quasar | 527ebcd94bab6471192fa739e3ee318a7781c79c5a266b0795214bce0398ed35

Analysis

max time kernel
143s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FlashingSoftwarePRO.exe
Size

3.1MB
MD5

cee9f55f2ed2ad11bf3acb650277237a
SHA1

3515900f7d4ba68720cb506200f2dcff401a9a6e
SHA256

527ebcd94bab6471192fa739e3ee318a7781c79c5a266b0795214bce0398ed35
SHA512

da46b87edbf315b88f069d2670c440fb9ea76a1bde9742855fcf80c7bbad5ea4d895c90d97d62a57782cd2572f3db7c90667aabe34e37c6bf543da6ea323d906
SSDEEP

49152:/vJuf2NUaNmwzPWlvdaKM7ZxTwqky3EfsKk/WPIoGd0THHB72eh2NT:/vkf2NUaNmwzPWlvdaB7ZxTwqkyAw

Score

10^/10

quasar svchost discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

svchost

quasqy10-51732.portmap.host:4782

193.161.193.99:4782

Mutex

7d600197-9219-48e3-b7cb-1cd264aa77fa

Attributes

encryption_key
BDB44181C868606DFCA1741A69056AAA62DADEFC
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
RuntimeBroker
subdirectory
System32

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 11 IoCs

resource	yara_rule
behavioral1/memory/2756-1-0x0000000000A90000-0x0000000000DB4000-memory.dmp	family_quasar
behavioral1/files/0x0008000000015e8f-5.dat	family_quasar
behavioral1/memory/2744-7-0x0000000000DD0000-0x00000000010F4000-memory.dmp	family_quasar
behavioral1/memory/1248-53-0x00000000010C0000-0x00000000013E4000-memory.dmp	family_quasar
behavioral1/memory/2692-74-0x0000000001270000-0x0000000001594000-memory.dmp	family_quasar
behavioral1/memory/2776-85-0x00000000003F0000-0x0000000000714000-memory.dmp	family_quasar
behavioral1/memory/1624-96-0x00000000000A0000-0x00000000003C4000-memory.dmp	family_quasar
behavioral1/memory/1704-107-0x0000000000DA0000-0x00000000010C4000-memory.dmp	family_quasar
behavioral1/memory/1696-119-0x0000000000EA0000-0x00000000011C4000-memory.dmp	family_quasar
behavioral1/memory/2768-151-0x0000000000F20000-0x0000000001244000-memory.dmp	family_quasar
behavioral1/memory/2992-162-0x0000000001220000-0x0000000001544000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2744	svchost.exe
596	svchost.exe
2856	svchost.exe
396	svchost.exe
1248	svchost.exe
1384	svchost.exe
2692	svchost.exe
2776	svchost.exe
1624	svchost.exe
1704	svchost.exe
1696	svchost.exe
1284	svchost.exe
1652	svchost.exe
2768	svchost.exe
2992	svchost.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	FlashingSoftwarePRO.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32\svchost.exe	FlashingSoftwarePRO.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File created	C:\Windows\system32\System32\svchost.exe	FlashingSoftwarePRO.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
276	PING.EXE
704	PING.EXE
2512	PING.EXE
816	PING.EXE
1236	PING.EXE
280	PING.EXE
2428	PING.EXE
1128	PING.EXE
1708	PING.EXE
2988	PING.EXE
988	PING.EXE
780	PING.EXE
2928	PING.EXE
1892	PING.EXE
2228	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2988	PING.EXE
780	PING.EXE
816	PING.EXE
1128	PING.EXE
2228	PING.EXE
2928	PING.EXE
704	PING.EXE
1892	PING.EXE
1708	PING.EXE
2428	PING.EXE
276	PING.EXE
280	PING.EXE
988	PING.EXE
1236	PING.EXE
2512	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2972	schtasks.exe
1168	schtasks.exe
320	schtasks.exe
2892	schtasks.exe
600	schtasks.exe
1604	schtasks.exe
2756	schtasks.exe
2916	schtasks.exe
1536	schtasks.exe
2940	schtasks.exe
3044	schtasks.exe
1004	schtasks.exe
2508	schtasks.exe
484	schtasks.exe
396	schtasks.exe
920	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	FlashingSoftwarePRO.exe
Token: SeDebugPrivilege	2744	svchost.exe
Token: SeDebugPrivilege	596	svchost.exe
Token: SeDebugPrivilege	2856	svchost.exe
Token: SeDebugPrivilege	396	svchost.exe
Token: SeDebugPrivilege	1248	svchost.exe
Token: SeDebugPrivilege	1384	svchost.exe
Token: SeDebugPrivilege	2692	svchost.exe
Token: SeDebugPrivilege	2776	svchost.exe
Token: SeDebugPrivilege	1624	svchost.exe
Token: SeDebugPrivilege	1704	svchost.exe
Token: SeDebugPrivilege	1696	svchost.exe
Token: SeDebugPrivilege	1284	svchost.exe
Token: SeDebugPrivilege	1652	svchost.exe
Token: SeDebugPrivilege	2768	svchost.exe
Token: SeDebugPrivilege	2992	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2744	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2892	2756	FlashingSoftwarePRO.exe	30
PID 2756 wrote to memory of 2892	2756	FlashingSoftwarePRO.exe	30
PID 2756 wrote to memory of 2892	2756	FlashingSoftwarePRO.exe	30
PID 2756 wrote to memory of 2744	2756	FlashingSoftwarePRO.exe	32
PID 2756 wrote to memory of 2744	2756	FlashingSoftwarePRO.exe	32
PID 2756 wrote to memory of 2744	2756	FlashingSoftwarePRO.exe	32
PID 2744 wrote to memory of 2972	2744	svchost.exe	33
PID 2744 wrote to memory of 2972	2744	svchost.exe	33
PID 2744 wrote to memory of 2972	2744	svchost.exe	33
PID 2744 wrote to memory of 2672	2744	svchost.exe	35
PID 2744 wrote to memory of 2672	2744	svchost.exe	35
PID 2744 wrote to memory of 2672	2744	svchost.exe	35
PID 2672 wrote to memory of 2488	2672	cmd.exe	37
PID 2672 wrote to memory of 2488	2672	cmd.exe	37
PID 2672 wrote to memory of 2488	2672	cmd.exe	37
PID 2672 wrote to memory of 2228	2672	cmd.exe	38
PID 2672 wrote to memory of 2228	2672	cmd.exe	38
PID 2672 wrote to memory of 2228	2672	cmd.exe	38
PID 2672 wrote to memory of 596	2672	cmd.exe	39
PID 2672 wrote to memory of 596	2672	cmd.exe	39
PID 2672 wrote to memory of 596	2672	cmd.exe	39
PID 596 wrote to memory of 600	596	svchost.exe	40
PID 596 wrote to memory of 600	596	svchost.exe	40
PID 596 wrote to memory of 600	596	svchost.exe	40
PID 596 wrote to memory of 340	596	svchost.exe	42
PID 596 wrote to memory of 340	596	svchost.exe	42
PID 596 wrote to memory of 340	596	svchost.exe	42
PID 340 wrote to memory of 2708	340	cmd.exe	44
PID 340 wrote to memory of 2708	340	cmd.exe	44
PID 340 wrote to memory of 2708	340	cmd.exe	44
PID 340 wrote to memory of 2988	340	cmd.exe	45
PID 340 wrote to memory of 2988	340	cmd.exe	45
PID 340 wrote to memory of 2988	340	cmd.exe	45
PID 340 wrote to memory of 2856	340	cmd.exe	46
PID 340 wrote to memory of 2856	340	cmd.exe	46
PID 340 wrote to memory of 2856	340	cmd.exe	46
PID 2856 wrote to memory of 2940	2856	svchost.exe	47
PID 2856 wrote to memory of 2940	2856	svchost.exe	47
PID 2856 wrote to memory of 2940	2856	svchost.exe	47
PID 2856 wrote to memory of 2280	2856	svchost.exe	49
PID 2856 wrote to memory of 2280	2856	svchost.exe	49
PID 2856 wrote to memory of 2280	2856	svchost.exe	49
PID 2280 wrote to memory of 2996	2280	cmd.exe	51
PID 2280 wrote to memory of 2996	2280	cmd.exe	51
PID 2280 wrote to memory of 2996	2280	cmd.exe	51
PID 2280 wrote to memory of 988	2280	cmd.exe	52
PID 2280 wrote to memory of 988	2280	cmd.exe	52
PID 2280 wrote to memory of 988	2280	cmd.exe	52
PID 2280 wrote to memory of 396	2280	cmd.exe	53
PID 2280 wrote to memory of 396	2280	cmd.exe	53
PID 2280 wrote to memory of 396	2280	cmd.exe	53
PID 396 wrote to memory of 3044	396	svchost.exe	54
PID 396 wrote to memory of 3044	396	svchost.exe	54
PID 396 wrote to memory of 3044	396	svchost.exe	54
PID 396 wrote to memory of 2512	396	svchost.exe	56
PID 396 wrote to memory of 2512	396	svchost.exe	56
PID 396 wrote to memory of 2512	396	svchost.exe	56
PID 2512 wrote to memory of 2500	2512	cmd.exe	58
PID 2512 wrote to memory of 2500	2512	cmd.exe	58
PID 2512 wrote to memory of 2500	2512	cmd.exe	58
PID 2512 wrote to memory of 2428	2512	cmd.exe	59
PID 2512 wrote to memory of 2428	2512	cmd.exe	59
PID 2512 wrote to memory of 2428	2512	cmd.exe	59
PID 2512 wrote to memory of 1248	2512	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\FlashingSoftwarePRO.exe
"C:\Users\Admin\AppData\Local\Temp\FlashingSoftwarePRO.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2892
- C:\Windows\system32\System32\svchost.exe
  "C:\Windows\system32\System32\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2972
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\iIGHwTOBJJYC.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2488
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2228
  - - C:\Windows\system32\System32\svchost.exe
      "C:\Windows\system32\System32\svchost.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:596
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:600
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\8b0NJGAL8GVr.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:340
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2708
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2988
      - C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2940
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\g825YpIrUG88.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2996
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:988
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3044
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\6shJdHxTHO6N.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2500
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2428
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1604
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\4UE9OCpSB8kA.bat" "
        11⤵
        
        PID:1712
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1548
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:780
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1004
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\9IFjmJhWxSUN.bat" "
        13⤵
        
        PID:1616
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:848
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1236
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2508
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\S2lNWvT7uiKp.bat" "
        15⤵
        
        PID:3016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2572
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:816
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2756
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\4YmOjOWxQjtD.bat" "
        17⤵
        
        PID:528
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2680
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:276
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:484
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wA4Ut1xuTqXs.bat" "
        19⤵
        
        PID:2968
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2104
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2928
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2916
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ImXFn1bInf7L.bat" "
        21⤵
        
        PID:2516
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2160
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:704
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:396
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nZSpV35NdSNm.bat" "
        23⤵
        
        PID:2480
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1016
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2512
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1168
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\R59xaxTjQPLv.bat" "
        25⤵
        
        PID:1796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:972
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1892
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:920
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EZ7N5kHjYpCj.bat" "
        27⤵
        
        PID:2292
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1020
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1708
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1536
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\a2CFWjfY1SHC.bat" "
        29⤵
        
        PID:1800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2640
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:280
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:320
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bUp2SonQfvaT.bat" "
        31⤵
        
        PID:2208
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:332
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4UE9OCpSB8kA.bat

Filesize
199B

MD5
c73ff61f27ce292d9b4f73b289216a9f

SHA1
230c8ee9389c336cacc2c9fe6b456a4a507fc5b1

SHA256
f513f76e7c11a4f6aa180097f42b62e89fb28f6a6ded0ac22304573b8057f591

SHA512
78252fe5cd720fb8f09ef5759c46b3e8692e057c11faedb420692de321a17e942e73596f6f3387acf73e96490bb9f790a3a6c01f9276079ae301b4a5b5ebea98

Download Submit
C:\Users\Admin\AppData\Local\Temp\4YmOjOWxQjtD.bat

Filesize
199B

MD5
31d0c3aca382f8272ba3b6bb0f74a1d5

SHA1
a3fae4f57c5b2635a17e42a4cb7da47196ecb54e

SHA256
2927549021def6018d1ff6c81fe8dfb181dad2001a25329b06a2f8ba51d8c56e

SHA512
c5c04c2ae11f3a76a68aa42f1b0dad0999db6bb7b0b859dad92710afc0296f98b419f96a8cf0bebacbb15a4f7b51da004d9032f58742bd2a7e639cd03a3f848a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6shJdHxTHO6N.bat

Filesize
199B

MD5
c038403def60a0e49e8c24141ae3e8c4

SHA1
42c5cf1235a4dad6ca689d73a7635a03dd78ed41

SHA256
afe5aebd3269e6152724b7a89746856cfb007d6f856e258205d6ba78a9958069

SHA512
5d321c2be34f3669833a4e97d9b8fc48a1813b87b8f19373d1e0159ce8959cc6cdf232224447dd3c4d05eae3f83224d0d68415ddcb40050299c9b628ac8901b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\8b0NJGAL8GVr.bat

Filesize
199B

MD5
56d9eb0eded6e5bea4597f144e44cc85

SHA1
6d851a9f0e70dcb5c5d5704b89c5851ab418f2c3

SHA256
ed0a38b3385063d4bb04ab50d69b99a6497b8ac0565f36e337ad0fa5c20777ae

SHA512
b3afe6226a2d5a2be6482b7d0d13b316605fcfff65390f087a76efb39643605e7df9c6dfd3ed7beed240b0e435aad9a809241e1340420eefdd36fec80618153e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9IFjmJhWxSUN.bat

Filesize
199B

MD5
e6bbf78503c1710ca8a5f25bd6d3031f

SHA1
d49ae7a1eccf156c7ce2ef9c8043f40731ddcaa4

SHA256
a0d6228f9c1b1752db236e78038760ce538615d6606eee8ba195ec90cdf61021

SHA512
53ade172dfc5cdb257eae54e0f89fcae77513e731571ec0200fb75c9f58d17d918e771d482d76fda32e450e6703f6d071c764af8159db111b7cb3d38c59d55c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\EZ7N5kHjYpCj.bat

Filesize
199B

MD5
8ebeb5e56d4e43db41c74e3fa8acc28c

SHA1
d199169bc4d5124054bd1067911c575dceee1186

SHA256
317283cc051689d1712126d45ea20a0a57ea9e85a636cf17a9a978aa388ffce6

SHA512
999af7061eb6a4905abedff18a1da397012ebd436cb00e51cc3c88d0535186bccd7866c84abc598658409df065f505ba61530c1c1a01697e1aef3a7cd7a07ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ImXFn1bInf7L.bat

Filesize
199B

MD5
35b6e9a6a7e2b78a05869487d6c8a494

SHA1
600c11c54858f337675d01a7e913c1861b526cc5

SHA256
67d0cfcb3e6fbc5501b8e675d10bd017b0df9f31daea65b3d8ab294306f1aac1

SHA512
7e00e2884146583c1fb1b356e332540e32c4a94636e99142a28d4037ac86ed684e42c3dba1740151a0a5e3d02c23ce9098175ac2ba3e6d78fa66eb62686b8eee

Download Submit
C:\Users\Admin\AppData\Local\Temp\R59xaxTjQPLv.bat

Filesize
199B

MD5
a322e9314563b9cba471a5eac72bbfca

SHA1
b9b4232b6e4d6f73e71db7dd5fda508f7b2d58c3

SHA256
9295c5098a13cd9e4d59b0d7f06ce79eb19b20c311d5d9431f1a0005bf659b25

SHA512
c63ecd89c0b67728f6093b2e58ba85be50b146537d260d02eeaa8eaaa589348790ef8d52def7a71b89570d80cbc61856e4af805b3dcd873a9c29ce917d34aa72

Download Submit
C:\Users\Admin\AppData\Local\Temp\S2lNWvT7uiKp.bat

Filesize
199B

MD5
09913f92c8a659909bcec42886e29439

SHA1
cf60ff014ec673f65864967e2d840d2877570574

SHA256
2c746134265a2f40df02506e82f2df464cf8472132f6dcc6b49ba993f492ca46

SHA512
38f0ab60123d4af49c5d8ff45e1fa1d897c172147780eb8f7fa52ad91fa129c7d060c9d114ce9f568ea8b157eae674b32b4ceeed8195f69901b0565d4174e0ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2CFWjfY1SHC.bat

Filesize
199B

MD5
e5fa913abff4d132605dbb67d7666e0a

SHA1
448c665ccb77a3d383ce8c057fa66cc9136c83af

SHA256
bf0aea32b37fdcea816f969db4773bbe9ca27f00432cccf0aa367cec990f375d

SHA512
c4be39a84736892f100cc59479bcfd2fc4e211952ffb77eb4c0bd06837811a1340a24c7964c135912d38407acc3097631444421994629c0875869c2212a1688c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bUp2SonQfvaT.bat

Filesize
199B

MD5
4ec918bdbea3ae1812af3def2650d1d7

SHA1
b83627c7d5e66e904a756501de9903c4e3fafa65

SHA256
a9edf04a6ad429a1f7a39b314843439debcc60170da6eb91dd47bd1a14bbae1d

SHA512
274cff7723ced18b36d25d19d37f188402b8f00dd83382db459190e598e12738fb1686e71a440528b42e7581bbc835d86a2c8d663201d34c0f3f69abcd035996

Download Submit
C:\Users\Admin\AppData\Local\Temp\g825YpIrUG88.bat

Filesize
199B

MD5
18bace07a410897ae668c169a01ad2e2

SHA1
51d31c7690867b401f4b4e444e2c1eeb81722d33

SHA256
d8d6ff327f44024b1fc6a3199f4b9b3353238270977d637eee8779706436535e

SHA512
98d7e8f709d24812414bb4f6c7de3529dd0d0ca25d612b546f473fa1c54c55504c4b4dfa2f7f2e20d035103cb641d3fe1b72cad77e6258d82bc0e07639942adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIGHwTOBJJYC.bat

Filesize
199B

MD5
38654110d608aa4c0b41c392f1562f0f

SHA1
3ef881748fc19033436d43c963c1a2aa8332d635

SHA256
d2f8361f274d68464e31d956d124da59291bd60e2cc3bee6191454c244008481

SHA512
9c16431a787b9abbde952eb2838b72ba67f00e47b95417b50197bec13e1b1ef07daa2a089b01ab312dc8d8e2fe6b568ac30c7ae47e4f35049a76313d92f56fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\nZSpV35NdSNm.bat

Filesize
199B

MD5
3770553baf9af51302861c23c0ef2f02

SHA1
c98231dbe1e57677194b46b3e217af285722fd4e

SHA256
1c3ed05347f40ed515063b3ec9025227fa7cc7811377cc1649e9c488e15e144b

SHA512
6d32f3afb668fac1f2276a49245da22f3870f90ae03e6e24d8835e4608247f305effa83b5d1690104443633f40b0e355adc996b417bdc6602ad13ab0c7e51dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\wA4Ut1xuTqXs.bat

Filesize
199B

MD5
71bed6b7f844684b7a06c825e551a937

SHA1
b55b61b6a5fe5a854b3e4d439daf02816ae81513

SHA256
94ec4b73aaa6cc9c0ffe2d979d1b57366de28089ca04391124863cdfb74a48a5

SHA512
2e56ecb5adacd538c50fbe363e916840f3e3d8bbdc7d32ec7b1b2a84ee9e8160cd7e48132d2ada267234175f9ba7409b3904cda043bb6c7812000bd196d2195a

Download Submit
C:\Windows\System32\System32\svchost.exe

Filesize
3.1MB

MD5
cee9f55f2ed2ad11bf3acb650277237a

SHA1
3515900f7d4ba68720cb506200f2dcff401a9a6e

SHA256
527ebcd94bab6471192fa739e3ee318a7781c79c5a266b0795214bce0398ed35

SHA512
da46b87edbf315b88f069d2670c440fb9ea76a1bde9742855fcf80c7bbad5ea4d895c90d97d62a57782cd2572f3db7c90667aabe34e37c6bf543da6ea323d906

Download Submit
memory/1248-53-0x00000000010C0000-0x00000000013E4000-memory.dmp

Filesize
3.1MB

Download
memory/1624-96-0x00000000000A0000-0x00000000003C4000-memory.dmp

Filesize
3.1MB

Download
memory/1696-119-0x0000000000EA0000-0x00000000011C4000-memory.dmp

Filesize
3.1MB

Download
memory/1704-107-0x0000000000DA0000-0x00000000010C4000-memory.dmp

Filesize
3.1MB

Download
memory/2692-74-0x0000000001270000-0x0000000001594000-memory.dmp

Filesize
3.1MB

Download
memory/2744-10-0x000007FEF6780000-0x000007FEF716C000-memory.dmp

Filesize
9.9MB

Download
memory/2744-7-0x0000000000DD0000-0x00000000010F4000-memory.dmp

Filesize
3.1MB

Download
memory/2744-9-0x000007FEF6780000-0x000007FEF716C000-memory.dmp

Filesize
9.9MB

Download
memory/2744-19-0x000007FEF6780000-0x000007FEF716C000-memory.dmp

Filesize
9.9MB

Download
memory/2756-2-0x000007FEF6780000-0x000007FEF716C000-memory.dmp

Filesize
9.9MB

Download
memory/2756-0-0x000007FEF6783000-0x000007FEF6784000-memory.dmp

Filesize
4KB

Download
memory/2756-8-0x000007FEF6780000-0x000007FEF716C000-memory.dmp

Filesize
9.9MB

Download
memory/2756-1-0x0000000000A90000-0x0000000000DB4000-memory.dmp

Filesize
3.1MB

Download
memory/2768-151-0x0000000000F20000-0x0000000001244000-memory.dmp

Filesize
3.1MB

Download
memory/2776-85-0x00000000003F0000-0x0000000000714000-memory.dmp

Filesize
3.1MB

Download
memory/2992-162-0x0000000001220000-0x0000000001544000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads