quasar | 9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba

Analysis

max time kernel
147s
max time network
126s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba.exe
Size

3.3MB
MD5

f29f701e76e3a435acdd474a41fa60ba
SHA1

10f06b6fc259131d8b6a5423972a1e55b62ce478
SHA256

9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba
SHA512

0d5088f4f685b6d29edec7cc7e8bfe7c594fa6b3fde2a6b11ee977455d6fe088e04e899203171ff519cf9d2b5a78231f3650774cc17824219f43f947d13a86e9
SSDEEP

49152:gvmI22SsaNYfdPBldt698dBcjHinQ1CGarv2oGdUBTHHB72eh2NT:gvr22SsaNYfdPBldt6+dBcjH6yCO

Score

10^/10

quasar java discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Java

dez3452-33187.portmap.host:33187

Mutex

f0e53bcd-851e-44af-8fd5-07d8ab5ed968

Attributes

encryption_key
65439CE7DEF3E0FAF01C526FEA90388C9FD487A1
install_name
java.exe
log_directory
Logs
reconnect_delay
3000
startup_key
java ©
subdirectory
Programfiles

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 12 IoCs

resource	yara_rule
behavioral1/memory/3052-1-0x00000000012D0000-0x000000000161E000-memory.dmp	family_quasar
behavioral1/files/0x0009000000016ce0-6.dat	family_quasar
behavioral1/memory/2380-9-0x0000000000AB0000-0x0000000000DFE000-memory.dmp	family_quasar
behavioral1/memory/1852-23-0x00000000001E0000-0x000000000052E000-memory.dmp	family_quasar
behavioral1/memory/1784-34-0x0000000000AF0000-0x0000000000E3E000-memory.dmp	family_quasar
behavioral1/memory/3012-45-0x0000000000E00000-0x000000000114E000-memory.dmp	family_quasar
behavioral1/memory/2328-56-0x0000000000FD0000-0x000000000131E000-memory.dmp	family_quasar
behavioral1/memory/836-97-0x0000000000280000-0x00000000005CE000-memory.dmp	family_quasar
behavioral1/memory/1564-109-0x0000000000980000-0x0000000000CCE000-memory.dmp	family_quasar
behavioral1/memory/2236-120-0x00000000002D0000-0x000000000061E000-memory.dmp	family_quasar
behavioral1/memory/748-131-0x00000000008E0000-0x0000000000C2E000-memory.dmp	family_quasar
behavioral1/memory/2324-142-0x0000000000C10000-0x0000000000F5E000-memory.dmp	family_quasar

Executes dropped EXE 13 IoCs

pid	Process
2380	java.exe
1852	java.exe
1784	java.exe
3012	java.exe
2328	java.exe
704	java.exe
952	java.exe
3052	java.exe
836	java.exe
1564	java.exe
2236	java.exe
748	java.exe
2324	java.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 13 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2092	PING.EXE
1484	PING.EXE
2264	PING.EXE
2536	PING.EXE
2272	PING.EXE
2004	PING.EXE
948	PING.EXE
2852	PING.EXE
2864	PING.EXE
2112	PING.EXE
1928	PING.EXE
796	PING.EXE
2336	PING.EXE

Runs ping.exe 1 TTPs 13 IoCs

Remote System Discovery

T1018

pid	Process
796	PING.EXE
2272	PING.EXE
2336	PING.EXE
2004	PING.EXE
948	PING.EXE
2092	PING.EXE
2852	PING.EXE
1484	PING.EXE
2864	PING.EXE
2536	PING.EXE
2264	PING.EXE
2112	PING.EXE
1928	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1600	schtasks.exe
2608	schtasks.exe
1648	schtasks.exe
1640	schtasks.exe
1048	schtasks.exe
2428	schtasks.exe
2736	schtasks.exe
1456	schtasks.exe
976	schtasks.exe
872	schtasks.exe
928	schtasks.exe
2220	schtasks.exe
868	schtasks.exe
2216	schtasks.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	3052	9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba.exe
Token: SeDebugPrivilege	2380	java.exe
Token: SeDebugPrivilege	1852	java.exe
Token: SeDebugPrivilege	1784	java.exe
Token: SeDebugPrivilege	3012	java.exe
Token: SeDebugPrivilege	2328	java.exe
Token: SeDebugPrivilege	704	java.exe
Token: SeDebugPrivilege	952	java.exe
Token: SeDebugPrivilege	3052	java.exe
Token: SeDebugPrivilege	836	java.exe
Token: SeDebugPrivilege	1564	java.exe
Token: SeDebugPrivilege	2236	java.exe
Token: SeDebugPrivilege	748	java.exe
Token: SeDebugPrivilege	2324	java.exe

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
2380	java.exe
1852	java.exe
1784	java.exe
3012	java.exe
2328	java.exe
704	java.exe
952	java.exe
3052	java.exe
836	java.exe
1564	java.exe
2236	java.exe
748	java.exe
2324	java.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
2380	java.exe
1852	java.exe
1784	java.exe
3012	java.exe
2328	java.exe
704	java.exe
952	java.exe
3052	java.exe
836	java.exe
1564	java.exe
2236	java.exe
748	java.exe
2324	java.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2216	3052	9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba.exe	30
PID 3052 wrote to memory of 2216	3052	9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba.exe	30
PID 3052 wrote to memory of 2216	3052	9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba.exe	30
PID 3052 wrote to memory of 2380	3052	9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba.exe	32
PID 3052 wrote to memory of 2380	3052	9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba.exe	32
PID 3052 wrote to memory of 2380	3052	9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba.exe	32
PID 2380 wrote to memory of 2736	2380	java.exe	33
PID 2380 wrote to memory of 2736	2380	java.exe	33
PID 2380 wrote to memory of 2736	2380	java.exe	33
PID 2380 wrote to memory of 2636	2380	java.exe	35
PID 2380 wrote to memory of 2636	2380	java.exe	35
PID 2380 wrote to memory of 2636	2380	java.exe	35
PID 2636 wrote to memory of 2660	2636	cmd.exe	37
PID 2636 wrote to memory of 2660	2636	cmd.exe	37
PID 2636 wrote to memory of 2660	2636	cmd.exe	37
PID 2636 wrote to memory of 796	2636	cmd.exe	38
PID 2636 wrote to memory of 796	2636	cmd.exe	38
PID 2636 wrote to memory of 796	2636	cmd.exe	38
PID 2636 wrote to memory of 1852	2636	cmd.exe	39
PID 2636 wrote to memory of 1852	2636	cmd.exe	39
PID 2636 wrote to memory of 1852	2636	cmd.exe	39
PID 1852 wrote to memory of 1648	1852	java.exe	40
PID 1852 wrote to memory of 1648	1852	java.exe	40
PID 1852 wrote to memory of 1648	1852	java.exe	40
PID 1852 wrote to memory of 2928	1852	java.exe	42
PID 1852 wrote to memory of 2928	1852	java.exe	42
PID 1852 wrote to memory of 2928	1852	java.exe	42
PID 2928 wrote to memory of 2964	2928	cmd.exe	44
PID 2928 wrote to memory of 2964	2928	cmd.exe	44
PID 2928 wrote to memory of 2964	2928	cmd.exe	44
PID 2928 wrote to memory of 2272	2928	cmd.exe	45
PID 2928 wrote to memory of 2272	2928	cmd.exe	45
PID 2928 wrote to memory of 2272	2928	cmd.exe	45
PID 2928 wrote to memory of 1784	2928	cmd.exe	46
PID 2928 wrote to memory of 1784	2928	cmd.exe	46
PID 2928 wrote to memory of 1784	2928	cmd.exe	46
PID 1784 wrote to memory of 872	1784	java.exe	47
PID 1784 wrote to memory of 872	1784	java.exe	47
PID 1784 wrote to memory of 872	1784	java.exe	47
PID 1784 wrote to memory of 780	1784	java.exe	49
PID 1784 wrote to memory of 780	1784	java.exe	49
PID 1784 wrote to memory of 780	1784	java.exe	49
PID 780 wrote to memory of 576	780	cmd.exe	51
PID 780 wrote to memory of 576	780	cmd.exe	51
PID 780 wrote to memory of 576	780	cmd.exe	51
PID 780 wrote to memory of 2336	780	cmd.exe	52
PID 780 wrote to memory of 2336	780	cmd.exe	52
PID 780 wrote to memory of 2336	780	cmd.exe	52
PID 780 wrote to memory of 3012	780	cmd.exe	53
PID 780 wrote to memory of 3012	780	cmd.exe	53
PID 780 wrote to memory of 3012	780	cmd.exe	53
PID 3012 wrote to memory of 1640	3012	java.exe	54
PID 3012 wrote to memory of 1640	3012	java.exe	54
PID 3012 wrote to memory of 1640	3012	java.exe	54
PID 3012 wrote to memory of 2588	3012	java.exe	56
PID 3012 wrote to memory of 2588	3012	java.exe	56
PID 3012 wrote to memory of 2588	3012	java.exe	56
PID 2588 wrote to memory of 2096	2588	cmd.exe	58
PID 2588 wrote to memory of 2096	2588	cmd.exe	58
PID 2588 wrote to memory of 2096	2588	cmd.exe	58
PID 2588 wrote to memory of 2004	2588	cmd.exe	59
PID 2588 wrote to memory of 2004	2588	cmd.exe	59
PID 2588 wrote to memory of 2004	2588	cmd.exe	59
PID 2588 wrote to memory of 2328	2588	cmd.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba.exe
"C:\Users\Admin\AppData\Local\Temp\9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2216
- C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2736
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\aeNVxScNoRDX.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2660
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:796
  - - C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
      "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1852
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1648
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mUYtM0ASOkuZ.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2928
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2964
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2272
      - C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:872
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\AHJjq7QOytjq.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:576
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2336
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1640
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LzUOmTZ2cqQc.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2096
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2004
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2328
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:976
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jzCYTeHuOBSA.bat" "
        11⤵
        
        PID:1356
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:296
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:948
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:704
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1456
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IjLa6VezvKAN.bat" "
        13⤵
        
        PID:108
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1336
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2092
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:952
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1600
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OaXxtAIVnv9R.bat" "
        15⤵
        
        PID:2016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2756
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2852
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3052
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2608
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LNk8z0uGYiZS.bat" "
        17⤵
        
        PID:3068
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1648
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1484
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:836
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1048
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GKWOQLYfl7h6.bat" "
        19⤵
        
        PID:1052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2788
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2864
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1564
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2428
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CzRCR83m7vGC.bat" "
        21⤵
        
        PID:2120
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2140
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2264
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2236
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:928
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bAK1uvaCD7MW.bat" "
        23⤵
        
        PID:1596
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2136
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2112
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:748
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2220
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KYQR7k4jN7V0.bat" "
        25⤵
        
        PID:2556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:824
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1928
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2324
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:868
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NLQzCpUvnGvP.bat" "
        27⤵
        
        PID:2260
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1924
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AHJjq7QOytjq.bat

Filesize
211B

MD5
2a85c7093e613d32fdbbfdb73e8e5761

SHA1
f69850cabae91d73572e78dc38f77b3a18ff3aa7

SHA256
659ede40b2c00be5b3753e321bf441578dfb178785b1e2a572d291762f71a3b1

SHA512
2e77a18995d85b31b0131e6956507063397d59617eb68952e9fd2e24f23c7e7eb44258d04fdde30f08f878b94bf603ca3bb23582d098cd18a4c9dd514da5607d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CzRCR83m7vGC.bat

Filesize
211B

MD5
c949479446d1bd58b3bb739d25570675

SHA1
03752c37dc26e208bf9fa68e8f57d1e53d2f5df3

SHA256
a9b7a2b8820b27db91451aa017a1e26f8a87ec54c0a41e8d5781737f69ed351b

SHA512
87d3d18c8c08cf4eddc03eb7ec1428d9b3500ab3c517b8b6e6b0bdcb71a5d2cbce69cf9e729667364d5ee71e14b4e3f46a2a33245bbb48e7f889e00c714c169a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GKWOQLYfl7h6.bat

Filesize
211B

MD5
b8ff4d04a1b63530ac643323503fb95d

SHA1
69240b3d0ac29b493c77501f493a36c006f4e12e

SHA256
0b20c723498f007676c517c7e7f31993ad07ab32e42c3f19fccf1f32490dafb1

SHA512
f1f9022d7621e358f1827c83e1c5d902666e2a73dbabbaba2c694af5a336b20cb12744a8894296789d6e49f24bbb7c85dc4ef746b645f14d95c71988e0e55d2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IjLa6VezvKAN.bat

Filesize
211B

MD5
06868101837880c6db3eecabf31c590f

SHA1
619d3aa62c595dbc2e29d1106c1ca09a16a0fa20

SHA256
5368ea8a33e99c74897e4f6bec54e521e9990a4e06d62b4d1e630ca7f6bb8bbd

SHA512
20bdad56044881e21561b21a50ca2876a60a84c381f493527158d1494b9054d31063ba1e42e66d2109afcfd9b9ef9211b5843f9874aee2afea2d30b36c2fc1b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYQR7k4jN7V0.bat

Filesize
211B

MD5
64b3a7a3900e568b6f0e14c133f70e69

SHA1
0687c3bd45eec925d20398936f57260130ff7f42

SHA256
19778d9a766f4f621c14c83d060c6694e91c5ff0b2fe1bd03c1cff82378f764b

SHA512
cf4e6fcd99b15115f958f3686e3b44cce88d8edad18a10addcee84b09a6cfd64ec01866ecad7e519d80a4cd19c25751c1ba126010acd0b4aee97a9ef49950ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\LNk8z0uGYiZS.bat

Filesize
211B

MD5
d8b087d76d5726ade7d5035969f62b0c

SHA1
d5a0d8b7f3133d4532033bb6881ac634a99bbc64

SHA256
250c13e1e09c6949cf7d6be86faa8c1e4f54b70e0a3b20973d4d80afb4b2ad97

SHA512
7234529db4341801c46a4f7fa65a493bdd5dfe588ec3085959807d7d11bf8cc6b3e627683d9b34c51b9d2ca527c6f1bf1c594246c2b1ae1fbdde5cf663daf3b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzUOmTZ2cqQc.bat

Filesize
211B

MD5
7d2b882e78c65b9fb181c8024e7391de

SHA1
6d9e62307c783332b1dd02ac87a3a417085bc4d0

SHA256
74d903c76ec5d6990cae022205bf8e823e2cbfe5aaf1b07e2031c2039281b9ca

SHA512
ff2e7e222b8c925d665fbfb6771828a37d82f0bb1866a50968375282c86d86f4c75f223a11c20183b0e489de7ba7227a22ddd13f0de0a9e3e038757c9a39331e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NLQzCpUvnGvP.bat

Filesize
211B

MD5
c201d203819ecdb4426ea2bcd5ae6b73

SHA1
624a7a1ef7402bbf99ac647c9a06e20bf83b34a2

SHA256
5a44a9b6c28d5bbcd1109bdd30fade95fe79b08ed2d57754f735b5684bad6a37

SHA512
82ed4f5be8717252ef5a85ceacc9e0dea1120b54312ed8a5f9ab29140516ba0d5ccfb87438985b6e8f90f1381d8602523e72b067c608f0847a14ff95cb0b3796

Download Submit
C:\Users\Admin\AppData\Local\Temp\OaXxtAIVnv9R.bat

Filesize
211B

MD5
8531b2672aa7006643f4c71ba46264ef

SHA1
bea12cb975baac157c1100a89e2f83bfe26cee5e

SHA256
d8d3ef350ee26c2cdbfd2e6a2ad249ea4058aa1215da9e1dad73ecffeab7063e

SHA512
038a3cd4758660a7957189b04de4f952f4a361e7fa55063823a2cac005024b7be5e43959f21973789851c4927d093ff6218845523c3be8d6b0757eec39f1ecef

Download Submit
C:\Users\Admin\AppData\Local\Temp\aeNVxScNoRDX.bat

Filesize
211B

MD5
f6e0c1cdc26e6e1346712afb8069f5f6

SHA1
b7a50c7158cbe758352fe1162901bd84966b4899

SHA256
7942d46e604f659a3f6f3cb2eec0be2c81e02e782e6d0c97a44a5ef26741914d

SHA512
3fe6cd8e0ebac987ad8111a17d52b1c715e9fb9160fa446cdd5826ce529bef29e836a2ff5ff7fe2ddf278918b2ec0ae3f14791529ab97d2ce6bc6dfa4f4922bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\bAK1uvaCD7MW.bat

Filesize
211B

MD5
534ca7d02641afed962c69d13bbdc292

SHA1
c126267d39baece1b85a7e83fe4d620eb6a6ec31

SHA256
78ada1e35b2a32e8306c29f83db5342970c7ef094b8fb9cf9ba3e017fd03b82f

SHA512
dbadf712006d610fbf77765b3e3f59ca1508ddf56e129caca7c58c8ab68d19542fa5318d533348ea45f31b29d1382b59b95f82f94613d82dc95b90f9d4be2062

Download Submit
C:\Users\Admin\AppData\Local\Temp\jzCYTeHuOBSA.bat

Filesize
211B

MD5
39408d2d0edb630f5a441b228542dd6a

SHA1
a69f565f86aafc43bedbb0e4820e782dfa2b2731

SHA256
7b912586cb3b3e52100344ab89d23c72c8f0d429a141466825f55119cabfa97a

SHA512
0ef0eb55d773dfc0d6d58ca2c3d75405acf0bb8fa20beb1ca82b51f8d7691a51fb068de2e593fc62a6a54b8b64aad2c7bad27b79486d83f92dbb7cc8bba041b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUYtM0ASOkuZ.bat

Filesize
211B

MD5
8893ba2a7c7796e2d1dfb95ce2b04064

SHA1
a32a88d743c7572eb160c02fdb5225315860cdda

SHA256
801f92dd369ef5dbdc053429a63278d019afc94de076d3314cbbd873badabc49

SHA512
522e5866bef671d9ae354962473fb851384c00fdddce0fed52d6887c234c3ecbb3080941b1dacde52c3521d2d0162eca5af1dc49ea5e2336da83b0462bd2620a

Download Submit
C:\Users\Admin\AppData\Roaming\Programfiles\java.exe

Filesize
3.3MB

MD5
f29f701e76e3a435acdd474a41fa60ba

SHA1
10f06b6fc259131d8b6a5423972a1e55b62ce478

SHA256
9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba

SHA512
0d5088f4f685b6d29edec7cc7e8bfe7c594fa6b3fde2a6b11ee977455d6fe088e04e899203171ff519cf9d2b5a78231f3650774cc17824219f43f947d13a86e9

Download Submit
memory/748-131-0x00000000008E0000-0x0000000000C2E000-memory.dmp

Filesize
3.3MB

Download
memory/836-97-0x0000000000280000-0x00000000005CE000-memory.dmp

Filesize
3.3MB

Download
memory/1564-109-0x0000000000980000-0x0000000000CCE000-memory.dmp

Filesize
3.3MB

Download
memory/1784-34-0x0000000000AF0000-0x0000000000E3E000-memory.dmp

Filesize
3.3MB

Download
memory/1852-23-0x00000000001E0000-0x000000000052E000-memory.dmp

Filesize
3.3MB

Download
memory/2236-120-0x00000000002D0000-0x000000000061E000-memory.dmp

Filesize
3.3MB

Download
memory/2324-142-0x0000000000C10000-0x0000000000F5E000-memory.dmp

Filesize
3.3MB

Download
memory/2328-56-0x0000000000FD0000-0x000000000131E000-memory.dmp

Filesize
3.3MB

Download
memory/2380-10-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp

Filesize
9.9MB

Download
memory/2380-9-0x0000000000AB0000-0x0000000000DFE000-memory.dmp

Filesize
3.3MB

Download
memory/2380-11-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp

Filesize
9.9MB

Download
memory/2380-21-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp

Filesize
9.9MB

Download
memory/3012-45-0x0000000000E00000-0x000000000114E000-memory.dmp

Filesize
3.3MB

Download
memory/3052-0-0x000007FEF5EF3000-0x000007FEF5EF4000-memory.dmp

Filesize
4KB

Download
memory/3052-8-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp

Filesize
9.9MB

Download
memory/3052-2-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp

Filesize
9.9MB

Download
memory/3052-1-0x00000000012D0000-0x000000000161E000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads