quasar | b2de1e13497b1864e100fea605fa1136adc6f782b1dea5f6fe5f11656b098c0e

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JY7XH_Client-built.exe
Size

3.1MB
MD5

f9fd797dbef56a3900d2fe9d0a6e2e86
SHA1

c5d002cc63bd21fa35fdad428ca4c909f34c4309
SHA256

b2de1e13497b1864e100fea605fa1136adc6f782b1dea5f6fe5f11656b098c0e
SHA512

c4d170855397e2e62d754883b2caab00d14f58787463924141d2077997ee03b25cd752565354c1c4cbace637cf1c053c45a162d0b61b31caa73f1ec70b998ce1
SSDEEP

49152:ivkt62XlaSFNWPjljiFa2RoUYIobRJ6MbR3LoGdNwhTHHB72eh2NT:iv462XlaSFNWPjljiFXRoUYIobRJ6WK

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

biseo-48321.portmap.host:48321

Mutex

cb74f432-50f1-4947-8163-7687a0292fb0

Attributes

encryption_key
D1BBEF3C04D88FE8F97EE2745041632CE9C760EE
install_name
Svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Svchost
subdirectory
Svchost

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/1180-1-0x0000000000A50000-0x0000000000D74000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023ca0-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Svchost.exe

Executes dropped EXE 15 IoCs

pid	Process
4700	Svchost.exe
704	Svchost.exe
1360	Svchost.exe
4796	Svchost.exe
2484	Svchost.exe
1444	Svchost.exe
2988	Svchost.exe
2396	Svchost.exe
492	Svchost.exe
2484	Svchost.exe
1992	Svchost.exe
3760	Svchost.exe
404	Svchost.exe
2720	Svchost.exe
1080	Svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2660	PING.EXE
2280	PING.EXE
2644	PING.EXE
2644	PING.EXE
3424	PING.EXE
1140	PING.EXE
2092	PING.EXE
4812	PING.EXE
3960	PING.EXE
2608	PING.EXE
4856	PING.EXE
2052	PING.EXE
4532	PING.EXE
4808	PING.EXE
2356	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2644	PING.EXE
2608	PING.EXE
2660	PING.EXE
4808	PING.EXE
2280	PING.EXE
2356	PING.EXE
4812	PING.EXE
4532	PING.EXE
4856	PING.EXE
2052	PING.EXE
2092	PING.EXE
3960	PING.EXE
1140	PING.EXE
2644	PING.EXE
3424	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4428	schtasks.exe
2940	schtasks.exe
4908	schtasks.exe
3328	schtasks.exe
1404	schtasks.exe
4944	schtasks.exe
4444	schtasks.exe
2740	schtasks.exe
4980	schtasks.exe
1616	schtasks.exe
5080	schtasks.exe
876	schtasks.exe
4560	schtasks.exe
4784	schtasks.exe
2772	schtasks.exe
2092	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1180	JY7XH_Client-built.exe
Token: SeDebugPrivilege	4700	Svchost.exe
Token: SeDebugPrivilege	704	Svchost.exe
Token: SeDebugPrivilege	1360	Svchost.exe
Token: SeDebugPrivilege	4796	Svchost.exe
Token: SeDebugPrivilege	2484	Svchost.exe
Token: SeDebugPrivilege	1444	Svchost.exe
Token: SeDebugPrivilege	2988	Svchost.exe
Token: SeDebugPrivilege	2396	Svchost.exe
Token: SeDebugPrivilege	492	Svchost.exe
Token: SeDebugPrivilege	2484	Svchost.exe
Token: SeDebugPrivilege	1992	Svchost.exe
Token: SeDebugPrivilege	3760	Svchost.exe
Token: SeDebugPrivilege	404	Svchost.exe
Token: SeDebugPrivilege	2720	Svchost.exe
Token: SeDebugPrivilege	1080	Svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 4784	1180	JY7XH_Client-built.exe	83
PID 1180 wrote to memory of 4784	1180	JY7XH_Client-built.exe	83
PID 1180 wrote to memory of 4700	1180	JY7XH_Client-built.exe	85
PID 1180 wrote to memory of 4700	1180	JY7XH_Client-built.exe	85
PID 4700 wrote to memory of 4980	4700	Svchost.exe	86
PID 4700 wrote to memory of 4980	4700	Svchost.exe	86
PID 4700 wrote to memory of 3148	4700	Svchost.exe	88
PID 4700 wrote to memory of 3148	4700	Svchost.exe	88
PID 3148 wrote to memory of 1880	3148	cmd.exe	90
PID 3148 wrote to memory of 1880	3148	cmd.exe	90
PID 3148 wrote to memory of 2092	3148	cmd.exe	91
PID 3148 wrote to memory of 2092	3148	cmd.exe	91
PID 3148 wrote to memory of 704	3148	cmd.exe	93
PID 3148 wrote to memory of 704	3148	cmd.exe	93
PID 704 wrote to memory of 1616	704	Svchost.exe	94
PID 704 wrote to memory of 1616	704	Svchost.exe	94
PID 704 wrote to memory of 4060	704	Svchost.exe	97
PID 704 wrote to memory of 4060	704	Svchost.exe	97
PID 4060 wrote to memory of 1800	4060	cmd.exe	99
PID 4060 wrote to memory of 1800	4060	cmd.exe	99
PID 4060 wrote to memory of 2644	4060	cmd.exe	100
PID 4060 wrote to memory of 2644	4060	cmd.exe	100
PID 4060 wrote to memory of 1360	4060	cmd.exe	103
PID 4060 wrote to memory of 1360	4060	cmd.exe	103
PID 1360 wrote to memory of 3328	1360	Svchost.exe	107
PID 1360 wrote to memory of 3328	1360	Svchost.exe	107
PID 1360 wrote to memory of 3656	1360	Svchost.exe	110
PID 1360 wrote to memory of 3656	1360	Svchost.exe	110
PID 3656 wrote to memory of 4544	3656	cmd.exe	112
PID 3656 wrote to memory of 4544	3656	cmd.exe	112
PID 3656 wrote to memory of 4812	3656	cmd.exe	113
PID 3656 wrote to memory of 4812	3656	cmd.exe	113
PID 3656 wrote to memory of 4796	3656	cmd.exe	121
PID 3656 wrote to memory of 4796	3656	cmd.exe	121
PID 4796 wrote to memory of 4428	4796	Svchost.exe	123
PID 4796 wrote to memory of 4428	4796	Svchost.exe	123
PID 4796 wrote to memory of 2608	4796	Svchost.exe	126
PID 4796 wrote to memory of 2608	4796	Svchost.exe	126
PID 2608 wrote to memory of 764	2608	cmd.exe	128
PID 2608 wrote to memory of 764	2608	cmd.exe	128
PID 2608 wrote to memory of 4532	2608	cmd.exe	129
PID 2608 wrote to memory of 4532	2608	cmd.exe	129
PID 2608 wrote to memory of 2484	2608	cmd.exe	130
PID 2608 wrote to memory of 2484	2608	cmd.exe	130
PID 2484 wrote to memory of 1404	2484	Svchost.exe	131
PID 2484 wrote to memory of 1404	2484	Svchost.exe	131
PID 2484 wrote to memory of 756	2484	Svchost.exe	133
PID 2484 wrote to memory of 756	2484	Svchost.exe	133
PID 756 wrote to memory of 3148	756	cmd.exe	136
PID 756 wrote to memory of 3148	756	cmd.exe	136
PID 756 wrote to memory of 2660	756	cmd.exe	137
PID 756 wrote to memory of 2660	756	cmd.exe	137
PID 756 wrote to memory of 1444	756	cmd.exe	138
PID 756 wrote to memory of 1444	756	cmd.exe	138
PID 1444 wrote to memory of 2940	1444	Svchost.exe	139
PID 1444 wrote to memory of 2940	1444	Svchost.exe	139
PID 1444 wrote to memory of 3124	1444	Svchost.exe	142
PID 1444 wrote to memory of 3124	1444	Svchost.exe	142
PID 3124 wrote to memory of 2820	3124	cmd.exe	144
PID 3124 wrote to memory of 2820	3124	cmd.exe	144
PID 3124 wrote to memory of 2644	3124	cmd.exe	145
PID 3124 wrote to memory of 2644	3124	cmd.exe	145
PID 3124 wrote to memory of 2988	3124	cmd.exe	147
PID 3124 wrote to memory of 2988	3124	cmd.exe	147

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JY7XH_Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\JY7XH_Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4784
- C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe
  "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BwGEGsT7mvcN.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3148
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1880
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2092
  - - C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe
      "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:704
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1616
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9c6kxSCxmzT4.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4060
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1800
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2644
      - C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zupqjirwL1GJ.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4544
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4812
        
        C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\V3QlQhcTducT.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:764
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4532
        
        C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Tjb8mToTOz6v.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3148
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2660
        
        C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AJNVYORomHe0.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2820
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2644
        
        C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\V7CuBc9IsL6m.bat" "
        15⤵
        
        PID:1308
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:64
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3960
        
        C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GG6c6i2zruL3.bat" "
        17⤵
        
        PID:2200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1640
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3424
        
        C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:492
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2772
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c7D2Jd4fh0px.bat" "
        19⤵
        
        PID:1272
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4560
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2608
        
        C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OBCGaLAlwrd9.bat" "
        21⤵
        
        PID:2660
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:488
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4856
        
        C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eVRmCwaytFMO.bat" "
        23⤵
        
        PID:1688
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1856
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2052
        
        C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3760
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GQBQB15VluzH.bat" "
        25⤵
        
        PID:3972
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2352
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1140
        
        C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:404
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4908
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VU7AoefmyLEa.bat" "
        27⤵
        
        PID:2404
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3860
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4808
        
        C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1RxbVSUuSIsY.bat" "
        29⤵
        
        PID:1088
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:5088
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2280
        
        C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2740
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anpt7tHZTh9z.bat" "
        31⤵
        
        PID:708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:4504
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Svchost.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1RxbVSUuSIsY.bat

Filesize
209B

MD5
623b8dc77806eae78722370e3f143bba

SHA1
dcd72ea51f9679b75ef5736cc4a3ef9237a103d9

SHA256
0d5090dc40c6b26091c543f1bf077d009544cdd005f6e9431bffce4ce8118a02

SHA512
bcdfd53af388e11a1da21281476a18fd757f546341baf63f4b6334c19313bf7edf4615be7af8e49d24a66c9fd6294a394ed25b7925501566f5c2507f26f6313c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c6kxSCxmzT4.bat

Filesize
209B

MD5
a72a42eddabeccb1b780484cca24452a

SHA1
d68b20ddb8d84674f09454adb898889d83ea25ee

SHA256
3f8b255a21e279bc31deeb99f8dbd1ccd6eff0e984cce27f94df92229c7221a1

SHA512
fc7aeec88a8d5557371b88f82d82e1790b818cc9342f29376effac0f0610c42d283257ab0cfa154cbe2add3ab938b093ff588ff7f2a6d615ba7de43876ce8922

Download Submit
C:\Users\Admin\AppData\Local\Temp\AJNVYORomHe0.bat

Filesize
209B

MD5
7b80c5d6072569f012bf76a9f40a5883

SHA1
84b3e84c2b0a3173e9a589f911c436eda68bf644

SHA256
85e0f3bca380d6683d1a5981ce7814c0be74932b8784e35b05a709de187dafa0

SHA512
548cf93a69109e80fbaa3a3ef06da1da43ee62fff82e7eed18e4565283c975bc645407f69e27dc54e246a1a819f38fccfabb6e275729e856b8b64773f33ba1a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\BwGEGsT7mvcN.bat

Filesize
209B

MD5
cd536d190179b16dc59716d47de20afb

SHA1
503570af7c93ca59bed55fd863b1ed4d32a58269

SHA256
082df1bbc572ece0531541b311edc819bb9abf4b1d34b3f2235d5a8893d58572

SHA512
74847e7bc38c1d151a9f7ce00276a65066e3ab109154b5533013188ba20d21ecaabd83a8bd4ead4438b713f8c8d32468f48818f95fbd0ea5fbcd02bb948869d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GG6c6i2zruL3.bat

Filesize
209B

MD5
de6e49cea017a3c83c95b593b3be8dc0

SHA1
135d7424c08bb1b6452ae22b776dfc42b5c23793

SHA256
6b6f633d0ac0c7fc78bf33e9ac0b881b5473681dcad097479a67dc6fb6d2c8c1

SHA512
a1414f5394f591289109d57888ca97da632f34cfc3a1790ab7979d1914017c22a9cca9bf507766873d2e1b7b228952ddc81c2d2cfa6a6bdb40d2087c72407389

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQBQB15VluzH.bat

Filesize
209B

MD5
b817eff39ad39ffaf396a676f72d4142

SHA1
e470efdd0cbe95a04e5c57992c3efedd6c6ac43c

SHA256
5ad8895fab1ccb578ec5a2b45e6b1597d62d4db97cb9c3449f7d91e8bf4cd53e

SHA512
b1e6caa4b8b64c034e67df0e680c1fe8411622c8b8385f922434964240ff6d8977c5b5a9fc91d12a97a10f63409309c0f9101b465ae616b8530ce7161c256bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\OBCGaLAlwrd9.bat

Filesize
209B

MD5
9114690253807ffe0e1d6fad38470efa

SHA1
0652a2c5b9e82b3bb3e2558e66829372423c98dd

SHA256
5f849bc2e38852f2558d1100d8e945a3cb10f5b42caad1236700031d42d0ede8

SHA512
830e134058c3249d1c73b4330aa8cdf8a1d61444d2813101ef6173a0f7bd82e6c3e0afa814fb2a25c8d8cc258389558a4ec3b806dd100584429b0bedda76847d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tjb8mToTOz6v.bat

Filesize
209B

MD5
ae830c4c95ed5251ec77bfa0a7ff4bc7

SHA1
a715c006763ab5ebbab2a63c294d81fbbef763eb

SHA256
9656c1303b403f8b78e2233937eecc9247b23ad71c06c52ece79bd31b2baa37f

SHA512
8d0cbaf3f235c7b355a478e118b4e3e42ea93cdc2f5dc853eda59935b2c9ea33d743acebe18f96b1880733200666fd617fe562c28fce1d4693e07909debbda0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\V3QlQhcTducT.bat

Filesize
209B

MD5
727a26012bda0eba8cff9525b7317b35

SHA1
309b380c94818dcca2e765eb16001afdf7918955

SHA256
0b84691d861cb70596f29ec98dcfd463a8e0c0718f276de84e77acaf2d00b556

SHA512
7914f16eaa35bc9af774524285ee181cebbfdaa6d984c5f7e68f2fb73abe5d7e13b5366d3e6259115c6f6b11d2862c3907e5e3b70749faa263d92d44beddd2e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\V7CuBc9IsL6m.bat

Filesize
209B

MD5
e724a4bd7e9d2b1e844ab81a1c40c86a

SHA1
60c6b3a395eac1f3dac20cd775214a607c98fb75

SHA256
02f2635a997c4b54af11a4fa494da5f2bbd34eda3f5213dc6c68a40e81d91bf4

SHA512
f4e8d1f00eb32ddc9ce3d4fbf0954bb254e08b316ee5deb5eb8a53d109efe6bb64fefaac65b65e362ad85227bad6da9ad75a57dbeef481a125849544eb0934f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\VU7AoefmyLEa.bat

Filesize
209B

MD5
2fc1c7c65e454a20f00bb7d781935fd9

SHA1
c8546bd311839642553c26afff5d911680902d6c

SHA256
dfa7cf64cb999843850a5f6fb6c231f1945cd7bbfa11ed1cd1b2c180ab6f26ac

SHA512
249003661e9c57070d8d4399aa65563bb65b509576a79c5e0da58c1ddeb5bbbf39f23c2537c3277b185c0f559cf79c95574eb86728738b501b0cff26b1677661

Download Submit
C:\Users\Admin\AppData\Local\Temp\anpt7tHZTh9z.bat

Filesize
209B

MD5
4a1d67e0759714a009d44bf900294507

SHA1
7e99d551e6cd1c838e1affe9ea994271e6cc7e38

SHA256
0de2a9ea366ed1756bcf92c558a00c84a06b809eba81ee4fedd11cea7b2e25e6

SHA512
e1325094b36ab24c0c5eacb1a83a3fcee534872fdbfc9371701808e85066751c9faeb1835b859e4d87188d1bd0cab311bb9ebaf5a7564f913db340677be26f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7D2Jd4fh0px.bat

Filesize
209B

MD5
b35b359f87490f1d588301d9ffcb11f9

SHA1
1e1ff5d2ef7d698ac57dd3f7f48608118c12c502

SHA256
e0a8996a839e7289a4fe59b0326d1dcd3efafa67c0a10cac2944f2be3eeedc2c

SHA512
ac49fc3cc7c4044ed6a1e9b0b90d5df875565137c00dfc9c3efcc779df4b97d874a52e3dfe06217f57fdc6c1d340c589a3b1e3c9cfc8a69258f3d6e2a59897fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\eVRmCwaytFMO.bat

Filesize
209B

MD5
44fcd930b2cd548ad848881ccb6b3c21

SHA1
9426c0cf14ce3a8e49359c725bf8201e5436d655

SHA256
c747878f61f7486df0e6ea150d5750683f4cfccb858a66b6935bb2619c921a63

SHA512
d989b7bfc33e92afe8b0250a02d3fd768dcd59247ef0898e70f153d16d52074a9005958953d417a316e7f03f18db8bb4e6058a2de8fcbeeb4ee3c08058e9daf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zupqjirwL1GJ.bat

Filesize
209B

MD5
b7748679a2fecea9c19dc36cf5653551

SHA1
6ea2b00627cef2c2535a5064ea20ab6adf7adb19

SHA256
59c1e26e73ffc88cfa252ea0f1d065193ea6c85af73851b09dc3b99f5f089c16

SHA512
bb48706be05acb755bdff729d948c5902ac12de865f10c3ced755433896aabc0d62813a9687ae458c76947fe00d5596c4397b0b15540e2ae5bc72151f4ca558a

Download Submit
C:\Users\Admin\AppData\Roaming\Svchost\Svchost.exe

Filesize
3.1MB

MD5
f9fd797dbef56a3900d2fe9d0a6e2e86

SHA1
c5d002cc63bd21fa35fdad428ca4c909f34c4309

SHA256
b2de1e13497b1864e100fea605fa1136adc6f782b1dea5f6fe5f11656b098c0e

SHA512
c4d170855397e2e62d754883b2caab00d14f58787463924141d2077997ee03b25cd752565354c1c4cbace637cf1c053c45a162d0b61b31caa73f1ec70b998ce1

Download Submit
memory/1180-0-0x00007FFE55323000-0x00007FFE55325000-memory.dmp

Filesize
8KB

Download
memory/1180-10-0x00007FFE55320000-0x00007FFE55DE1000-memory.dmp

Filesize
10.8MB

Download
memory/1180-2-0x00007FFE55320000-0x00007FFE55DE1000-memory.dmp

Filesize
10.8MB

Download
memory/1180-1-0x0000000000A50000-0x0000000000D74000-memory.dmp

Filesize
3.1MB

Download
memory/4700-17-0x00007FFE55320000-0x00007FFE55DE1000-memory.dmp

Filesize
10.8MB

Download
memory/4700-12-0x000000001CDC0000-0x000000001CE72000-memory.dmp

Filesize
712KB

Download
memory/4700-11-0x000000001C5A0000-0x000000001C5F0000-memory.dmp

Filesize
320KB

Download
memory/4700-9-0x00007FFE55320000-0x00007FFE55DE1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads