quasar | 71d5442831a53d429d61cfdb48bb92ea0a30ca91782fb3b219bd9b3fe3d9cff2

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FlashingSoftwarePRO.exe
Size

3.1MB
MD5

71b0a3eb76e864f63a108192fce45858
SHA1

e7bc4b311934f8223ef98483a8092c3c9cc5b95a
SHA256

71d5442831a53d429d61cfdb48bb92ea0a30ca91782fb3b219bd9b3fe3d9cff2
SHA512

a35ddfe5d194be8ec7b5444b4e1e0756de8cc7957f59cea217fe26446b299519c6676eafece1fd49e5107c34721af47402dc8aefb76f040deb5bcd51e7a2eef1
SSDEEP

49152:rvSe821/aQWl8P0lSk3aKA3Z+nHPLk9h4vJeLoGd+THHB72eh2NT:rvp821/aQWl8P0lSk3DA3Z+nIhZ

Score

10^/10

quasar svchost discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

svchost

quasqy10-51732.portmap.host:4782

193.161.193.99:4782

quasqy10-51732.portmap.host:1194

Mutex

1254c7bb-0f09-42ad-83dc-450c6528bddb

Attributes

encryption_key
BDB44181C868606DFCA1741A69056AAA62DADEFC
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
RuntimeBroker
subdirectory
System32

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 13 IoCs

resource	yara_rule
behavioral1/memory/1856-1-0x00000000008F0000-0x0000000000C14000-memory.dmp	family_quasar
behavioral1/files/0x0008000000015d19-6.dat	family_quasar
behavioral1/memory/2088-7-0x0000000000A80000-0x0000000000DA4000-memory.dmp	family_quasar
behavioral1/memory/2768-22-0x00000000001A0000-0x00000000004C4000-memory.dmp	family_quasar
behavioral1/memory/1552-33-0x00000000002F0000-0x0000000000614000-memory.dmp	family_quasar
behavioral1/memory/1444-45-0x0000000001260000-0x0000000001584000-memory.dmp	family_quasar
behavioral1/memory/2180-87-0x0000000000160000-0x0000000000484000-memory.dmp	family_quasar
behavioral1/memory/2792-98-0x0000000000F80000-0x00000000012A4000-memory.dmp	family_quasar
behavioral1/memory/1980-110-0x0000000000080000-0x00000000003A4000-memory.dmp	family_quasar
behavioral1/memory/2008-121-0x0000000000B10000-0x0000000000E34000-memory.dmp	family_quasar
behavioral1/memory/920-142-0x00000000012C0000-0x00000000015E4000-memory.dmp	family_quasar
behavioral1/memory/992-164-0x0000000001310000-0x0000000001634000-memory.dmp	family_quasar
behavioral1/memory/2736-175-0x0000000000300000-0x0000000000624000-memory.dmp	family_quasar

Executes dropped EXE 16 IoCs

pid	Process
2088	svchost.exe
2768	svchost.exe
1552	svchost.exe
1444	svchost.exe
688	svchost.exe
1648	svchost.exe
984	svchost.exe
2180	svchost.exe
2792	svchost.exe
1980	svchost.exe
2008	svchost.exe
1700	svchost.exe
920	svchost.exe
2128	svchost.exe
992	svchost.exe
2736	svchost.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File created	C:\Windows\system32\System32\svchost.exe	FlashingSoftwarePRO.exe
File opened for modification	C:\Windows\system32\System32	FlashingSoftwarePRO.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32\svchost.exe	FlashingSoftwarePRO.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 16 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2828	PING.EXE
1944	PING.EXE
1004	PING.EXE
2180	PING.EXE
2740	PING.EXE
2856	PING.EXE
2300	PING.EXE
1368	PING.EXE
2224	PING.EXE
3048	PING.EXE
352	PING.EXE
1860	PING.EXE
328	PING.EXE
1000	PING.EXE
1204	PING.EXE
1668	PING.EXE

Runs ping.exe 1 TTPs 16 IoCs

Remote System Discovery

T1018

pid	Process
1204	PING.EXE
2300	PING.EXE
2828	PING.EXE
2224	PING.EXE
2856	PING.EXE
352	PING.EXE
1860	PING.EXE
328	PING.EXE
2740	PING.EXE
1668	PING.EXE
1000	PING.EXE
2180	PING.EXE
3048	PING.EXE
1004	PING.EXE
1368	PING.EXE
1944	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1420	schtasks.exe
284	schtasks.exe
1256	schtasks.exe
2940	schtasks.exe
1940	schtasks.exe
1464	schtasks.exe
2868	schtasks.exe
1468	schtasks.exe
2072	schtasks.exe
2420	schtasks.exe
1504	schtasks.exe
2668	schtasks.exe
2632	schtasks.exe
1104	schtasks.exe
2556	schtasks.exe
2580	schtasks.exe
2864	schtasks.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	1856	FlashingSoftwarePRO.exe
Token: SeDebugPrivilege	2088	svchost.exe
Token: SeDebugPrivilege	2768	svchost.exe
Token: SeDebugPrivilege	1552	svchost.exe
Token: SeDebugPrivilege	1444	svchost.exe
Token: SeDebugPrivilege	688	svchost.exe
Token: SeDebugPrivilege	1648	svchost.exe
Token: SeDebugPrivilege	984	svchost.exe
Token: SeDebugPrivilege	2180	svchost.exe
Token: SeDebugPrivilege	2792	svchost.exe
Token: SeDebugPrivilege	1980	svchost.exe
Token: SeDebugPrivilege	2008	svchost.exe
Token: SeDebugPrivilege	1700	svchost.exe
Token: SeDebugPrivilege	920	svchost.exe
Token: SeDebugPrivilege	2128	svchost.exe
Token: SeDebugPrivilege	992	svchost.exe
Token: SeDebugPrivilege	2736	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 2072	1856	FlashingSoftwarePRO.exe	30
PID 1856 wrote to memory of 2072	1856	FlashingSoftwarePRO.exe	30
PID 1856 wrote to memory of 2072	1856	FlashingSoftwarePRO.exe	30
PID 1856 wrote to memory of 2088	1856	FlashingSoftwarePRO.exe	32
PID 1856 wrote to memory of 2088	1856	FlashingSoftwarePRO.exe	32
PID 1856 wrote to memory of 2088	1856	FlashingSoftwarePRO.exe	32
PID 2088 wrote to memory of 2420	2088	svchost.exe	33
PID 2088 wrote to memory of 2420	2088	svchost.exe	33
PID 2088 wrote to memory of 2420	2088	svchost.exe	33
PID 2088 wrote to memory of 2748	2088	svchost.exe	35
PID 2088 wrote to memory of 2748	2088	svchost.exe	35
PID 2088 wrote to memory of 2748	2088	svchost.exe	35
PID 2748 wrote to memory of 2832	2748	cmd.exe	37
PID 2748 wrote to memory of 2832	2748	cmd.exe	37
PID 2748 wrote to memory of 2832	2748	cmd.exe	37
PID 2748 wrote to memory of 2856	2748	cmd.exe	38
PID 2748 wrote to memory of 2856	2748	cmd.exe	38
PID 2748 wrote to memory of 2856	2748	cmd.exe	38
PID 2748 wrote to memory of 2768	2748	cmd.exe	40
PID 2748 wrote to memory of 2768	2748	cmd.exe	40
PID 2748 wrote to memory of 2768	2748	cmd.exe	40
PID 2768 wrote to memory of 2632	2768	svchost.exe	41
PID 2768 wrote to memory of 2632	2768	svchost.exe	41
PID 2768 wrote to memory of 2632	2768	svchost.exe	41
PID 2768 wrote to memory of 2628	2768	svchost.exe	43
PID 2768 wrote to memory of 2628	2768	svchost.exe	43
PID 2768 wrote to memory of 2628	2768	svchost.exe	43
PID 2628 wrote to memory of 2556	2628	cmd.exe	45
PID 2628 wrote to memory of 2556	2628	cmd.exe	45
PID 2628 wrote to memory of 2556	2628	cmd.exe	45
PID 2628 wrote to memory of 3048	2628	cmd.exe	46
PID 2628 wrote to memory of 3048	2628	cmd.exe	46
PID 2628 wrote to memory of 3048	2628	cmd.exe	46
PID 2628 wrote to memory of 1552	2628	cmd.exe	47
PID 2628 wrote to memory of 1552	2628	cmd.exe	47
PID 2628 wrote to memory of 1552	2628	cmd.exe	47
PID 1552 wrote to memory of 1504	1552	svchost.exe	48
PID 1552 wrote to memory of 1504	1552	svchost.exe	48
PID 1552 wrote to memory of 1504	1552	svchost.exe	48
PID 1552 wrote to memory of 1428	1552	svchost.exe	50
PID 1552 wrote to memory of 1428	1552	svchost.exe	50
PID 1552 wrote to memory of 1428	1552	svchost.exe	50
PID 1428 wrote to memory of 1208	1428	cmd.exe	52
PID 1428 wrote to memory of 1208	1428	cmd.exe	52
PID 1428 wrote to memory of 1208	1428	cmd.exe	52
PID 1428 wrote to memory of 1204	1428	cmd.exe	53
PID 1428 wrote to memory of 1204	1428	cmd.exe	53
PID 1428 wrote to memory of 1204	1428	cmd.exe	53
PID 1428 wrote to memory of 1444	1428	cmd.exe	54
PID 1428 wrote to memory of 1444	1428	cmd.exe	54
PID 1428 wrote to memory of 1444	1428	cmd.exe	54
PID 1444 wrote to memory of 1940	1444	svchost.exe	55
PID 1444 wrote to memory of 1940	1444	svchost.exe	55
PID 1444 wrote to memory of 1940	1444	svchost.exe	55
PID 1444 wrote to memory of 2460	1444	svchost.exe	57
PID 1444 wrote to memory of 2460	1444	svchost.exe	57
PID 1444 wrote to memory of 2460	1444	svchost.exe	57
PID 2460 wrote to memory of 2504	2460	cmd.exe	59
PID 2460 wrote to memory of 2504	2460	cmd.exe	59
PID 2460 wrote to memory of 2504	2460	cmd.exe	59
PID 2460 wrote to memory of 2300	2460	cmd.exe	60
PID 2460 wrote to memory of 2300	2460	cmd.exe	60
PID 2460 wrote to memory of 2300	2460	cmd.exe	60
PID 2460 wrote to memory of 688	2460	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\FlashingSoftwarePRO.exe
"C:\Users\Admin\AppData\Local\Temp\FlashingSoftwarePRO.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2072
- C:\Windows\system32\System32\svchost.exe
  "C:\Windows\system32\System32\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2420
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\ei5PdvP0U0GX.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2832
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2856
  - - C:\Windows\system32\System32\svchost.exe
      "C:\Windows\system32\System32\svchost.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2632
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lKl8Cbi9O48B.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2628
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2556
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3048
      - C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1504
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rRSidKxAWgOV.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1208
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1204
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1940
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IBImd4fRwptQ.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2504
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2300
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:688
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1104
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\3E6aC4w03tuW.bat" "
        11⤵
        
        PID:1284
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:764
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1668
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1464
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\z4J4TfGBr0Hc.bat" "
        13⤵
        
        PID:2232
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2916
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:352
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:984
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1420
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\8693GGGFffH5.bat" "
        15⤵
        
        PID:2252
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2072
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1860
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2868
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LzB2O2hPMwVq.bat" "
        17⤵
        
        PID:2176
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2296
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2828
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2556
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mjKJ7aKI33Ut.bat" "
        19⤵
        
        PID:2732
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1868
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1944
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:284
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jnuFla3N4s5N.bat" "
        21⤵
        
        PID:2436
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1724
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1004
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2668
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wAu0errzGbVr.bat" "
        23⤵
        
        PID:2596
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2568
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:328
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1256
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\4cl0wyVM8zIp.bat" "
        25⤵
        
        PID:1456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2076
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1368
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:920
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1468
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\62YfIrtipLmw.bat" "
        27⤵
        
        PID:2916
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1348
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1000
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2940
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ytykm8w2tgAY.bat" "
        29⤵
        
        PID:564
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2528
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2224
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2580
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\s7B7TXWhi5Bt.bat" "
        31⤵
        
        PID:2484
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2700
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2180
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        33⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2864
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\2PqLZnqqvD43.bat" "
        33⤵
        
        PID:2656
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:2768
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2PqLZnqqvD43.bat

Filesize
199B

MD5
b1e51aa5fde4d2e6a1d44169171a9852

SHA1
951bb835b8501f924c7da0cc7c44f9f8a6663975

SHA256
e6104b3e2090230fb20eaa9fb01c4949bed37858d7a441a3c899656f2952d3d8

SHA512
0ef5bf9b33cf6443bdf31f61906eeeedfb19d0f82d154bbb07f1d7c8b797eead20f18702a0d4e8fcc4c0915a9cf6ec5141679fa89fb09b6a0f2ffd31a742221a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3E6aC4w03tuW.bat

Filesize
199B

MD5
677ce94444d7fb582d406acc00f9011c

SHA1
9d458cf1ccf474d9f028dbb46b3274aa25a6a913

SHA256
33040c14efbec82ce03fd46c7977812931fb313e5ea1da43f01e7b9a3ba4356e

SHA512
a7c92e131271ce570d288302158221c0a7f5c6efb789c70fd792c6983c4a439c52eb7347e6161b618e3b827171c64f618236ffa0a6680f72e5d5e547c9f15313

Download Submit
C:\Users\Admin\AppData\Local\Temp\4cl0wyVM8zIp.bat

Filesize
199B

MD5
734e64e4ce8ef3c7ca1a0b757ffdbf9f

SHA1
db1216f73a517c132e8148c64496132661ed7b83

SHA256
4b4e3971512e64627dc72e9a2754430657704a326ad0e93e157480190162799f

SHA512
fe46aadf0d11583b88e72b751f1595a9e4e935aa4d78e7adda85f56f8c1345b94e19a78df00c3debe5ca0c5e545301113fa8968fc943eff6779b9a8ca230814f

Download Submit
C:\Users\Admin\AppData\Local\Temp\62YfIrtipLmw.bat

Filesize
199B

MD5
c108e5d1bce0f194ffd2dd1cdfb03747

SHA1
991edb1a1deb2391ad1936c8f2171defad99321c

SHA256
49c0588760507481d75c1a997433dadfad419ef822823cf39458d4efd6fbbc45

SHA512
32b169718c71ef83433dd9736ec10b1390f21620bf38f290be0d7560e1210a3220de243c5521c54ea021e1ecce401882a2236fc0bd407c24e72aa8132802eb0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8693GGGFffH5.bat

Filesize
199B

MD5
e2ec1c6512240030c0f66fe20f1bbf77

SHA1
baabd94606902b28f24cb70acb653a61e9979c68

SHA256
3f422bfa017d53d4b27df489ac7c010580689c629020a7f79f9f170e2a32ae0f

SHA512
d414ca6084027befb1cd4ba5bceb85bbe61b050bac4137f783ea5f9ed428652d606a7cfaaf0786d6a9d7cfd77dc930b5ed2cbf5ffe9955461cd2983785ebd250

Download Submit
C:\Users\Admin\AppData\Local\Temp\IBImd4fRwptQ.bat

Filesize
199B

MD5
6bd71a8fedfbdba84bc80fbad0669f61

SHA1
5b409bdb301e1e6db69db0e4391cb5cb6c167d54

SHA256
71fa35cae9ddd8e2e89b851c14d30c775828b8f58902d954c228639acc95d6f3

SHA512
63b37e83f539273367e55f22c801090bec319ea5d06b0373cee1351e79c50405b833d68c63dd10ccbdf7c2ae67118dcefbe69162e99e38fa5e22e4fa1af60f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzB2O2hPMwVq.bat

Filesize
199B

MD5
a290716f6d2aeac34308c64a6ebe84a1

SHA1
5b1733f3e02518053a1479540da72212a3d2c8f7

SHA256
499a25009b54accd0a0a6d7ba049ec5c3379673983de10d65647942dba10da14

SHA512
0a11e5481d9fb01736b6c6374dd0f931bb9b9cc958b8fe28453f03f44b711eb7253e0bf2c4c6a158b3f37a0d7304e0eaa55db68fe4fc58e2bfc549d874a126e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ytykm8w2tgAY.bat

Filesize
199B

MD5
d0d6ad58fa021c1427ff9de06466fe94

SHA1
8aa574c2c7c1e90f57c6c87b4542f90c95413464

SHA256
7f604ae4db213450fc2bd6cc072c9ce6b466a762225f927d42cc287b6067877b

SHA512
1e2db8c1a1eba609ad5b49eb4a20e0cc9dbb8a195d5e489fe30945ed9c312aa36271ef53d0b6b9a84178ff86b35a7a03702030bf1bd31f0674d9e1376750eb52

Download Submit
C:\Users\Admin\AppData\Local\Temp\ei5PdvP0U0GX.bat

Filesize
199B

MD5
52bfd5a304834efde316b35da9c39627

SHA1
63068b76eb772be249e0b018ed785605923fd252

SHA256
8548106ac7d9d0a9610512cb1de92e0744b4d6dc03da660714cff99603fb5d7e

SHA512
c60d3d635f836e95924a8744897087d6fc4a509aef4c81e2f81494f76b6469ff64596a9afb7b3e136f0a027d5424323f1eab4fa10c80aa42f94b7de00237a2f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnuFla3N4s5N.bat

Filesize
199B

MD5
9c2435547c2a69e4666113a7945707e9

SHA1
97192254107c2f6de862c445171bbda36ef85dc2

SHA256
6c827ba330665ed739664335039e20fe6bf6b2a59c2c056ef0b0e2a1b4ce41c3

SHA512
0d43386a120b0ef02c05656ea3ef2bc0ecf013b665cb7a8291d3ffa9fa92e41635007721dc98578a25d2480ae5f938cbcfa66a7d362d5e82aff37702f85e42e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\lKl8Cbi9O48B.bat

Filesize
199B

MD5
49c5e587b495349138901b77d90e306f

SHA1
bb8a4d0199d99116ba99d98a63f3ed2748f1ad19

SHA256
e1de3b42e41ee74184a205306e9abe52392d295fa4416649d552e3a72198d4d1

SHA512
e566e7f6c1520ab27ecaa39bd383401eb07f8be488da88fd4bd924547a53e3f645df5394f1457b7ee0987efb6cfc536bc2fffd08610e8d19097772d3b449bc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\mjKJ7aKI33Ut.bat

Filesize
199B

MD5
1b8f39d5c1ffaca962440516192264e8

SHA1
47581eb460c1fa2791e7dbf85f6a04457318bc4a

SHA256
914341fa30373d337df461e6d8791e334b7df2b76a263aa48b0e293f37e06749

SHA512
d1c00676c8d7c516264f557e585d56508aa31248e04aa5306490533e02b197906ad54d7b2c970fe1174d48d0546bc9bf9bd0f2583277ed320241a0252829be89

Download Submit
C:\Users\Admin\AppData\Local\Temp\rRSidKxAWgOV.bat

Filesize
199B

MD5
136b726ce082fee7d1c15b0145482d1f

SHA1
bc45953e40f3345d45243a39c6465697fd37b6d5

SHA256
96334ca4956dbc002963f30e8bdf50435438bca37f6dddb08c9cf310d39ff178

SHA512
64cd6b8f47e1f69ef465c74a6e50231e722492c38db0de1c9bac3a3dd7b345b860cfe29a35dfcc8fe43c7c74a636b7551d65aeef34ad4fb90cef346bc0c6aa53

Download Submit
C:\Users\Admin\AppData\Local\Temp\s7B7TXWhi5Bt.bat

Filesize
199B

MD5
3c13d1c7f8a80891c551d2b58ad3ea90

SHA1
8e5fc2f8bcd47e2a00e179f1a94d07782637793a

SHA256
d02ab26da1c27be3f8cba22c87d9da262f14d442cad4dee22fb72d850b9e55f1

SHA512
14f36e0e96c2c96519c36c56fd1c08cffab5bdc05d53a8b69b9dec9a4ae730bf72fb9666b29f8170b1cce9a33272df9c73777f81e142bb25de72e88f30103a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAu0errzGbVr.bat

Filesize
199B

MD5
07b4de690d9876d57de66c31b0e86174

SHA1
f29c2909bb859046ff82f6454017bec73c54f545

SHA256
28bb00b26c3a730e19dd99be974333b1fea43218dac0cc6f67ea90a6f565811c

SHA512
c79669bfd8de3ea4eb9585b896fa11a4a291202856b2103680df09f2b16dfcfaba06da3e9090936c0b7f221157c8be7833249f69c7b17bf300c98120332294a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\z4J4TfGBr0Hc.bat

Filesize
199B

MD5
ba52f1a9857d346c16f6b48916e0446d

SHA1
86560e2f03af5aeeb4bceab1248704af46500f02

SHA256
065e2c273696b71a371ca45ab2e7127384467c4fd4444dbd7133e17ae3cc6d95

SHA512
e144b83844351c83059bde5092117a83060929f510d0ce8c4f1bae22f0636fa9684702997399356db56158490c462d97d6bb6846587acf68dafdd70d6fa18fae

Download Submit
C:\Windows\system32\System32\svchost.exe

Filesize
3.1MB

MD5
71b0a3eb76e864f63a108192fce45858

SHA1
e7bc4b311934f8223ef98483a8092c3c9cc5b95a

SHA256
71d5442831a53d429d61cfdb48bb92ea0a30ca91782fb3b219bd9b3fe3d9cff2

SHA512
a35ddfe5d194be8ec7b5444b4e1e0756de8cc7957f59cea217fe26446b299519c6676eafece1fd49e5107c34721af47402dc8aefb76f040deb5bcd51e7a2eef1

Download Submit
memory/920-142-0x00000000012C0000-0x00000000015E4000-memory.dmp

Filesize
3.1MB

Download
memory/992-164-0x0000000001310000-0x0000000001634000-memory.dmp

Filesize
3.1MB

Download
memory/1444-45-0x0000000001260000-0x0000000001584000-memory.dmp

Filesize
3.1MB

Download
memory/1552-33-0x00000000002F0000-0x0000000000614000-memory.dmp

Filesize
3.1MB

Download
memory/1856-0-0x000007FEF5983000-0x000007FEF5984000-memory.dmp

Filesize
4KB

Download
memory/1856-1-0x00000000008F0000-0x0000000000C14000-memory.dmp

Filesize
3.1MB

Download
memory/1856-2-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

Filesize
9.9MB

Download
memory/1856-20-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

Filesize
9.9MB

Download
memory/1980-110-0x0000000000080000-0x00000000003A4000-memory.dmp

Filesize
3.1MB

Download
memory/2008-121-0x0000000000B10000-0x0000000000E34000-memory.dmp

Filesize
3.1MB

Download
memory/2088-7-0x0000000000A80000-0x0000000000DA4000-memory.dmp

Filesize
3.1MB

Download
memory/2088-9-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

Filesize
9.9MB

Download
memory/2088-8-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

Filesize
9.9MB

Download
memory/2088-19-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

Filesize
9.9MB

Download
memory/2180-87-0x0000000000160000-0x0000000000484000-memory.dmp

Filesize
3.1MB

Download
memory/2736-175-0x0000000000300000-0x0000000000624000-memory.dmp

Filesize
3.1MB

Download
memory/2768-22-0x00000000001A0000-0x00000000004C4000-memory.dmp

Filesize
3.1MB

Download
memory/2792-98-0x0000000000F80000-0x00000000012A4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads