quasar | 7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2024 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Size

3.1MB
MD5

239c5f964b458a0a935a4b42d74bcbda
SHA1

7a037d3bd8817adf6e58734b08e807a84083f0ce
SHA256

7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c
SHA512

2e9e95d5097ce751d2a641a8fc7f8bc824a525a07bc06cd8a60580405fad90543ffa3259e6b2b2e97a70a3c3ed03e73b29f7cb9ebd10e7c62eaef2078805be19
SSDEEP

98304:mWV5SgjlbwPdRl5fGO4ZL0luiel9uRJk3HZ2b/aryTnrfvnM3A2Ozvhk:JTQzG

Score

10^/10

quasar zjeb discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

ZJEB

VIPEEK1990-25013.portmap.host:25013

Mutex

ad21b115-2c1b-40cb-adba-a50736b76c21

Attributes

encryption_key
3EBA8BC34FA983893A9B07B831E7CEB183F7492D
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Security Service
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/880-1-0x00000000006C0000-0x00000000009E4000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3520	PING.EXE
3868	PING.EXE
4552	PING.EXE
1736	PING.EXE
2856	PING.EXE
2860	PING.EXE
1192	PING.EXE
3516	PING.EXE
1084	PING.EXE
1244	PING.EXE
2736	PING.EXE
2896	PING.EXE
3588	PING.EXE
3648	PING.EXE
1048	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2860	PING.EXE
2896	PING.EXE
3588	PING.EXE
3516	PING.EXE
2856	PING.EXE
4552	PING.EXE
1736	PING.EXE
2736	PING.EXE
3648	PING.EXE
1048	PING.EXE
3520	PING.EXE
1084	PING.EXE
1244	PING.EXE
1192	PING.EXE
3868	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2096	schtasks.exe
3156	schtasks.exe
4696	schtasks.exe
4916	schtasks.exe
1864	schtasks.exe
1228	schtasks.exe
1756	schtasks.exe
2716	schtasks.exe
2856	schtasks.exe
456	schtasks.exe
3384	schtasks.exe
3484	schtasks.exe
3732	schtasks.exe
2232	schtasks.exe
832	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	880	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	3000	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	2352	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	5092	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	3120	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	4412	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	876	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	2996	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	2336	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	3996	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	1356	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	4500	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	4804	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	2328	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Token: SeDebugPrivilege	1088	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 1864	880	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	82
PID 880 wrote to memory of 1864	880	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	82
PID 880 wrote to memory of 2812	880	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	84
PID 880 wrote to memory of 2812	880	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	84
PID 2812 wrote to memory of 2736	2812	cmd.exe	86
PID 2812 wrote to memory of 2736	2812	cmd.exe	86
PID 2812 wrote to memory of 2896	2812	cmd.exe	87
PID 2812 wrote to memory of 2896	2812	cmd.exe	87
PID 2812 wrote to memory of 3000	2812	cmd.exe	88
PID 2812 wrote to memory of 3000	2812	cmd.exe	88
PID 3000 wrote to memory of 2856	3000	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	91
PID 3000 wrote to memory of 2856	3000	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	91
PID 3000 wrote to memory of 3688	3000	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	93
PID 3000 wrote to memory of 3688	3000	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	93
PID 3688 wrote to memory of 5104	3688	cmd.exe	95
PID 3688 wrote to memory of 5104	3688	cmd.exe	95
PID 3688 wrote to memory of 3520	3688	cmd.exe	96
PID 3688 wrote to memory of 3520	3688	cmd.exe	96
PID 3688 wrote to memory of 2352	3688	cmd.exe	102
PID 3688 wrote to memory of 2352	3688	cmd.exe	102
PID 2352 wrote to memory of 3732	2352	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	103
PID 2352 wrote to memory of 3732	2352	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	103
PID 2352 wrote to memory of 2504	2352	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	105
PID 2352 wrote to memory of 2504	2352	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	105
PID 2504 wrote to memory of 5028	2504	cmd.exe	107
PID 2504 wrote to memory of 5028	2504	cmd.exe	107
PID 2504 wrote to memory of 3588	2504	cmd.exe	108
PID 2504 wrote to memory of 3588	2504	cmd.exe	108
PID 2504 wrote to memory of 5092	2504	cmd.exe	110
PID 2504 wrote to memory of 5092	2504	cmd.exe	110
PID 5092 wrote to memory of 2232	5092	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	111
PID 5092 wrote to memory of 2232	5092	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	111
PID 5092 wrote to memory of 4132	5092	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	113
PID 5092 wrote to memory of 4132	5092	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	113
PID 4132 wrote to memory of 1800	4132	cmd.exe	115
PID 4132 wrote to memory of 1800	4132	cmd.exe	115
PID 4132 wrote to memory of 1736	4132	cmd.exe	116
PID 4132 wrote to memory of 1736	4132	cmd.exe	116
PID 4132 wrote to memory of 3120	4132	cmd.exe	118
PID 4132 wrote to memory of 3120	4132	cmd.exe	118
PID 3120 wrote to memory of 2096	3120	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	119
PID 3120 wrote to memory of 2096	3120	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	119
PID 3120 wrote to memory of 2176	3120	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	121
PID 3120 wrote to memory of 2176	3120	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	121
PID 2176 wrote to memory of 2132	2176	cmd.exe	123
PID 2176 wrote to memory of 2132	2176	cmd.exe	123
PID 2176 wrote to memory of 3516	2176	cmd.exe	124
PID 2176 wrote to memory of 3516	2176	cmd.exe	124
PID 2176 wrote to memory of 4412	2176	cmd.exe	125
PID 2176 wrote to memory of 4412	2176	cmd.exe	125
PID 4412 wrote to memory of 3156	4412	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	126
PID 4412 wrote to memory of 3156	4412	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	126
PID 4412 wrote to memory of 4504	4412	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	128
PID 4412 wrote to memory of 4504	4412	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	128
PID 4504 wrote to memory of 1916	4504	cmd.exe	130
PID 4504 wrote to memory of 1916	4504	cmd.exe	130
PID 4504 wrote to memory of 1084	4504	cmd.exe	131
PID 4504 wrote to memory of 1084	4504	cmd.exe	131
PID 4504 wrote to memory of 876	4504	cmd.exe	132
PID 4504 wrote to memory of 876	4504	cmd.exe	132
PID 876 wrote to memory of 456	876	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	133
PID 876 wrote to memory of 456	876	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	133
PID 876 wrote to memory of 3064	876	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	135
PID 876 wrote to memory of 3064	876	7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
"C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iWNCHSFwjRwZ.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2736
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2896
- - C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
    "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nTOM7oA8eh2a.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3688
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:5104
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3520
    - - C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        5⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2352
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3732
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tStOLpMnrogn.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:5028
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        7⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YA0zwHA5Mki5.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1800
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        9⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5mSBchYuT6FH.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2132
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        11⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0SuT1AqpsUnB.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1916
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        13⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5xKFkQQYZs3Z.bat" "
        14⤵
        
        PID:3064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:4772
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        15⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dlCCaHPxfdtC.bat" "
        16⤵
        
        PID:5112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1148
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        17⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zdzsitnNA9Pg.bat" "
        18⤵
        
        PID:4448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:116
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        19⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3996
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1228
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\66CFeZdWpM9b.bat" "
        20⤵
        
        PID:2780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:5108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        21⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DOgcHgb8WCyd.bat" "
        22⤵
        
        PID:2096
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1764
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        23⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4500
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uIpoLF8bqTqA.bat" "
        24⤵
        
        PID:4364
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:4748
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        25⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4804
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SfBRTCvysYTb.bat" "
        26⤵
        
        PID:2836
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:3924
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        27⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5A6UK2fIturR.bat" "
        28⤵
        
        PID:244
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:2684
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
        29⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        30⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2hdnbCnAsJrr.bat" "
        30⤵
        
        PID:1028
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:4916
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0SuT1AqpsUnB.bat

Filesize
261B

MD5
33970fb4480f99291136200211caad39

SHA1
f2a023c2e9e84d54fa7fb754ef15a4bfedc6a18d

SHA256
7cf7cab2de8443a0a7ef6514f0684175fc8ba5f88ad0bcb5ef828bc58a7f4a5e

SHA512
5eeff517c2fb5d7dc2db0607213f8e12bd75b7f05e5a100e78a82df01eee9645bc0bccc2e4a4b4a09fd83a119f5c18777b5482c59ff7fffa26d4748e03d77106

Download Submit
C:\Users\Admin\AppData\Local\Temp\2hdnbCnAsJrr.bat

Filesize
261B

MD5
222f6ccaa063651f68a58e3e3c5db94f

SHA1
f98456850dac87b028f2ef5f752497c6e9072177

SHA256
05b783b482b31a0a33123fc65189da54a776edb9d8553214e57d65b5bfffc1e3

SHA512
9e918b5b14c2bf9b407c02033da6210a3696b95897889bcb6271e7cc2b1ae85fc81d42f01da32265d395304b9b3d06413a900778247d1bb2f1715c8c714c1818

Download Submit
C:\Users\Admin\AppData\Local\Temp\5A6UK2fIturR.bat

Filesize
261B

MD5
7939d551a25bffa7f1c710ab3fd0f397

SHA1
5f2a2d1e6a9e7bcde175bb0b46c5e71d3ecf678c

SHA256
f2352e37ab09611f9a0ea679ea4f8f59c5e85e4f8ab14c6fea75c7c9f063d849

SHA512
7753201d05821718e6abeabfff65280f8bc30a7c4d1bf41b13bae49d6c04f732a07e2827e5fe23400a2b59ba072058602b33474f524e78c6539cd7473bb8c541

Download Submit
C:\Users\Admin\AppData\Local\Temp\5mSBchYuT6FH.bat

Filesize
261B

MD5
f461cbeb2f68c194073b3f82d202d4bf

SHA1
8fccbeb651b98b6cf8f9fc2604c910c67bfccf5e

SHA256
3d84794449f6db967a79afdf8e9f45cbb30b06d781fd6f73ae83e84e153dcd90

SHA512
aa9babf98922eb804a877a034daa5a89a5b93fa8e4614cb289507bd1a6298fecc7dd79cc5c2bf2b33cfd7f17c38e20ed3f56b9add5170f5ac27e6efd3ffc0c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\5xKFkQQYZs3Z.bat

Filesize
261B

MD5
fe02ed2f3cae65527f8ecca379d49ee8

SHA1
50fadf2ab0f1e85d2408d2658fdedc90c2bae3f8

SHA256
bdca10a7f0a65181595c6c77c520c6b9a11fea2c27b477510cf64d1214dbd541

SHA512
cd6bb14fb75aa20b2f933d1545dde4ac4d30dcd6503744503d075ad75f8655aaab4b818feaa40adf720c880e0bc89fe2493c62bb5a674b20b4f16277accfa96a

Download Submit
C:\Users\Admin\AppData\Local\Temp\66CFeZdWpM9b.bat

Filesize
261B

MD5
92864bab93fb19501b19369c48ed0eca

SHA1
628cbdfcacbe4e3cbe9bc8fe6d60dc4194d9820c

SHA256
dfa9c668661690e3eaa210be47957f1dadf3a91b08f8f79d868e81e9920a4b10

SHA512
d2a656ff4b144ebc4de7b8135bb2b4098bac7697e672b163c5236da3cd710ab793d1343f713e5ece54c2dd7f55b8816ce173e92e075fc0c847ffe94d23ae958a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DOgcHgb8WCyd.bat

Filesize
261B

MD5
62acf9009e9314b536133bdd1b127670

SHA1
0fcbbe7dc1217d6089714f5dad917a634f376513

SHA256
ce01477516cdd8138d8c551069c85ef3d26075bddca9e2bf681067cbbafa54e1

SHA512
ea270fd5341885a39a9dd240e7a35d290d7727cd6030dc0d74374c1e09558d915826dc8eaf993f10052d7e1af551535ba41fb1c84acfcae698c0d0b4a29e00b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SfBRTCvysYTb.bat

Filesize
261B

MD5
d9c25f34339f59d319a708d068ede9fd

SHA1
2d8ee7cd9a3c0ae907a174c43ef3cbcf5a9e02c2

SHA256
045c36ea28e51932beac454001e7283e9b784a529bb2b323744902adad7a7bc3

SHA512
aad4dc4b6ebff0b34165ff1ca41319da15d398e011dec77369e85f7b2f78bbdae775e837c4b1387d77cc9dcaf0d01fd4b56f549057a1c68ec1af5cdf53dca5d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\YA0zwHA5Mki5.bat

Filesize
261B

MD5
d80f1bf2254aa452915e554950c6647f

SHA1
c6d3291cb9b490a57dbdd9e991a9d7cb00f35d73

SHA256
c8984db3cd51fb798142d1a49e87a9d54c29eda68f78579e040e6ea3b22d6de6

SHA512
1d3ef19880af9d6a390faadd9d5c2cdba0a8d7420574a9a1314fda7a29675d403cde157c0c1397af95d8368660306b592d9eca34d69d96f13ac7e7da1cc0c0e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dlCCaHPxfdtC.bat

Filesize
261B

MD5
da6afad6ff342f778a5c8087f9d4ab26

SHA1
1a62ed5afa9aa0166d30170b033446c32b478377

SHA256
78033d7dcee1a2d7e820e68eeb8296b033dd2b49540d7c02506560cd99f1b3cb

SHA512
595ae7390cfa6d9a1c017d84767f5857bda611449e54323d3e39b20e177d899a255deeaea21628ed89417a30ba2cd1a63ba6302ace56f7803d3ed483069ea2ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\iWNCHSFwjRwZ.bat

Filesize
261B

MD5
0242ba6bb1292ab5334c9cf36d29a351

SHA1
d82dcb32f8ec239d30255b686289eaeb34305dbe

SHA256
1d02b14b590b76c0c68ffd817bddbb791405fe7056207dfc65cae04427090177

SHA512
f75db0d6adfc2b6843c87718f93c08652497367c74302d9fffcfab23346f7a1b207072840d14be534d848956fe3eaf23d52df438aece01bf168b592fdf93a57a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nTOM7oA8eh2a.bat

Filesize
261B

MD5
478815ba3ec478bdb658f3614d5f1716

SHA1
9d1892653ad31e767dceefb6f639e7b2e97319ac

SHA256
e6d8c63162eb286e1f303cdea3af2c5f3488b1a2653084e31e2abc633be55af1

SHA512
86ffde3d66aab163b3f8e02c62ca3fed5dde68cdf95a5c11637111a8722fb35dcff7ada07e2ff06c71b2ab2cfc8fbdeeb28eac6b7d4447a6eaee84ae330d2f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\tStOLpMnrogn.bat

Filesize
261B

MD5
75e58134d02132fc80989c4ceea5c72e

SHA1
9e0193aa9867d7918b86e95bfb8653ec1c05e023

SHA256
ac2616ac1d66454bc7230f8dc0111c02ae8a5d47a5b781000dc6dfef13c3f4e7

SHA512
7689cfce891b0ad90e4dfc59cef0e48b701427768118e9c64e299cdb718f305017b8ce5b799aa55d543103bfac1f60f09c00a6492fd15b9f6d4924c10dee8419

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIpoLF8bqTqA.bat

Filesize
261B

MD5
31d5313a8ff0f321c68b0c995756f75c

SHA1
688831df6f966377f121878a6f1ca02f6a1b1784

SHA256
0acfddfecd1bb1bf95b6832a94af1b6948f212245cb9c4b9bef0ee3d08b8301b

SHA512
d43f226301a8d1f948a90a00fee32aadd58a47c992e85335658e3edf4dfce206a706931b9d1cb6f889b814d48c1c0b4b807c684f2e2c2b899cdd58051e441382

Download Submit
C:\Users\Admin\AppData\Local\Temp\zdzsitnNA9Pg.bat

Filesize
261B

MD5
f52a950c4053e682653dbd4835c3b70d

SHA1
da1d709037fef5eb640c3d8defdbda46adbf373f

SHA256
4109ba8f5a188c040474367b2219cd175628d4145179dcf588834597425d037d

SHA512
83152ca10fbce5baa7c5c947031d15f07b4466c0ea3b2c40cd672e859cd212de7da1b1f4bcce6f5513013de169d049b4fa48128dfe92fc723c9738f1a29148fc

Download Submit
memory/880-0-0x00007FFCFD083000-0x00007FFCFD085000-memory.dmp

Filesize
8KB

Download
memory/880-9-0x00007FFCFD080000-0x00007FFCFDB41000-memory.dmp

Filesize
10.8MB

Download
memory/880-4-0x000000001D7D0000-0x000000001D882000-memory.dmp

Filesize
712KB

Download
memory/880-3-0x000000001B570000-0x000000001B5C0000-memory.dmp

Filesize
320KB

Download
memory/880-2-0x00007FFCFD080000-0x00007FFCFDB41000-memory.dmp

Filesize
10.8MB

Download
memory/880-1-0x00000000006C0000-0x00000000009E4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads