quasar | 21a6c7941638ef73d9b41185eea6f284f2df63d818a0aed86c391aa1d5aa26fb

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21a6c7941638ef73d9b41185eea6f284f2df63d818a0aed86c391aa1d5aa26fb.exe
Size

3.1MB
MD5

a3ffca2a5a9a4917a64bcabccb4f9fad
SHA1

9cfc0318809849ab6f2edfc18f6975da812a9f51
SHA256

21a6c7941638ef73d9b41185eea6f284f2df63d818a0aed86c391aa1d5aa26fb
SHA512

d491dcf7bf4d7d20632b31e82eee824ffb1eedca18f0f25b46aae1750f40240589e4600566e327bd866374ec36321db2d79f05fe6fc49ed3d30901e31bfc384e
SSDEEP

49152:nv3I22SsaNYfdPBldt698dBcjHKPRJ6CbR3LoGd2THHB72eh2NT:nv422SsaNYfdPBldt6+dBcjHKPRJ68

Score

10^/10

quasar dilly discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

dilly

lvke-45989.portmap.host:45989

Mutex

0cb49dc2-fd0d-4581-ae1e-04154c41f310

Attributes

encryption_key
E5250226804167CB0B1B4B0E9667D0C056694DCA
install_name
defenderx64.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender Helper
subdirectory
en

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 10 IoCs

resource	yara_rule
behavioral1/memory/2316-1-0x0000000000C30000-0x0000000000F54000-memory.dmp	family_quasar
behavioral1/files/0x0008000000015ed2-5.dat	family_quasar
behavioral1/memory/2252-7-0x0000000000D70000-0x0000000001094000-memory.dmp	family_quasar
behavioral1/memory/2700-22-0x0000000001310000-0x0000000001634000-memory.dmp	family_quasar
behavioral1/memory/1820-66-0x00000000003C0000-0x00000000006E4000-memory.dmp	family_quasar
behavioral1/memory/888-78-0x0000000000D20000-0x0000000001044000-memory.dmp	family_quasar
behavioral1/memory/2880-90-0x0000000000120000-0x0000000000444000-memory.dmp	family_quasar
behavioral1/memory/2596-101-0x0000000001000000-0x0000000001324000-memory.dmp	family_quasar
behavioral1/memory/1688-113-0x0000000001260000-0x0000000001584000-memory.dmp	family_quasar
behavioral1/memory/1640-145-0x0000000001300000-0x0000000001624000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2252	defenderx64.exe
2700	defenderx64.exe
1792	defenderx64.exe
2684	defenderx64.exe
2912	defenderx64.exe
1820	defenderx64.exe
888	defenderx64.exe
2880	defenderx64.exe
2596	defenderx64.exe
1688	defenderx64.exe
2952	defenderx64.exe
896	defenderx64.exe
1640	defenderx64.exe
2268	defenderx64.exe
2424	defenderx64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
588	PING.EXE
2560	PING.EXE
1224	PING.EXE
2288	PING.EXE
2144	PING.EXE
288	PING.EXE
448	PING.EXE
540	PING.EXE
2312	PING.EXE
1804	PING.EXE
1056	PING.EXE
2620	PING.EXE
320	PING.EXE
1588	PING.EXE
2928	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
588	PING.EXE
1588	PING.EXE
2928	PING.EXE
2144	PING.EXE
1224	PING.EXE
2288	PING.EXE
2560	PING.EXE
448	PING.EXE
2312	PING.EXE
1056	PING.EXE
540	PING.EXE
1804	PING.EXE
2620	PING.EXE
320	PING.EXE
288	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2344	schtasks.exe
768	schtasks.exe
1092	schtasks.exe
1568	schtasks.exe
2720	schtasks.exe
1708	schtasks.exe
2012	schtasks.exe
2724	schtasks.exe
2708	schtasks.exe
2696	schtasks.exe
2232	schtasks.exe
1960	schtasks.exe
2084	schtasks.exe
2220	schtasks.exe
2112	schtasks.exe
576	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	21a6c7941638ef73d9b41185eea6f284f2df63d818a0aed86c391aa1d5aa26fb.exe
Token: SeDebugPrivilege	2252	defenderx64.exe
Token: SeDebugPrivilege	2700	defenderx64.exe
Token: SeDebugPrivilege	1792	defenderx64.exe
Token: SeDebugPrivilege	2684	defenderx64.exe
Token: SeDebugPrivilege	2912	defenderx64.exe
Token: SeDebugPrivilege	1820	defenderx64.exe
Token: SeDebugPrivilege	888	defenderx64.exe
Token: SeDebugPrivilege	2880	defenderx64.exe
Token: SeDebugPrivilege	2596	defenderx64.exe
Token: SeDebugPrivilege	1688	defenderx64.exe
Token: SeDebugPrivilege	2952	defenderx64.exe
Token: SeDebugPrivilege	896	defenderx64.exe
Token: SeDebugPrivilege	1640	defenderx64.exe
Token: SeDebugPrivilege	2268	defenderx64.exe
Token: SeDebugPrivilege	2424	defenderx64.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
2252	defenderx64.exe
2700	defenderx64.exe
1792	defenderx64.exe
2684	defenderx64.exe
2912	defenderx64.exe
1820	defenderx64.exe
888	defenderx64.exe
2880	defenderx64.exe
2596	defenderx64.exe
1688	defenderx64.exe
2952	defenderx64.exe
896	defenderx64.exe
1640	defenderx64.exe
2268	defenderx64.exe
2424	defenderx64.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2252	defenderx64.exe
2700	defenderx64.exe
1792	defenderx64.exe
2684	defenderx64.exe
2912	defenderx64.exe
1820	defenderx64.exe
888	defenderx64.exe
2880	defenderx64.exe
2596	defenderx64.exe
1688	defenderx64.exe
2952	defenderx64.exe
896	defenderx64.exe
1640	defenderx64.exe
2268	defenderx64.exe
2424	defenderx64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 576	2316	21a6c7941638ef73d9b41185eea6f284f2df63d818a0aed86c391aa1d5aa26fb.exe	31
PID 2316 wrote to memory of 576	2316	21a6c7941638ef73d9b41185eea6f284f2df63d818a0aed86c391aa1d5aa26fb.exe	31
PID 2316 wrote to memory of 576	2316	21a6c7941638ef73d9b41185eea6f284f2df63d818a0aed86c391aa1d5aa26fb.exe	31
PID 2316 wrote to memory of 2252	2316	21a6c7941638ef73d9b41185eea6f284f2df63d818a0aed86c391aa1d5aa26fb.exe	33
PID 2316 wrote to memory of 2252	2316	21a6c7941638ef73d9b41185eea6f284f2df63d818a0aed86c391aa1d5aa26fb.exe	33
PID 2316 wrote to memory of 2252	2316	21a6c7941638ef73d9b41185eea6f284f2df63d818a0aed86c391aa1d5aa26fb.exe	33
PID 2252 wrote to memory of 2696	2252	defenderx64.exe	34
PID 2252 wrote to memory of 2696	2252	defenderx64.exe	34
PID 2252 wrote to memory of 2696	2252	defenderx64.exe	34
PID 2252 wrote to memory of 2716	2252	defenderx64.exe	36
PID 2252 wrote to memory of 2716	2252	defenderx64.exe	36
PID 2252 wrote to memory of 2716	2252	defenderx64.exe	36
PID 2716 wrote to memory of 2748	2716	cmd.exe	38
PID 2716 wrote to memory of 2748	2716	cmd.exe	38
PID 2716 wrote to memory of 2748	2716	cmd.exe	38
PID 2716 wrote to memory of 2620	2716	cmd.exe	39
PID 2716 wrote to memory of 2620	2716	cmd.exe	39
PID 2716 wrote to memory of 2620	2716	cmd.exe	39
PID 2716 wrote to memory of 2700	2716	cmd.exe	40
PID 2716 wrote to memory of 2700	2716	cmd.exe	40
PID 2716 wrote to memory of 2700	2716	cmd.exe	40
PID 2700 wrote to memory of 2012	2700	defenderx64.exe	41
PID 2700 wrote to memory of 2012	2700	defenderx64.exe	41
PID 2700 wrote to memory of 2012	2700	defenderx64.exe	41
PID 2700 wrote to memory of 1744	2700	defenderx64.exe	43
PID 2700 wrote to memory of 1744	2700	defenderx64.exe	43
PID 2700 wrote to memory of 1744	2700	defenderx64.exe	43
PID 1744 wrote to memory of 1892	1744	cmd.exe	45
PID 1744 wrote to memory of 1892	1744	cmd.exe	45
PID 1744 wrote to memory of 1892	1744	cmd.exe	45
PID 1744 wrote to memory of 320	1744	cmd.exe	46
PID 1744 wrote to memory of 320	1744	cmd.exe	46
PID 1744 wrote to memory of 320	1744	cmd.exe	46
PID 1744 wrote to memory of 1792	1744	cmd.exe	47
PID 1744 wrote to memory of 1792	1744	cmd.exe	47
PID 1744 wrote to memory of 1792	1744	cmd.exe	47
PID 1792 wrote to memory of 1568	1792	defenderx64.exe	48
PID 1792 wrote to memory of 1568	1792	defenderx64.exe	48
PID 1792 wrote to memory of 1568	1792	defenderx64.exe	48
PID 1792 wrote to memory of 1684	1792	defenderx64.exe	50
PID 1792 wrote to memory of 1684	1792	defenderx64.exe	50
PID 1792 wrote to memory of 1684	1792	defenderx64.exe	50
PID 1684 wrote to memory of 1368	1684	cmd.exe	52
PID 1684 wrote to memory of 1368	1684	cmd.exe	52
PID 1684 wrote to memory of 1368	1684	cmd.exe	52
PID 1684 wrote to memory of 288	1684	cmd.exe	53
PID 1684 wrote to memory of 288	1684	cmd.exe	53
PID 1684 wrote to memory of 288	1684	cmd.exe	53
PID 1684 wrote to memory of 2684	1684	cmd.exe	54
PID 1684 wrote to memory of 2684	1684	cmd.exe	54
PID 1684 wrote to memory of 2684	1684	cmd.exe	54
PID 2684 wrote to memory of 2232	2684	defenderx64.exe	55
PID 2684 wrote to memory of 2232	2684	defenderx64.exe	55
PID 2684 wrote to memory of 2232	2684	defenderx64.exe	55
PID 2684 wrote to memory of 1920	2684	defenderx64.exe	57
PID 2684 wrote to memory of 1920	2684	defenderx64.exe	57
PID 2684 wrote to memory of 1920	2684	defenderx64.exe	57
PID 1920 wrote to memory of 2400	1920	cmd.exe	59
PID 1920 wrote to memory of 2400	1920	cmd.exe	59
PID 1920 wrote to memory of 2400	1920	cmd.exe	59
PID 1920 wrote to memory of 448	1920	cmd.exe	60
PID 1920 wrote to memory of 448	1920	cmd.exe	60
PID 1920 wrote to memory of 448	1920	cmd.exe	60
PID 1920 wrote to memory of 2912	1920	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\21a6c7941638ef73d9b41185eea6f284f2df63d818a0aed86c391aa1d5aa26fb.exe
"C:\Users\Admin\AppData\Local\Temp\21a6c7941638ef73d9b41185eea6f284f2df63d818a0aed86c391aa1d5aa26fb.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:576
- C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
  "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2696
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\h1dh6cJf5gkm.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2748
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2620
  - - C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
      "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2012
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ygeZCbyu7hgD.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1744
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1892
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:320
      - C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1568
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Dzc3v33C8oXW.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1368
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:288
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2232
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\84B1TzffrIdu.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2400
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:448
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2912
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1960
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rlY2WWKkxdun.bat" "
        11⤵
        
        PID:880
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:860
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2144
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1820
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2344
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\2qtfzSvbsY03.bat" "
        13⤵
        
        PID:1636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2148
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:540
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:888
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:768
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\M7cDIjv2feQv.bat" "
        15⤵
        
        PID:1404
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2896
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:588
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2880
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2720
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PaHvCBqhdlSS.bat" "
        17⤵
        
        PID:2300
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2760
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2312
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2596
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2708
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\n7RmN04S3tRQ.bat" "
        19⤵
        
        PID:1892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1828
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1804
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1688
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1708
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UccIIpbCwp1k.bat" "
        21⤵
        
        PID:2780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2672
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1056
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2952
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2084
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\5MQz7hMMpMNJ.bat" "
        23⤵
        
        PID:676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1328
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1224
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:896
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2220
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OxSsHbGr7Hdf.bat" "
        25⤵
        
        PID:296
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2176
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2288
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1640
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1092
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YOgjdBAfJgEa.bat" "
        27⤵
        
        PID:580
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1592
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1588
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2268
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2112
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OrJJ8Mfhtz38.bat" "
        29⤵
        
        PID:3032
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2876
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2560
        
        C:\Users\Admin\AppData\Roaming\en\defenderx64.exe
        
        "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2424
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\en\defenderx64.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2724
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RFKCRISU1OQW.bat" "
        31⤵
        
        PID:2620
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2788
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2qtfzSvbsY03.bat

Filesize
208B

MD5
759abd20c848cf72a77b6130d477dfdb

SHA1
85249a318aae1447b39dbe4045f0cf5c0c345259

SHA256
42a94e5b34eb787ad6438bb691b92360c43d99f38c61173256d840213fec53ab

SHA512
f78bba160324a4d91ee4562a755b85a96ba3fd2f9f949f2a016a20e7a34a82ea545fa55ef3533c7924aa2ba50145c111493efc48fa93f3246b30acf6635c04aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\5MQz7hMMpMNJ.bat

Filesize
208B

MD5
dabc3f664dae5c9ac32100d4f854ef20

SHA1
c3eb2a7253274149cbf92e2e2a7d688865907c53

SHA256
4c9586b8f55855d51b2171b8e066446b2fb9b012e4f5f902b424d8bd83fa82eb

SHA512
666f2b7c43e87c0ee5ddb97959d611751da8339bab02a15b0cffc016dc9e84bd7277d0540c2f3f75e6b05be0ac2d23a7d9959f766e29683136a227c283e3c309

Download Submit
C:\Users\Admin\AppData\Local\Temp\84B1TzffrIdu.bat

Filesize
208B

MD5
5fa6235f1fd8efd1b48259ce7727ff4b

SHA1
6dae3b2a2488cb4790da71334283073bfe1a54b2

SHA256
dc0d9be59355c6712fecc1903fabfc06c5b11141984bb344bd4ea5868b4a36ff

SHA512
a902db2dba596f8cbd741ee332a2a00f4024b96f544638c0aefb503fa7484dd79e4742a10ee008fde5ce4249b090d610c0170c9b1adca9f3060987987da3e787

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dzc3v33C8oXW.bat

Filesize
208B

MD5
b06ad264574e8ca9fd38185993c74037

SHA1
a9e024091c1b9bc12122ef82323de97cca44dd90

SHA256
3bd18109de646855351356a7ff7027b5c7c93adbef1dd12df63e3031fa95a411

SHA512
bc9eea399398e075f772736350da654c26f691f74a281cfffe67beb68b2762f517d6a043276c3499e086287d6b7c690072e732be9310e03e911f20bb6fb0ef15

Download Submit
C:\Users\Admin\AppData\Local\Temp\M7cDIjv2feQv.bat

Filesize
208B

MD5
264a26e0e231923b895da99cb91acffc

SHA1
795934ac91573ccc8f676bbfc4ef1ecbd66bb4f3

SHA256
a5d130540a475d7fffdc325a9670e727ee59fc084df677fbd80abf3b58f94d7f

SHA512
eddb6ebe7f3290fcdab50d4d9ab767035e1a3768f820ad9aeae541065c14820b7a3f092a96e4170be9afda9019f1d95dc3847538456975529b3dad50da2cb255

Download Submit
C:\Users\Admin\AppData\Local\Temp\OrJJ8Mfhtz38.bat

Filesize
208B

MD5
0fa0d309cc5e29c43288d4026c4fb478

SHA1
4bbccacbd28d7a6b444e2baadb77a3bc4508b92a

SHA256
8130ed07e84eef279924604bc25a629461d33c540b2ffb6e8e3c236ee3cffcb1

SHA512
ded521fc878324e4d9afc74d3434b8a4db82092328999ffd831d81ec9832eef378d90c1cee30f0936e91be0f46cb17b03e36cfdb178c0e7684a9fd486a457757

Download Submit
C:\Users\Admin\AppData\Local\Temp\OxSsHbGr7Hdf.bat

Filesize
208B

MD5
13730ba7c6e1e5b3199b83683ad9639e

SHA1
72f9065bcc7973094d6dbc2cfba3d8a8c4f5d65f

SHA256
7b123fdd849a6169fa0d38593d1ae0d25def26cb91f2c8cbfd938bf957046383

SHA512
64fbd2cd36b1bdca11c5aa7b59984873c57b8f173b05469397df1fa3f107df3d183801f51e600cd5eeb17a5a51313f3e30525220023671852c5790169f137e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\PaHvCBqhdlSS.bat

Filesize
208B

MD5
02acf3c54b561ded6501d8dfe32b66b8

SHA1
71bae839cfc0cf32f898c45c820aab4b1aa579b3

SHA256
48866107a79aa184bbeec256ca52c369b4c55edd07c7daaee4150658bd9fe4cd

SHA512
73aa0c9c8783c156ce33afdbf852108a24b5fe709f9681da4d15b11df782035eb340dcf068373143e55691e10e3390e7b9bc31de30c20ef9389381b7b59b4785

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFKCRISU1OQW.bat

Filesize
208B

MD5
b2daea181c830d53f5b84a9c99db6948

SHA1
8ecb71b21a15860e67fbd4b21a4bd468461ffab5

SHA256
7b977d2e430dd50eba3a86571bf734203aef0395b40bfefcb40f2554ef2a8d32

SHA512
b49796d208963095df5146b384375f9d021b931087632b0460c51e02de21da7e26ce64570c62a4551233f3bed249de304b4b2e5092b4d4ee2ec777548ef02328

Download Submit
C:\Users\Admin\AppData\Local\Temp\UccIIpbCwp1k.bat

Filesize
208B

MD5
985cfc3c6288132626fe7210ef61bd9d

SHA1
03c851485217a9381d4376c88b055c9b1894623c

SHA256
b30dd462f66136b4e1352b0db4278ea099e6002d84fd7b07a020f9c221ed71d6

SHA512
3997d4280b527fd532fc0d60b06dc42ab7b6ac21a999466541e65afb32e441dc51f6f65d10867c45abe31bc4bd81053293082aec8ad36ed1575f09c3b07d771b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YOgjdBAfJgEa.bat

Filesize
208B

MD5
4f452ae95e9fd3d57af193358fd5b6cd

SHA1
c80144fd4af23774c78d4622e72c8eae86ac0ebc

SHA256
9618379daa46bb24f015880615f41ae6ea19557c2c44fdaab823a51e545df3e0

SHA512
b1606beb6eafeee5a3e7fed8af99bc6cefc9f34ad613fc6bdeab1a65aaf0e087e2d66446aebbdeaffdebad7f9696ac024dbce077e1270fc969e1ae1bd477726c

Download Submit
C:\Users\Admin\AppData\Local\Temp\h1dh6cJf5gkm.bat

Filesize
208B

MD5
6f42991e15d4a50501094c4a3ffadec0

SHA1
9ef672587e9b3977dca8e26a9286602d985a5606

SHA256
7fe6c2687acfbb2aa005ba2e4ec80ed5bbc9f3bbe8f4ad7c255b3ed7e629d780

SHA512
77bf401e626c774f5cbecd9b1a6d4d34018367f71f60f519069d53a58545b6670aa81c1335c04d2a6fa0391d2bd227ccb51389487b60d71034cfcf33e0accf55

Download Submit
C:\Users\Admin\AppData\Local\Temp\n7RmN04S3tRQ.bat

Filesize
208B

MD5
dad4ba578636fa75800afbf9d128a8bd

SHA1
4633cd8f78cb6bb418a9beff2139aa53e8d22c22

SHA256
b284f79d7c69f5a9a24b7220c64ece2b902117f5e604f2255f98f1973d75d224

SHA512
13728fa028142ab0965b5f1f9eb82ec83ad942581945a9650651696b9eea6449b28192a92d71b86ff670af19d2f3729170de66ddcca21e41185ca06cb38f6de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rlY2WWKkxdun.bat

Filesize
208B

MD5
f9b82aea65bf94decc78dc1311effc1c

SHA1
6a6482362ab7230167899f05a78dbac2b125dfe6

SHA256
52575170a7bf04c3a4cf9f1f258c42c2cb97af01dae7e9e27d2b4ce6eb201c5e

SHA512
e62f7bf62fd6c0f3458cb2b0d3b118301b9ec7cc94a832467339ee1f8fc11a1bd20f9294a5eb43f8bc031ac44c693b6fdc1d9df5d2fc904183fea21ff199db8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygeZCbyu7hgD.bat

Filesize
208B

MD5
80329f0a76902f40fae509e69cf2b821

SHA1
48d0f9d86a278e26cac1bc9b62775b08426aa447

SHA256
dfd3f2b56f110b5720bb2a541fde07ef544d2ae00a4338932002ebc6ab1da59a

SHA512
a9f1260e3b8edb3912f6c787b3fcd4e1e219285ec934c0372648a8173d2efbb26f449003a53c239114958ed7437021cc6c94c74e20d0fe6b0067e06eaa999d62

Download Submit
C:\Users\Admin\AppData\Roaming\en\defenderx64.exe

Filesize
3.1MB

MD5
a3ffca2a5a9a4917a64bcabccb4f9fad

SHA1
9cfc0318809849ab6f2edfc18f6975da812a9f51

SHA256
21a6c7941638ef73d9b41185eea6f284f2df63d818a0aed86c391aa1d5aa26fb

SHA512
d491dcf7bf4d7d20632b31e82eee824ffb1eedca18f0f25b46aae1750f40240589e4600566e327bd866374ec36321db2d79f05fe6fc49ed3d30901e31bfc384e

Download Submit
memory/888-78-0x0000000000D20000-0x0000000001044000-memory.dmp

Filesize
3.1MB

Download
memory/1640-145-0x0000000001300000-0x0000000001624000-memory.dmp

Filesize
3.1MB

Download
memory/1688-113-0x0000000001260000-0x0000000001584000-memory.dmp

Filesize
3.1MB

Download
memory/1820-66-0x00000000003C0000-0x00000000006E4000-memory.dmp

Filesize
3.1MB

Download
memory/2252-19-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

Filesize
9.9MB

Download
memory/2252-10-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

Filesize
9.9MB

Download
memory/2252-9-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

Filesize
9.9MB

Download
memory/2252-7-0x0000000000D70000-0x0000000001094000-memory.dmp

Filesize
3.1MB

Download
memory/2316-0-0x000007FEF58D3000-0x000007FEF58D4000-memory.dmp

Filesize
4KB

Download
memory/2316-8-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

Filesize
9.9MB

Download
memory/2316-2-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

Filesize
9.9MB

Download
memory/2316-1-0x0000000000C30000-0x0000000000F54000-memory.dmp

Filesize
3.1MB

Download
memory/2596-101-0x0000000001000000-0x0000000001324000-memory.dmp

Filesize
3.1MB

Download
memory/2700-22-0x0000000001310000-0x0000000001634000-memory.dmp

Filesize
3.1MB

Download
memory/2880-90-0x0000000000120000-0x0000000000444000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads