quasar | 527ebcd94bab6471192fa739e3ee318a7781c79c5a266b0795214bce0398ed35

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FlashingSoftwarePRO.exe
Size

3.1MB
MD5

cee9f55f2ed2ad11bf3acb650277237a
SHA1

3515900f7d4ba68720cb506200f2dcff401a9a6e
SHA256

527ebcd94bab6471192fa739e3ee318a7781c79c5a266b0795214bce0398ed35
SHA512

da46b87edbf315b88f069d2670c440fb9ea76a1bde9742855fcf80c7bbad5ea4d895c90d97d62a57782cd2572f3db7c90667aabe34e37c6bf543da6ea323d906
SSDEEP

49152:/vJuf2NUaNmwzPWlvdaKM7ZxTwqky3EfsKk/WPIoGd0THHB72eh2NT:/vkf2NUaNmwzPWlvdaB7ZxTwqkyAw

Score

10^/10

quasar svchost discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

svchost

quasqy10-51732.portmap.host:4782

193.161.193.99:4782

Mutex

7d600197-9219-48e3-b7cb-1cd264aa77fa

Attributes

encryption_key
BDB44181C868606DFCA1741A69056AAA62DADEFC
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
RuntimeBroker
subdirectory
System32

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/220-1-0x0000000000270000-0x0000000000594000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023b88-5.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 15 IoCs

pid	Process
3096	svchost.exe
3376	svchost.exe
4472	svchost.exe
2588	svchost.exe
4700	svchost.exe
2320	svchost.exe
3628	svchost.exe
4624	svchost.exe
1492	svchost.exe
864	svchost.exe
3064	svchost.exe
2360	svchost.exe
3528	svchost.exe
3136	svchost.exe
756	svchost.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File created	C:\Windows\system32\System32\svchost.exe	FlashingSoftwarePRO.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32\svchost.exe	FlashingSoftwarePRO.exe
File opened for modification	C:\Windows\system32\System32	FlashingSoftwarePRO.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2416	PING.EXE
848	PING.EXE
3836	PING.EXE
1808	PING.EXE
5116	PING.EXE
1116	PING.EXE
632	PING.EXE
2848	PING.EXE
1528	PING.EXE
4428	PING.EXE
1292	PING.EXE
2988	PING.EXE
5080	PING.EXE
5088	PING.EXE
324	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
5088	PING.EXE
324	PING.EXE
2988	PING.EXE
2416	PING.EXE
2848	PING.EXE
1528	PING.EXE
3836	PING.EXE
1808	PING.EXE
1116	PING.EXE
632	PING.EXE
848	PING.EXE
5080	PING.EXE
1292	PING.EXE
5116	PING.EXE
4428	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1972	schtasks.exe
4152	schtasks.exe
1868	schtasks.exe
1268	schtasks.exe
2172	schtasks.exe
3532	schtasks.exe
2704	schtasks.exe
4244	schtasks.exe
1680	schtasks.exe
3196	schtasks.exe
1324	schtasks.exe
908	schtasks.exe
4260	schtasks.exe
3676	schtasks.exe
1968	schtasks.exe
4612	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	220	FlashingSoftwarePRO.exe
Token: SeDebugPrivilege	3096	svchost.exe
Token: SeDebugPrivilege	3376	svchost.exe
Token: SeDebugPrivilege	4472	svchost.exe
Token: SeDebugPrivilege	2588	svchost.exe
Token: SeDebugPrivilege	4700	svchost.exe
Token: SeDebugPrivilege	2320	svchost.exe
Token: SeDebugPrivilege	3628	svchost.exe
Token: SeDebugPrivilege	4624	svchost.exe
Token: SeDebugPrivilege	1492	svchost.exe
Token: SeDebugPrivilege	864	svchost.exe
Token: SeDebugPrivilege	3064	svchost.exe
Token: SeDebugPrivilege	2360	svchost.exe
Token: SeDebugPrivilege	3528	svchost.exe
Token: SeDebugPrivilege	3136	svchost.exe
Token: SeDebugPrivilege	756	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3096	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 1268	220	FlashingSoftwarePRO.exe	84
PID 220 wrote to memory of 1268	220	FlashingSoftwarePRO.exe	84
PID 220 wrote to memory of 3096	220	FlashingSoftwarePRO.exe	86
PID 220 wrote to memory of 3096	220	FlashingSoftwarePRO.exe	86
PID 3096 wrote to memory of 4244	3096	svchost.exe	87
PID 3096 wrote to memory of 4244	3096	svchost.exe	87
PID 3096 wrote to memory of 1712	3096	svchost.exe	89
PID 3096 wrote to memory of 1712	3096	svchost.exe	89
PID 1712 wrote to memory of 3032	1712	cmd.exe	91
PID 1712 wrote to memory of 3032	1712	cmd.exe	91
PID 1712 wrote to memory of 2988	1712	cmd.exe	92
PID 1712 wrote to memory of 2988	1712	cmd.exe	92
PID 1712 wrote to memory of 3376	1712	cmd.exe	102
PID 1712 wrote to memory of 3376	1712	cmd.exe	102
PID 3376 wrote to memory of 1324	3376	svchost.exe	103
PID 3376 wrote to memory of 1324	3376	svchost.exe	103
PID 3376 wrote to memory of 4592	3376	svchost.exe	108
PID 3376 wrote to memory of 4592	3376	svchost.exe	108
PID 4592 wrote to memory of 1984	4592	cmd.exe	110
PID 4592 wrote to memory of 1984	4592	cmd.exe	110
PID 4592 wrote to memory of 632	4592	cmd.exe	111
PID 4592 wrote to memory of 632	4592	cmd.exe	111
PID 4592 wrote to memory of 4472	4592	cmd.exe	113
PID 4592 wrote to memory of 4472	4592	cmd.exe	113
PID 4472 wrote to memory of 2172	4472	svchost.exe	114
PID 4472 wrote to memory of 2172	4472	svchost.exe	114
PID 4472 wrote to memory of 2780	4472	svchost.exe	117
PID 4472 wrote to memory of 2780	4472	svchost.exe	117
PID 2780 wrote to memory of 1100	2780	cmd.exe	119
PID 2780 wrote to memory of 1100	2780	cmd.exe	119
PID 2780 wrote to memory of 2416	2780	cmd.exe	120
PID 2780 wrote to memory of 2416	2780	cmd.exe	120
PID 2780 wrote to memory of 2588	2780	cmd.exe	125
PID 2780 wrote to memory of 2588	2780	cmd.exe	125
PID 2588 wrote to memory of 1968	2588	svchost.exe	126
PID 2588 wrote to memory of 1968	2588	svchost.exe	126
PID 2588 wrote to memory of 1696	2588	svchost.exe	129
PID 2588 wrote to memory of 1696	2588	svchost.exe	129
PID 1696 wrote to memory of 2848	1696	cmd.exe	131
PID 1696 wrote to memory of 2848	1696	cmd.exe	131
PID 1696 wrote to memory of 848	1696	cmd.exe	132
PID 1696 wrote to memory of 848	1696	cmd.exe	132
PID 1696 wrote to memory of 4700	1696	cmd.exe	134
PID 1696 wrote to memory of 4700	1696	cmd.exe	134
PID 4700 wrote to memory of 1680	4700	svchost.exe	135
PID 4700 wrote to memory of 1680	4700	svchost.exe	135
PID 4700 wrote to memory of 1520	4700	svchost.exe	138
PID 4700 wrote to memory of 1520	4700	svchost.exe	138
PID 1520 wrote to memory of 2264	1520	cmd.exe	140
PID 1520 wrote to memory of 2264	1520	cmd.exe	140
PID 1520 wrote to memory of 5080	1520	cmd.exe	141
PID 1520 wrote to memory of 5080	1520	cmd.exe	141
PID 1520 wrote to memory of 2320	1520	cmd.exe	143
PID 1520 wrote to memory of 2320	1520	cmd.exe	143
PID 2320 wrote to memory of 4612	2320	svchost.exe	144
PID 2320 wrote to memory of 4612	2320	svchost.exe	144
PID 2320 wrote to memory of 4600	2320	svchost.exe	146
PID 2320 wrote to memory of 4600	2320	svchost.exe	146
PID 4600 wrote to memory of 1912	4600	cmd.exe	149
PID 4600 wrote to memory of 1912	4600	cmd.exe	149
PID 4600 wrote to memory of 3836	4600	cmd.exe	150
PID 4600 wrote to memory of 3836	4600	cmd.exe	150
PID 4600 wrote to memory of 3628	4600	cmd.exe	153
PID 4600 wrote to memory of 3628	4600	cmd.exe	153

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\FlashingSoftwarePRO.exe
"C:\Users\Admin\AppData\Local\Temp\FlashingSoftwarePRO.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:220
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1268
- C:\Windows\system32\System32\svchost.exe
  "C:\Windows\system32\System32\svchost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3096
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\abyfXRPeuGM6.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3032
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2988
  - - C:\Windows\system32\System32\svchost.exe
      "C:\Windows\system32\System32\svchost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3376
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1324
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jcW4dHg3WqTw.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4592
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1984
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:632
      - C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jH3VKNC1BeCu.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1100
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2416
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hWAlrESoysqT.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2848
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:848
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M03j5NkuAYnD.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2264
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5080
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2YNliDjOaUx.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3836
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3628
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:908
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DRQLMXcUuFP9.bat" "
        15⤵
        
        PID:540
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1292
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4624
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LVCrYKMQbJID.bat" "
        17⤵
        
        PID:3608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1468
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2848
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e44MgVobXXDg.bat" "
        19⤵
        
        PID:4636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:892
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1808
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ADd01vA31Gkj.bat" "
        21⤵
        
        PID:5036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2064
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5116
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4260
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OMHvWaOi2aZd.bat" "
        23⤵
        
        PID:2528
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3700
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5088
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tOh4MUoRq5LL.bat" "
        25⤵
        
        PID:3636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2792
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1116
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3528
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4152
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rikDDsjB9G5U.bat" "
        27⤵
        
        PID:2812
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2612
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1528
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3136
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3676
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YATTU8ZXSXrE.bat" "
        29⤵
        
        PID:2220
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:4812
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:324
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1868
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ullx4xdf1f1k.bat" "
        31⤵
        
        PID:1628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:3220
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADd01vA31Gkj.bat

Filesize
199B

MD5
55dc16e2ed1afde21012625f3804b8bb

SHA1
0b8d526cc5aeda1f34cbde2c571143296c6a7b7e

SHA256
e1692f032976e0fa6e3c11c1f2425f211edb49d2d0e81be91d941bbf7ffeb522

SHA512
052ad2460206bbeebba32b6cef26e195ae1ad710644e730909ded900487d6af49dfb1024ca614d8d551bca60ba07f8f89795df058815728e9d35e18973a147d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRQLMXcUuFP9.bat

Filesize
199B

MD5
5eeb18285f0188b2fea2739f079f6e0a

SHA1
01674044c60312736ee8048a73162ecb1539f826

SHA256
ed66bb1dea73b4859767148a8cd0b33c829f7897b1627f122d2e79a8a09335db

SHA512
412a39cdbe40dd12bfba53dba4187f56bc283d6fbe75008ad6b8eb7337765f04dd5d926cb05083d48a551a14eddf98102aa4410dad8476b19472e7e5a73f736e

Download Submit
C:\Users\Admin\AppData\Local\Temp\H2YNliDjOaUx.bat

Filesize
199B

MD5
9ff182a08800684751986b9900549313

SHA1
8eac454313121629126cfcfae1a17ab805210255

SHA256
21594354ea8dde7b751afeb637687ab32960e4fab7ba65c9e28c47c8e000230f

SHA512
d8afff42a5ae4ebe712db0aecff1a667470da78df2eeb3afce1edc0d9bdbe983a95cbc611161010fe6f3b07fdca5f4488950f96c8a592d7942e1180c6eaa089a

Download Submit
C:\Users\Admin\AppData\Local\Temp\LVCrYKMQbJID.bat

Filesize
199B

MD5
8a85454d09a431c494ded6c86794954a

SHA1
fd7e2070e546dc2442fcb1933d6273ce1a0e5a58

SHA256
7ed0c1f0d5c1ffe214eb6ba51c96dd4acd757e24ba7c25bf33575bc6c31e512c

SHA512
12ff5c231dc9d33ee0b18632af3fce44b7fc545d56450ea5e7874a83cf3d0748896e9d0f976e029e18f4f52e96f8823baa84525c1ed1916e0402ff370cf753ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\M03j5NkuAYnD.bat

Filesize
199B

MD5
5ce015b53150c1814e7356f856dd4dbb

SHA1
e68f480ea02ef8cd84ae235a7d561d8e7a5710d9

SHA256
5cfb3fbaf75258b7be2f0ea1fffd40dc73ccc69cbdaf5aa079b79b5ab45d11e6

SHA512
db5a6fe50b2c00d6bec68dc4997774d39832c361596d7d87fd75cf88d77374d72631267bbbf47f4ea43235b62a7b2fe290051b3b55d42ca21f1d09bdc9d6d194

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMHvWaOi2aZd.bat

Filesize
199B

MD5
23300da7e4f69524ad8500c948c2ad10

SHA1
e6ded000c17cbfc37459382abb12bcc0ebe82c89

SHA256
64c9eecb1597ac820ca4bf72619ba351ea73ef2f898ea3cf12ef6f7398f0b4e3

SHA512
1fff2ec61a17e012044e0f0132786733636157997dd58edd7910380074f5b29951c651ca36dc3848480127659da85fcf31f17712b54f028a732bebda32ff9e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ullx4xdf1f1k.bat

Filesize
199B

MD5
016272550a832b12c0bc2974f02793fb

SHA1
37eedee651fe4b2fad13412830286d0a350d966c

SHA256
d1770b16e2729c93113c2c35840c25aca9d1092adfb50e839381cf227e1a1cb4

SHA512
e21bfd4a2a263c7800194418695feb31db09a443c0296e50e69fb2db7550c7f4b01f9e42b066977d95b21f5448320817e2b8bdac90d4f8380485d588acd03da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\YATTU8ZXSXrE.bat

Filesize
199B

MD5
417303e273c860456f920af882afdad7

SHA1
6c489095f907b05cbb10430c05c0af21fdce1496

SHA256
27f6506cb1763f8e1168eebd2964069c8e843892c680b3d5ee8a1491c27a98ca

SHA512
482fad3ae5e9fa95ece5b0d0e3f8f80fa8c994fd434e7567e003c457fd7a493be26c0799233330cb779d72288f2a404e5cedd85010e03daaddb46155d8ef70d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\abyfXRPeuGM6.bat

Filesize
199B

MD5
57410c0fe1fe71975c516ad551207ff4

SHA1
4becab62129eecd8faa8c20e587e754c711435b6

SHA256
62d5abbd30bd5026eed6c4110a6f2924e9217185b3a74b1c97da21da0bf98842

SHA512
b740e892734d7bf5dd7af3a64d0635f2ca5a6b3fb0750c29c5e82bab80367bf6c254177411c50a82c0d23ed873a3309af240bec47855b2e685b9c2cae1299924

Download Submit
C:\Users\Admin\AppData\Local\Temp\e44MgVobXXDg.bat

Filesize
199B

MD5
c21afbd75e581f4e121c74bfb56f74e9

SHA1
78ed95c3ddb4f8420d25e5d2ea322fdf07848b29

SHA256
31534ba02c95c2f3ddbe70bb2f6a0e64ba0393ff3644c687fb9ecd7ed12f2c8c

SHA512
54e9d8508db4742e18550112d4f45ae48333f5e853daec53e959df59d3ad8284ce93ffa5ec5b0693bd8870ced1f49571dcb6844a949b62356c497d570002b401

Download Submit
C:\Users\Admin\AppData\Local\Temp\hWAlrESoysqT.bat

Filesize
199B

MD5
55ae1d3738b0cf8cbb18b1d184721885

SHA1
70ad0ecca8eade2b9c4096cf95f96eba392d1b64

SHA256
977ed0397673399ba66dea964c600c2520ef7af7db32c8fb8489e76f4f12a323

SHA512
4f1073601df19d5fab2c5f39f820770e5ddcd2bc242d763ab5c4bb0e81c1c1df28b81ccd025abd8b7ca5e67d906cf4875846596606dd36177637e35718670d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\jH3VKNC1BeCu.bat

Filesize
199B

MD5
2daea96a14876ec320382e801e99cc9f

SHA1
22c91b9474cb648d121808a1d711b30dbb502aeb

SHA256
99552ad778b87d6d4f1986d0034e69373769f56b1bd69c093ad8c09b7db6f8d3

SHA512
bda3859707a0a91af3cafe974d285dd84cae662041f5b5292ff68978b8f98ddda136e68983ed29a683c5e35e0a433209d93fd3e292d0ece10ae2dc3671d7c4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcW4dHg3WqTw.bat

Filesize
199B

MD5
2077ed10219e18762c8540e60b72c411

SHA1
b8b040c744393688f311ef2631a4e78c303709fe

SHA256
76bc454d669c3bf929fde09812cbc9751ac80f5eb729fa58c6c4b8bd23915b88

SHA512
aa3221f6082bd1fbb12fdebb337b2e76544ff7632c24d878baf012d9f7f3fd2795dfc89dfd4253e4293cf58e613d2c14b677d33f4b21ccd8b474ed37aeb238e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\rikDDsjB9G5U.bat

Filesize
199B

MD5
7932d367d750d0f2905f82b06b9c4d92

SHA1
eeb886cc85c94e878e347aa21857e483ff064447

SHA256
afd4c95ac31723501e3bdbbdab97f12f04371dda0b13f8a0c490220ae4cd69af

SHA512
159f33bdf2062f6d57ec6e47e736776e53192e671d67fc07eed7a56b0a6908a1cb7859c66c388f13e0ec77614921f7b6ebf3df958060609f09ca334932ad703e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tOh4MUoRq5LL.bat

Filesize
199B

MD5
afa484ddcc749afea6b5a4aec76410da

SHA1
d8b555e0048f6e1b33b8bdeb4cc1ed3c2ead6b6b

SHA256
a1132e80d854b8f4a42282a045ac7946f63e18425ec991a97ffc19320c2c70c0

SHA512
4d122f9dcebe5edcd4f524c9372c242c9d86f0b851083376f0f2b4aa77f953b5d915dd10ee990d0f0006ef3e405f501772059dcb27dce99534f622cd4bff9ec2

Download Submit
C:\Windows\System32\System32\svchost.exe

Filesize
3.1MB

MD5
cee9f55f2ed2ad11bf3acb650277237a

SHA1
3515900f7d4ba68720cb506200f2dcff401a9a6e

SHA256
527ebcd94bab6471192fa739e3ee318a7781c79c5a266b0795214bce0398ed35

SHA512
da46b87edbf315b88f069d2670c440fb9ea76a1bde9742855fcf80c7bbad5ea4d895c90d97d62a57782cd2572f3db7c90667aabe34e37c6bf543da6ea323d906

Download Submit
memory/220-0-0x00007FFCFBDB3000-0x00007FFCFBDB5000-memory.dmp

Filesize
8KB

Download
memory/220-17-0x00007FFCFBDB0000-0x00007FFCFC871000-memory.dmp

Filesize
10.8MB

Download
memory/220-2-0x00007FFCFBDB0000-0x00007FFCFC871000-memory.dmp

Filesize
10.8MB

Download
memory/220-1-0x0000000000270000-0x0000000000594000-memory.dmp

Filesize
3.1MB

Download
memory/3096-15-0x00007FFCFBDB0000-0x00007FFCFC871000-memory.dmp

Filesize
10.8MB

Download
memory/3096-10-0x000000001BF10000-0x000000001BFC2000-memory.dmp

Filesize
712KB

Download
memory/3096-9-0x000000001BE00000-0x000000001BE50000-memory.dmp

Filesize
320KB

Download
memory/3096-8-0x00007FFCFBDB0000-0x00007FFCFC871000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads