quasar | 7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c

Analysis

max time kernel
141s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-12-2024 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

seksiak.exe
Size

3.1MB
MD5

239c5f964b458a0a935a4b42d74bcbda
SHA1

7a037d3bd8817adf6e58734b08e807a84083f0ce
SHA256

7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c
SHA512

2e9e95d5097ce751d2a641a8fc7f8bc824a525a07bc06cd8a60580405fad90543ffa3259e6b2b2e97a70a3c3ed03e73b29f7cb9ebd10e7c62eaef2078805be19
SSDEEP

98304:mWV5SgjlbwPdRl5fGO4ZL0luiel9uRJk3HZ2b/aryTnrfvnM3A2Ozvhk:JTQzG

Score

10^/10

quasar zjeb discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

ZJEB

VIPEEK1990-25013.portmap.host:25013

Mutex

ad21b115-2c1b-40cb-adba-a50736b76c21

Attributes

encryption_key
3EBA8BC34FA983893A9B07B831E7CEB183F7492D
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Security Service
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 9 IoCs

resource	yara_rule
behavioral1/memory/2676-1-0x0000000000E40000-0x0000000001164000-memory.dmp	family_quasar
behavioral1/memory/2604-13-0x0000000001350000-0x0000000001674000-memory.dmp	family_quasar
behavioral1/memory/2600-33-0x00000000001E0000-0x0000000000504000-memory.dmp	family_quasar
behavioral1/memory/836-43-0x0000000000980000-0x0000000000CA4000-memory.dmp	family_quasar
behavioral1/memory/588-53-0x0000000000100000-0x0000000000424000-memory.dmp	family_quasar
behavioral1/memory/2392-63-0x0000000000210000-0x0000000000534000-memory.dmp	family_quasar
behavioral1/memory/2792-73-0x0000000000FC0000-0x00000000012E4000-memory.dmp	family_quasar
behavioral1/memory/2424-92-0x0000000001250000-0x0000000001574000-memory.dmp	family_quasar
behavioral1/memory/2624-139-0x0000000001370000-0x0000000001694000-memory.dmp	family_quasar

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2900	PING.EXE
2756	PING.EXE
2336	PING.EXE
2544	PING.EXE
2912	PING.EXE
1976	PING.EXE
928	PING.EXE
496	PING.EXE
2556	PING.EXE
2628	PING.EXE
2304	PING.EXE
1848	PING.EXE
912	PING.EXE
1924	PING.EXE
1044	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2336	PING.EXE
912	PING.EXE
2304	PING.EXE
1848	PING.EXE
928	PING.EXE
1976	PING.EXE
496	PING.EXE
1044	PING.EXE
2628	PING.EXE
1924	PING.EXE
2756	PING.EXE
2556	PING.EXE
2900	PING.EXE
2544	PING.EXE
2912	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1708	schtasks.exe
2984	schtasks.exe
796	schtasks.exe
2232	schtasks.exe
1332	schtasks.exe
1964	schtasks.exe
1092	schtasks.exe
2164	schtasks.exe
2724	schtasks.exe
776	schtasks.exe
2368	schtasks.exe
2684	schtasks.exe
3040	schtasks.exe
2140	schtasks.exe
2924	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	seksiak.exe
Token: SeDebugPrivilege	2604	seksiak.exe
Token: SeDebugPrivilege	2888	seksiak.exe
Token: SeDebugPrivilege	2600	seksiak.exe
Token: SeDebugPrivilege	836	seksiak.exe
Token: SeDebugPrivilege	588	seksiak.exe
Token: SeDebugPrivilege	2392	seksiak.exe
Token: SeDebugPrivilege	2792	seksiak.exe
Token: SeDebugPrivilege	2908	seksiak.exe
Token: SeDebugPrivilege	2424	seksiak.exe
Token: SeDebugPrivilege	2316	seksiak.exe
Token: SeDebugPrivilege	1372	seksiak.exe
Token: SeDebugPrivilege	1728	seksiak.exe
Token: SeDebugPrivilege	2308	seksiak.exe
Token: SeDebugPrivilege	2624	seksiak.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2984	2676	seksiak.exe	30
PID 2676 wrote to memory of 2984	2676	seksiak.exe	30
PID 2676 wrote to memory of 2984	2676	seksiak.exe	30
PID 2676 wrote to memory of 2812	2676	seksiak.exe	32
PID 2676 wrote to memory of 2812	2676	seksiak.exe	32
PID 2676 wrote to memory of 2812	2676	seksiak.exe	32
PID 2812 wrote to memory of 2620	2812	cmd.exe	34
PID 2812 wrote to memory of 2620	2812	cmd.exe	34
PID 2812 wrote to memory of 2620	2812	cmd.exe	34
PID 2812 wrote to memory of 2556	2812	cmd.exe	35
PID 2812 wrote to memory of 2556	2812	cmd.exe	35
PID 2812 wrote to memory of 2556	2812	cmd.exe	35
PID 2812 wrote to memory of 2604	2812	cmd.exe	36
PID 2812 wrote to memory of 2604	2812	cmd.exe	36
PID 2812 wrote to memory of 2604	2812	cmd.exe	36
PID 2604 wrote to memory of 2140	2604	seksiak.exe	37
PID 2604 wrote to memory of 2140	2604	seksiak.exe	37
PID 2604 wrote to memory of 2140	2604	seksiak.exe	37
PID 2604 wrote to memory of 2912	2604	seksiak.exe	39
PID 2604 wrote to memory of 2912	2604	seksiak.exe	39
PID 2604 wrote to memory of 2912	2604	seksiak.exe	39
PID 2912 wrote to memory of 2160	2912	cmd.exe	41
PID 2912 wrote to memory of 2160	2912	cmd.exe	41
PID 2912 wrote to memory of 2160	2912	cmd.exe	41
PID 2912 wrote to memory of 2628	2912	cmd.exe	42
PID 2912 wrote to memory of 2628	2912	cmd.exe	42
PID 2912 wrote to memory of 2628	2912	cmd.exe	42
PID 2912 wrote to memory of 2888	2912	cmd.exe	43
PID 2912 wrote to memory of 2888	2912	cmd.exe	43
PID 2912 wrote to memory of 2888	2912	cmd.exe	43
PID 2888 wrote to memory of 1964	2888	seksiak.exe	44
PID 2888 wrote to memory of 1964	2888	seksiak.exe	44
PID 2888 wrote to memory of 1964	2888	seksiak.exe	44
PID 2888 wrote to memory of 2248	2888	seksiak.exe	46
PID 2888 wrote to memory of 2248	2888	seksiak.exe	46
PID 2888 wrote to memory of 2248	2888	seksiak.exe	46
PID 2248 wrote to memory of 2868	2248	cmd.exe	48
PID 2248 wrote to memory of 2868	2248	cmd.exe	48
PID 2248 wrote to memory of 2868	2248	cmd.exe	48
PID 2248 wrote to memory of 2900	2248	cmd.exe	49
PID 2248 wrote to memory of 2900	2248	cmd.exe	49
PID 2248 wrote to memory of 2900	2248	cmd.exe	49
PID 2248 wrote to memory of 2600	2248	cmd.exe	50
PID 2248 wrote to memory of 2600	2248	cmd.exe	50
PID 2248 wrote to memory of 2600	2248	cmd.exe	50
PID 2600 wrote to memory of 776	2600	seksiak.exe	51
PID 2600 wrote to memory of 776	2600	seksiak.exe	51
PID 2600 wrote to memory of 776	2600	seksiak.exe	51
PID 2600 wrote to memory of 1780	2600	seksiak.exe	53
PID 2600 wrote to memory of 1780	2600	seksiak.exe	53
PID 2600 wrote to memory of 1780	2600	seksiak.exe	53
PID 1780 wrote to memory of 2156	1780	cmd.exe	55
PID 1780 wrote to memory of 2156	1780	cmd.exe	55
PID 1780 wrote to memory of 2156	1780	cmd.exe	55
PID 1780 wrote to memory of 2336	1780	cmd.exe	56
PID 1780 wrote to memory of 2336	1780	cmd.exe	56
PID 1780 wrote to memory of 2336	1780	cmd.exe	56
PID 1780 wrote to memory of 836	1780	cmd.exe	57
PID 1780 wrote to memory of 836	1780	cmd.exe	57
PID 1780 wrote to memory of 836	1780	cmd.exe	57
PID 836 wrote to memory of 1092	836	seksiak.exe	58
PID 836 wrote to memory of 1092	836	seksiak.exe	58
PID 836 wrote to memory of 1092	836	seksiak.exe	58
PID 836 wrote to memory of 848	836	seksiak.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\seksiak.exe
"C:\Users\Admin\AppData\Local\Temp\seksiak.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2984
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\OrdxjwT6ibNa.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2620
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2556
- - C:\Users\Admin\AppData\Local\Temp\seksiak.exe
    "C:\Users\Admin\AppData\Local\Temp\seksiak.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2140
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\3UY2zBxSGfwC.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2160
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2628
    - - C:\Users\Admin\AppData\Local\Temp\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\seksiak.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2888
      - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1964
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jye7q2x25xFE.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2868
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\seksiak.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:776
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qi1U4LTUEm7F.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2156
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\seksiak.exe"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1092
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UnQIp4FhtFC5.bat" "
        10⤵
        
        PID:848
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:3024
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\seksiak.exe"
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:588
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2368
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\d2txh0w01Arp.bat" "
        12⤵
        
        PID:1972
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2404
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\seksiak.exe"
        13⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2924
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tJB7Nj6wGQ94.bat" "
        14⤵
        
        PID:896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2216
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\seksiak.exe"
        15⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2684
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kki8nvmEBidQ.bat" "
        16⤵
        
        PID:2808
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2644
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\seksiak.exe"
        17⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3040
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iUW3pjEj8CDS.bat" "
        18⤵
        
        PID:2860
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2936
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\seksiak.exe"
        19⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2232
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wGkU1kyv941e.bat" "
        20⤵
        
        PID:2212
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2248
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\seksiak.exe"
        21⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1332
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fpXlkm2kk55k.bat" "
        22⤵
        
        PID:2060
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1780
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\seksiak.exe"
        23⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2164
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fQ2ElVYGJgTm.bat" "
        24⤵
        
        PID:944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1288
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\seksiak.exe"
        25⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2724
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bYTjab33g9z5.bat" "
        26⤵
        
        PID:2400
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2828
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:496
        
        C:\Users\Admin\AppData\Local\Temp\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\seksiak.exe"
        27⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:796
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KIWruobvDye9.bat" "
        28⤵
        
        PID:1752
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:2292
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\seksiak.exe"
        29⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        30⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1708
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KNMGa1OPS7W3.bat" "
        30⤵
        
        PID:2984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:2660
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3UY2zBxSGfwC.bat

Filesize
204B

MD5
693f6c567679e71159cc18cbc4113113

SHA1
2ffe8d082269041f443560b973a9698e586db5e3

SHA256
eb993f75a196547d28f777bc62a9f8b2227c20e0953e28fa1f042911309b00f3

SHA512
d3c5cc822b8238d6a43aa55c97fc36f426d3835f1cb5a2d9e331bf45e418908c5231d91ee9bb9a6482ae7d6b69f19098db6e7897a0ed680453eb4d357eabd96f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIWruobvDye9.bat

Filesize
204B

MD5
b0743794ba971dfaf7d57a554f5b11af

SHA1
516806177bb92d6e197d8e7783679b1a3933e6dd

SHA256
14bf44e1a37ed678ac2d253e6dc27b343f386e1a524a7a1f0669f5a60f872245

SHA512
6b7c7a4f3374d0379af6b5bbff26b5eac19f3d5e619ecbd3f9a503eec11945b4c0f512265a92360e7720035582279e81ade4a4b99abfe2ed3248e57169626ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KNMGa1OPS7W3.bat

Filesize
204B

MD5
78269fd55d5513f2a570da72f7f530e4

SHA1
59c73cb7e141a26e06389a7be4e9481ec57d6ea4

SHA256
19886a6c47901125661ad4e0bb3bc169575bcb622d0ccf97a229da65fbe21d97

SHA512
45453a16688664828a07b4313686712434474748b0377fae7e218ace063dc24f115d86c914f1f39b92a344bfbf746309115d725c5cd121415b2c001ce1cf4ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\OrdxjwT6ibNa.bat

Filesize
204B

MD5
1d0dde50e11743f2f1fd28a764ffb181

SHA1
a3641b17d6abf461490e406f6ef83532e9ca50e2

SHA256
7baef77208b249d241b9c68799ce118448cc3f44343856449f1d1fdd4b140e30

SHA512
9b39e2b2fd781c3da2b0d8b2bf6974c2b7e2c6a3358376dd77c3410469f018f8299278a04c550f82ded03afe15c017184ec2e9f4261a5c743b2f6d56906b324c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UnQIp4FhtFC5.bat

Filesize
204B

MD5
8b56591473dff5799752b35c0e66d2da

SHA1
c0108e1bf53df278cf130c4bd3f2760b547a0738

SHA256
1f200ce536801a80e9a9878b37fcdb6b281bd30f8da638f6aa7a33ddc126bfb9

SHA512
4b3d3c936209e216e3597331d5591d7cc164f85e8b590775888ea895fa2a6b1b616828f7371afbbbcd69eaff3898d7b1c950df4f5f51eca35d12d3e72c41d0b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bYTjab33g9z5.bat

Filesize
204B

MD5
6b2fb2becca13fe9a096e8fc5a93924f

SHA1
defb5b5e033cf6b96e615a565d7cc51e269d0a56

SHA256
23e3b38b5a42a2503ee07d4522670d762b6634938c4cb0789256ef46694dfeeb

SHA512
821b4e64f282bc5f8f45b791de8a1b167c8a73bd6c8c91b72a14f10a9c4ccf0a96682bc9f78fd1731fa45e536bacf090f36633b8a5301f8cfd5ea6b065b73fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2txh0w01Arp.bat

Filesize
204B

MD5
e20cd8841235bef0e0166b45922a2ff6

SHA1
80267489d8a22f6776a5c11fa5fb0127ca81b2d8

SHA256
08dbfd8897878c7b90f15ede5686ae101aab07a845c3d1cee7e9601b879774b7

SHA512
6c9d49f401473da71935e886ebe0894872c731942aac844010926ee3521e2a235c7f901e3596c4454ffa356aee55e93087b5e4139d4c88e0a4b5eb4b43aa090d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fQ2ElVYGJgTm.bat

Filesize
204B

MD5
fac113feef64d65f36b8d266f6b62d9b

SHA1
f473a3026a9736dd6f33fb8482d1f4c344053d45

SHA256
c8977cf89f3bd4a351b5e0a703a4570d50e150a903f1260b40f40ba7ec0e619c

SHA512
5a62b79c34540d496ffae2cf90b2b5014393e97e1753dd7602154a0831c71422be6a612cbd1b2d9733ff11f9bcac6769c748869c5402be574d0a18f1fd13fd27

Download Submit
C:\Users\Admin\AppData\Local\Temp\fpXlkm2kk55k.bat

Filesize
204B

MD5
01b671d04603a428b654b31e737a1d14

SHA1
0ebfebf11f4c86e40138f633fa7d534f02372313

SHA256
f5925a08bea454828f67500d77fdcc360c65f4d41ac59a3b11de7436bd9aebae

SHA512
909e614359d9a9e090f38c263db9047cd01e27e21e27cc6995064c139b33211ca7c4eaeececf85a509500d176a223bc88b7261e3d5874b024741dc30c04849e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUW3pjEj8CDS.bat

Filesize
204B

MD5
581e8d0473ac4f6e636d479d82c6da1b

SHA1
a96b8052e816c0fa67a556117bbec734597087b8

SHA256
b64add7e5a5890d54cc367a02046e9bcc12018ec312feff7d7e5b57aba92461c

SHA512
2f9712a8ccf28dcf8d23af4b3b784d4fbf667bb370d7fbbd1aff5e778eaeb1e9ac09767e5327f7f14ace2fa14ba47fb415950577f6f59510d71c49d4b649c99b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jye7q2x25xFE.bat

Filesize
204B

MD5
8012db11e89459c7a463d61b32d29eac

SHA1
9e93eea14b106d83d09f144675aa12494105beeb

SHA256
561846235a95da7090a9b1e085186e96330041b16e571cf2b1dbfc202e01ab21

SHA512
919a17d187f678f1d234e527f92228c6bf1cd454e6547581ccf9545699c5b99cbbe6aea5626af8ea7dd50015af1e9efb759d54e53220c8c59651d4164260a079

Download Submit
C:\Users\Admin\AppData\Local\Temp\kki8nvmEBidQ.bat

Filesize
204B

MD5
338a3e0ef2b28082ed9deecf58053503

SHA1
3ec82e536a3f61c4e77be124216645ed1e9f9c8b

SHA256
af23b8ff868a6799f7973a2a4458a61288e84d1f2d9a015162b83895a95994de

SHA512
52471b7ccf67e5be8b74bebfa20206a72bbca78d69ddbcd2ae31e9da08570685702c7f902b3292f5f7fa1d4f5bf73f0ef4798f33f278083ecec1c445a911f4f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\qi1U4LTUEm7F.bat

Filesize
204B

MD5
022dff5ac21305801f5527ac258c35df

SHA1
0ac76d9a98a9d7782b224e1eae10415634bef04b

SHA256
2de032208b8764a37a269af1f71eb07359b90febd2e0ad0e199e9da171fb963f

SHA512
bdfa283ec6e180da66a5afd7e526893efb232d160da36eed2fba191eb7d2d0a89a9c805376a2ca47a1843b17a4c19799949ee44d46a0af96b5443bc53a150478

Download Submit
C:\Users\Admin\AppData\Local\Temp\tJB7Nj6wGQ94.bat

Filesize
204B

MD5
5436e9a799aa346e9a5d34ec8d3b25a8

SHA1
7d9b4f6cc78e1a0e8337da0c2da38b82e16bb313

SHA256
55076e07a589bce3ef2a42dc7a459b9417fd96e96cf207e1a07112c5da7b58ef

SHA512
9a3ee37839304aeecd4d4f197270f3d108a9c2aab0492997f353ab799671497007ff2a45c6324201b06827b66e490b92bc3626901e06924a538ac20f4c8ccfba

Download Submit
C:\Users\Admin\AppData\Local\Temp\wGkU1kyv941e.bat

Filesize
204B

MD5
8f44003a625de9b04de61cb04db1ac63

SHA1
5f62eefc6f80ef2cbe9030ddbdf1f4445192138d

SHA256
5c31d495bff1ae44badff0126d2ad5fa9734b4b26e2da3b9905a42f4603631d6

SHA512
e3d879ea6cb8bcd9300477238c5b974b0276eeffa2b6b4dd2c74f45c6155c1ad63df29f6a9db0f126b60043c06e3124ba4923a16dac2aee98bc4de4525aa4df3

Download Submit
memory/588-53-0x0000000000100000-0x0000000000424000-memory.dmp

Filesize
3.1MB

Download
memory/836-43-0x0000000000980000-0x0000000000CA4000-memory.dmp

Filesize
3.1MB

Download
memory/2392-63-0x0000000000210000-0x0000000000534000-memory.dmp

Filesize
3.1MB

Download
memory/2424-92-0x0000000001250000-0x0000000001574000-memory.dmp

Filesize
3.1MB

Download
memory/2600-33-0x00000000001E0000-0x0000000000504000-memory.dmp

Filesize
3.1MB

Download
memory/2604-13-0x0000000001350000-0x0000000001674000-memory.dmp

Filesize
3.1MB

Download
memory/2624-139-0x0000000001370000-0x0000000001694000-memory.dmp

Filesize
3.1MB

Download
memory/2676-0-0x000007FEF54C3000-0x000007FEF54C4000-memory.dmp

Filesize
4KB

Download
memory/2676-12-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp

Filesize
9.9MB

Download
memory/2676-2-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp

Filesize
9.9MB

Download
memory/2676-1-0x0000000000E40000-0x0000000001164000-memory.dmp

Filesize
3.1MB

Download
memory/2792-73-0x0000000000FC0000-0x00000000012E4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads