quasar | 2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58

Analysis

max time kernel
144s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Size

3.1MB
MD5

4522bc113a6f5b984e9ffac278f9f064
SHA1

392ec955d7b5c5da965f7af9f929b89c33409b03
SHA256

2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58
SHA512

c0980d621a154adb63bdb8a4e7adc863a40d1af8d98d18bd0671fc07721639d66b10d471d4dddc0e78cc127d4c0429f3084618f227919e4a552d6de4ee7793ff
SSDEEP

98304:6WV5SgjlbwPdRl5fGO4ZL0luiel9uRJk3HZ2b/aryTnrfvnM3A2Ozvg:FTQzo

Score

10^/10

quasar zjeb discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

ZJEB

VIPEEK1990-25013.portmap.host:25013

Mutex

ebef1e3c-805b-4b1a-aa24-bf4dcab44476

Attributes

encryption_key
3EBA8BC34FA983893A9B07B831E7CEB183F7492D
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Security Service
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/1084-1-0x0000000000720000-0x0000000000A44000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4904	PING.EXE
4780	PING.EXE
4860	PING.EXE
4496	PING.EXE
4996	PING.EXE
5036	PING.EXE
4424	PING.EXE
4752	PING.EXE
4164	PING.EXE
2628	PING.EXE
3252	PING.EXE
1516	PING.EXE
4944	PING.EXE
2176	PING.EXE
4892	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
4996	PING.EXE
5036	PING.EXE
4904	PING.EXE
4780	PING.EXE
4496	PING.EXE
4752	PING.EXE
2176	PING.EXE
3252	PING.EXE
4860	PING.EXE
4944	PING.EXE
2628	PING.EXE
4424	PING.EXE
1516	PING.EXE
4164	PING.EXE
4892	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
892	schtasks.exe
4584	schtasks.exe
2936	schtasks.exe
1124	schtasks.exe
1064	schtasks.exe
4908	schtasks.exe
5024	schtasks.exe
2192	schtasks.exe
2136	schtasks.exe
1868	schtasks.exe
2868	schtasks.exe
3044	schtasks.exe
1384	schtasks.exe
2036	schtasks.exe
1140	schtasks.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1084	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	5104	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	3296	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	4120	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	3428	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	4848	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	2140	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	2948	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	532	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	3404	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	1300	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	3792	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	4832	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
Token: SeDebugPrivilege	3912	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 2192	1084	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	82
PID 1084 wrote to memory of 2192	1084	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	82
PID 1084 wrote to memory of 3104	1084	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	84
PID 1084 wrote to memory of 3104	1084	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	84
PID 3104 wrote to memory of 2752	3104	cmd.exe	86
PID 3104 wrote to memory of 2752	3104	cmd.exe	86
PID 3104 wrote to memory of 4996	3104	cmd.exe	87
PID 3104 wrote to memory of 4996	3104	cmd.exe	87
PID 3104 wrote to memory of 5104	3104	cmd.exe	93
PID 3104 wrote to memory of 5104	3104	cmd.exe	93
PID 5104 wrote to memory of 892	5104	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	94
PID 5104 wrote to memory of 892	5104	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	94
PID 5104 wrote to memory of 3832	5104	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	96
PID 5104 wrote to memory of 3832	5104	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	96
PID 3832 wrote to memory of 1028	3832	cmd.exe	98
PID 3832 wrote to memory of 1028	3832	cmd.exe	98
PID 3832 wrote to memory of 2176	3832	cmd.exe	99
PID 3832 wrote to memory of 2176	3832	cmd.exe	99
PID 3832 wrote to memory of 3296	3832	cmd.exe	102
PID 3832 wrote to memory of 3296	3832	cmd.exe	102
PID 3296 wrote to memory of 2868	3296	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	103
PID 3296 wrote to memory of 2868	3296	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	103
PID 3296 wrote to memory of 532	3296	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	105
PID 3296 wrote to memory of 532	3296	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	105
PID 532 wrote to memory of 4304	532	cmd.exe	107
PID 532 wrote to memory of 4304	532	cmd.exe	107
PID 532 wrote to memory of 3252	532	cmd.exe	108
PID 532 wrote to memory of 3252	532	cmd.exe	108
PID 532 wrote to memory of 4120	532	cmd.exe	110
PID 532 wrote to memory of 4120	532	cmd.exe	110
PID 4120 wrote to memory of 3044	4120	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	111
PID 4120 wrote to memory of 3044	4120	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	111
PID 4120 wrote to memory of 4192	4120	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	113
PID 4120 wrote to memory of 4192	4120	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	113
PID 4192 wrote to memory of 3572	4192	cmd.exe	115
PID 4192 wrote to memory of 3572	4192	cmd.exe	115
PID 4192 wrote to memory of 5036	4192	cmd.exe	116
PID 4192 wrote to memory of 5036	4192	cmd.exe	116
PID 4192 wrote to memory of 2332	4192	cmd.exe	118
PID 4192 wrote to memory of 2332	4192	cmd.exe	118
PID 4156 wrote to memory of 2544	4156	cmd.exe	123
PID 4156 wrote to memory of 2544	4156	cmd.exe	123
PID 4156 wrote to memory of 4164	4156	cmd.exe	124
PID 4156 wrote to memory of 4164	4156	cmd.exe	124
PID 4156 wrote to memory of 3428	4156	cmd.exe	125
PID 4156 wrote to memory of 3428	4156	cmd.exe	125
PID 3428 wrote to memory of 2936	3428	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	126
PID 3428 wrote to memory of 2936	3428	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	126
PID 3428 wrote to memory of 1260	3428	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	128
PID 3428 wrote to memory of 1260	3428	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	128
PID 1260 wrote to memory of 4160	1260	cmd.exe	130
PID 1260 wrote to memory of 4160	1260	cmd.exe	130
PID 1260 wrote to memory of 4904	1260	cmd.exe	131
PID 1260 wrote to memory of 4904	1260	cmd.exe	131
PID 1260 wrote to memory of 4848	1260	cmd.exe	132
PID 1260 wrote to memory of 4848	1260	cmd.exe	132
PID 4848 wrote to memory of 1124	4848	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	133
PID 4848 wrote to memory of 1124	4848	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	133
PID 4848 wrote to memory of 3104	4848	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	135
PID 4848 wrote to memory of 3104	4848	2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe	135
PID 3104 wrote to memory of 2932	3104	cmd.exe	137
PID 3104 wrote to memory of 2932	3104	cmd.exe	137
PID 3104 wrote to memory of 2628	3104	cmd.exe	138
PID 3104 wrote to memory of 2628	3104	cmd.exe	138

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
"C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEYaVesPulra.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3104
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2752
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4996
- - C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
    "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5104
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:892
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cV3rJqpfJrxG.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3832
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1028
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2176
    - - C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        5⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3296
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2868
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7KrAhvPo0vkE.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4304
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        7⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TnVoit3GrcpB.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:3572
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        9⤵
        Checks computer location settings
        
        PID:2332
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4584
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\i51Kj2G20fIR.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2544
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        11⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xvzBf9rc6w5W.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:4160
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        13⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RhgKTt5zP1fP.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2932
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        15⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pW8H4TlJqfFd.bat" "
        16⤵
        
        PID:428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:4364
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        17⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\J5p1WL2iTFsY.bat" "
        18⤵
        
        PID:3296
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2644
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        19⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:532
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2136
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B1ULEbzXmsCU.bat" "
        20⤵
        
        PID:1376
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:856
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        21⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3404
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BogcYUqVbOQI.bat" "
        22⤵
        
        PID:2732
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:3592
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        23⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1300
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7DcvIzF4yUrn.bat" "
        24⤵
        
        PID:2696
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:3932
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        25⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3792
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4908
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6o1xCUWNHnem.bat" "
        26⤵
        
        PID:1512
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2916
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        27⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4832
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1868
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RwKQAp94hDO3.bat" "
        28⤵
        
        PID:3852
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:1932
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe"
        29⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3912
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        30⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiwwBEKr6F4j.bat" "
        30⤵
        
        PID:1392
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:428
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\6o1xCUWNHnem.bat

Filesize
261B

MD5
312f2105861043ba85f937393d8d3ae7

SHA1
011662458c3d1a34f7a059f8b84e4e56672bc086

SHA256
1b9a022cef854767f4feedc271f09de73ea2d5efd81b0988ab061b91404e68ff

SHA512
ce8e7e7f9380a0c7493e92644a861fa7966cae6e3fd261bd37d02aeec4ae95d46c5b20aa3b76f6dba60aad3e3c246d1a0dbd9752683fbe862c534b6b165dc53b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7DcvIzF4yUrn.bat

Filesize
261B

MD5
84361ce50200f079dd48270504d5995b

SHA1
d646b5a5580bbb48086bcbc92633b00374fe99d0

SHA256
4b0a1e0e68c340bfd23349b6cc90676bde476f64ad23344ea76f71fad4a5b8a4

SHA512
c42f7fb46c5dab3d2552ede66baca98eb4286539579f4b5d70545b6a0b77dd1476442708fcb8d6942b2c10fa606c49eeb17471bb3f09b9b7ca831e4ea661e5c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7KrAhvPo0vkE.bat

Filesize
261B

MD5
13a9b4940b89aaf48cd2a3d0a9ce3d69

SHA1
e1728aa4cfdeb0e11a9481d897488d4745ec6c0e

SHA256
cc5a677ab4519714862e365acc1ea7a3f486bda63ef4901ed7d21571fe1d38be

SHA512
934908d56d52a002899acc5a5ab15fae0e282b4eff3b9425e82de9a874653981ffe08db34340e7fc588ee032b34e141c2d9811a52fb471125bf7da3964b669d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1ULEbzXmsCU.bat

Filesize
261B

MD5
bb526f7e7b4c07aabe7077de51d95a1f

SHA1
d6534392e2a58878a03cbb1e0121d07995e9d7a1

SHA256
c614f97e6c636ccd59602309c4d32005d4667d5992710bc12afec8e667b99bd3

SHA512
bba9c99f6b26d896275e9973dd738ff6c323306a654d9e203a891ddad86f7564ad4bda939a70b77fa8a87373a03c2da63ab3c886c22f8b183ad9590d5f1cab19

Download Submit
C:\Users\Admin\AppData\Local\Temp\BogcYUqVbOQI.bat

Filesize
261B

MD5
6c706370b8d610d722bfacd13e5252a6

SHA1
c8d92a837b9f1560464194e6e8ea95b8128497bd

SHA256
893bf08e8f712820e4b696f69b908c8f7f60ef7afdb7c85e8ce4204ea5410874

SHA512
bdf71123ef5aa59f81a2043bd931a4527f87fff6bf1cea722a9a98d69d63afd9f9779925fd910d2cb643df47eaadf53acbcd72f820e80a749455d917809794c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\EiwwBEKr6F4j.bat

Filesize
261B

MD5
50f4ff840016100bbcb9b04de617ad58

SHA1
2a655c3ac473e62a83089de28af927304e299e96

SHA256
51740f5f0aa26a31179c39e68682ce083b3ca9cf439c6086e1e331d5575f4e43

SHA512
acd423d115a8b637bcf5b700624026d5c591bd8d8fc957cdbe4dc34cd500d9550b0592768ccb82ad6e1bbd8a13318f10a79181ed353ad7664039bade4bab4abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\J5p1WL2iTFsY.bat

Filesize
261B

MD5
1ed2c0aad45630aa7cddcf3dcfdc19eb

SHA1
5735099f4c81966d4eb6db0c880488affa826645

SHA256
67a5729e1cd18fc7d7acdeec32dfd60ad35f3726a18a7ce2a0e2b6c2fac6e624

SHA512
ab4618cfe14d7df144f738c0ecc2e626a2e5884704ee6504c342c7b933db4eb6f37d4d72581e5b90548d18c7300f0338a2c5790f244098f88bb632c3291f811b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RhgKTt5zP1fP.bat

Filesize
261B

MD5
850146c82e8a306ce28808191cbb5dd3

SHA1
0ecf30c5a101ea5afe14c71e532b7195c7858d10

SHA256
e4963df21bb2eeeec4405a65260e52fc4ad5b8670214d829ceecfeaa90befb96

SHA512
ffcdf00be332e457edb0b673fa216c16f72611fecfabb51b9513a01f7ba4c1cb74c7b9f04150310401124e334a35ab46841d53a8b17ca9c9f9c2ef46c4da9223

Download Submit
C:\Users\Admin\AppData\Local\Temp\RwKQAp94hDO3.bat

Filesize
261B

MD5
4748a7750daf08b6bcbf6deb97286bc9

SHA1
357484158396b729f915519dad349ac2b5fd6b41

SHA256
b1db128ae11e95324287381d4cc32045cd5452f678dc0f60ba336ec4072e3a41

SHA512
e4d0ee13d67ea4d2d1006b5adf4cf06f9d93f6b4c512fb43dd6d162610d0e9f19987a49cd2a27eca9df46d75e73aa3f0b34b10e6d085afd148dd8f72d5001a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TnVoit3GrcpB.bat

Filesize
261B

MD5
68bed425f750463c8c4d504fbe72a39e

SHA1
d5cce8980f5d0fc14a5b28f2e404e4c556fd09f9

SHA256
cfdc22d0d6356addba7fd249dd8df87be108451857cc2ca37e2f3b5ca4d3e774

SHA512
398c7b9d3a19f7722b4010a14481353a0ff0eee7d54a754434a15e4957ecb76eb3e685bfaa2febf80006cb5bb44e750bd0752f9501d747d5f37510c852b6d035

Download Submit
C:\Users\Admin\AppData\Local\Temp\XEYaVesPulra.bat

Filesize
261B

MD5
221f2a0f90e99ac8536a53606c318c5c

SHA1
eac96d203809d858917cb7f463598bf0cf92447c

SHA256
116bb4477154317db9cef7b9b40e0c2d6da2d14d1a0ec5d2ed6ad8e9c40ff8fc

SHA512
a57dfa4884c3354448049dc5b89378ef16fc8546c4b198c97831b6ff897436f0250155bce21741fc44a388d0d427130c95d99b61a6b9517becff875eb125f291

Download Submit
C:\Users\Admin\AppData\Local\Temp\cV3rJqpfJrxG.bat

Filesize
261B

MD5
a000a34a6cc8cf8f87c1ccde55c2abdd

SHA1
df53f2872f1107d1934ca89416cce952a78dcd51

SHA256
edc34366660e8a97db2fcb2d374a67979630c3bdc76b566b68c03e1d5c71bf7f

SHA512
421c1957ecfe6254614c151d1cc349534023b1a60c66ae086256454803d9a7f6e5fd66ae3a03ea642da4a76cfa217984c68aaccf6445cfa13919ba282a47197e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pW8H4TlJqfFd.bat

Filesize
261B

MD5
bcea33a7d3c7be6d26d199eab4fa911c

SHA1
7b9acd865bb17a0423fe16801ad2c0b0e1a6616d

SHA256
812e31a0cf56727b1bf6e98cfe8407524712a1136591e7baddfc9f4e2d6e99d2

SHA512
5c4beb0e2835fa856f8357c3b26011b66607d370c21aacbda7da3fe0f33e3a0bcb121a5684bf829336f596c847613c9fe3040cf30e4d61632336ec56540b4468

Download Submit
C:\Users\Admin\AppData\Local\Temp\xvzBf9rc6w5W.bat

Filesize
261B

MD5
57cd5de53cbefa6b4705c0c4d3ebb758

SHA1
9cecb0c7c72a121666e080bca0dc437fc66ff55f

SHA256
8e1c01bab7a0c29e7b6b66e2974f164ad92d14f34fd98b8c0da8aadbd6925542

SHA512
13468255e7040de936e23dbf02a38d9e46639db003abab821baf8d7b17be3267e80e8e599e99a7896249c9cd005a64a506e4f3ed28d0329b0e65274efcc8ef52

Download Submit
memory/1084-0-0x00007FFF66363000-0x00007FFF66365000-memory.dmp

Filesize
8KB

Download
memory/1084-9-0x00007FFF66360000-0x00007FFF66E21000-memory.dmp

Filesize
10.8MB

Download
memory/1084-4-0x000000001D750000-0x000000001D802000-memory.dmp

Filesize
712KB

Download
memory/1084-3-0x000000001D640000-0x000000001D690000-memory.dmp

Filesize
320KB

Download
memory/1084-2-0x00007FFF66360000-0x00007FFF66E21000-memory.dmp

Filesize
10.8MB

Download
memory/1084-1-0x0000000000720000-0x0000000000A44000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads