quasar | 533d8476431fefd3f83fd39d66366277b2420a549cb01e9232f558b2617871fc

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

533d8476431fefd3f83fd39d66366277b2420a549cb01e9232f558b2617871fc.exe
Size

502KB
MD5

a9c9735f6e34482c1cdd09e347a98787
SHA1

6214e43cdc3fd17978955abf9c01a8d8c3ea791e
SHA256

533d8476431fefd3f83fd39d66366277b2420a549cb01e9232f558b2617871fc
SHA512

084b40e683d88e8eda7a60047f1a640310455986629a63382b3b6ffa6a91f295b47963e2ba52115cb113f57f1f727f2adb98f910a9adca1596af242f266b4a50
SSDEEP

6144:sTEgdc0YeX1uRabMR0FdOWbYZTR9UbGzcEKVb8F9ywLlqlHcTR3t:sTEgdfYzRa9uza6FL4lHcdt

Score

10^/10

quasar target discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Target

127.0.0.1:6070

affasdqa.ddns.net:6070

haffasdqa.duckdns.org:6070

Mutex

670d21b7-71ed-4958-9ba7-a58fa54d8203

Attributes

encryption_key
25B2622CE0635F9A273AB61B1B7D7B94220AC509
install_name
svhoste.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svhoste
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/4712-1-0x0000000000E10000-0x0000000000E94000-memory.dmp	family_quasar
behavioral2/files/0x0008000000023ca3-5.dat	family_quasar

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svhoste.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svhoste.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svhoste.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svhoste.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svhoste.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svhoste.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svhoste.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svhoste.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svhoste.exe

Executes dropped EXE 10 IoCs

pid	Process
3296	svhoste.exe
2720	svhoste.exe
3348	svhoste.exe
4560	svhoste.exe
1460	svhoste.exe
4844	svhoste.exe
2624	svhoste.exe
932	svhoste.exe
2556	svhoste.exe
1968	svhoste.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 9 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2300	PING.EXE
2768	PING.EXE
1580	PING.EXE
468	PING.EXE
2012	PING.EXE
4136	PING.EXE
1196	PING.EXE
1620	PING.EXE
2700	PING.EXE

Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery

T1018

pid	Process
2012	PING.EXE
2768	PING.EXE
1580	PING.EXE
2700	PING.EXE
468	PING.EXE
2300	PING.EXE
4136	PING.EXE
1196	PING.EXE
1620	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1972	schtasks.exe
1756	schtasks.exe
2056	schtasks.exe
3416	schtasks.exe
3284	schtasks.exe
2552	schtasks.exe
1992	schtasks.exe
2680	schtasks.exe
636	schtasks.exe
1076	schtasks.exe
4044	schtasks.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	4712	533d8476431fefd3f83fd39d66366277b2420a549cb01e9232f558b2617871fc.exe
Token: SeDebugPrivilege	3296	svhoste.exe
Token: SeDebugPrivilege	2720	svhoste.exe
Token: SeDebugPrivilege	3348	svhoste.exe
Token: SeDebugPrivilege	4560	svhoste.exe
Token: SeDebugPrivilege	1460	svhoste.exe
Token: SeDebugPrivilege	4844	svhoste.exe
Token: SeDebugPrivilege	2624	svhoste.exe
Token: SeDebugPrivilege	932	svhoste.exe
Token: SeDebugPrivilege	2556	svhoste.exe
Token: SeDebugPrivilege	1968	svhoste.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3296	svhoste.exe
2720	svhoste.exe
3348	svhoste.exe
4560	svhoste.exe
1460	svhoste.exe
4844	svhoste.exe
2624	svhoste.exe
932	svhoste.exe
2556	svhoste.exe
1968	svhoste.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 1076	4712	533d8476431fefd3f83fd39d66366277b2420a549cb01e9232f558b2617871fc.exe	82
PID 4712 wrote to memory of 1076	4712	533d8476431fefd3f83fd39d66366277b2420a549cb01e9232f558b2617871fc.exe	82
PID 4712 wrote to memory of 3296	4712	533d8476431fefd3f83fd39d66366277b2420a549cb01e9232f558b2617871fc.exe	84
PID 4712 wrote to memory of 3296	4712	533d8476431fefd3f83fd39d66366277b2420a549cb01e9232f558b2617871fc.exe	84
PID 3296 wrote to memory of 3416	3296	svhoste.exe	85
PID 3296 wrote to memory of 3416	3296	svhoste.exe	85
PID 3296 wrote to memory of 4280	3296	svhoste.exe	89
PID 3296 wrote to memory of 4280	3296	svhoste.exe	89
PID 4280 wrote to memory of 2940	4280	cmd.exe	91
PID 4280 wrote to memory of 2940	4280	cmd.exe	91
PID 4280 wrote to memory of 2012	4280	cmd.exe	93
PID 4280 wrote to memory of 2012	4280	cmd.exe	93
PID 4280 wrote to memory of 2720	4280	cmd.exe	98
PID 4280 wrote to memory of 2720	4280	cmd.exe	98
PID 2720 wrote to memory of 3284	2720	svhoste.exe	99
PID 2720 wrote to memory of 3284	2720	svhoste.exe	99
PID 2720 wrote to memory of 4268	2720	svhoste.exe	101
PID 2720 wrote to memory of 4268	2720	svhoste.exe	101
PID 4268 wrote to memory of 4964	4268	cmd.exe	103
PID 4268 wrote to memory of 4964	4268	cmd.exe	103
PID 4268 wrote to memory of 2300	4268	cmd.exe	104
PID 4268 wrote to memory of 2300	4268	cmd.exe	104
PID 4268 wrote to memory of 3348	4268	cmd.exe	107
PID 4268 wrote to memory of 3348	4268	cmd.exe	107
PID 3348 wrote to memory of 1972	3348	svhoste.exe	108
PID 3348 wrote to memory of 1972	3348	svhoste.exe	108
PID 3348 wrote to memory of 4292	3348	svhoste.exe	110
PID 3348 wrote to memory of 4292	3348	svhoste.exe	110
PID 4292 wrote to memory of 3136	4292	cmd.exe	112
PID 4292 wrote to memory of 3136	4292	cmd.exe	112
PID 4292 wrote to memory of 4136	4292	cmd.exe	113
PID 4292 wrote to memory of 4136	4292	cmd.exe	113
PID 4292 wrote to memory of 4560	4292	cmd.exe	114
PID 4292 wrote to memory of 4560	4292	cmd.exe	114
PID 4560 wrote to memory of 4044	4560	svhoste.exe	115
PID 4560 wrote to memory of 4044	4560	svhoste.exe	115
PID 4560 wrote to memory of 1896	4560	svhoste.exe	117
PID 4560 wrote to memory of 1896	4560	svhoste.exe	117
PID 1896 wrote to memory of 2140	1896	cmd.exe	119
PID 1896 wrote to memory of 2140	1896	cmd.exe	119
PID 1896 wrote to memory of 1196	1896	cmd.exe	120
PID 1896 wrote to memory of 1196	1896	cmd.exe	120
PID 1896 wrote to memory of 1460	1896	cmd.exe	121
PID 1896 wrote to memory of 1460	1896	cmd.exe	121
PID 1460 wrote to memory of 1756	1460	svhoste.exe	122
PID 1460 wrote to memory of 1756	1460	svhoste.exe	122
PID 1460 wrote to memory of 3672	1460	svhoste.exe	124
PID 1460 wrote to memory of 3672	1460	svhoste.exe	124
PID 3672 wrote to memory of 4820	3672	cmd.exe	126
PID 3672 wrote to memory of 4820	3672	cmd.exe	126
PID 3672 wrote to memory of 2768	3672	cmd.exe	127
PID 3672 wrote to memory of 2768	3672	cmd.exe	127
PID 3672 wrote to memory of 4844	3672	cmd.exe	128
PID 3672 wrote to memory of 4844	3672	cmd.exe	128
PID 4844 wrote to memory of 2552	4844	svhoste.exe	129
PID 4844 wrote to memory of 2552	4844	svhoste.exe	129
PID 4844 wrote to memory of 3056	4844	svhoste.exe	131
PID 4844 wrote to memory of 3056	4844	svhoste.exe	131
PID 3056 wrote to memory of 3800	3056	cmd.exe	133
PID 3056 wrote to memory of 3800	3056	cmd.exe	133
PID 3056 wrote to memory of 1580	3056	cmd.exe	134
PID 3056 wrote to memory of 1580	3056	cmd.exe	134
PID 3056 wrote to memory of 2624	3056	cmd.exe	135
PID 3056 wrote to memory of 2624	3056	cmd.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\533d8476431fefd3f83fd39d66366277b2420a549cb01e9232f558b2617871fc.exe
"C:\Users\Admin\AppData\Local\Temp\533d8476431fefd3f83fd39d66366277b2420a549cb01e9232f558b2617871fc.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\533d8476431fefd3f83fd39d66366277b2420a549cb01e9232f558b2617871fc.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1076
- C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3296
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5t8lcy1E2Chl.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4280
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2940
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2012
  - - C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3284
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UeK66XmeeGss.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4268
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4964
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2300
      - C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vaw3MpixjZjI.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3136
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4136
        
        C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\imP6RsUmEs8U.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2140
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1196
        
        C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tHZGZ7ugfqk8.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4820
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2768
        
        C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5uEtPBaeQIWW.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3800
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1580
        
        C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2624
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0XUXtfwyBtkH.bat" "
        15⤵
        
        PID:4928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4816
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1620
        
        C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:932
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4dLLYUwWAEBa.bat" "
        17⤵
        
        PID:736
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3464
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2700
        
        C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2556
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GQYaUWDtBz9X.bat" "
        19⤵
        
        PID:244
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4668
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:468
        
        C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svhoste.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0XUXtfwyBtkH.bat

Filesize
208B

MD5
14c8eab7eb93161fd9a4a7ccc286ece7

SHA1
df4ff463e064a57260d4c5f5de5d5871d2378109

SHA256
2afb2690b701d9fea9136962d3e5a426f4c3828efb37dd90a44e6de7e104dd94

SHA512
d52092333792a635d9b6539b72c94ce2fd0e31a175c8244a49ed287756899acafc144479f81dd56a6162677074c8eae53f520cb509e2b2e0bd9e1bb0aea8fe45

Download Submit
C:\Users\Admin\AppData\Local\Temp\4dLLYUwWAEBa.bat

Filesize
208B

MD5
053dc9bf192d064cdbedd6d32d678cc5

SHA1
b16284c791ee0ea21823c5644b5f96f8a7493e1c

SHA256
6abfcde6aa6f2b23b4460d3721d377c2974411079c8bfa567585be49660a4e2f

SHA512
25d11c7e9165201936f74ec5f4394311f6cb626be2dcc300de3cdaf475992f003124d47a86a5318d2b46b411ca993a4507e25dc84b6a4b675c44e99f12d1fdf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5t8lcy1E2Chl.bat

Filesize
208B

MD5
06bd518b3f5275ee4a19b5fc5523e0bf

SHA1
50edb9ae7a4de17665ed1eee9417ddc6480e38fe

SHA256
b2ed1015fce3a6bb910493f0893e1327d37469e5c9ffcc5bb0989c1cfe762143

SHA512
3638fd86152350d28b761f28aa40e60637b7cdc40c84ba1fb393878697f07759da5dd02ef6dc79ef3f9d7483ef8603f14071a605b06f8175ee4f40861e345b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\5uEtPBaeQIWW.bat

Filesize
208B

MD5
fddef6c2d3d13210613a02e12068ea0d

SHA1
592de0e260cd6e24b11a1c7706f258694f11b182

SHA256
1930ecbe18d9ea5c6c65e3cce982b4612e5153cc66d6187be9cd7f0a522bfbe5

SHA512
ca12f9363679a72d93cc55faee926aad02b0f95779ad9072d5001c50e4602b75c792cb9c5f1d062b1245761418c0c1eabf4a832eec28706e2f212f1fb6933e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQYaUWDtBz9X.bat

Filesize
208B

MD5
c4055c7956ab35946750cb1fcbbff6e4

SHA1
d654ee96c63b38dd93883d749602c465776af0ae

SHA256
741813b5a286eff040a087052d7469b8a6e330d718c631526ed83603d44357bf

SHA512
68726092e80bdbc416073219d7b7012d6f36659338ebc5e3379adf4c4fa97379b7af4bf697d7a1b89008af3921438f7b9ae3fb2781481938ed17302963028c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UeK66XmeeGss.bat

Filesize
208B

MD5
7232bb4ab3a08bbbfbf3b5aeeae86a42

SHA1
3de1b544fe98c607e4d395c6423af57ce48b260d

SHA256
b8063afa83e53f2cc338f9c6655e66197309c820c53dd8046800444903ce1f62

SHA512
65b876a6fed2138b00b6b89bec7c89400e3c8fbef9b28275d6b9814375bfef8f2e627399f1a03f617afe07d70e00a9552f8e06a2933886d108cdcf1429305090

Download Submit
C:\Users\Admin\AppData\Local\Temp\imP6RsUmEs8U.bat

Filesize
208B

MD5
6974d52ba042dbd5716dac78cbecebe8

SHA1
5957dd73ec8096fc77c9243551f5eefe2ac71827

SHA256
7d8e6078ebb0c693f45a3af03cc33dc79d75826dce3f6fc6966d4469fe08f453

SHA512
b8b22b4f0f50274f93cc07975343c50ff91ef8f4922d41d12d5341cb11d86cba10639d550b8c99bee4cdb027285047e0a63c16ee72999063b1704e204dd65c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tHZGZ7ugfqk8.bat

Filesize
208B

MD5
6541914f09828429563e3e982e05f482

SHA1
5c0fffacf5e7f5bffcc4a3ebd5b587b1bc1e6042

SHA256
0691dc2bbec3ae701faa150268fb8b67d5d9f416dd52d35d134c835b294b0de6

SHA512
03891db33c5395e0c6f170b7279544a52fd1ee3b3a8eac12867fe25e4ca1753dee19903be3d74834bfedb4acaa18d3babbb26a7e7e9ec372bc3d3d7abc3375fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\vaw3MpixjZjI.bat

Filesize
208B

MD5
3a76f2d29b5b828802ded148abd86336

SHA1
70c3baeb47d0522f363d870a44ed87169913ffd9

SHA256
458ea24d0557ea80e46027319757d31a3faf19480a39f4ecb1ed48a33798039c

SHA512
1f6602b92620d816304178298c2532e49bf6d9721baa5a79168b1f426446769e3f31aa452d1d1233155f93c7a78b92ce5b5b9989bfe8c92825e118089da72614

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe

Filesize
502KB

MD5
a9c9735f6e34482c1cdd09e347a98787

SHA1
6214e43cdc3fd17978955abf9c01a8d8c3ea791e

SHA256
533d8476431fefd3f83fd39d66366277b2420a549cb01e9232f558b2617871fc

SHA512
084b40e683d88e8eda7a60047f1a640310455986629a63382b3b6ffa6a91f295b47963e2ba52115cb113f57f1f727f2adb98f910a9adca1596af242f266b4a50

Download Submit
memory/3296-17-0x00007FFC0D290000-0x00007FFC0DD51000-memory.dmp

Filesize
10.8MB

Download
memory/3296-12-0x000000001CF10000-0x000000001CFC2000-memory.dmp

Filesize
712KB

Download
memory/3296-11-0x000000001AF40000-0x000000001AF90000-memory.dmp

Filesize
320KB

Download
memory/3296-10-0x00007FFC0D290000-0x00007FFC0DD51000-memory.dmp

Filesize
10.8MB

Download
memory/3296-7-0x00007FFC0D290000-0x00007FFC0DD51000-memory.dmp

Filesize
10.8MB

Download
memory/4712-9-0x00007FFC0D290000-0x00007FFC0DD51000-memory.dmp

Filesize
10.8MB

Download
memory/4712-0-0x00007FFC0D293000-0x00007FFC0D295000-memory.dmp

Filesize
8KB

Download
memory/4712-2-0x00007FFC0D290000-0x00007FFC0DD51000-memory.dmp

Filesize
10.8MB

Download
memory/4712-1-0x0000000000E10000-0x0000000000E94000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads