada97e6f8b

SHA1
ff822725760577da10424f74c2368a2e01a9962a

SHA256
54b1a737fa6fa76fd3546bbfaedb23959007f3d8d0bf7d54644b5e2740c45ded

SHA512
d7f1e14a680ad99ae8321d77b611c4808f4db52f0e02fbc1ed3a742a08fe6c92a374f519a3570c0a879d35a022377d9a6c548d95923921d0616f8bbd7ab822a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkrXPjB3oOgr.bat

Filesize
217B

MD5
15844514bf0eedc8a94cd601746bcee5

SHA1
f1eeaf138bb47d2cc05473a63a3469727070a853

SHA256
ef87911d1eea1e4e9b669402441ec77084c88840c6df79bc1f59e66ca52fc9fa

SHA512
72e86ecc940ffbcbe8c9baa2e86ff6e8475b6809233d0579bccb1e449b17fb3357082a58d76f50784f45254fc05d61b7a50e8265c856dc11ed1245ec3f2ea217

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEsHXTUA62bF.bat

Filesize
217B

MD5
629032c3c2929561deb3423229534863

SHA1
49988321f517d39a78333f587bb6e9da59a9832e

SHA256
02db6bb57e5f587e4c536437ad5a52957d5035dc449de63153a0f21eca458fc7

SHA512
999e0f6be4806584e961edbe16722137e66456451b8f9d7e87d9cd14fa5ec1c723130ae41800f0dae643e576fcae85629b5251af1f2e17180799bc591ea3c343

Download Submit
C:\Users\Admin\AppData\Local\Temp\qDNfFiBoNykn.bat

Filesize
217B

MD5
d82148f422455f56ebdc423533ffe231

SHA1
979ac5d8a5d351d8f6d6006da4a4cc8143cae72e

SHA256
a20a2247bff5064c9307c85c31f2739586276f9cead375297cfa9cb37ead0225

SHA512
8a1f74cbb9f222987238f9d2144d6732f3461f516ab76e365a1a9f396ede797873744bc58871e6418dbe7285eb5fbb2225dd9146c7e0f2bc2a4a8dfa3122ff8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qbjvURhpYybB.bat

Filesize
217B

MD5
914f839ab87556f7beb8e11c46a2068b

SHA1
5acb8758e53dd2d3a63f594612fdddf0f7f043d8

SHA256
4194cb85e478ecbc03b70851d9f022ea5f97008004aac7dba2ace3c39e854d0f

SHA512
171cea7192e751e542bcbd4e8c92069db43e3c58337e58955410c455589fa42275007144944756514aeee420bc6f2c1a28637d9d89064faf14443cdc83e77860

Download Submit
C:\Users\Admin\AppData\Local\Temp\y0I884J3gxLN.bat

Filesize
217B

MD5
8fbc5de936ac904ca09fecae1284c115

SHA1
87c89bc11260c0e6458cf6b083af11e033a5a4a0

SHA256
95956b3588e516200ec16b41a15ec810654b52b6250f39562930ccba52579330

SHA512
974bcd443a0857b1bd5f24b896caa1cf7ace9f308606e14ba31b7fe48533174fd74a027a22e551ba2e48b0722484f18d94809f5020125e5dd1ec4bb9068cfcf8

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe

Filesize
3.1MB

MD5
59f414f74a8a0bae1a8ff0ea4b045020

SHA1
23500e649843bf0e3075da18b3c5789dc4fa6505

SHA256
03b2932cc0f1fff6bf01c1e561ad3b02b0e3db0c9cacd02f4f3198902b1ad7df

SHA512
a471c66f59311fc97dada64846a9c10109c3d455f8673b2c09f09f4513370d5384cb6509b63f549a212efefef33c37d0dda9225c49dd44b45f50fc3d42ff0d62

Download Submit
memory/872-76-0x0000000000310000-0x0000000000634000-memory.dmp

Filesize
3.1MB

Download
memory/1164-119-0x00000000012A0000-0x00000000015C4000-memory.dmp

Filesize
3.1MB

Download
memory/1888-98-0x0000000001270000-0x0000000001594000-memory.dmp

Filesize
3.1MB

Download
memory/2376-9-0x0000000000E30000-0x0000000001154000-memory.dmp

Filesize
3.1MB

Download
memory/2376-11-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/2376-21-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/2376-10-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/2624-8-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/2624-0-0x000007FEF55E3000-0x000007FEF55E4000-memory.dmp

Filesize
4KB

Download
memory/2624-2-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/2624-1-0x0000000000DB0000-0x00000000010D4000-memory.dmp

Filesize
3.1MB

Download
memory/2868-54-0x0000000001110000-0x0000000001434000-memory.dmp

Filesize
3.1MB

Download
memory/2940-87-0x0000000000F70000-0x0000000001294000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads