quasar | 7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-12-2024 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

seksiak.exe
Size

3.1MB
MD5

239c5f964b458a0a935a4b42d74bcbda
SHA1

7a037d3bd8817adf6e58734b08e807a84083f0ce
SHA256

7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c
SHA512

2e9e95d5097ce751d2a641a8fc7f8bc824a525a07bc06cd8a60580405fad90543ffa3259e6b2b2e97a70a3c3ed03e73b29f7cb9ebd10e7c62eaef2078805be19
SSDEEP

98304:mWV5SgjlbwPdRl5fGO4ZL0luiel9uRJk3HZ2b/aryTnrfvnM3A2Ozvhk:JTQzG

Score

10^/10

quasar zjeb discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

ZJEB

VIPEEK1990-25013.portmap.host:25013

Mutex

ad21b115-2c1b-40cb-adba-a50736b76c21

Attributes

encryption_key
3EBA8BC34FA983893A9B07B831E7CEB183F7492D
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Security Service
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/4380-1-0x0000000000DA0000-0x00000000010C4000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	seksiak.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	seksiak.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4720	PING.EXE
3416	PING.EXE
3424	PING.EXE
3700	PING.EXE
4436	PING.EXE
2564	PING.EXE
668	PING.EXE
3084	PING.EXE
2288	PING.EXE
1924	PING.EXE
408	PING.EXE
1148	PING.EXE
392	PING.EXE
3360	PING.EXE
3468	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1924	PING.EXE
4720	PING.EXE
3416	PING.EXE
2564	PING.EXE
4436	PING.EXE
3424	PING.EXE
3360	PING.EXE
3084	PING.EXE
408	PING.EXE
668	PING.EXE
392	PING.EXE
1148	PING.EXE
3468	PING.EXE
2288	PING.EXE
3700	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2540	schtasks.exe
1248	schtasks.exe
1464	schtasks.exe
2516	schtasks.exe
1604	schtasks.exe
4648	schtasks.exe
4492	schtasks.exe
2224	schtasks.exe
4468	schtasks.exe
3400	schtasks.exe
4900	schtasks.exe
3428	schtasks.exe
620	schtasks.exe
4840	schtasks.exe
4456	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	4380	seksiak.exe
Token: SeDebugPrivilege	1936	seksiak.exe
Token: SeDebugPrivilege	4404	seksiak.exe
Token: SeDebugPrivilege	936	seksiak.exe
Token: SeDebugPrivilege	1968	seksiak.exe
Token: SeDebugPrivilege	4432	seksiak.exe
Token: SeDebugPrivilege	4904	seksiak.exe
Token: SeDebugPrivilege	4292	seksiak.exe
Token: SeDebugPrivilege	2284	seksiak.exe
Token: SeDebugPrivilege	2368	seksiak.exe
Token: SeDebugPrivilege	1452	seksiak.exe
Token: SeDebugPrivilege	3384	seksiak.exe
Token: SeDebugPrivilege	3084	seksiak.exe
Token: SeDebugPrivilege	1924	seksiak.exe
Token: SeDebugPrivilege	1852	seksiak.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4380 wrote to memory of 4456	4380	seksiak.exe	82
PID 4380 wrote to memory of 4456	4380	seksiak.exe	82
PID 4380 wrote to memory of 3632	4380	seksiak.exe	84
PID 4380 wrote to memory of 3632	4380	seksiak.exe	84
PID 3632 wrote to memory of 820	3632	cmd.exe	86
PID 3632 wrote to memory of 820	3632	cmd.exe	86
PID 3632 wrote to memory of 3424	3632	cmd.exe	87
PID 3632 wrote to memory of 3424	3632	cmd.exe	87
PID 3632 wrote to memory of 1936	3632	cmd.exe	88
PID 3632 wrote to memory of 1936	3632	cmd.exe	88
PID 1936 wrote to memory of 1604	1936	seksiak.exe	89
PID 1936 wrote to memory of 1604	1936	seksiak.exe	89
PID 1936 wrote to memory of 4640	1936	seksiak.exe	91
PID 1936 wrote to memory of 4640	1936	seksiak.exe	91
PID 4640 wrote to memory of 4084	4640	cmd.exe	93
PID 4640 wrote to memory of 4084	4640	cmd.exe	93
PID 4640 wrote to memory of 668	4640	cmd.exe	94
PID 4640 wrote to memory of 668	4640	cmd.exe	94
PID 4640 wrote to memory of 4404	4640	cmd.exe	100
PID 4640 wrote to memory of 4404	4640	cmd.exe	100
PID 4404 wrote to memory of 620	4404	seksiak.exe	103
PID 4404 wrote to memory of 620	4404	seksiak.exe	103
PID 4404 wrote to memory of 1168	4404	seksiak.exe	105
PID 4404 wrote to memory of 1168	4404	seksiak.exe	105
PID 1168 wrote to memory of 1316	1168	cmd.exe	107
PID 1168 wrote to memory of 1316	1168	cmd.exe	107
PID 1168 wrote to memory of 392	1168	cmd.exe	108
PID 1168 wrote to memory of 392	1168	cmd.exe	108
PID 1168 wrote to memory of 936	1168	cmd.exe	110
PID 1168 wrote to memory of 936	1168	cmd.exe	110
PID 936 wrote to memory of 3428	936	seksiak.exe	111
PID 936 wrote to memory of 3428	936	seksiak.exe	111
PID 936 wrote to memory of 5080	936	seksiak.exe	113
PID 936 wrote to memory of 5080	936	seksiak.exe	113
PID 5080 wrote to memory of 4896	5080	cmd.exe	115
PID 5080 wrote to memory of 4896	5080	cmd.exe	115
PID 5080 wrote to memory of 3360	5080	cmd.exe	116
PID 5080 wrote to memory of 3360	5080	cmd.exe	116
PID 5080 wrote to memory of 1968	5080	cmd.exe	118
PID 5080 wrote to memory of 1968	5080	cmd.exe	118
PID 1968 wrote to memory of 4468	1968	seksiak.exe	119
PID 1968 wrote to memory of 4468	1968	seksiak.exe	119
PID 1968 wrote to memory of 4872	1968	seksiak.exe	121
PID 1968 wrote to memory of 4872	1968	seksiak.exe	121
PID 4872 wrote to memory of 3868	4872	cmd.exe	123
PID 4872 wrote to memory of 3868	4872	cmd.exe	123
PID 4872 wrote to memory of 3468	4872	cmd.exe	124
PID 4872 wrote to memory of 3468	4872	cmd.exe	124
PID 4872 wrote to memory of 4432	4872	cmd.exe	125
PID 4872 wrote to memory of 4432	4872	cmd.exe	125
PID 4432 wrote to memory of 2540	4432	seksiak.exe	126
PID 4432 wrote to memory of 2540	4432	seksiak.exe	126
PID 4432 wrote to memory of 4492	4432	seksiak.exe	128
PID 4432 wrote to memory of 4492	4432	seksiak.exe	128
PID 4492 wrote to memory of 2712	4492	cmd.exe	130
PID 4492 wrote to memory of 2712	4492	cmd.exe	130
PID 4492 wrote to memory of 3084	4492	cmd.exe	131
PID 4492 wrote to memory of 3084	4492	cmd.exe	131
PID 4492 wrote to memory of 4904	4492	cmd.exe	132
PID 4492 wrote to memory of 4904	4492	cmd.exe	132
PID 4904 wrote to memory of 4840	4904	seksiak.exe	133
PID 4904 wrote to memory of 4840	4904	seksiak.exe	133
PID 4904 wrote to memory of 2224	4904	seksiak.exe	135
PID 4904 wrote to memory of 2224	4904	seksiak.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\seksiak.exe
"C:\Users\Admin\AppData\Local\Temp\seksiak.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OgJRF7F2Vpof.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:820
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3424
- - C:\Users\Admin\AppData\Local\Temp\seksiak.exe
    "C:\Users\Admin\AppData\Local\Temp\seksiak.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XYkJQcjbA6lx.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4640
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4084
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:668
    - - C:\Users\Admin\AppData\Local\Temp\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\seksiak.exe"
        5⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4404
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:620
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FrTaYEWSxRbH.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1316
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\seksiak.exe"
        7⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vbatBm4n6Dry.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:4896
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\seksiak.exe"
        9⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M8bdbLJXaF1s.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:3868
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\seksiak.exe"
        11⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TFdJMO9IB44m.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2712
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\seksiak.exe"
        13⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b0RNMfkmgtw7.bat" "
        14⤵
        
        PID:2224
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2640
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\seksiak.exe"
        15⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4292
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\noibFf60ewvK.bat" "
        16⤵
        
        PID:3532
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\seksiak.exe"
        17⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1248
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aMarYWLOQQJ6.bat" "
        18⤵
        
        PID:688
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2776
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\seksiak.exe"
        19⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Q1cqUwusiTIc.bat" "
        20⤵
        
        PID:4184
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:936
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\seksiak.exe"
        21⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1452
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Dw9aRZQB4oPH.bat" "
        22⤵
        
        PID:2424
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2448
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\seksiak.exe"
        23⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3384
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gICvXvVG5wQd.bat" "
        24⤵
        
        PID:1420
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:4524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\seksiak.exe"
        25⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3084
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYeVhnEVdZJ9.bat" "
        26⤵
        
        PID:4160
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:1880
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\seksiak.exe"
        27⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fTviVZqLNWS1.bat" "
        28⤵
        
        PID:3012
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:2008
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\seksiak.exe
        
        "C:\Users\Admin\AppData\Local\Temp\seksiak.exe"
        29⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        30⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2516
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EDOBIudJFEdt.bat" "
        30⤵
        
        PID:2128
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:5020
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\seksiak.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dw9aRZQB4oPH.bat

Filesize
204B

MD5
6ce21f6ff90e79bb2f08138f8dc1b0d3

SHA1
b3af5f26e7bcc102de4135f9ada0a3ede2afba83

SHA256
9062bcaa6be78788e90561f47ce50e6768e24f8ac66c7bdbc4cb224cebf92413

SHA512
1228d599221acd78bab46e512288e55f55583bda132699419af5d4b46bc174732c24025e0a753eaaf33587e3692a9a84263c72649f82a90b8f63aec2e130ed4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EDOBIudJFEdt.bat

Filesize
204B

MD5
7be5f3d667e25f8f364b517daf791e9f

SHA1
5d2f2cb2f792115ad7a4df066f2fdc78e0d44504

SHA256
3442af3f83a327f02b31a0da5b12814659f6bd7eaaa9981156df310631635407

SHA512
c45c8d4742ceb1c5de447a94ae32ce0f650f45ee52c578f5a9d3c772bf6d1a009d96f8b8a6df5688a81fdeec4ecd70c198c4c35c721bb15c177f5385f1495fea

Download Submit
C:\Users\Admin\AppData\Local\Temp\FrTaYEWSxRbH.bat

Filesize
204B

MD5
d498d33ecdd894febc36ae01535cfa00

SHA1
0797b9cb7f40d6a305337016e307ae8f93f9d7b3

SHA256
09c0b3aac0c617cf1e88bae8450f0df9b73b368b2f1d90d94aa59989d73a66f6

SHA512
ce8cddd8b8749d28d3afa0f8b5c046dd3605185ec370725caf1b5c63bbd69f277cbf4bcef6e71279643e2e61245ce140f981ee8586dc7096563b45724e0a0364

Download Submit
C:\Users\Admin\AppData\Local\Temp\M8bdbLJXaF1s.bat

Filesize
204B

MD5
9322a82bb9d216c7f759b1b3bd103d68

SHA1
fce25a5df8b2234f52b33c2ec6ef0c0399efb7fa

SHA256
73e10a30b318cf546adf7d8c5406aa8962aee002f1730e456f049f97280ebad6

SHA512
66769a347695c7f41831b8874978f8292d3efeeec43e0b5d6330d9b511a3ee75a87f2d9d0fbe3c6c2ea6bae6507f51d29dda4e5c32c6473ed81b7d0c12586375

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgJRF7F2Vpof.bat

Filesize
204B

MD5
441c194cdb98ec0a6ce0ddda0b0e06e5

SHA1
fbc3fa39ade5fd11f60ce9bef7c8d765727ebd79

SHA256
65e79f1a23f314cbfefa76e9f963dd6671df8cf804f2ca9d606a672139aa32a0

SHA512
4276e1935ea4f46708a49978e997e21ab0d4304d1654a80f1c2b3c74585a27a48165ade41656d8600a78ece540ebf307634b83c13768e871be81454d36cf4fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q1cqUwusiTIc.bat

Filesize
204B

MD5
d1ee4b282d2f7361120a104543eadd68

SHA1
57fa2a4e84889ac432617dec70e97ab08fdcdae8

SHA256
0b1fb212ee4fb8ef21b5ba12d21fc3105c4d380bc372a1fbf620ca1950f5f8cc

SHA512
eeee568e5a6f285b1809d1ba2beb5d9ae090cfe14eef830a060c302053d8879afa5e1067ec186053fd802d520dde6f5daee51aa64aa32a1f2a701a9b97820aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TFdJMO9IB44m.bat

Filesize
204B

MD5
6c692bf5f001c30f9dd6b8e369c7e620

SHA1
e141c594d4a6d7c60203ade5e48e84f4625fb3b3

SHA256
a6ec612334efae80be5e8ceff0ab5b3a6b9f9598cd8eeebdbe996c1c13ac57c7

SHA512
69dea00b82ae1fe9cb9a7079b35ce62174cd2c0d8370717a51f61e641c903697d5c56c4ee78e8cef5eb4a27e7d624f1025c51c604354beda5916425918b4976c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XYkJQcjbA6lx.bat

Filesize
204B

MD5
9038d87aca19e63fb659b37a40ff7091

SHA1
116248a93aa976c7ea603253d2e53a1b0f7f3077

SHA256
25c5c4aae6bb8da9bb8943b42181e567c5e6860bc11e52b65e1454c7205a37c2

SHA512
14738dd90c42fc9bc2ca5da29e1946dbf69c1d80a52b2f5a24c0210e653f497f27ef9cac65cd9b0315d290d4bce5a29b3b27d6842f822e5ea4c3d3e8e7a3cee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMarYWLOQQJ6.bat

Filesize
204B

MD5
e567ac2837db37ca86d91ba328bda8cc

SHA1
7adef6d5ed3fbd269d7714d701ebdb191d0efe06

SHA256
040e09166025062b55dfc3e13b28864520eac27815b63f9dbdead96c515fe80a

SHA512
83db1b6f9d17ba11763b28686983f4429a9ec63860962e26858292c171cfb9be07c64d2e4985404e6192556cef73782e3a241a55717df63a9a612f26f4ba3fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\b0RNMfkmgtw7.bat

Filesize
204B

MD5
f9402a661feb8d1e3064aea3ff7a7f82

SHA1
b27c3b91d505070093b066985096f0f7393ac2b3

SHA256
aa040b4fb15b9a7996f8fcf31b45a00fabb7ce7e7d95cfea675d97542a38a272

SHA512
f3c0a0b78584b983b0fdf050d56a3acec0677314c5b97cdd8b17871bc6017d56a348fe72e8cf5c3b5972d4bf1d67f0bb104769d5bfebf82de312fa37fc44802b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fTviVZqLNWS1.bat

Filesize
204B

MD5
4fc1237d85f0552f7a1d0e38078bdd7b

SHA1
14f1417ccc8f1d693cddfbbaf5969c3117ba7982

SHA256
295f4a021b831137f88c4d63fd9efccb01bdba0335fcce2d08c602b46cdc3fd1

SHA512
7273357d5c589ff1f6ca1f602b46eeb9cd0202550cf74cfa745f73b7e1bffe04537a9900f7b221ca13110b842491e3da62128afe99dab42082f58f20b1d0e43b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gICvXvVG5wQd.bat

Filesize
204B

MD5
3c66dfdbed75cb1a3e81dd783b6a96c6

SHA1
6f3b580fd864d542b198c6e97ab8678e5747f760

SHA256
8b32cd48136dca41cb5355932a156f65dae9abe8bfc44ffacadbc219b35332fa

SHA512
62584d5769d9360db1647c5fc4130b3ace3b06697c3fa27ba495afdd74de655852835481365aa862b9cb5a8adb6fbc7e77bcce64bd890d612c79864e3688ab1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\noibFf60ewvK.bat

Filesize
204B

MD5
621d9a41a7950e7a4453b268e44eaff2

SHA1
06e96056b375a6d1a0f052227131776e9e40aac9

SHA256
4e9a2f79794a7ac8d1ffde1d810959e514bd15f24114bd82c3b6c00ddbfc271b

SHA512
8bd195257cb1c83291d570306fdddc1740fa711b99737b387c35e3f383bcb92e3d59f466d3d1855622ec30fbf303b4db0501ead42aaf35d26b06cc5644f38dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbatBm4n6Dry.bat

Filesize
204B

MD5
52b33a76640d23f734ca227bb2960986

SHA1
4e358aa2617520b877fd09b10ea077136774c65c

SHA256
e98a1c8356baf6829d5a5fce7e0f642e4e7afe8343dd628fbdb8147cebb1e014

SHA512
8b057cf9698f908bdcb9bfe1bdf8e036f3dd51cdbb783e4ac80419d11a73afaafa92348d0f92f3afeb4a33f5facce8c5b561bf704a938b07055c314abc5c8e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYeVhnEVdZJ9.bat

Filesize
204B

MD5
3676dfadaa2a1b8e5c42a7af76573e60

SHA1
9476b894777ab3677a2e990dffad0793194714ab

SHA256
0d89443cb498b12feb53c4e99f17b7b202788fb719aa57fec884fc1dc9ade73b

SHA512
b4c436538deb1574ab1432ad51fced5a11bd18abd0b1c41d50be987343483d8b398037cfcc564f8ba58755376094766cf244dddfad3de2006145c258f7530ff6

Download Submit
memory/4380-0-0x00007FFC2E373000-0x00007FFC2E375000-memory.dmp

Filesize
8KB

Download
memory/4380-9-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/4380-4-0x000000001DDF0000-0x000000001DEA2000-memory.dmp

Filesize
712KB

Download
memory/4380-3-0x0000000003240000-0x0000000003290000-memory.dmp

Filesize
320KB

Download
memory/4380-2-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/4380-1-0x0000000000DA0000-0x00000000010C4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads