quasar | 71d5442831a53d429d61cfdb48bb92ea0a30ca91782fb3b219bd9b3fe3d9cff2

Analysis

max time kernel
149s
max time network
141s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
16-12-2024 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FlashingSoftwarePRO.exe
Size

3.1MB
MD5

71b0a3eb76e864f63a108192fce45858
SHA1

e7bc4b311934f8223ef98483a8092c3c9cc5b95a
SHA256

71d5442831a53d429d61cfdb48bb92ea0a30ca91782fb3b219bd9b3fe3d9cff2
SHA512

a35ddfe5d194be8ec7b5444b4e1e0756de8cc7957f59cea217fe26446b299519c6676eafece1fd49e5107c34721af47402dc8aefb76f040deb5bcd51e7a2eef1
SSDEEP

49152:rvSe821/aQWl8P0lSk3aKA3Z+nHPLk9h4vJeLoGd+THHB72eh2NT:rvp821/aQWl8P0lSk3DA3Z+nIhZ

Score

10^/10

quasar svchost discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

svchost

quasqy10-51732.portmap.host:4782

193.161.193.99:4782

quasqy10-51732.portmap.host:1194

Mutex

1254c7bb-0f09-42ad-83dc-450c6528bddb

Attributes

encryption_key
BDB44181C868606DFCA1741A69056AAA62DADEFC
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
RuntimeBroker
subdirectory
System32

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/5000-1-0x0000000000E20000-0x0000000001144000-memory.dmp	family_quasar
behavioral1/files/0x0028000000046113-3.dat	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 15 IoCs

pid	Process
2980	svchost.exe
3416	svchost.exe
2288	svchost.exe
1252	svchost.exe
2644	svchost.exe
564	svchost.exe
3820	svchost.exe
4628	svchost.exe
3728	svchost.exe
2556	svchost.exe
1816	svchost.exe
3700	svchost.exe
3716	svchost.exe
1156	svchost.exe
720	svchost.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\System32	FlashingSoftwarePRO.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File created	C:\Windows\system32\System32\svchost.exe	FlashingSoftwarePRO.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3700	PING.EXE
1168	PING.EXE
3148	PING.EXE
4128	PING.EXE
4956	PING.EXE
3068	PING.EXE
3660	PING.EXE
2104	PING.EXE
4860	PING.EXE
2984	PING.EXE
4768	PING.EXE
1836	PING.EXE
1756	PING.EXE
5116	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
1836	PING.EXE
4860	PING.EXE
5116	PING.EXE
3148	PING.EXE
3700	PING.EXE
4128	PING.EXE
1168	PING.EXE
1756	PING.EXE
4768	PING.EXE
3660	PING.EXE
4956	PING.EXE
3068	PING.EXE
2104	PING.EXE
2984	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4828	schtasks.exe
4420	schtasks.exe
796	schtasks.exe
3048	schtasks.exe
4604	schtasks.exe
2588	schtasks.exe
3980	schtasks.exe
3600	schtasks.exe
4248	schtasks.exe
1952	schtasks.exe
3832	schtasks.exe
1772	schtasks.exe
2144	schtasks.exe
2960	schtasks.exe
3444	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	5000	FlashingSoftwarePRO.exe
Token: SeDebugPrivilege	2980	svchost.exe
Token: SeDebugPrivilege	3416	svchost.exe
Token: SeDebugPrivilege	2288	svchost.exe
Token: SeDebugPrivilege	1252	svchost.exe
Token: SeDebugPrivilege	2644	svchost.exe
Token: SeDebugPrivilege	564	svchost.exe
Token: SeDebugPrivilege	3820	svchost.exe
Token: SeDebugPrivilege	4628	svchost.exe
Token: SeDebugPrivilege	3728	svchost.exe
Token: SeDebugPrivilege	2556	svchost.exe
Token: SeDebugPrivilege	1816	svchost.exe
Token: SeDebugPrivilege	3700	svchost.exe
Token: SeDebugPrivilege	3716	svchost.exe
Token: SeDebugPrivilege	1156	svchost.exe
Token: SeDebugPrivilege	720	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 4604	5000	FlashingSoftwarePRO.exe	81
PID 5000 wrote to memory of 4604	5000	FlashingSoftwarePRO.exe	81
PID 5000 wrote to memory of 2980	5000	FlashingSoftwarePRO.exe	83
PID 5000 wrote to memory of 2980	5000	FlashingSoftwarePRO.exe	83
PID 2980 wrote to memory of 1952	2980	svchost.exe	84
PID 2980 wrote to memory of 1952	2980	svchost.exe	84
PID 2980 wrote to memory of 2868	2980	svchost.exe	86
PID 2980 wrote to memory of 2868	2980	svchost.exe	86
PID 2868 wrote to memory of 4076	2868	cmd.exe	88
PID 2868 wrote to memory of 4076	2868	cmd.exe	88
PID 2868 wrote to memory of 3660	2868	cmd.exe	89
PID 2868 wrote to memory of 3660	2868	cmd.exe	89
PID 2868 wrote to memory of 3416	2868	cmd.exe	90
PID 2868 wrote to memory of 3416	2868	cmd.exe	90
PID 3416 wrote to memory of 3832	3416	svchost.exe	91
PID 3416 wrote to memory of 3832	3416	svchost.exe	91
PID 3416 wrote to memory of 3604	3416	svchost.exe	93
PID 3416 wrote to memory of 3604	3416	svchost.exe	93
PID 3604 wrote to memory of 2840	3604	cmd.exe	95
PID 3604 wrote to memory of 2840	3604	cmd.exe	95
PID 3604 wrote to memory of 3148	3604	cmd.exe	96
PID 3604 wrote to memory of 3148	3604	cmd.exe	96
PID 3604 wrote to memory of 2288	3604	cmd.exe	97
PID 3604 wrote to memory of 2288	3604	cmd.exe	97
PID 2288 wrote to memory of 2144	2288	svchost.exe	98
PID 2288 wrote to memory of 2144	2288	svchost.exe	98
PID 2288 wrote to memory of 4092	2288	svchost.exe	100
PID 2288 wrote to memory of 4092	2288	svchost.exe	100
PID 4092 wrote to memory of 1152	4092	cmd.exe	102
PID 4092 wrote to memory of 1152	4092	cmd.exe	102
PID 4092 wrote to memory of 4768	4092	cmd.exe	103
PID 4092 wrote to memory of 4768	4092	cmd.exe	103
PID 4092 wrote to memory of 1252	4092	cmd.exe	106
PID 4092 wrote to memory of 1252	4092	cmd.exe	106
PID 1252 wrote to memory of 1772	1252	svchost.exe	107
PID 1252 wrote to memory of 1772	1252	svchost.exe	107
PID 1252 wrote to memory of 3040	1252	svchost.exe	109
PID 1252 wrote to memory of 3040	1252	svchost.exe	109
PID 3040 wrote to memory of 1968	3040	cmd.exe	111
PID 3040 wrote to memory of 1968	3040	cmd.exe	111
PID 3040 wrote to memory of 3700	3040	cmd.exe	112
PID 3040 wrote to memory of 3700	3040	cmd.exe	112
PID 3040 wrote to memory of 2644	3040	cmd.exe	113
PID 3040 wrote to memory of 2644	3040	cmd.exe	113
PID 2644 wrote to memory of 2960	2644	svchost.exe	114
PID 2644 wrote to memory of 2960	2644	svchost.exe	114
PID 2644 wrote to memory of 1528	2644	svchost.exe	116
PID 2644 wrote to memory of 1528	2644	svchost.exe	116
PID 1528 wrote to memory of 3540	1528	cmd.exe	118
PID 1528 wrote to memory of 3540	1528	cmd.exe	118
PID 1528 wrote to memory of 4128	1528	cmd.exe	119
PID 1528 wrote to memory of 4128	1528	cmd.exe	119
PID 1528 wrote to memory of 564	1528	cmd.exe	120
PID 1528 wrote to memory of 564	1528	cmd.exe	120
PID 564 wrote to memory of 4828	564	svchost.exe	121
PID 564 wrote to memory of 4828	564	svchost.exe	121
PID 564 wrote to memory of 4548	564	svchost.exe	123
PID 564 wrote to memory of 4548	564	svchost.exe	123
PID 4548 wrote to memory of 4560	4548	cmd.exe	125
PID 4548 wrote to memory of 4560	4548	cmd.exe	125
PID 4548 wrote to memory of 4956	4548	cmd.exe	126
PID 4548 wrote to memory of 4956	4548	cmd.exe	126
PID 4548 wrote to memory of 3820	4548	cmd.exe	127
PID 4548 wrote to memory of 3820	4548	cmd.exe	127

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\FlashingSoftwarePRO.exe
"C:\Users\Admin\AppData\Local\Temp\FlashingSoftwarePRO.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4604
- C:\Windows\system32\System32\svchost.exe
  "C:\Windows\system32\System32\svchost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SQMtxJmWpaCh.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4076
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3660
  - - C:\Windows\system32\System32\svchost.exe
      "C:\Windows\system32\System32\svchost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3416
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3832
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HEbbUuMEeezw.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3604
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2840
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3148
      - C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\T6ctC3YsTx4V.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1152
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4768
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1772
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ow0eusIySeps.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1968
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3700
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\p8eSKodasVdu.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3540
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4128
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4828
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2qbL0BrvXdxQ.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4560
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4956
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3820
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\J9TAKTHL5cbL.bat" "
        15⤵
        
        PID:3608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4136
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3068
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4628
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2588
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Lbl4XZQmleqo.bat" "
        17⤵
        
        PID:3520
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:5044
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1836
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3728
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:796
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CNkuKEWdxNfV.bat" "
        19⤵
        
        PID:4120
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4748
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2104
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iprmp7jukFH2.bat" "
        21⤵
        
        PID:2908
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1168
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\81Zu2x0S3MqO.bat" "
        23⤵
        
        PID:1592
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3196
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4860
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3700
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Qakdm5IafgX8.bat" "
        25⤵
        
        PID:1940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3436
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1756
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3716
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fcvIOHLUWwf7.bat" "
        27⤵
        
        PID:2576
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4660
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5116
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4248
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ngtegxel3mCC.bat" "
        29⤵
        
        PID:2392
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1096
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2984
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Filesize
2KB

MD5
7787ce173dfface746f5a9cf5477883d

SHA1
4587d870e914785b3a8fb017fec0c0f1c7ec0004

SHA256
c339149818fa8f9e5af4627715c3afe4f42bc1267df17d77a278d4c811ed8df1

SHA512
3a630053ae99114292f8cf8d45600f8fe72125795252bf76677663476bd2275be084a1af2fcb4ce30409ba1b5829b2b3ffb6795de46d2a703c3314017a86f1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\2qbL0BrvXdxQ.bat

Filesize
199B

MD5
c0af29582e8cc39c511edc71986486ac

SHA1
b92ee3019530e58d4470259f4e27e998a2d0cca9

SHA256
88f18c921286148e24805f356472f41c0a6011b644ed89febdfe04668cd2b77b

SHA512
36161c5b23609052d1edf64ebcfc236f9590312be09c79c62966b9a0b5e02563accf75e172af79de81e5d9b709c775139e69ae8b12f7edaaccaeb7ffbf9a87aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\81Zu2x0S3MqO.bat

Filesize
199B

MD5
40abac4d275931662f809a9663aa0734

SHA1
21fc2c688e7a0c0d54de99849ffbc0220e31b582

SHA256
4027441d334f818b402ef452491e591e302929629aa0bd3537925ab15104531b

SHA512
36c077547754544d8b523c7cdf2226e8d6a1ad3764acce868f00515285235e114c263690934cd35f671198e9cdc73ae4309fd5d4b8cee9f6bd0b0ed0c4522f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\CNkuKEWdxNfV.bat

Filesize
199B

MD5
ae8e6b0b97f98cf74114466c21395738

SHA1
8a3630d71d0e61b32a19e2d942f0d136b69dadc5

SHA256
8ebeb6cbfaa19d0b934566714591142dda970442f0a0258b44de10d5ee60f3df

SHA512
d11cafe2eb335032d1afb9fee61e7a0cb6c1d964b07ef703f3acfd328279b465030e2d0003e5d0c108b895305f54991d97d9ff68cfb9e4c82d82cb03087d1220

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEbbUuMEeezw.bat

Filesize
199B

MD5
88d6d79325c02fd1685ea026d8913637

SHA1
225d549c2d745d27d8000c1f0f59df238578f51d

SHA256
a76ae1da57383599560a9d3c9b4a5de8a536e7252e215c241be3eb5c2550c77b

SHA512
32934df32139b7de2192eb45137acae03f02142767db5556c9b4e2cd3a168088984526959ab0f6af0b42c8e376b7ec8070ba3e1905a8009ba89213560f206ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\J9TAKTHL5cbL.bat

Filesize
199B

MD5
e844d95a4e5eea2b7bcce8be60d8708e

SHA1
656c590842f8a0fac27fac30f0fe428234680a78

SHA256
756dc914bacce02d7c42d16ea7c0e9fdea739988fd5aea485f549f773488d066

SHA512
7ffb09078967d8faf5d64bc7ec94caa46e9136e6d3fd7347b3fac72629ee17d33cabe0aa03a1429149666442a32433abc1b35b971ad03d57c3a35f56d3a1e853

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lbl4XZQmleqo.bat

Filesize
199B

MD5
fa2e907827911f34a66eaf505ee4e58d

SHA1
73ab1905ad2ef0a4f02f08e69e16c478fc733f50

SHA256
6d664c4255984ff2e454ad3c5f3b65bb2301339a6c0bdd02799d415db6e38829

SHA512
55c74c0c0378fbc79c3a07b3cd7b7f59ea489ffc3990d6e3905e39a16a40de7d67f5f2920f3345b545e71d80d910c745ad3906f072e68672c4363b00a1c4b157

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qakdm5IafgX8.bat

Filesize
199B

MD5
07a5a95deefd358c66e5c25a7e89bdc2

SHA1
587174792cb35181d1b6558e5c9d7d1a2ddcd4ce

SHA256
2a7a23be574ac280d1e38208a71ac172ba3d5f522c5c90393f90be5f0df22bbd

SHA512
b8e8a967e1e1da5c12fd7f2f8aa89d8dcabea2ac4d4d78445bcf5e70cfc5b3ee0cc3ba2aa9265c4ee28cf23082311cb2bb00eb66f35b934a41aab553dc84fba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQMtxJmWpaCh.bat

Filesize
199B

MD5
a3b89f2cf7ef08ed93164d4253f993c5

SHA1
0c08da5695b066e7f184f4abfa783b6b2715ca80

SHA256
015ded7005f2b7fd8ad2f76f3404f093569f054af5c5805a13beb2fc5999039b

SHA512
cc4a4387e5720b896ef62e20ac3d9451c0dd28a241e41a2be310f1c0897e64d6e38f12daf94248e1a089fc5e446d7d1dec0204bb5d22435aeb7a1f5a761e2d07

Download Submit
C:\Users\Admin\AppData\Local\Temp\T6ctC3YsTx4V.bat

Filesize
199B

MD5
7459a43a2f2671d7c597718d40ac9897

SHA1
05f426b2be34c80657d9cc7a67f5b30df0b5c108

SHA256
c8b5d39770f6216a0442f1e2202c8538930367e93b5eed595f1882742067fb26

SHA512
1f0c34b0f80a9e38b0fac274ba31167c5a1dfa2db4f157ce566a61da8a5727c03f8c4d11f1d41dcc6949da7dbd952038423d4750b9801b156f4187d61ba0c36c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcvIOHLUWwf7.bat

Filesize
199B

MD5
999e4767b7e68aaa024bf38e3cbd8fbe

SHA1
e74557abd9a9fbf3f229d239f14485d0773ec1da

SHA256
0b7c8523af498f62439203f941fcc85a543e1d6ff3e83263256706d2d0a06537

SHA512
6cfbe33ffec166795c65b6d278b49e9718da2e6b736c07e30229fd535a1fad638b92ceab16e3784bc179dfe0ffe109a425d15a997f17f3b3c45e33919fc79c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\iprmp7jukFH2.bat

Filesize
199B

MD5
b0c5f629438053ab498b5da992a2c463

SHA1
d095ea24e1739410ed78c752a2acf8f44e595dc0

SHA256
62dde16426a3b4695665f276b6d29bdcfef0c4bd4f6136990af17624921866c9

SHA512
c26954da938e05f7c52bea963b6412a9adb18f05000f12362df3e4ef7623f9f94d568e26d3b48b7629bc2d5c34f7b0aecdd4b57d798ab5b5b02ddc3bd48e910c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngtegxel3mCC.bat

Filesize
199B

MD5
4cc53236598a1bd72e141211ff800008

SHA1
b13947f87e46ad5f895cc6f6cc5da11f2d039710

SHA256
2143dac4b7c4f15d799e1005398429dac88d47051f57685629da159e75f70902

SHA512
6f46e4e1e888f3c4273c8b2d09d9d2b85b872ebb0ca9a4b0255a3f06bbafb721905d3eaced16ea694e00f81e77165c7d3c8eccffb251c54ca6114dda3a2a02d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ow0eusIySeps.bat

Filesize
199B

MD5
af1662693349ffe1b369380ab680c272

SHA1
d75511832f65134edc072a388e56156897de416c

SHA256
3f467d1325f1619d37e23207adf8d1173e3f1264625be39469e929ba9137a251

SHA512
6149d2999ddd744013164bbc4d7a5f459d3bd87dbcefae33d16c0fa850fa06daaed8a7b9d5698a2029deec77e64fb24b2b220b5d682b9936633297d8e3b7ce51

Download Submit
C:\Users\Admin\AppData\Local\Temp\p8eSKodasVdu.bat

Filesize
199B

MD5
93e867455346004bb9e985394b0eb239

SHA1
5452a64cca27537fcd7e1e80a476a3889c188c7d

SHA256
2cc7970d7df2ab792d01f9057497c4c5a3c87ee7be2a6f94d428de3adfe81a9d

SHA512
ac6207f6ba80140b16baeb7e372234f9c06861402feed2362dc2531f4d79e638fd26ee3a8bd07d75266d25375a32252f6f732eddf3a8ad7710189fb17978f8c9

Download Submit
C:\Windows\System32\System32\svchost.exe

Filesize
3.1MB

MD5
71b0a3eb76e864f63a108192fce45858

SHA1
e7bc4b311934f8223ef98483a8092c3c9cc5b95a

SHA256
71d5442831a53d429d61cfdb48bb92ea0a30ca91782fb3b219bd9b3fe3d9cff2

SHA512
a35ddfe5d194be8ec7b5444b4e1e0756de8cc7957f59cea217fe26446b299519c6676eafece1fd49e5107c34721af47402dc8aefb76f040deb5bcd51e7a2eef1

Download Submit
memory/2980-7-0x000000001BD50000-0x000000001BDA0000-memory.dmp

Filesize
320KB

Download
memory/2980-6-0x00007FFD3A280000-0x00007FFD3AD42000-memory.dmp

Filesize
10.8MB

Download
memory/2980-16-0x00007FFD3A280000-0x00007FFD3AD42000-memory.dmp

Filesize
10.8MB

Download
memory/2980-8-0x000000001BE60000-0x000000001BF12000-memory.dmp

Filesize
712KB

Download
memory/5000-5-0x00007FFD3A280000-0x00007FFD3AD42000-memory.dmp

Filesize
10.8MB

Download
memory/5000-2-0x00007FFD3A280000-0x00007FFD3AD42000-memory.dmp

Filesize
10.8MB

Download
memory/5000-1-0x0000000000E20000-0x0000000001144000-memory.dmp

Filesize
3.1MB

Download
memory/5000-0-0x00007FFD3A283000-0x00007FFD3A285000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads