quasar | 092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb.exe
Size

3.1MB
MD5

7b3cdbe64809334591697b1424193cdc
SHA1

489dc1a891a4eca75df696a5c139e991277be9c7
SHA256

092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb
SHA512

811eb77ba66402dbf8ccbeacae131d36b0a97b7c813d335819d96370f904ffd7a6c9b2410f47fc2f0eac43675849e6b3473ab56ecfa0d934e97dbdc8b3e4fb74
SSDEEP

49152:zvelL26AaNeWgPhlmVqvMQ7XSKjizD+YMfrDoGdfTHHB72eh2NTt:zvOL26AaNeWgPhlmVqkQ7XSKjizD+LQ

Score

10^/10

quasar roar discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

roar

fojeweb571-59106.portmap.host:59106

Mutex

0c203952-83f0-40e8-a93c-b701163cc930

Attributes

encryption_key
B42CE86AEBA4D8818352F4D811EA7BBB472E229A
install_name
windows defender.exe
log_directory
Logs
reconnect_delay
3000
startup_key
discord
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 14 IoCs

resource	yara_rule
behavioral1/memory/1884-1-0x0000000000BD0000-0x0000000000EF4000-memory.dmp	family_quasar
behavioral1/files/0x0009000000015d7e-6.dat	family_quasar
behavioral1/memory/2276-9-0x00000000003B0000-0x00000000006D4000-memory.dmp	family_quasar
behavioral1/memory/1912-23-0x0000000000DE0000-0x0000000001104000-memory.dmp	family_quasar
behavioral1/memory/2840-34-0x0000000000250000-0x0000000000574000-memory.dmp	family_quasar
behavioral1/memory/2012-45-0x00000000003C0000-0x00000000006E4000-memory.dmp	family_quasar
behavioral1/memory/2612-56-0x0000000000A70000-0x0000000000D94000-memory.dmp	family_quasar
behavioral1/memory/236-67-0x0000000000150000-0x0000000000474000-memory.dmp	family_quasar
behavioral1/memory/1108-78-0x00000000000C0000-0x00000000003E4000-memory.dmp	family_quasar
behavioral1/memory/2920-89-0x0000000000ED0000-0x00000000011F4000-memory.dmp	family_quasar
behavioral1/memory/2444-100-0x0000000001260000-0x0000000001584000-memory.dmp	family_quasar
behavioral1/memory/1032-131-0x00000000012E0000-0x0000000001604000-memory.dmp	family_quasar
behavioral1/memory/1824-142-0x0000000000180000-0x00000000004A4000-memory.dmp	family_quasar
behavioral1/memory/2180-153-0x00000000001A0000-0x00000000004C4000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2276	windows defender.exe
1912	windows defender.exe
2840	windows defender.exe
2012	windows defender.exe
2612	windows defender.exe
236	windows defender.exe
1108	windows defender.exe
2920	windows defender.exe
2444	windows defender.exe
2820	windows defender.exe
3020	windows defender.exe
1032	windows defender.exe
1824	windows defender.exe
2180	windows defender.exe
2316	windows defender.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
496	PING.EXE
496	PING.EXE
1704	PING.EXE
2968	PING.EXE
1364	PING.EXE
352	PING.EXE
912	PING.EXE
448	PING.EXE
2248	PING.EXE
2380	PING.EXE
2116	PING.EXE
2748	PING.EXE
1352	PING.EXE
2696	PING.EXE
2212	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2968	PING.EXE
912	PING.EXE
496	PING.EXE
1704	PING.EXE
1364	PING.EXE
448	PING.EXE
2248	PING.EXE
2212	PING.EXE
2748	PING.EXE
2380	PING.EXE
2696	PING.EXE
2116	PING.EXE
352	PING.EXE
1352	PING.EXE
496	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2652	schtasks.exe
2996	schtasks.exe
2072	schtasks.exe
2160	schtasks.exe
1260	schtasks.exe
1824	schtasks.exe
2640	schtasks.exe
832	schtasks.exe
2628	schtasks.exe
2832	schtasks.exe
1464	schtasks.exe
2500	schtasks.exe
1264	schtasks.exe
2296	schtasks.exe
1900	schtasks.exe
1808	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1884	092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb.exe
Token: SeDebugPrivilege	2276	windows defender.exe
Token: SeDebugPrivilege	1912	windows defender.exe
Token: SeDebugPrivilege	2840	windows defender.exe
Token: SeDebugPrivilege	2012	windows defender.exe
Token: SeDebugPrivilege	2612	windows defender.exe
Token: SeDebugPrivilege	236	windows defender.exe
Token: SeDebugPrivilege	1108	windows defender.exe
Token: SeDebugPrivilege	2920	windows defender.exe
Token: SeDebugPrivilege	2444	windows defender.exe
Token: SeDebugPrivilege	2820	windows defender.exe
Token: SeDebugPrivilege	3020	windows defender.exe
Token: SeDebugPrivilege	1032	windows defender.exe
Token: SeDebugPrivilege	1824	windows defender.exe
Token: SeDebugPrivilege	2180	windows defender.exe
Token: SeDebugPrivilege	2316	windows defender.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2276	windows defender.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 1464	1884	092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb.exe	30
PID 1884 wrote to memory of 1464	1884	092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb.exe	30
PID 1884 wrote to memory of 1464	1884	092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb.exe	30
PID 1884 wrote to memory of 2276	1884	092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb.exe	32
PID 1884 wrote to memory of 2276	1884	092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb.exe	32
PID 1884 wrote to memory of 2276	1884	092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb.exe	32
PID 2276 wrote to memory of 2500	2276	windows defender.exe	33
PID 2276 wrote to memory of 2500	2276	windows defender.exe	33
PID 2276 wrote to memory of 2500	2276	windows defender.exe	33
PID 2276 wrote to memory of 2224	2276	windows defender.exe	35
PID 2276 wrote to memory of 2224	2276	windows defender.exe	35
PID 2276 wrote to memory of 2224	2276	windows defender.exe	35
PID 2224 wrote to memory of 2184	2224	cmd.exe	37
PID 2224 wrote to memory of 2184	2224	cmd.exe	37
PID 2224 wrote to memory of 2184	2224	cmd.exe	37
PID 2224 wrote to memory of 2748	2224	cmd.exe	38
PID 2224 wrote to memory of 2748	2224	cmd.exe	38
PID 2224 wrote to memory of 2748	2224	cmd.exe	38
PID 2224 wrote to memory of 1912	2224	cmd.exe	40
PID 2224 wrote to memory of 1912	2224	cmd.exe	40
PID 2224 wrote to memory of 1912	2224	cmd.exe	40
PID 1912 wrote to memory of 2652	1912	windows defender.exe	41
PID 1912 wrote to memory of 2652	1912	windows defender.exe	41
PID 1912 wrote to memory of 2652	1912	windows defender.exe	41
PID 1912 wrote to memory of 2676	1912	windows defender.exe	43
PID 1912 wrote to memory of 2676	1912	windows defender.exe	43
PID 1912 wrote to memory of 2676	1912	windows defender.exe	43
PID 2676 wrote to memory of 556	2676	cmd.exe	45
PID 2676 wrote to memory of 556	2676	cmd.exe	45
PID 2676 wrote to memory of 556	2676	cmd.exe	45
PID 2676 wrote to memory of 912	2676	cmd.exe	46
PID 2676 wrote to memory of 912	2676	cmd.exe	46
PID 2676 wrote to memory of 912	2676	cmd.exe	46
PID 2676 wrote to memory of 2840	2676	cmd.exe	47
PID 2676 wrote to memory of 2840	2676	cmd.exe	47
PID 2676 wrote to memory of 2840	2676	cmd.exe	47
PID 2840 wrote to memory of 1260	2840	windows defender.exe	48
PID 2840 wrote to memory of 1260	2840	windows defender.exe	48
PID 2840 wrote to memory of 1260	2840	windows defender.exe	48
PID 2840 wrote to memory of 604	2840	windows defender.exe	50
PID 2840 wrote to memory of 604	2840	windows defender.exe	50
PID 2840 wrote to memory of 604	2840	windows defender.exe	50
PID 604 wrote to memory of 648	604	cmd.exe	52
PID 604 wrote to memory of 648	604	cmd.exe	52
PID 604 wrote to memory of 648	604	cmd.exe	52
PID 604 wrote to memory of 448	604	cmd.exe	53
PID 604 wrote to memory of 448	604	cmd.exe	53
PID 604 wrote to memory of 448	604	cmd.exe	53
PID 604 wrote to memory of 2012	604	cmd.exe	54
PID 604 wrote to memory of 2012	604	cmd.exe	54
PID 604 wrote to memory of 2012	604	cmd.exe	54
PID 2012 wrote to memory of 2996	2012	windows defender.exe	55
PID 2012 wrote to memory of 2996	2012	windows defender.exe	55
PID 2012 wrote to memory of 2996	2012	windows defender.exe	55
PID 2012 wrote to memory of 1904	2012	windows defender.exe	57
PID 2012 wrote to memory of 1904	2012	windows defender.exe	57
PID 2012 wrote to memory of 1904	2012	windows defender.exe	57
PID 1904 wrote to memory of 2220	1904	cmd.exe	59
PID 1904 wrote to memory of 2220	1904	cmd.exe	59
PID 1904 wrote to memory of 2220	1904	cmd.exe	59
PID 1904 wrote to memory of 2248	1904	cmd.exe	60
PID 1904 wrote to memory of 2248	1904	cmd.exe	60
PID 1904 wrote to memory of 2248	1904	cmd.exe	60
PID 1904 wrote to memory of 2612	1904	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb.exe
"C:\Users\Admin\AppData\Local\Temp\092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1464
- C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2500
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\iILx34RXGEHr.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2184
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2748
  - - C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1912
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2652
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mfwrtjhgfRlY.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:556
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:912
      - C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1260
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JWBaasuys2VI.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:604
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:648
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:448
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2996
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UhzFdCbkFBCb.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2220
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2248
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1264
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lv0Sfn5CRU9L.bat" "
        11⤵
        
        PID:3048
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2188
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:496
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:236
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1824
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ArJYFTD3IYwM.bat" "
        13⤵
        
        PID:1564
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2564
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:352
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1108
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2072
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pfegy8Uj0ICN.bat" "
        15⤵
        
        PID:2264
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1732
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1704
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2640
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\oXcbQWuRrYrl.bat" "
        17⤵
        
        PID:2844
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2792
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2212
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2628
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DyjqskhzRbPd.bat" "
        19⤵
        
        PID:1520
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1896
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2968
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2832
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mEk7zk04kXST.bat" "
        21⤵
        
        PID:1044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2976
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2380
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2296
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SL3CnpyXETQB.bat" "
        23⤵
        
        PID:1000
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1632
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1352
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1900
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0ViDaxfdJe5G.bat" "
        25⤵
        
        PID:1340
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:916
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:496
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:832
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7VEdGv6i56uw.bat" "
        27⤵
        
        PID:1792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1688
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2116
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1808
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KtrUbfvqkx8e.bat" "
        29⤵
        
        PID:1248
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2712
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1364
        
        C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2160
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\o2fUiWzeg06C.bat" "
        31⤵
        
        PID:2936
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2792
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0ViDaxfdJe5G.bat

Filesize
217B

MD5
bf29dccf097fd6106a76bde4ef9ebf76

SHA1
c5873b5fd5cd10e41e7041ec2272cea58f47d12d

SHA256
b9a0a7aaae6613877b6cf7dee59dbe0332a026be4f91a0319e576905def6dec8

SHA512
8780a30ddb403315142cc7ed1773f9b61ee211594ba4287176ec87f43613c262c8560c4ce542dddcc36f18fe68faec49d8aff4617586600ed39cafd0e665af18

Download Submit
C:\Users\Admin\AppData\Local\Temp\7VEdGv6i56uw.bat

Filesize
217B

MD5
9c1b65950d968567d696ff005d4d6b19

SHA1
48ba65b3e06afbdb37377b41b9605f1d72692c2b

SHA256
e35448bd0d72b807a7accec636ec90e807b0f227ca4cf38806271ae6ef738b78

SHA512
94267d6556c449ee99f9cb4b32fdf554d7b684d9b08e945c43619065659e6da1dafc32a3a461f5774b1a55b023becaf3170f9b34b9d0b46bd3563f7971d09643

Download Submit
C:\Users\Admin\AppData\Local\Temp\ArJYFTD3IYwM.bat

Filesize
217B

MD5
8ade450f6f4466ac7842f8531035a912

SHA1
b52253bca7884795628bd53ba1ff7635f0888ac8

SHA256
554e6bb4a95d02174fef017babd3c0e77ac9ebe30add03831a89b85587da3137

SHA512
83088ec3858b5b207db6ce15944a2dc2a4f354c3095fa7442bad3f0797dda14278aaa30310517b77e9708274775ca4b07168914d5a0f7004746bb26d1f240f50

Download Submit
C:\Users\Admin\AppData\Local\Temp\DyjqskhzRbPd.bat

Filesize
217B

MD5
aef34035bef874b734f4c603f2aba5e7

SHA1
95085ca3cb352c810e6e9437b1ba01889d4ca7f1

SHA256
6105250c2acd18ddf175929f4dc8bdfe7eb37ed745eb35f97112dbf982d06256

SHA512
bfb8a50af427ee59b6f30ce925b986427f433f4cd78177b0375966f857cf9b6a413b60a7e3046966439c32392d36466912470cc7d43360e644557cace4dca709

Download Submit
C:\Users\Admin\AppData\Local\Temp\JWBaasuys2VI.bat

Filesize
217B

MD5
1421ebc9cab20886cc9224a34b3668f9

SHA1
906bcb17931ab075887849513046a7847e98179c

SHA256
1d5e38ccc44eaa697bd91d57f555b8fc39552b238ceac52f85d2c46fb4bff1a0

SHA512
1f286786a73295e130cd9088f1f8c78eed8099b25d89fc0eef8ee0c1ca5bbea7b7ec32e9a7da70b12125b879ab024889e60c78b34c0d11a5c86b22903029f239

Download Submit
C:\Users\Admin\AppData\Local\Temp\KtrUbfvqkx8e.bat

Filesize
217B

MD5
1a8813ee0c33f9e61ad0ad1ae7913cda

SHA1
06269d193dba1028ef7755a1f151583e78635cc7

SHA256
286f26bf97000c33850549f4f45227cfb348d58dd092ddf6598cf8eabbe778cc

SHA512
38cd3ca08d3dcac84ae33885a61013df4b685e09c8fac3ed5cff1ee0d71acd49e67d93adf77e1977ce67ec1f30bd7a3ea68ebfc486511e404b0ea2ae49c24af1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SL3CnpyXETQB.bat

Filesize
217B

MD5
f0a5d7d5d4cb63afeae5d7e790b59376

SHA1
366a9d62f3e726188c7d405cfc51e352d8569fc5

SHA256
25566a3b69a9a649fda47bad3e8e67cae9c6f4991fc325ba1f64b2edc8ff2099

SHA512
d86378d031260af39e9881f089c8672dd972ceed8dbd1e18ed9c733d6996a9dbd32507fe4486f17fbbd500fe64521a21c92c3822a88d596bbdeb26628c02b027

Download Submit
C:\Users\Admin\AppData\Local\Temp\UhzFdCbkFBCb.bat

Filesize
217B

MD5
0329c3998a6be68d9de19f45807c46b3

SHA1
8bf5adbd9b20f264d18815494fe2a9c7bf0b9bdc

SHA256
957ebfec204e7201534d0140f77a3fadec13ec49cf5e1143cb6298aeeb08de7a

SHA512
0549c9bb5cf675d7576ef115f6109cb159e0e35c75fbe72fabdbfe8207f2a9a5919a40803c7701baf98044c47c70653452fb7a120fc410aca03157d1a0597715

Download Submit
C:\Users\Admin\AppData\Local\Temp\iILx34RXGEHr.bat

Filesize
217B

MD5
878ec402417ac1e6cb2ba0f384e73a7c

SHA1
8765851cd2a508bea8a30ea20a63f9a9d5615601

SHA256
a16aebc4fc1a0dd79be812540830676e816b8d4bb0f9cda66f35220a5b040b96

SHA512
05f5a3e464cc73c5c0cbbe9c79fdf84d75ddf45de7a9b6a71d6b457d5980b914e3c939367346ceb4f7b4fd7a8da6f575dab4ccec820278dce80d770d2570c198

Download Submit
C:\Users\Admin\AppData\Local\Temp\lv0Sfn5CRU9L.bat

Filesize
217B

MD5
1f329e80bc9817e58466d6718a859fbb

SHA1
e92a805f36378154dab5d99c0f2224606f7e32bd

SHA256
a69efc3bf6195eb434a85bed3bc1121a6cf5c70b4ba6228bf5b4fdfa3103e563

SHA512
4b41ccd9748453dcb10d7ab12d955fb8e59dd5802452fbb7150907aec62ccf3b6931045c423b2d2a987b5a00a0d68b648db267fc9541e39e075315463e2778aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEk7zk04kXST.bat

Filesize
217B

MD5
3aee8f9e611f292286bb13cbbede2931

SHA1
09124cc7f2fbe8ad79da1dbc6e15601e54c622c5

SHA256
42a60f3ad1f2653cd9d60f76d097ee12551ae4f1f3ee4031bc99e9dd0cbdd4fa

SHA512
d2d6331f19e82345f7055b3759685de7b7d78c09ea9dfd58c06f12194cc1139447edada47de992de8aee0131e78d189fe5c9a96b1dd4439c2bf54edce27932b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mfwrtjhgfRlY.bat

Filesize
217B

MD5
05ebfef79ad526eb12623f3fef5634b0

SHA1
85eb1a5d55a1ffbf12cf303c7f5e2164afe8d5d8

SHA256
2d785b8aafec19c5142dd1a981aa30a6775272da11dc43268c7fbf33e207c969

SHA512
e54d0b9f0bd032088ff413dfd6ce3b1472ba3f472141c5d03e30a963d71261d2a89834fac1f8d4a7886231c3fdca75fe8754a3b233baad7ccf7f35781df731d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\o2fUiWzeg06C.bat

Filesize
217B

MD5
57ad4e809f40eb66d5a212d632321b7b

SHA1
be7f2baaf694e141c4d36ddc8fd478229a99bc57

SHA256
59a8192e2d7eb9460ff501520923a599960230c484d6b676a24b3b34417f1dff

SHA512
817e798c03479dde58e39467c217ddcd290194ff85f2362de139f38f1b6f0608cd60447dd7255d30a964c16578c490c19e6457e42f2e27dda9bdc21d653402e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\oXcbQWuRrYrl.bat

Filesize
217B

MD5
f036b111abd9d7d5da9242cc6e4a1505

SHA1
476fb7018bfecc53091145a7e3608d256e8961bf

SHA256
fe50ec834c20935f4dec590d795a0f6d874de58fe5e1f699b6af633c91a01f13

SHA512
aeec923eebc99c9db8ac3a18138cb9824b879e30eb1ea1d38e650476535d63e791491637d7d67e3fa327e05a8c6ab9505d708e4e6bd37b92aacb56f0ca03494b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pfegy8Uj0ICN.bat

Filesize
217B

MD5
bb66cd0f5e3059d9212ca42168c076ba

SHA1
01940434b8f3d92b92c609676ad61917f1a59497

SHA256
4bb335f726d25e52150604cfdba5e9f7281df01e513e46de9120ca7f8ab8c227

SHA512
c97968aff0af73cef5a75a04d776d7c387b8b81b2c7f86d2b51e573461543fa78d0d3b391249d9cc929c0ae8f21b1500272f7808352f3234df7a333801098654

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\windows defender.exe

Filesize
3.1MB

MD5
7b3cdbe64809334591697b1424193cdc

SHA1
489dc1a891a4eca75df696a5c139e991277be9c7

SHA256
092efd70b090bbfc0af8facff15b06f818ebfa87a1b4034abf7e0b749bc079fb

SHA512
811eb77ba66402dbf8ccbeacae131d36b0a97b7c813d335819d96370f904ffd7a6c9b2410f47fc2f0eac43675849e6b3473ab56ecfa0d934e97dbdc8b3e4fb74

Download Submit
memory/236-67-0x0000000000150000-0x0000000000474000-memory.dmp

Filesize
3.1MB

Download
memory/1032-131-0x00000000012E0000-0x0000000001604000-memory.dmp

Filesize
3.1MB

Download
memory/1108-78-0x00000000000C0000-0x00000000003E4000-memory.dmp

Filesize
3.1MB

Download
memory/1824-142-0x0000000000180000-0x00000000004A4000-memory.dmp

Filesize
3.1MB

Download
memory/1884-8-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

Filesize
9.9MB

Download
memory/1884-2-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

Filesize
9.9MB

Download
memory/1884-1-0x0000000000BD0000-0x0000000000EF4000-memory.dmp

Filesize
3.1MB

Download
memory/1884-0-0x000007FEF5B23000-0x000007FEF5B24000-memory.dmp

Filesize
4KB

Download
memory/1912-23-0x0000000000DE0000-0x0000000001104000-memory.dmp

Filesize
3.1MB

Download
memory/2012-45-0x00000000003C0000-0x00000000006E4000-memory.dmp

Filesize
3.1MB

Download
memory/2180-153-0x00000000001A0000-0x00000000004C4000-memory.dmp

Filesize
3.1MB

Download
memory/2276-21-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

Filesize
9.9MB

Download
memory/2276-11-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

Filesize
9.9MB

Download
memory/2276-9-0x00000000003B0000-0x00000000006D4000-memory.dmp

Filesize
3.1MB

Download
memory/2276-10-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

Filesize
9.9MB

Download
memory/2444-100-0x0000000001260000-0x0000000001584000-memory.dmp

Filesize
3.1MB

Download
memory/2612-56-0x0000000000A70000-0x0000000000D94000-memory.dmp

Filesize
3.1MB

Download
memory/2840-34-0x0000000000250000-0x0000000000574000-memory.dmp

Filesize
3.1MB

Download
memory/2920-89-0x0000000000ED0000-0x00000000011F4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads