quasar | 71d5442831a53d429d61cfdb48bb92ea0a30ca91782fb3b219bd9b3fe3d9cff2

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FlashingSoftwarePRO.exe
Size

3.1MB
MD5

71b0a3eb76e864f63a108192fce45858
SHA1

e7bc4b311934f8223ef98483a8092c3c9cc5b95a
SHA256

71d5442831a53d429d61cfdb48bb92ea0a30ca91782fb3b219bd9b3fe3d9cff2
SHA512

a35ddfe5d194be8ec7b5444b4e1e0756de8cc7957f59cea217fe26446b299519c6676eafece1fd49e5107c34721af47402dc8aefb76f040deb5bcd51e7a2eef1
SSDEEP

49152:rvSe821/aQWl8P0lSk3aKA3Z+nHPLk9h4vJeLoGd+THHB72eh2NT:rvp821/aQWl8P0lSk3DA3Z+nIhZ

Score

10^/10

quasar svchost discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

svchost

quasqy10-51732.portmap.host:4782

193.161.193.99:4782

quasqy10-51732.portmap.host:1194

Mutex

1254c7bb-0f09-42ad-83dc-450c6528bddb

Attributes

encryption_key
BDB44181C868606DFCA1741A69056AAA62DADEFC
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
RuntimeBroker
subdirectory
System32

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/3000-1-0x0000000000840000-0x0000000000B64000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023b7a-5.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 15 IoCs

pid	Process
2904	svchost.exe
4116	svchost.exe
4548	svchost.exe
2468	svchost.exe
216	svchost.exe
1392	svchost.exe
2196	svchost.exe
4952	svchost.exe
1324	svchost.exe
5116	svchost.exe
2108	svchost.exe
2912	svchost.exe
3608	svchost.exe
1420	svchost.exe
1700	svchost.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\System32	FlashingSoftwarePRO.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File created	C:\Windows\system32\System32\svchost.exe	FlashingSoftwarePRO.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32\svchost.exe	FlashingSoftwarePRO.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe
File opened for modification	C:\Windows\system32\System32	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4312	PING.EXE
2972	PING.EXE
2736	PING.EXE
5016	PING.EXE
1492	PING.EXE
3096	PING.EXE
1664	PING.EXE
5092	PING.EXE
1540	PING.EXE
748	PING.EXE
2016	PING.EXE
4940	PING.EXE
2816	PING.EXE
912	PING.EXE
2700	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2700	PING.EXE
4312	PING.EXE
912	PING.EXE
4940	PING.EXE
5092	PING.EXE
1540	PING.EXE
1492	PING.EXE
2816	PING.EXE
2972	PING.EXE
2736	PING.EXE
1664	PING.EXE
3096	PING.EXE
748	PING.EXE
2016	PING.EXE
5016	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4592	schtasks.exe
4500	schtasks.exe
2212	schtasks.exe
444	schtasks.exe
2660	schtasks.exe
4276	schtasks.exe
732	schtasks.exe
1496	schtasks.exe
468	schtasks.exe
1372	schtasks.exe
4576	schtasks.exe
4832	schtasks.exe
2996	schtasks.exe
2440	schtasks.exe
4284	schtasks.exe
404	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	3000	FlashingSoftwarePRO.exe
Token: SeDebugPrivilege	2904	svchost.exe
Token: SeDebugPrivilege	4116	svchost.exe
Token: SeDebugPrivilege	4548	svchost.exe
Token: SeDebugPrivilege	2468	svchost.exe
Token: SeDebugPrivilege	216	svchost.exe
Token: SeDebugPrivilege	1392	svchost.exe
Token: SeDebugPrivilege	2196	svchost.exe
Token: SeDebugPrivilege	4952	svchost.exe
Token: SeDebugPrivilege	1324	svchost.exe
Token: SeDebugPrivilege	5116	svchost.exe
Token: SeDebugPrivilege	2108	svchost.exe
Token: SeDebugPrivilege	2912	svchost.exe
Token: SeDebugPrivilege	3608	svchost.exe
Token: SeDebugPrivilege	1420	svchost.exe
Token: SeDebugPrivilege	1700	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 4592	3000	FlashingSoftwarePRO.exe	83
PID 3000 wrote to memory of 4592	3000	FlashingSoftwarePRO.exe	83
PID 3000 wrote to memory of 2904	3000	FlashingSoftwarePRO.exe	85
PID 3000 wrote to memory of 2904	3000	FlashingSoftwarePRO.exe	85
PID 2904 wrote to memory of 4276	2904	svchost.exe	86
PID 2904 wrote to memory of 4276	2904	svchost.exe	86
PID 2904 wrote to memory of 4500	2904	svchost.exe	88
PID 2904 wrote to memory of 4500	2904	svchost.exe	88
PID 4500 wrote to memory of 4616	4500	cmd.exe	90
PID 4500 wrote to memory of 4616	4500	cmd.exe	90
PID 4500 wrote to memory of 1492	4500	cmd.exe	91
PID 4500 wrote to memory of 1492	4500	cmd.exe	91
PID 4500 wrote to memory of 4116	4500	cmd.exe	104
PID 4500 wrote to memory of 4116	4500	cmd.exe	104
PID 4116 wrote to memory of 732	4116	svchost.exe	105
PID 4116 wrote to memory of 732	4116	svchost.exe	105
PID 4116 wrote to memory of 2544	4116	svchost.exe	108
PID 4116 wrote to memory of 2544	4116	svchost.exe	108
PID 2544 wrote to memory of 4964	2544	cmd.exe	110
PID 2544 wrote to memory of 4964	2544	cmd.exe	110
PID 2544 wrote to memory of 3096	2544	cmd.exe	111
PID 2544 wrote to memory of 3096	2544	cmd.exe	111
PID 2544 wrote to memory of 4548	2544	cmd.exe	112
PID 2544 wrote to memory of 4548	2544	cmd.exe	112
PID 4548 wrote to memory of 1496	4548	svchost.exe	113
PID 4548 wrote to memory of 1496	4548	svchost.exe	113
PID 4548 wrote to memory of 776	4548	svchost.exe	116
PID 4548 wrote to memory of 776	4548	svchost.exe	116
PID 776 wrote to memory of 4816	776	cmd.exe	118
PID 776 wrote to memory of 4816	776	cmd.exe	118
PID 776 wrote to memory of 2700	776	cmd.exe	119
PID 776 wrote to memory of 2700	776	cmd.exe	119
PID 776 wrote to memory of 2468	776	cmd.exe	124
PID 776 wrote to memory of 2468	776	cmd.exe	124
PID 2468 wrote to memory of 2996	2468	svchost.exe	125
PID 2468 wrote to memory of 2996	2468	svchost.exe	125
PID 2468 wrote to memory of 4684	2468	svchost.exe	128
PID 2468 wrote to memory of 4684	2468	svchost.exe	128
PID 4684 wrote to memory of 2500	4684	cmd.exe	130
PID 4684 wrote to memory of 2500	4684	cmd.exe	130
PID 4684 wrote to memory of 4312	4684	cmd.exe	131
PID 4684 wrote to memory of 4312	4684	cmd.exe	131
PID 4684 wrote to memory of 216	4684	cmd.exe	132
PID 4684 wrote to memory of 216	4684	cmd.exe	132
PID 216 wrote to memory of 4576	216	svchost.exe	133
PID 216 wrote to memory of 4576	216	svchost.exe	133
PID 216 wrote to memory of 1384	216	svchost.exe	136
PID 216 wrote to memory of 1384	216	svchost.exe	136
PID 1384 wrote to memory of 1368	1384	cmd.exe	138
PID 1384 wrote to memory of 1368	1384	cmd.exe	138
PID 1384 wrote to memory of 2816	1384	cmd.exe	139
PID 1384 wrote to memory of 2816	1384	cmd.exe	139
PID 1384 wrote to memory of 1392	1384	cmd.exe	141
PID 1384 wrote to memory of 1392	1384	cmd.exe	141
PID 1392 wrote to memory of 4500	1392	svchost.exe	142
PID 1392 wrote to memory of 4500	1392	svchost.exe	142
PID 1392 wrote to memory of 2800	1392	svchost.exe	145
PID 1392 wrote to memory of 2800	1392	svchost.exe	145
PID 2800 wrote to memory of 2020	2800	cmd.exe	147
PID 2800 wrote to memory of 2020	2800	cmd.exe	147
PID 2800 wrote to memory of 748	2800	cmd.exe	148
PID 2800 wrote to memory of 748	2800	cmd.exe	148
PID 2800 wrote to memory of 2196	2800	cmd.exe	150
PID 2800 wrote to memory of 2196	2800	cmd.exe	150

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\FlashingSoftwarePRO.exe
"C:\Users\Admin\AppData\Local\Temp\FlashingSoftwarePRO.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4592
- C:\Windows\system32\System32\svchost.exe
  "C:\Windows\system32\System32\svchost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BeZnWYe9xNeJ.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4500
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4616
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1492
  - - C:\Windows\system32\System32\svchost.exe
      "C:\Windows\system32\System32\svchost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4116
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:732
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGGrntdIGi3N.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2544
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4964
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3096
      - C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EvPHbN4f2NeG.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4816
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2700
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\p287RWFSkuXl.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2500
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4312
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3LT3P7UYKgxN.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1368
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2816
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cb7mYFPFS02g.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2020
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:748
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yMgTG97GKRX3.bat" "
        15⤵
        
        PID:2484
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1140
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2016
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4952
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqnsSQREnQcr.bat" "
        17⤵
        
        PID:5012
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4008
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2972
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Oe2JbvLHNVwP.bat" "
        19⤵
        
        PID:3948
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3120
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1664
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5116
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VeTqzsa8vNH8.bat" "
        21⤵
        
        PID:4076
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:912
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Dn5eiegTPRPC.bat" "
        23⤵
        
        PID:516
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3872
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2736
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eg79tVoBrYhn.bat" "
        25⤵
        
        PID:4180
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2388
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5092
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3608
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UpDhlwspa30P.bat" "
        27⤵
        
        PID:928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2944
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1540
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1420
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5KairD8JlL1z.bat" "
        29⤵
        
        PID:2904
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1596
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5016
        
        C:\Windows\system32\System32\svchost.exe
        
        "C:\Windows\system32\System32\svchost.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\svchost.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ilXU85erAnBD.bat" "
        31⤵
        
        PID:1164
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:4360
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3LT3P7UYKgxN.bat

Filesize
199B

MD5
0e2b983c4cd4f73b65590f37f6bdb276

SHA1
772fed5cc6a4211e5331f7f19b0c73f268039b46

SHA256
4405879fc74f763b6136395cb3aeb437e4ede0d756792d427c06db33d5603925

SHA512
26ee1e49532f933d8d580fa3ec813b808e4fe7fa404a85254a81ec3ecf1b2dffe66079dc26ecdc651c11e3086e95d8e62b42631b54fcc5ac273b340f1a012867

Download Submit
C:\Users\Admin\AppData\Local\Temp\5KairD8JlL1z.bat

Filesize
199B

MD5
908219ab626a626269a59f963c7e1312

SHA1
c1860c72794c9ee656b057b2e23df4e30fd85e37

SHA256
68b23e952cc8725068d52184af1049eeb2ab41d2be76945c4d3097abe68439af

SHA512
c6c0f141f25f11ffe1b3c5a00773d09fab77970bf5b0a0f683830007e1fd903fd7ce21451c0625abe5777595adb8251550487f8e32280f52f6bd26fd670870e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\BeZnWYe9xNeJ.bat

Filesize
199B

MD5
2cf9de5c0a4a167f0d026bc385faf23e

SHA1
311da1510f4629efd6d8bada0d4ebe8a77110c4b

SHA256
9e619db785c3083e5f40c5343f1b48cabdb1b22385d5a9b61e3415b342f8ef84

SHA512
09503d81aec05284625bb91b39288aa9cd0d97bba83dbe1f7e53043c2433744ed7ab87fb44bd2816c42bc52a3f5a493efd07093871973c8e31d38608425d2052

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dn5eiegTPRPC.bat

Filesize
199B

MD5
e690cfb74a7b1d56e1386c1ca6f62b2b

SHA1
39c9a577c696173192ce266db2c86c2e3ec2226c

SHA256
02ce94dbf019055ab4c3bec23f84eedff48e916faa3caadac69e9d2ef078c33b

SHA512
edba98a64b50317060fed8a8ab393064b18964f9b2c5addd513294b42befc033021880f8ec9913c2dd7f6fbaba3f404d882fe7101e4c73b8f7898a3b2157bcef

Download Submit
C:\Users\Admin\AppData\Local\Temp\EvPHbN4f2NeG.bat

Filesize
199B

MD5
2e920a00596268a5c861e0466198ed1b

SHA1
114cb382125e5edc6b5c905df506c5c7bb4b3287

SHA256
a9b6ce079924a0082dc39242203713017942624e5cb25edbd3fbcf201913f514

SHA512
4f734d7fe5f0f8051c76b7e34bca3f0afa405a3a7570764a8a88c581f24656500ae1c3365670b8313d66d77eedc1a7b0752b6b03ad8f88c8860ab04076b76a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oe2JbvLHNVwP.bat

Filesize
199B

MD5
0bb3e6e10a021166442a27082941f5d8

SHA1
bc0ae930ccbd05be0d519a4a3f5bd74280b08d86

SHA256
6fcf529402e9ace716587b11b56c28bff19af44c7d158c1011514b6cfc3c73d9

SHA512
325edf1baeb12242696f629553149485cbde436a07aacc4402e3d4e45bc006e3ba65f3e0bb58bbaae43f3e17e291d29779e78c2945848ac459f8c1343efb0334

Download Submit
C:\Users\Admin\AppData\Local\Temp\SqnsSQREnQcr.bat

Filesize
199B

MD5
5104368ffdd27aee7cf58638d49307c3

SHA1
3f4dc9d1a7efc2d2ec05a7331665dbf5e240d077

SHA256
9a318966a3026f128a801b5b833ff02418bd644e55d9448fa7e04fcf185c6dd7

SHA512
a89dabf57d8f1b17fb370e341c9c8b406f4b2ff7527cb6d77849a8e32084de246cf628384e0c26dace8637468391d511acd5179929d585fadf30d7ea1fbfaae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\UpDhlwspa30P.bat

Filesize
199B

MD5
2a61f7c9d27b4a8af924caffa7508c72

SHA1
c9ede0585f7290f81928db497789187dee75a507

SHA256
b780a625b829feeb9df93606fca89476f7fa636480f0aeaab4d4f821eb681b0e

SHA512
508b4faf93e328f6753c68693abe005c3d65f5dda8bf6b36b9021060f48dc945ab482af50e7c0b75819d3883579de3b8c2956d3cdb05b4a5fa3c634b43a5dfab

Download Submit
C:\Users\Admin\AppData\Local\Temp\VeTqzsa8vNH8.bat

Filesize
199B

MD5
671c24d09baced988292c949dc10471f

SHA1
0f94c4a37b030edb4afafaae3bd124625e9eab3b

SHA256
7f970a2f171b2b7b189f4a4d141e2062178ec6a437900cc08ed4e9ef6da4eb98

SHA512
3f2c76c897b5eb977478d83f71f982a100f7b5a0ce5401281c118cfdb150c8e1408bcad78bd4048914e9924e1f8cc8504e1018f01c9ec6edbadf53ba30b3fac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb7mYFPFS02g.bat

Filesize
199B

MD5
4865fffd2f754213f456214e59b906fb

SHA1
ec2dd8e79edb8f326ee20b85dde9a7c22f319055

SHA256
dbe00ebdb09370be27c16d4177de55dc35b4b924beef223d865989bc73803f97

SHA512
16481e88b9e0814496c38841d82e88e79d0005bec1e84f81fe8a0ccc0a15156f8e93ef6ea0ba7a6d12c8c646f3914d19d632bbd650ec88669bd5fe8951cab417

Download Submit
C:\Users\Admin\AppData\Local\Temp\eg79tVoBrYhn.bat

Filesize
199B

MD5
417cb304b77d5090d755b80c4139a9e0

SHA1
d7494e1db244f40e83d5b4db020e4eeb3a139498

SHA256
df2016ed2db16f6ea36490d1df0750a12549887c5b389dda77e11f5ad870d497

SHA512
5eefd9bc060576e1f91888d55f1b113f2bd7b6c865b1dd1844b373c3d6cbdbc877d06b2d636ef91b0d05e0bc8f3a48983bab1b82f8109d03a74f135fd316e1f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ilXU85erAnBD.bat

Filesize
199B

MD5
0644eb27b405042f30affc627939a645

SHA1
e962de6415fed9229ca19e5e33952f1cb344c0fd

SHA256
b730cd9de4dd40cf0bf9d8f393a3e84ed2633332c409af12bf8f3938179c3989

SHA512
9ab557a852b41a441512c36a9a60df661460e2799c094386f3f9b9b5fc62a45706bbc779882dc270e42c1d57b044df5afa33b349e1394b02e4dbc414b76c9a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oGGrntdIGi3N.bat

Filesize
199B

MD5
49b17fe07e7b880283b3ff59078dc425

SHA1
bac95b9c34cbd10a7bae70d4bdcb79db8f7e0902

SHA256
1cf5e8674600fc64e3ae4b05d5e601021e2d03b3b3a66d1c2a10917f5379ae91

SHA512
81d5bffdc2c933cd40c3eee1ce4115bee23e23bdae2d8c491758dcf877288999da3c63a9daace8b534736dcb315032249b138a3a55ba4ed29ee9398d7eac19db

Download Submit
C:\Users\Admin\AppData\Local\Temp\p287RWFSkuXl.bat

Filesize
199B

MD5
256ce478177234bd6d55ab73a9bae905

SHA1
7ede75f2b7858a2b0a5fa657574eac3a1483ae92

SHA256
ab0a308f9e6e04cf61e059bfce82205d202924456f72166f55ad1be49a91a744

SHA512
da04b60489c48c1e2e749e11732625a41d4e3f4cac37e6b56c832fab411dd0197f4c6bd110ecfce22ee01104f41a357062afc86d5e842d935277f7a979fb4025

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMgTG97GKRX3.bat

Filesize
199B

MD5
42438772b40bae45754f721aecd6c4fd

SHA1
c43bb53d1ce1cfcfcfd9185224526293a1690431

SHA256
366e2c24dcf189fbd8603a2b5589cdbb9b92e125c458b484688c8a6f4923ae3b

SHA512
d7060dc10ede0543ba4390d7dc2d211d657cf9d36f5543ad522a8a70c433bb23f9f95a85f6d3325b96a7666105164e92fee196bf78f5e2f827395966f4196c6d

Download Submit
C:\Windows\System32\System32\svchost.exe

Filesize
3.1MB

MD5
71b0a3eb76e864f63a108192fce45858

SHA1
e7bc4b311934f8223ef98483a8092c3c9cc5b95a

SHA256
71d5442831a53d429d61cfdb48bb92ea0a30ca91782fb3b219bd9b3fe3d9cff2

SHA512
a35ddfe5d194be8ec7b5444b4e1e0756de8cc7957f59cea217fe26446b299519c6676eafece1fd49e5107c34721af47402dc8aefb76f040deb5bcd51e7a2eef1

Download Submit
memory/2904-9-0x00007FFD6D400000-0x00007FFD6DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/2904-10-0x000000001D100000-0x000000001D150000-memory.dmp

Filesize
320KB

Download
memory/2904-11-0x000000001D210000-0x000000001D2C2000-memory.dmp

Filesize
712KB

Download
memory/2904-16-0x00007FFD6D400000-0x00007FFD6DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/3000-0-0x00007FFD6D403000-0x00007FFD6D405000-memory.dmp

Filesize
8KB

Download
memory/3000-2-0x00007FFD6D400000-0x00007FFD6DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/3000-1-0x0000000000840000-0x0000000000B64000-memory.dmp

Filesize
3.1MB

Download
memory/3000-8-0x00007FFD6D400000-0x00007FFD6DEC1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads