Analysis
max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
14-12-2024 11:47
Behavioral task
behavioral1
Sample
7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Resource
win7-20241010-en
General
Target
7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
Size
3.1MB
MD5
239c5f964b458a0a935a4b42d74bcbda
SHA1
7a037d3bd8817adf6e58734b08e807a84083f0ce
SHA256
7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c
SHA512
2e9e95d5097ce751d2a641a8fc7f8bc824a525a07bc06cd8a60580405fad90543ffa3259e6b2b2e97a70a3c3ed03e73b29f7cb9ebd10e7c62eaef2078805be19
SSDEEP
98304:mWV5SgjlbwPdRl5fGO4ZL0luiel9uRJk3HZ2b/aryTnrfvnM3A2Ozvhk:JTQzG
Malware Config
Extracted
quasar
1.4.1
ZJEB
VIPEEK1990-25013.portmap.host:25013
ad21b115-2c1b-40cb-adba-a50736b76c21
encryption_key
3EBA8BC34FA983893A9B07B831E7CEB183F7492D
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Security Service
subdirectory
SubDir
Signatures
Quasar family
Quasar payload 1 IoCs
resource: behavioral2/memory/1324-1-0x00000000005C0000-0x00000000008E4000-memory.dmp
yara_rule: family_quasar
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation
Process: 7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe (the identical row is recorded 15 times)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid / Process: 116, 1540, 3632, 3616, 3852, 2236, 4220, 4496, 1836, 3976, 4848, 4524, 1472, 2156, 992 (all PING.EXE)
Runs ping.exe 1 TTPs 15 IoCs
pid / Process: 3976, 4496, 1540, 1472, 3852, 1836, 3632, 4848, 3616, 2156, 116, 2236, 4524, 4220, 992 (all PING.EXE)
Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process: 4728, 3208, 1088, 1268, 3000, 1364, 1848, 1552, 1716, 3064, 336, 1492, 2104, 1216, 2440 (all schtasks.exe)
Suspicious use of AdjustPrivilegeToken 15 IoCs
description: Token: SeDebugPrivilege
pid / Process: 1324, 4324, 4264, 3688, 3144, 412, 2040, 3068, 3868, 1608, 4860, 4548, 1788, 2688, 4652 (all 7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe)
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry gives the process depth in the tree (a child runs one level deeper than its parent), its PID, image path, command line and the signatures it triggered.

depth 1  PID 1324  C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
  command: "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
  signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
depth 2  PID 3208  C:\Windows\SYSTEM32\schtasks.exe
  command: "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
depth 2  PID 948  C:\Windows\system32\cmd.exe
  command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2xEfYJhOaGbD.bat" "
  signatures: Suspicious use of WriteProcessMemory
depth 3  PID 1856  C:\Windows\system32\chcp.com
  command: chcp 65001
depth 3  PID 1472  C:\Windows\system32\PING.EXE
  command: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
depth 3  PID 4324  C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
  command: "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
  signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
depth 4  PID 1716  C:\Windows\SYSTEM32\schtasks.exe
  command: "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
depth 4  PID 3300  C:\Windows\system32\cmd.exe
  command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4ojcl0btPiyM.bat" "
  signatures: Suspicious use of WriteProcessMemory
depth 5  PID 1688  C:\Windows\system32\chcp.com
  command: chcp 65001
depth 5  PID 2156  C:\Windows\system32\PING.EXE
  command: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
depth 5  PID 4264  C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
  command: "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
  signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
depth 6  PID 1088  C:\Windows\SYSTEM32\schtasks.exe
  command: "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
depth 6  PID 3924  C:\Windows\system32\cmd.exe
  command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AgaGJ2Bt4lnD.bat" "
  signatures: Suspicious use of WriteProcessMemory
depth 7  PID 4828  C:\Windows\system32\chcp.com
  command: chcp 65001
depth 7  PID 3852  C:\Windows\system32\PING.EXE
  command: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
depth 7  PID 3688  C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
  command: "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
  signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
depth 8  PID 2104  C:\Windows\SYSTEM32\schtasks.exe
  command: "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
depth 8  PID 5084  C:\Windows\system32\cmd.exe
  command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\43jBt57uhH3C.bat" "
  signatures: Suspicious use of WriteProcessMemory
depth 9  PID 2052  C:\Windows\system32\chcp.com
  command: chcp 65001
depth 9  PID 3976  C:\Windows\system32\PING.EXE
  command: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
depth 9  PID 3144  C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
  command: "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
  signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
depth 10  PID 3064  C:\Windows\SYSTEM32\schtasks.exe
  command: "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
depth 10  PID 3012  C:\Windows\system32\cmd.exe
  command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bxftFGOpNBIB.bat" "
  signatures: Suspicious use of WriteProcessMemory
depth 11  PID 4496  C:\Windows\system32\chcp.com
  command: chcp 65001
depth 11  PID 116  C:\Windows\system32\PING.EXE
  command: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
depth 11  PID 412  C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
  command: "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
  signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
depth 12  PID 336  C:\Windows\SYSTEM32\schtasks.exe
  command: "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
depth 12  PID 1788  C:\Windows\system32\cmd.exe
  command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LLnvw9lKCdKQ.bat" "
  signatures: Suspicious use of WriteProcessMemory
depth 13  PID 4764  C:\Windows\system32\chcp.com
  command: chcp 65001
depth 13  PID 2236  C:\Windows\system32\PING.EXE
  command: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
depth 13  PID 2040  C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
  command: "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
  signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
depth 14  PID 3000  C:\Windows\SYSTEM32\schtasks.exe
  command: "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
depth 14  PID 3652  C:\Windows\system32\cmd.exe
  command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7NrKssaaiuDs.bat" "
depth 15  PID 4948  C:\Windows\system32\chcp.com
  command: chcp 65001
depth 15  PID 4848  C:\Windows\system32\PING.EXE
  command: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
depth 15  PID 3068  C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
  command: "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
  signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken
depth 16  PID 1268  C:\Windows\SYSTEM32\schtasks.exe
  command: "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
depth 16  PID 1880  C:\Windows\system32\cmd.exe
  command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0dt3DIAp0YpB.bat" "
depth 17  PID 3736  C:\Windows\system32\chcp.com
  command: chcp 65001
depth 17  PID 4524  C:\Windows\system32\PING.EXE
  command: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
depth 17  PID 3868  C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
  command: "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
  signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken
depth 18  PID 1364  C:\Windows\SYSTEM32\schtasks.exe
  command: "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
depth 18  PID 468  C:\Windows\system32\cmd.exe
  command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WOlrV1LFOz4s.bat" "
depth 19  PID 4808  C:\Windows\system32\chcp.com
  command: chcp 65001
depth 19  PID 4220  C:\Windows\system32\PING.EXE
  command: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
depth 19  PID 1608  C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
  command: "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
  signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken
depth 20  PID 1216  C:\Windows\SYSTEM32\schtasks.exe
  command: "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
depth 20  PID 2164  C:\Windows\system32\cmd.exe
  command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ggji4RJHBkwF.bat" "
depth 21  PID 2212  C:\Windows\system32\chcp.com
  command: chcp 65001
depth 21  PID 3616  C:\Windows\system32\PING.EXE
  command: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
depth 21  PID 4860  C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
  command: "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
  signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken
depth 22  PID 1848  C:\Windows\SYSTEM32\schtasks.exe
  command: "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
depth 22  PID 3036  C:\Windows\system32\cmd.exe
  command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qCydzg65nSae.bat" "
depth 23  PID 2464  C:\Windows\system32\chcp.com
  command: chcp 65001
depth 23  PID 4496  C:\Windows\system32\PING.EXE
  command: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
depth 23  PID 4548  C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
  command: "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
  signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken
depth 24  PID 1492  C:\Windows\SYSTEM32\schtasks.exe
  command: "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
depth 24  PID 868  C:\Windows\system32\cmd.exe
  command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HTCIVxJKPMCL.bat" "
depth 25  PID 3776  C:\Windows\system32\chcp.com
  command: chcp 65001
depth 25  PID 1540  C:\Windows\system32\PING.EXE
  command: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
depth 25  PID 1788  C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
  command: "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
  signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken
depth 26  PID 4728  C:\Windows\SYSTEM32\schtasks.exe
  command: "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
depth 26  PID 3644  C:\Windows\system32\cmd.exe
  command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\THpsCv7yClnA.bat" "
depth 27  PID 3684  C:\Windows\system32\chcp.com
  command: chcp 65001
depth 27  PID 992  C:\Windows\system32\PING.EXE
  command: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
depth 27  PID 2688  C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
  command: "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
  signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken
depth 28  PID 2440  C:\Windows\SYSTEM32\schtasks.exe
  command: "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
depth 28  PID 2380  C:\Windows\system32\cmd.exe
  command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIPxKgaET1h6.bat" "
depth 29  PID 3300  C:\Windows\system32\chcp.com
  command: chcp 65001
depth 29  PID 1836  C:\Windows\system32\PING.EXE
  command: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
depth 29  PID 4652  C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe
  command: "C:\Users\Admin\AppData\Local\Temp\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe"
  signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken
depth 30  PID 1552  C:\Windows\SYSTEM32\schtasks.exe
  command: "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  signatures: Scheduled Task/Job: Scheduled Task
depth 30  PID 1132  C:\Windows\system32\cmd.exe
  command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EUPCB6yYMhu6.bat" "
depth 31  PID 2556  C:\Windows\system32\chcp.com
  command: chcp 65001
depth 31  PID 3632  C:\Windows\system32\PING.EXE
  command: ping -n 10 localhost
  signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\7809ab9c004fbd18f185c7b54554440d7b31f201980aee6e0c62a97c0e4a984c.exe.log
Filesize
2KB
MD5
8f0271a63446aef01cf2bfc7b7c7976b
SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5