quasar | 7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c

Analysis

max time kernel
143s
max time network
123s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
14-12-2024 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Size

3.1MB
MD5

239c5f964b458a0a935a4b42d74bcbda
SHA1

7a037d3bd8817adf6e58734b08e807a84083f0ce
SHA256

7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c
SHA512

2e9e95d5097ce751d2a641a8fc7f8bc824a525a07bc06cd8a60580405fad90543ffa3259e6b2b2e97a70a3c3ed03e73b29f7cb9ebd10e7c62eaef2078805be19
SSDEEP

98304:mWV5SgjlbwPdRl5fGO4ZL0luiel9uRJk3HZ2b/aryTnrfvnM3A2Ozvhk:JTQzG

Score

10^/10

quasar zjeb discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

ZJEB

VIPEEK1990-25013.portmap.host:25013

Mutex

ad21b115-2c1b-40cb-adba-a50736b76c21

Attributes

encryption_key
3EBA8BC34FA983893A9B07B831E7CEB183F7492D
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Security Service
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 9 IoCs

resource	yara_rule
behavioral1/memory/1684-1-0x0000000001030000-0x0000000001354000-memory.dmp	family_quasar
behavioral1/memory/2684-13-0x0000000001330000-0x0000000001654000-memory.dmp	family_quasar
behavioral1/memory/2240-33-0x0000000000140000-0x0000000000464000-memory.dmp	family_quasar
behavioral1/memory/2136-43-0x0000000000340000-0x0000000000664000-memory.dmp	family_quasar
behavioral1/memory/2560-54-0x0000000000CC0000-0x0000000000FE4000-memory.dmp	family_quasar
behavioral1/memory/1036-74-0x0000000000390000-0x00000000006B4000-memory.dmp	family_quasar
behavioral1/memory/2936-84-0x0000000000DB0000-0x00000000010D4000-memory.dmp	family_quasar
behavioral1/memory/3044-94-0x0000000000100000-0x0000000000424000-memory.dmp	family_quasar
behavioral1/memory/1248-104-0x00000000013D0000-0x00000000016F4000-memory.dmp	family_quasar

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2636	PING.EXE
2268	PING.EXE
300	PING.EXE
2276	PING.EXE
1252	PING.EXE
2304	PING.EXE
2752	PING.EXE
1348	PING.EXE
1040	PING.EXE
2708	PING.EXE
3036	PING.EXE
2288	PING.EXE
2288	PING.EXE
1576	PING.EXE
980	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2708	PING.EXE
3036	PING.EXE
2752	PING.EXE
2304	PING.EXE
300	PING.EXE
2288	PING.EXE
2276	PING.EXE
2288	PING.EXE
1252	PING.EXE
2636	PING.EXE
2268	PING.EXE
1576	PING.EXE
1348	PING.EXE
980	PING.EXE
1040	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2236	schtasks.exe
1536	schtasks.exe
2488	schtasks.exe
1332	schtasks.exe
1304	schtasks.exe
1124	schtasks.exe
920	schtasks.exe
2060	schtasks.exe
2944	schtasks.exe
1472	schtasks.exe
2368	schtasks.exe
1112	schtasks.exe
1556	schtasks.exe
2008	schtasks.exe
2984	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1684	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	2684	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	2552	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	2240	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	2136	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	2560	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	2580	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	1036	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	2936	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	3044	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	1248	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	872	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	1052	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	868	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	2420	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2008	1684	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	30
PID 1684 wrote to memory of 2008	1684	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	30
PID 1684 wrote to memory of 2008	1684	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	30
PID 1684 wrote to memory of 2572	1684	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	32
PID 1684 wrote to memory of 2572	1684	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	32
PID 1684 wrote to memory of 2572	1684	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	32
PID 2572 wrote to memory of 2856	2572	cmd.exe	34
PID 2572 wrote to memory of 2856	2572	cmd.exe	34
PID 2572 wrote to memory of 2856	2572	cmd.exe	34
PID 2572 wrote to memory of 2288	2572	cmd.exe	35
PID 2572 wrote to memory of 2288	2572	cmd.exe	35
PID 2572 wrote to memory of 2288	2572	cmd.exe	35
PID 2572 wrote to memory of 2684	2572	cmd.exe	37
PID 2572 wrote to memory of 2684	2572	cmd.exe	37
PID 2572 wrote to memory of 2684	2572	cmd.exe	37
PID 2684 wrote to memory of 2984	2684	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	38
PID 2684 wrote to memory of 2984	2684	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	38
PID 2684 wrote to memory of 2984	2684	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	38
PID 2684 wrote to memory of 2844	2684	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	40
PID 2684 wrote to memory of 2844	2684	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	40
PID 2684 wrote to memory of 2844	2684	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	40
PID 2844 wrote to memory of 2688	2844	cmd.exe	42
PID 2844 wrote to memory of 2688	2844	cmd.exe	42
PID 2844 wrote to memory of 2688	2844	cmd.exe	42
PID 2844 wrote to memory of 2708	2844	cmd.exe	43
PID 2844 wrote to memory of 2708	2844	cmd.exe	43
PID 2844 wrote to memory of 2708	2844	cmd.exe	43
PID 2844 wrote to memory of 2552	2844	cmd.exe	44
PID 2844 wrote to memory of 2552	2844	cmd.exe	44
PID 2844 wrote to memory of 2552	2844	cmd.exe	44
PID 2552 wrote to memory of 920	2552	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	45
PID 2552 wrote to memory of 920	2552	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	45
PID 2552 wrote to memory of 920	2552	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	45
PID 2552 wrote to memory of 2940	2552	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	47
PID 2552 wrote to memory of 2940	2552	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	47
PID 2552 wrote to memory of 2940	2552	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	47
PID 2940 wrote to memory of 2920	2940	cmd.exe	49
PID 2940 wrote to memory of 2920	2940	cmd.exe	49
PID 2940 wrote to memory of 2920	2940	cmd.exe	49
PID 2940 wrote to memory of 3036	2940	cmd.exe	50
PID 2940 wrote to memory of 3036	2940	cmd.exe	50
PID 2940 wrote to memory of 3036	2940	cmd.exe	50
PID 2940 wrote to memory of 2240	2940	cmd.exe	51
PID 2940 wrote to memory of 2240	2940	cmd.exe	51
PID 2940 wrote to memory of 2240	2940	cmd.exe	51
PID 2240 wrote to memory of 2488	2240	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	52
PID 2240 wrote to memory of 2488	2240	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	52
PID 2240 wrote to memory of 2488	2240	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	52
PID 2240 wrote to memory of 2512	2240	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	54
PID 2240 wrote to memory of 2512	2240	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	54
PID 2240 wrote to memory of 2512	2240	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	54
PID 2512 wrote to memory of 2272	2512	cmd.exe	56
PID 2512 wrote to memory of 2272	2512	cmd.exe	56
PID 2512 wrote to memory of 2272	2512	cmd.exe	56
PID 2512 wrote to memory of 2636	2512	cmd.exe	57
PID 2512 wrote to memory of 2636	2512	cmd.exe	57
PID 2512 wrote to memory of 2636	2512	cmd.exe	57
PID 2512 wrote to memory of 2136	2512	cmd.exe	58
PID 2512 wrote to memory of 2136	2512	cmd.exe	58
PID 2512 wrote to memory of 2136	2512	cmd.exe	58
PID 2136 wrote to memory of 1472	2136	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	59
PID 2136 wrote to memory of 1472	2136	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	59
PID 2136 wrote to memory of 1472	2136	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	59
PID 2136 wrote to memory of 1100	2136	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
"C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2008
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Krc8mqZzHv4s.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2856
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2288
- - C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
    "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2984
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\ybnni91kJxW5.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2688
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2708
    - - C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2552
      - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:920
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ymvaTEUH7q75.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2920
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2488
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vjgbHK4sPvGc.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2272
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1472
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BErq8Tu6CFI8.bat" "
        10⤵
        
        PID:1100
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:776
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1332
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\3qUGXPlbi9Tm.bat" "
        12⤵
        
        PID:836
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:3048
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        13⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2060
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\6jqNmrLj64xu.bat" "
        14⤵
        
        PID:2344
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2340
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        15⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2368
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\G58WRuw5dYZX.bat" "
        16⤵
        
        PID:2880
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2164
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        17⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2236
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\E6zmZqUOoO5H.bat" "
        18⤵
        
        PID:1908
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2728
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        19⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2944
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\f8IMsjfM8AVV.bat" "
        20⤵
        
        PID:2920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2736
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        21⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1304
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Aoh5OVNcMuz7.bat" "
        22⤵
        
        PID:2508
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:540
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        23⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1124
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eNk2r8SWkzHy.bat" "
        24⤵
        
        PID:1364
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1700
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        25⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1536
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QxZq3dOWvHId.bat" "
        26⤵
        
        PID:304
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:1756
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        27⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1112
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hKQW6U3kPDEr.bat" "
        28⤵
        
        PID:2080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:2220
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        29⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        30⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1556
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Gnmis302iTaC.bat" "
        30⤵
        
        PID:656
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:1232
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3qUGXPlbi9Tm.bat

Filesize
261B

MD5
086d8fcc6a0ea2bf343de6937fae30a0

SHA1
113620913270d65f0920c0ce6a259add9fa41ef1

SHA256
5014dee117abc78527c566fdd3bb4dbd1d586bcfb1bb7847a1bd175422b5e400

SHA512
1d2f6bd26820efc173a991cb0be56789534d42457b15c15ccf908fe30603b38d74f11d1b4bd87d5fb2285a03cc07fe9ed133395d38fee9073127fef78cb46c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\6jqNmrLj64xu.bat

Filesize
261B

MD5
5f3a292d07fd4933ca67e0444e2ce879

SHA1
0d0921ba153e76386cdb8cb6a411df219157c111

SHA256
969e7f0836437bf5d4a5635f0e77bb11c10001223ec359a33dc09f5f3cbfd3b2

SHA512
a6384069ca3de66af6e90891456774b3753fddc955ed609128138b94a003df75385d5ab753c4c19e5d458aae6bca999db1bb148d1db9986dfd93912307e83844

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aoh5OVNcMuz7.bat

Filesize
261B

MD5
32b363beac4ca3d0c9917e8d0f6bbf53

SHA1
061563830c5e659ca1b0c98c362e4fe5cbe6b240

SHA256
e761f879603b1df71f370d430fb8564db8da3cc92c8315b1831e051c96b56f15

SHA512
cf31bec09ea4eb98be669efd4b76e58cb3f390301b59e9850f3715d9eaf1a4a0712560e095684d1fc70c279e9ed8b8d005cf02e83466f7dfb0726cbdb18d4e43

Download Submit
C:\Users\Admin\AppData\Local\Temp\BErq8Tu6CFI8.bat

Filesize
261B

MD5
95b7d6970b68021c43cf567b9ebca2d0

SHA1
7af7d535a8ff56fe50de22d42fc1d2638b64fd43

SHA256
e6248ed1a7087315dec899a85f57de2f38a6593ec9ec52de6315023f02f29af3

SHA512
a3af51fdc6d4cfc97dd1be04a4dbe07a7ea59783eda8b770c069a6208b4925b7d383548612b2ac01ac022408c00a1a1920bccca1f2d2573ed85fc2ee21f8b6ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\E6zmZqUOoO5H.bat

Filesize
261B

MD5
5c2d95d480730d3961eb457c17b817d2

SHA1
9b4fa5b76e93edfc166bd3c9a7fc34c69f3ec7bc

SHA256
bcbebaaca97794aa4df512286c21fa1c3e4fe088b41efed279d59e22e7d1807c

SHA512
143a8a189c79980f17af038ab2cb5e4d37df61612859fe56e2f2eaffbeed882101611cb61e27344ff78786d222067c501482ecb92624840aec198240bf956309

Download Submit
C:\Users\Admin\AppData\Local\Temp\G58WRuw5dYZX.bat

Filesize
261B

MD5
e842d6f800120dc4913d891b1dab86f7

SHA1
46661b4dd399a360df65d7d4f92fddfea516765b

SHA256
fa7f0c6204976903de51965e69e0058cde5e69bfa2ebd146d78574e8d3e60886

SHA512
a6c2da8927aefa6e173499f7206060d6287ddebc159a5dd10470ef1b231df192b287a821f0717af6b8091061ac0468ecd4bd643b0651d37b2fa8c98c27fddcc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gnmis302iTaC.bat

Filesize
261B

MD5
474a35d521d93cacd6ef84a9e24de13e

SHA1
45732613b7f0b8a8623bdf19a7ff5dfa4c55b626

SHA256
2efe408fcd0c4247159bae5ef0671d9c51e9de577886bc1de6d7bcdcb28e3d24

SHA512
2dec0495bce2e18f3887c72567c9f513b728c77cc6fcfddbaa051f4262a62f7b1428d792397a8f1aa58e84f8db32a544714a23fc81810f5650b4326942850990

Download Submit
C:\Users\Admin\AppData\Local\Temp\Krc8mqZzHv4s.bat

Filesize
261B

MD5
c7fb423970674150f5cc9dd54c6a9f8d

SHA1
d020f89b0c8b8430f1a0cd44ca0d16fe29725ae2

SHA256
d9a687b62b8f837c4bc0bc9b96a8f32db399afdd71fc08382b33cc8de1dd5457

SHA512
02b793724c07e923c90e01cf7ff67b69e70a609f6598e8f1c22d8b0c025daa1dd1eeff36e5d3d45d1b9b50da9ddab9cca8c654fbd2235a7e6483b5cf4a4ff47e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QxZq3dOWvHId.bat

Filesize
261B

MD5
e5da54bc0cec7442ba10f5fcfae93142

SHA1
0ac5ebbb37ca22b1c343c3eb8da72a57c9237364

SHA256
23463fe32a1c5f512d76cf969cdebf83033fadd56892f4d6765eb753357880ab

SHA512
0e7260ecb549b952e0185327912f60b2ae646ee5bfe85a2924f0e8e3a7a175b30d5fa3bc83895f0b2c1cc29d1790a40e4a480ec06125b0bed9368ad85cee7c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\eNk2r8SWkzHy.bat

Filesize
261B

MD5
96fae1f187ee7060d6be3e5adfd51f1c

SHA1
d2a95aeb4ac1df576c479712303a4b336a1a3346

SHA256
47f91fa600fcec8e888f876a3a1ef7d99a4b946d6696880f27239d47571b5640

SHA512
f1f9e42a2a1db6995ae392870f840a403ccfb0f07548573b7f0c03639c4bd31b248ee8748f823292440472e381472a0322559b01f4eb59dc31e1ac0a6209e1e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\f8IMsjfM8AVV.bat

Filesize
261B

MD5
c2d6ca43fcc818b58d7a8526990744aa

SHA1
2637ac2c7e1201546bc9da782fa9b26283566cf8

SHA256
07c39b886be97663e9385be06c377bac0f0d04dec4be50a2b64f1d82f3b17c21

SHA512
2f5c2c45a822cf57eae7f239c938cb96176842e61077d808c5a8628b209937d9920809844aa527be6896d182f0fc8d322ec57a0151f72e4a9c3f034bcea79f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\hKQW6U3kPDEr.bat

Filesize
261B

MD5
77815dcd5ef7261d24893348d819d266

SHA1
5a0274ca15cb6561dabdaca4b966cbbf8e240d24

SHA256
fb8b7d8481c94252d19147dd4bf31c56507d1a77954ad176a0fb91295bfcd4c5

SHA512
f1cf5ca847fd1029ed309e9800db7ff5fcece9b43d5ce783799d1e7edae9c66af7df66bd7416fc757536b7c80da9d4af92fb60249ec58e7c8750d0c13ed4e3de

Download Submit
C:\Users\Admin\AppData\Local\Temp\vjgbHK4sPvGc.bat

Filesize
261B

MD5
67f7f93da87468a6b4fe5f574f30943e

SHA1
4c852c48a4158311edd076c810bdf71bff3b35a2

SHA256
e12bcc112be1cb1214cf8c6d782dd20e2853f6a5e7a0ec091a9fbdeaee830cae

SHA512
f7c2ded85cb361faaa4dc0299bdfa1c960adcedae121df90f66f3567df6671b44965c0fb9c5bcad5d06c9c562f4011ebcc147ba4970cff923f39267e9b3b80aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ybnni91kJxW5.bat

Filesize
261B

MD5
3c5866f5d794a792ab2f4537d4e84f61

SHA1
e42ee165b14d031b511d63a229f10f4a437b82da

SHA256
b8b4f3f2da10393d8a85ad930132d5ccd8629c7a7bf2f18d0126db659d42d052

SHA512
71fff2902e2b35008c70320fcc5740c52e8fffe9bc65390462485ac0e846be0e076eb0923848f2f4e458824d8b9eb0ecd520d3f7944bd2730e56b25aa14388a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymvaTEUH7q75.bat

Filesize
261B

MD5
66d88f7227371e1cb4a0cf6ba84ee471

SHA1
f6085360d73d56c0d6ea30719a574502fba46ee5

SHA256
e500ed69e7e49624f0bcb81e09264fa629a07c7760ddccd1547939b4ef9f48ed

SHA512
e501186fae8bcb5b110f4ac915757e5e6290d922e4a5a0e0a7f81f68373c11cc340abba40fbf40d9a0c1bd8fc7471144e92136e77fbec56685b5ce1e34235337

Download Submit
memory/1036-74-0x0000000000390000-0x00000000006B4000-memory.dmp

Filesize
3.1MB

Download
memory/1248-104-0x00000000013D0000-0x00000000016F4000-memory.dmp

Filesize
3.1MB

Download
memory/1684-11-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/1684-0-0x000007FEF5BC3000-0x000007FEF5BC4000-memory.dmp

Filesize
4KB

Download
memory/1684-2-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/1684-1-0x0000000001030000-0x0000000001354000-memory.dmp

Filesize
3.1MB

Download
memory/2136-43-0x0000000000340000-0x0000000000664000-memory.dmp

Filesize
3.1MB

Download
memory/2240-33-0x0000000000140000-0x0000000000464000-memory.dmp

Filesize
3.1MB

Download
memory/2560-54-0x0000000000CC0000-0x0000000000FE4000-memory.dmp

Filesize
3.1MB

Download
memory/2684-13-0x0000000001330000-0x0000000001654000-memory.dmp

Filesize
3.1MB

Download
memory/2936-84-0x0000000000DB0000-0x00000000010D4000-memory.dmp

Filesize
3.1MB

Download
memory/3044-94-0x0000000000100000-0x0000000000424000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads