quasar | e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270.exe
Size

3.3MB
MD5

bc884c0edbc8df559985b42fdd2fc985
SHA1

9611a03c424e0285ab1a8ea9683918ce7b5909ab
SHA256

e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270
SHA512

1b8c97d500de45fbf994dcd9bf65cc78106a62ff0770a362add18866cceebbe9f5e157a77d26cb0d0d8de89abe3d446bc911f33e7027fa8f8809d2720b0cedcc
SSDEEP

49152:BvmI22SsaNYfdPBldt698dBcjHideEErHFk/uVSoGdf3THHB72eh2NT:Bvr22SsaNYfdPBldt6+dBcjHidel8

Score

10^/10

quasar java discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Java

dez345-37245.portmap.host:37245

Mutex

f0e53bcd-851e-44af-8fd5-07d8ab5ed968

Attributes

encryption_key
65439CE7DEF3E0FAF01C526FEA90388C9FD487A1
install_name
java.exe
log_directory
Logs
reconnect_delay
3000
startup_key
java ©
subdirectory
Programfiles

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/3680-1-0x0000000000E50000-0x000000000119E000-memory.dmp	family_quasar
behavioral2/files/0x000c000000023a72-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	java.exe

Executes dropped EXE 15 IoCs

pid	Process
864	java.exe
1436	java.exe
4848	java.exe
3364	java.exe
4804	java.exe
3124	java.exe
4512	java.exe
2212	java.exe
4376	java.exe
1500	java.exe
4072	java.exe
812	java.exe
4360	java.exe
4800	java.exe
3884	java.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3244	PING.EXE
4044	PING.EXE
456	PING.EXE
2488	PING.EXE
312	PING.EXE
3468	PING.EXE
1956	PING.EXE
4644	PING.EXE
4052	PING.EXE
3328	PING.EXE
3892	PING.EXE
3176	PING.EXE
3672	PING.EXE
3896	PING.EXE
4504	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
3244	PING.EXE
3672	PING.EXE
4044	PING.EXE
3468	PING.EXE
1956	PING.EXE
4052	PING.EXE
312	PING.EXE
3896	PING.EXE
4644	PING.EXE
3176	PING.EXE
456	PING.EXE
3328	PING.EXE
2488	PING.EXE
4504	PING.EXE
3892	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1904	schtasks.exe
780	schtasks.exe
4572	schtasks.exe
2240	schtasks.exe
4552	schtasks.exe
3848	schtasks.exe
1324	schtasks.exe
1920	schtasks.exe
3052	schtasks.exe
720	schtasks.exe
2380	schtasks.exe
3504	schtasks.exe
720	schtasks.exe
1936	schtasks.exe
512	schtasks.exe
1528	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	3680	e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270.exe
Token: SeDebugPrivilege	864	java.exe
Token: SeDebugPrivilege	1436	java.exe
Token: SeDebugPrivilege	4848	java.exe
Token: SeDebugPrivilege	3364	java.exe
Token: SeDebugPrivilege	4804	java.exe
Token: SeDebugPrivilege	3124	java.exe
Token: SeDebugPrivilege	4512	java.exe
Token: SeDebugPrivilege	2212	java.exe
Token: SeDebugPrivilege	4376	java.exe
Token: SeDebugPrivilege	1500	java.exe
Token: SeDebugPrivilege	4072	java.exe
Token: SeDebugPrivilege	812	java.exe
Token: SeDebugPrivilege	4360	java.exe
Token: SeDebugPrivilege	4800	java.exe
Token: SeDebugPrivilege	3884	java.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
864	java.exe
1436	java.exe
4848	java.exe
3364	java.exe
4804	java.exe
3124	java.exe
4512	java.exe
2212	java.exe
4376	java.exe
1500	java.exe
4072	java.exe
812	java.exe
4360	java.exe
4800	java.exe
3884	java.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
864	java.exe
1436	java.exe
4848	java.exe
3364	java.exe
4804	java.exe
3124	java.exe
4512	java.exe
2212	java.exe
4376	java.exe
1500	java.exe
4072	java.exe
812	java.exe
4360	java.exe
4800	java.exe
3884	java.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 3052	3680	e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270.exe	84
PID 3680 wrote to memory of 3052	3680	e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270.exe	84
PID 3680 wrote to memory of 864	3680	e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270.exe	86
PID 3680 wrote to memory of 864	3680	e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270.exe	86
PID 864 wrote to memory of 720	864	java.exe	87
PID 864 wrote to memory of 720	864	java.exe	87
PID 864 wrote to memory of 4020	864	java.exe	89
PID 864 wrote to memory of 4020	864	java.exe	89
PID 4020 wrote to memory of 1904	4020	cmd.exe	91
PID 4020 wrote to memory of 1904	4020	cmd.exe	91
PID 4020 wrote to memory of 4644	4020	cmd.exe	92
PID 4020 wrote to memory of 4644	4020	cmd.exe	92
PID 4020 wrote to memory of 1436	4020	cmd.exe	100
PID 4020 wrote to memory of 1436	4020	cmd.exe	100
PID 1436 wrote to memory of 2380	1436	java.exe	103
PID 1436 wrote to memory of 2380	1436	java.exe	103
PID 1436 wrote to memory of 2160	1436	java.exe	106
PID 1436 wrote to memory of 2160	1436	java.exe	106
PID 2160 wrote to memory of 4536	2160	cmd.exe	108
PID 2160 wrote to memory of 4536	2160	cmd.exe	108
PID 2160 wrote to memory of 3176	2160	cmd.exe	109
PID 2160 wrote to memory of 3176	2160	cmd.exe	109
PID 2160 wrote to memory of 4848	2160	cmd.exe	114
PID 2160 wrote to memory of 4848	2160	cmd.exe	114
PID 4848 wrote to memory of 4572	4848	java.exe	115
PID 4848 wrote to memory of 4572	4848	java.exe	115
PID 4848 wrote to memory of 4108	4848	java.exe	118
PID 4848 wrote to memory of 4108	4848	java.exe	118
PID 4108 wrote to memory of 2704	4108	cmd.exe	120
PID 4108 wrote to memory of 2704	4108	cmd.exe	120
PID 4108 wrote to memory of 3244	4108	cmd.exe	121
PID 4108 wrote to memory of 3244	4108	cmd.exe	121
PID 4108 wrote to memory of 3364	4108	cmd.exe	125
PID 4108 wrote to memory of 3364	4108	cmd.exe	125
PID 3364 wrote to memory of 3848	3364	java.exe	126
PID 3364 wrote to memory of 3848	3364	java.exe	126
PID 3364 wrote to memory of 2848	3364	java.exe	129
PID 3364 wrote to memory of 2848	3364	java.exe	129
PID 2848 wrote to memory of 4704	2848	cmd.exe	131
PID 2848 wrote to memory of 4704	2848	cmd.exe	131
PID 2848 wrote to memory of 3672	2848	cmd.exe	132
PID 2848 wrote to memory of 3672	2848	cmd.exe	132
PID 2848 wrote to memory of 4804	2848	cmd.exe	134
PID 2848 wrote to memory of 4804	2848	cmd.exe	134
PID 4804 wrote to memory of 1324	4804	java.exe	135
PID 4804 wrote to memory of 1324	4804	java.exe	135
PID 4804 wrote to memory of 404	4804	java.exe	138
PID 4804 wrote to memory of 404	4804	java.exe	138
PID 404 wrote to memory of 1648	404	cmd.exe	140
PID 404 wrote to memory of 1648	404	cmd.exe	140
PID 404 wrote to memory of 4052	404	cmd.exe	141
PID 404 wrote to memory of 4052	404	cmd.exe	141
PID 404 wrote to memory of 3124	404	cmd.exe	143
PID 404 wrote to memory of 3124	404	cmd.exe	143
PID 3124 wrote to memory of 2240	3124	java.exe	144
PID 3124 wrote to memory of 2240	3124	java.exe	144
PID 3124 wrote to memory of 712	3124	java.exe	147
PID 3124 wrote to memory of 712	3124	java.exe	147
PID 712 wrote to memory of 4616	712	cmd.exe	149
PID 712 wrote to memory of 4616	712	cmd.exe	149
PID 712 wrote to memory of 4044	712	cmd.exe	150
PID 712 wrote to memory of 4044	712	cmd.exe	150
PID 712 wrote to memory of 4512	712	cmd.exe	153
PID 712 wrote to memory of 4512	712	cmd.exe	153

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270.exe
"C:\Users\Admin\AppData\Local\Temp\e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3052
- C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ARQ9QJMWbLQo.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4020
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1904
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4644
  - - C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
      "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1436
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2380
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0uSs6enFxYZc.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2160
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4536
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3176
      - C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\81aJAwrgBjV8.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2704
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3244
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gXp87F6Xebil.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4704
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3672
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\R1i9tSvta2xq.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1648
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4052
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\U4gkPkDU9vRH.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:712
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4616
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4044
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4512
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dKEySggMfpZZ.bat" "
        15⤵
        
        PID:1556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3984
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:312
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2212
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3504
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QKIiTBePzopg.bat" "
        17⤵
        
        PID:4960
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3976
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:456
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4376
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\N0ZeJthcyVUa.bat" "
        19⤵
        
        PID:3672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3600
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3328
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1500
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\El5bFWti8D7N.bat" "
        21⤵
        
        PID:2268
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2488
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4072
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LSSoNKi9N1Uz.bat" "
        23⤵
        
        PID:2544
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2092
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3468
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:812
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D5CUXJ2faewQ.bat" "
        25⤵
        
        PID:208
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2412
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3896
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4360
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1RZ6DptdCqbu.bat" "
        27⤵
        
        PID:4108
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4936
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4504
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4800
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aNG4FHDEXUT4.bat" "
        29⤵
        
        PID:3824
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2072
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3892
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3884
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ilq0nEOW1CTW.bat" "
        31⤵
        
        PID:3852
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:5092
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\java.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0uSs6enFxYZc.bat

Filesize
211B

MD5
422bf9283418d62ce5674fc95ee3ef3b

SHA1
c4a7d09a8b71c9553ba3cd1f139c810880d13a04

SHA256
6f4697af67daa1138597609795e42dfd0951691a6ce85d55603f585a10c401e7

SHA512
389991ed4c755c3ae7584a9a89d281b39cc7092952a223daf0dca8abb94df4ecd4351183ab6fd7316267e5e058e781f7a988be715c37d3ae6d2ab2b4e24f4662

Download Submit
C:\Users\Admin\AppData\Local\Temp\1RZ6DptdCqbu.bat

Filesize
211B

MD5
bfb51af95c48b0d5accc43ee10169e0c

SHA1
7aa732363768261ffa86f2d5c4f0aa2546665be2

SHA256
e70b6db57c1821c8cb27e4008df021b6e1e694601457547c6e151494b04c56db

SHA512
be955e238445a4ce83502f2d1101b1e262eba24fe7001b3d73abb5d4413dfd6504b08833bfa4929c1f5906ce6b0ff550c66b5358111ce7ccf06ad3aab936272a

Download Submit
C:\Users\Admin\AppData\Local\Temp\81aJAwrgBjV8.bat

Filesize
211B

MD5
ed700507f7a4a5e3cdf75b750f2179fe

SHA1
3d0d3b732f9dda52118a1cea54d2b82754c5fe3a

SHA256
16a49666fff8e2284d50b8abb51ae5229f4480d467dc9f5d94774a3cf41f0055

SHA512
58509733338eca61d8a5adbb01b2062866e6adf82d9f1c4539453de56a692710ef17601b435b959e978752ffbb7a9860beb47f440905b90384b46ceded7e8553

Download Submit
C:\Users\Admin\AppData\Local\Temp\ARQ9QJMWbLQo.bat

Filesize
211B

MD5
517b31c5cb739ab2016fc6739585e8e1

SHA1
9545391127f2f48c048e127a305f1d5d80e4df90

SHA256
933bb7defafdd3e29bb2d19dfa0b2d471cef35cd4cbb8ac890e98850b0ee52e9

SHA512
ec71b082f393a4e9f8fa865b564f7101a89a0ea483e6e1a7ddb692070f9a041fc10dc6d04019ab7b92e60d19794914ed1517426088036c77a43abc0c3ca94fd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\D5CUXJ2faewQ.bat

Filesize
211B

MD5
da0dea1b61ccd9356a509bfb444a6e8b

SHA1
b66f839cb9397372bde4a2e1aa22c9ec6d5b238c

SHA256
53a3fa2bc73982fc5607e261b285f66938815049a68dd79af318404342e42a56

SHA512
37856bde3b65277eca2ad6a088015b2a9051ee3d26e696599103dd88b9c7cca63ac562f86a7e13d9b0bac8a8889307cd975787b8dd6317bfd95205a5281137a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\El5bFWti8D7N.bat

Filesize
211B

MD5
234fc70f217c8e755a020d259d98b593

SHA1
27c1e86bafd5847bd9d39784c39d5e4db27fef03

SHA256
4a13eec4c80e59e79c190a029640d888b3d3c085fde99dee77239603a72784bd

SHA512
060bd3c7e04ddb23bfc7beea7462a29894b08a99ef29a9ea020824e385f4b386887671ddbcee4298f1caac19d71f2110b21d1b80e4cc5dab49a5cfd5efbae44a

Download Submit
C:\Users\Admin\AppData\Local\Temp\LSSoNKi9N1Uz.bat

Filesize
211B

MD5
6fba8db2c7abde3d4417a48f43ba2bdd

SHA1
c7992831844d71bea37b92683becd60e2253fc6a

SHA256
c4028d7f56999d3738591f2da82477cfe1b3747b554e6b42b8c4641002b7d476

SHA512
7b9ab3c72168fc2a837f9c5bb1229531cf1e1de55c571b2d37ecfae47bd8cfae23666cbf1f183273a50aeec2c376e86bae3e79254c41641a99a73ec3484db8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\N0ZeJthcyVUa.bat

Filesize
211B

MD5
93885bc9c89727ba875fd32a21160b35

SHA1
dd8ec997c8eeb6c7e8b6f3526801b3db0a9fdd44

SHA256
d96b52b13476d0ca8becc2a924e2f640cb7d894d20f341852d2144202368a9a6

SHA512
0357420a18d20e67e6d0cc09719045f9f0de6e4bdf8da79adb4c9f5a0ab8acdd8998e378efc4e1f388fa92e5d12aae61c0cd1920cbcdf293e27a86f6e3009293

Download Submit
C:\Users\Admin\AppData\Local\Temp\QKIiTBePzopg.bat

Filesize
211B

MD5
bb0403cbecbd7a03e003361e138f2472

SHA1
ba1396df19006c1f1a6f4d25da2b30d8c88c1d6d

SHA256
494bb2678505889b34f80e0634d264a8f7da678c9c0a06b1a86eae5f36252742

SHA512
67d18763e7a016994e59bce54fa83b6c0f832dc3b077515cf799d024fa87c8c497524baeab342857611462cb1e8a45b11cf19eb803fd26e9e5582f5295694019

Download Submit
C:\Users\Admin\AppData\Local\Temp\R1i9tSvta2xq.bat

Filesize
211B

MD5
c5138a6a2b0870abad6755f94008ff19

SHA1
28aac1080634214e7f4563616dcb33499179026a

SHA256
676a10c437ce99c7455335572647cbf908e1681de2ea15e46feeda77e581cd97

SHA512
3894fecda7774ae149cf24e74e2ee2068cc889a1197edb5a36834a9ac20c2b9f1aa4651f552f2078bc9d66e4aaf9a9ed9ba1c05e4f93289a852dbb2ad9bec33d

Download Submit
C:\Users\Admin\AppData\Local\Temp\U4gkPkDU9vRH.bat

Filesize
211B

MD5
f82035ce4dded572251836cd3220a455

SHA1
71e0db2e120f84361b5751f39ea0f4d77c3bfabb

SHA256
585d196f8e845ab3754970eadcce532d9a9a3fa0a32bd3df68b695fa81ebe39e

SHA512
099670f9d22d020f7284318571464287e48a0bae13719b58fffba0f0270cc4dacc804ebae756489fc3ad53b7e17f81579b2d28ea08401793f00481853145fe72

Download Submit
C:\Users\Admin\AppData\Local\Temp\aNG4FHDEXUT4.bat

Filesize
211B

MD5
27e51e1cc01dad974800f034a47786fb

SHA1
82aeddbaef050da6fef48e8987f730ebe21cac8a

SHA256
86201be81df2203dabf818eeb198240b0c33a2063da5a9fbab7ec7834a97c5bd

SHA512
269c0470956e225dc076b58234f82349e06c810b86298de9aac3925dee62bc76946553fe5ee540f12bc61e744c7b54e108f38ea235ea856e8aac84dc89a0eab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dKEySggMfpZZ.bat

Filesize
211B

MD5
7e8f3b4d722ae849733f8d63604319b2

SHA1
4a2f59e61c52f995fc0a093d6aa97c4ba7328c9c

SHA256
cecb2e12b2a83356831abf9f6dfe457b9705ae770a71c0b4c7ff0b0ae440528d

SHA512
6f47a7632b8ba1c55cc6b925d42a6841e5e773a4c6382300a79b2d7fcce78338ddb20a6f1e7f3400e306788341a624029f5644c6904dc49eef2818585eb3513c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gXp87F6Xebil.bat

Filesize
211B

MD5
0167a66aef6b284c7afeee06a228a392

SHA1
3a1ddf953eeca8daf85cdef930419a109d6b9aa0

SHA256
dc58d85cc87a711323c1c090a8923ac05c6e3b0580dfcab4adc975d537c2c3b7

SHA512
6fa1a305c95333003f3154dd94f92fd291b34fbe72535be281e208f4070ceef4e05975be711349f66e267a445152053afc6c70ddcba239f0f8d7d227c373a8a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ilq0nEOW1CTW.bat

Filesize
211B

MD5
96d2f6485d18c5e05630738ba626931d

SHA1
07e8934a018730f43c25c4b8226cc5bc18fffe06

SHA256
b287c6f7debcf99df5818412b22d4785e0fa394694d8dccc96d505ffbe632ee5

SHA512
e945f094f5a97170a8b2a06e3086c6d3952ebdf827e6c0c727440256299c2fd78c954d055c94999b1951bbf945b9596514b8bb8791dc7bb202a65e082e637b5b

Download Submit
C:\Users\Admin\AppData\Roaming\Programfiles\java.exe

Filesize
3.3MB

MD5
bc884c0edbc8df559985b42fdd2fc985

SHA1
9611a03c424e0285ab1a8ea9683918ce7b5909ab

SHA256
e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270

SHA512
1b8c97d500de45fbf994dcd9bf65cc78106a62ff0770a362add18866cceebbe9f5e157a77d26cb0d0d8de89abe3d446bc911f33e7027fa8f8809d2720b0cedcc

Download Submit
memory/864-13-0x000000001C760000-0x000000001C812000-memory.dmp

Filesize
712KB

Download
memory/864-12-0x000000001C650000-0x000000001C6A0000-memory.dmp

Filesize
320KB

Download
memory/864-11-0x00007FF9F5A70000-0x00007FF9F6531000-memory.dmp

Filesize
10.8MB

Download
memory/864-18-0x00007FF9F5A70000-0x00007FF9F6531000-memory.dmp

Filesize
10.8MB

Download
memory/864-9-0x00007FF9F5A70000-0x00007FF9F6531000-memory.dmp

Filesize
10.8MB

Download
memory/3680-0-0x00007FF9F5A73000-0x00007FF9F5A75000-memory.dmp

Filesize
8KB

Download
memory/3680-1-0x0000000000E50000-0x000000000119E000-memory.dmp

Filesize
3.3MB

Download
memory/3680-2-0x00007FF9F5A70000-0x00007FF9F6531000-memory.dmp

Filesize
10.8MB

Download
memory/3680-10-0x00007FF9F5A70000-0x00007FF9F6531000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads