quasar | 2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58

Analysis

max time kernel
150s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Size

3.1MB
MD5

4522bc113a6f5b984e9ffac278f9f064
SHA1

392ec955d7b5c5da965f7af9f929b89c33409b03
SHA256

2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58
SHA512

c0980d621a154adb63bdb8a4e7adc863a40d1af8d98d18bd0671fc07721639d66b10d471d4dddc0e78cc127d4c0429f3084618f227919e4a552d6de4ee7793ff
SSDEEP

98304:6WV5SgjlbwPdRl5fGO4ZL0luiel9uRJk3HZ2b/aryTnrfvnM3A2Ozvg:FTQzo

Score

10^/10

quasar zjeb discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

ZJEB

VIPEEK1990-25013.portmap.host:25013

Mutex

ebef1e3c-805b-4b1a-aa24-bf4dcab44476

Attributes

encryption_key
3EBA8BC34FA983893A9B07B831E7CEB183F7492D
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Security Service
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 6 IoCs

resource	yara_rule
behavioral1/memory/2348-1-0x0000000000970000-0x0000000000C94000-memory.dmp	family_quasar
behavioral1/memory/2096-22-0x0000000001390000-0x00000000016B4000-memory.dmp	family_quasar
behavioral1/memory/1768-42-0x00000000001C0000-0x00000000004E4000-memory.dmp	family_quasar
behavioral1/memory/2152-52-0x00000000002C0000-0x00000000005E4000-memory.dmp	family_quasar
behavioral1/memory/1220-62-0x0000000001180000-0x00000000014A4000-memory.dmp	family_quasar
behavioral1/memory/3044-90-0x00000000013D0000-0x00000000016F4000-memory.dmp	family_quasar

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 13 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1532	PING.EXE
2256	PING.EXE
1008	PING.EXE
2540	PING.EXE
2884	PING.EXE
568	PING.EXE
2256	PING.EXE
776	PING.EXE
1716	PING.EXE
2928	PING.EXE
2588	PING.EXE
2316	PING.EXE
2704	PING.EXE

Runs ping.exe 1 TTPs 13 IoCs

Remote System Discovery

T1018

pid	Process
2884	PING.EXE
2704	PING.EXE
2540	PING.EXE
2588	PING.EXE
2316	PING.EXE
568	PING.EXE
2256	PING.EXE
1532	PING.EXE
776	PING.EXE
1716	PING.EXE
2928	PING.EXE
2256	PING.EXE
1008	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2180	schtasks.exe
2344	schtasks.exe
852	schtasks.exe
812	schtasks.exe
3004	schtasks.exe
2040	schtasks.exe
2176	schtasks.exe
2688	schtasks.exe
2992	schtasks.exe
2784	schtasks.exe
2832	schtasks.exe
2608	schtasks.exe
2232	schtasks.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2348	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	2916	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	2096	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	892	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	1768	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	2152	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	1220	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	2636	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	1740	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	3044	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	2428	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	2176	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	2688	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	616	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2348	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2608	2348	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	29
PID 2348 wrote to memory of 2608	2348	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	29
PID 2348 wrote to memory of 2608	2348	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	29
PID 2348 wrote to memory of 2952	2348	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	31
PID 2348 wrote to memory of 2952	2348	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	31
PID 2348 wrote to memory of 2952	2348	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	31
PID 2952 wrote to memory of 2940	2952	cmd.exe	33
PID 2952 wrote to memory of 2940	2952	cmd.exe	33
PID 2952 wrote to memory of 2940	2952	cmd.exe	33
PID 2952 wrote to memory of 2884	2952	cmd.exe	34
PID 2952 wrote to memory of 2884	2952	cmd.exe	34
PID 2952 wrote to memory of 2884	2952	cmd.exe	34
PID 2952 wrote to memory of 2916	2952	cmd.exe	35
PID 2952 wrote to memory of 2916	2952	cmd.exe	35
PID 2952 wrote to memory of 2916	2952	cmd.exe	35
PID 2916 wrote to memory of 3004	2916	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	36
PID 2916 wrote to memory of 3004	2916	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	36
PID 2916 wrote to memory of 3004	2916	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	36
PID 2916 wrote to memory of 2816	2916	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	38
PID 2916 wrote to memory of 2816	2916	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	38
PID 2916 wrote to memory of 2816	2916	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	38
PID 2816 wrote to memory of 2576	2816	cmd.exe	40
PID 2816 wrote to memory of 2576	2816	cmd.exe	40
PID 2816 wrote to memory of 2576	2816	cmd.exe	40
PID 2816 wrote to memory of 2704	2816	cmd.exe	41
PID 2816 wrote to memory of 2704	2816	cmd.exe	41
PID 2816 wrote to memory of 2704	2816	cmd.exe	41
PID 2816 wrote to memory of 2096	2816	cmd.exe	42
PID 2816 wrote to memory of 2096	2816	cmd.exe	42
PID 2816 wrote to memory of 2096	2816	cmd.exe	42
PID 2096 wrote to memory of 2232	2096	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	43
PID 2096 wrote to memory of 2232	2096	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	43
PID 2096 wrote to memory of 2232	2096	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	43
PID 2096 wrote to memory of 2164	2096	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	45
PID 2096 wrote to memory of 2164	2096	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	45
PID 2096 wrote to memory of 2164	2096	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	45
PID 2164 wrote to memory of 1924	2164	cmd.exe	47
PID 2164 wrote to memory of 1924	2164	cmd.exe	47
PID 2164 wrote to memory of 1924	2164	cmd.exe	47
PID 2164 wrote to memory of 568	2164	cmd.exe	48
PID 2164 wrote to memory of 568	2164	cmd.exe	48
PID 2164 wrote to memory of 568	2164	cmd.exe	48
PID 2164 wrote to memory of 892	2164	cmd.exe	49
PID 2164 wrote to memory of 892	2164	cmd.exe	49
PID 2164 wrote to memory of 892	2164	cmd.exe	49
PID 892 wrote to memory of 2040	892	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	50
PID 892 wrote to memory of 2040	892	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	50
PID 892 wrote to memory of 2040	892	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	50
PID 892 wrote to memory of 2368	892	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	52
PID 892 wrote to memory of 2368	892	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	52
PID 892 wrote to memory of 2368	892	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	52
PID 2368 wrote to memory of 2372	2368	cmd.exe	54
PID 2368 wrote to memory of 2372	2368	cmd.exe	54
PID 2368 wrote to memory of 2372	2368	cmd.exe	54
PID 2368 wrote to memory of 2256	2368	cmd.exe	55
PID 2368 wrote to memory of 2256	2368	cmd.exe	55
PID 2368 wrote to memory of 2256	2368	cmd.exe	55
PID 2368 wrote to memory of 1768	2368	cmd.exe	56
PID 2368 wrote to memory of 1768	2368	cmd.exe	56
PID 2368 wrote to memory of 1768	2368	cmd.exe	56
PID 1768 wrote to memory of 2176	1768	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	57
PID 1768 wrote to memory of 2176	1768	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	57
PID 1768 wrote to memory of 2176	1768	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	57
PID 1768 wrote to memory of 2696	1768	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
"C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2608
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Uay0z8f9r1lO.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2940
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2884
- - C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3004
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\5yScdKLRoAJn.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2576
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2704
    - - C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2096
      - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2232
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Z8xgjs9bKRdB.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1924
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:892
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2040
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Z0M69z4pXfrj.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2372
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2176
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MxKSvNAFIQHF.bat" "
        10⤵
        
        PID:2696
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:700
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2688
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\5zX238gSOHk9.bat" "
        12⤵
        
        PID:644
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2432
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        13⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2180
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\2nk9zT2CWj4o.bat" "
        14⤵
        
        PID:1696
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1616
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        15⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2992
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WMQIILYXSTlg.bat" "
        16⤵
        
        PID:2900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:3024
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        17⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2784
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ayy8Y6NECzaC.bat" "
        18⤵
        
        PID:112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:940
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        19⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2832
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NOu7OKdVowCo.bat" "
        20⤵
        
        PID:2148
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2448
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        21⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2344
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\2gaocGBGhOxE.bat" "
        22⤵
        
        PID:2452
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2920
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        23⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:852
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eVYK2AhUKB2a.bat" "
        24⤵
        
        PID:1576
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2508
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        25⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:812
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BiaRRAwDDW7K.bat" "
        26⤵
        
        PID:2620
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2528
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        27⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2gaocGBGhOxE.bat

Filesize
261B

MD5
8527c073bfa5648782b3ea7f0359fa09

SHA1
9270c406a44f26761f54e27b3fcaaa9584a5a9ab

SHA256
b39fc414b5a49c6ab19c997a239b61b2d8637a4a57245f7e6c2832da1376f029

SHA512
01bda0552e8270c87b1e87db46ea216608189a92186b8202ff16320106558854906cf14db32614984912f93524f516eec860855ad57c3767bbb586759331e554

Download Submit
C:\Users\Admin\AppData\Local\Temp\2nk9zT2CWj4o.bat

Filesize
261B

MD5
3128c84c4286259c472eea1cc4da8671

SHA1
726c136f7169473761effd5edc568a8d788ebb4d

SHA256
61db146b585652ac0e322775659788368949e9166f03e86e4c0e8dc683d3b7e3

SHA512
ee1532057e58f4484a585b2612e6adda4f02b48053446b2e320f9b0085170d894652930d2d93dade6a31c5688275f830f50ac7468b333a824c08875101f4029d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5yScdKLRoAJn.bat

Filesize
261B

MD5
124097c930297e7a675290abfdd8e5d1

SHA1
dd3d0007bd558d4adb173429d0b7aafeb71fdf67

SHA256
f46d3f4dd3036a5772f0d9897172c7dccf726b01fd6ad82c113ad377b1c2a650

SHA512
805e206ca1a956a965b7f779159e70adeca4a872afdf1c0010bd40ce98375002f18f0ca824435f52c8ec0c8eddfbb970aa33a5de228e8c6d154ecb1773aa1518

Download Submit
C:\Users\Admin\AppData\Local\Temp\5zX238gSOHk9.bat

Filesize
261B

MD5
4638c0214b0df49e6cbab9c0dff790e5

SHA1
e7844234231400aafa85378827ce11e543e7c499

SHA256
3c300910071970e8b161cb45920e23560150ff6127222dd4207d88f347379ebc

SHA512
91fe9400c6806fc3375f6aa5e371f2e85553e653a44506c9ea84c407a2073396bd16af72c169550e63d848885f9508c062abc6d5d6e5accd0decf25c6f039045

Download Submit
C:\Users\Admin\AppData\Local\Temp\BiaRRAwDDW7K.bat

Filesize
261B

MD5
6192052e01f863d6c89728196d564818

SHA1
a0099f38de1fdacf8430d8a9e3421c7a24e609e7

SHA256
67565e59a4f087576bd207eeb8f5a85511d96d431c02bb1efcd0c75b090d3131

SHA512
882d8e1579ae9771eea9088e210932f43930983b905af49ad88baa790a40dd12ad7700db20d87e62915d016ed1716cc123e1b43435d14fd11e12c056b227faad

Download Submit
C:\Users\Admin\AppData\Local\Temp\MxKSvNAFIQHF.bat

Filesize
261B

MD5
aec2f0ab3e5a597fb3b6be1943f2f7b8

SHA1
cad7bea952fe6431620409adf607275d362b439b

SHA256
802c138767b19ee28982a7897f7e515f4b93312e6e78fcaa53e9530a9fab9302

SHA512
edbc4c467107121d52eb58ad60fb941ae824cbf40283fd6f739cce7b0817ef407b8234272105d7563643837ae4548a048614289fe52578c3f37616a6e00cf666

Download Submit
C:\Users\Admin\AppData\Local\Temp\NOu7OKdVowCo.bat

Filesize
261B

MD5
7eb37449937e3b0a3cc3ea0c5db64d7d

SHA1
d013f9fd4a76b8a5ca4c3383ad9851fdb13a1d51

SHA256
5aec8a5c423fccf23e17fef6dd3e1a693405afdd9048ec9d76a01b4e85f80f2c

SHA512
36f8717a99d384910007aa3a5098bd47f1aab6e3e9e39cdb0f7c1f3ecfc0342c2ab0dabdca312b667d24d4a72ed4e07842da37d7f7dda4906307914753a48427

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uay0z8f9r1lO.bat

Filesize
261B

MD5
13b2dded68daa373e26e1e49d8f3d5ee

SHA1
1c785aff1816a9e6013167649035e8bf18fd4cb0

SHA256
6b12bfb00b4542d660880c8613fc1e97921577d545ac26418b42f7c1426a98e7

SHA512
df699adc635707b5486ba6f7eeb582051fa5209b73fce3ba775f97aa88ddf1ecfbbe17ca070e314b372f0f7df0b0e2aa906c91e30011528d4361cc812deee8c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMQIILYXSTlg.bat

Filesize
261B

MD5
05ea093658bade5434f137f9e8fca140

SHA1
c393896d9a1735aca8a61e15c6abf5463994b3cf

SHA256
0d92d5d609f7915d8d78dbb67667d0c14b0cccd0391804db5f6363dcffdd69c5

SHA512
d7fdb8bfe68375c09f9be7d82cd40a41fef8478c37cccaf8cc8d7a9e71d96100530eba9096bb36ba2ba5931a3d074adeac7d1f79228caf58bfaeabc876ccd075

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z0M69z4pXfrj.bat

Filesize
261B

MD5
9c1afe8eff025d0c6ce6b529686cad91

SHA1
550a9225c5bb8c258497fb1ddb807039aca02010

SHA256
08b768110a0f629557f6f3484573332fcccfbf467f8359d46e44fe93dfce2cdb

SHA512
f352b65df8a2de465b8bc7c050b8f14366940b19bed7c3b321ebbc9721c896c077b2b985e769f05332622929e4422cd1b8b09cf292bf7c2d132458562216823e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z8xgjs9bKRdB.bat

Filesize
261B

MD5
4b929c6587f9c758953860e01068f7a6

SHA1
fe01664d41ffa3c087273b154d08237890b0e263

SHA256
a478e05618d360abf9fba6e959caa729a33e71b764cdd96c817797327d8fae72

SHA512
b2064ccb5fe677927d01803e3bbb760864ef772579cf5d1542ba7f40d17500f0709946b93325894bb52e60bf56adf32b95314f89bf7f24efda4dfca54966c8f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ayy8Y6NECzaC.bat

Filesize
261B

MD5
dc853eececd01a8e17629a03adec08ff

SHA1
da79b0bbc64b56854f9630487b85698e3533c8d2

SHA256
7d9b2b4d8b9feab03542dcef7249730ab20474391ead65cd5393e1ba50e30ed4

SHA512
b3ff05d4f82d25464b249bdd897306360d6efd0bfe651064d39f6215ab3a1a043434af550d06ade3bb84e979359d58df18f49ac140fe057204e2e4783b108746

Download Submit
C:\Users\Admin\AppData\Local\Temp\eVYK2AhUKB2a.bat

Filesize
261B

MD5
083979400d38a58f9e952eaa19240be8

SHA1
0137ac07a28d78af4866b8e74fbfb07eadb88af0

SHA256
e7ce0121b6a57aa18ef27bfb1315084b3df17f4f722b27c712ef86f5fd10bfa4

SHA512
b908cfc4f7e31484fa94f8aad50e6a2c1b2ad085d9313d20c03303b01d333e5252aa883bdc42553697c181c273fb1cf074b6e8e24d23fbce2fd8ea8630195ecf

Download Submit
memory/1220-62-0x0000000001180000-0x00000000014A4000-memory.dmp

Filesize
3.1MB

Download
memory/1768-42-0x00000000001C0000-0x00000000004E4000-memory.dmp

Filesize
3.1MB

Download
memory/2096-22-0x0000000001390000-0x00000000016B4000-memory.dmp

Filesize
3.1MB

Download
memory/2152-52-0x00000000002C0000-0x00000000005E4000-memory.dmp

Filesize
3.1MB

Download
memory/2348-2-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2348-0-0x000007FEF6003000-0x000007FEF6004000-memory.dmp

Filesize
4KB

Download
memory/2348-1-0x0000000000970000-0x0000000000C94000-memory.dmp

Filesize
3.1MB

Download
memory/2348-12-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/3044-90-0x00000000013D0000-0x00000000016F4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads