quasar | e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270.exe
Size

3.3MB
MD5

bc884c0edbc8df559985b42fdd2fc985
SHA1

9611a03c424e0285ab1a8ea9683918ce7b5909ab
SHA256

e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270
SHA512

1b8c97d500de45fbf994dcd9bf65cc78106a62ff0770a362add18866cceebbe9f5e157a77d26cb0d0d8de89abe3d446bc911f33e7027fa8f8809d2720b0cedcc
SSDEEP

49152:BvmI22SsaNYfdPBldt698dBcjHideEErHFk/uVSoGdf3THHB72eh2NT:Bvr22SsaNYfdPBldt6+dBcjHidel8

Score

10^/10

quasar java discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Java

dez345-37245.portmap.host:37245

Mutex

f0e53bcd-851e-44af-8fd5-07d8ab5ed968

Attributes

encryption_key
65439CE7DEF3E0FAF01C526FEA90388C9FD487A1
install_name
java.exe
log_directory
Logs
reconnect_delay
3000
startup_key
java ©
subdirectory
Programfiles

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/2328-1-0x0000000000CC0000-0x000000000100E000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023c97-6.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	java.exe

Executes dropped EXE 15 IoCs

pid	Process
1548	java.exe
1964	java.exe
3144	java.exe
2936	java.exe
4964	java.exe
2188	java.exe
2344	java.exe
1756	java.exe
1928	java.exe
4976	java.exe
4572	java.exe
2192	java.exe
1724	java.exe
764	java.exe
3440	java.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3512	PING.EXE
4688	PING.EXE
1424	PING.EXE
3556	PING.EXE
1768	PING.EXE
4852	PING.EXE
2992	PING.EXE
2456	PING.EXE
2656	PING.EXE
4160	PING.EXE
3416	PING.EXE
2616	PING.EXE
4788	PING.EXE
3840	PING.EXE
4252	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
3556	PING.EXE
2656	PING.EXE
4252	PING.EXE
1768	PING.EXE
3512	PING.EXE
4688	PING.EXE
1424	PING.EXE
4788	PING.EXE
3840	PING.EXE
2616	PING.EXE
3416	PING.EXE
2992	PING.EXE
2456	PING.EXE
4852	PING.EXE
4160	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4348	schtasks.exe
3984	schtasks.exe
1912	schtasks.exe
4624	schtasks.exe
4512	schtasks.exe
3604	schtasks.exe
1324	schtasks.exe
1828	schtasks.exe
4992	schtasks.exe
4460	schtasks.exe
2464	schtasks.exe
4252	schtasks.exe
4828	schtasks.exe
1824	schtasks.exe
4960	schtasks.exe
1892	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270.exe
Token: SeDebugPrivilege	1548	java.exe
Token: SeDebugPrivilege	1964	java.exe
Token: SeDebugPrivilege	3144	java.exe
Token: SeDebugPrivilege	2936	java.exe
Token: SeDebugPrivilege	4964	java.exe
Token: SeDebugPrivilege	2188	java.exe
Token: SeDebugPrivilege	2344	java.exe
Token: SeDebugPrivilege	1756	java.exe
Token: SeDebugPrivilege	1928	java.exe
Token: SeDebugPrivilege	4976	java.exe
Token: SeDebugPrivilege	4572	java.exe
Token: SeDebugPrivilege	2192	java.exe
Token: SeDebugPrivilege	1724	java.exe
Token: SeDebugPrivilege	764	java.exe
Token: SeDebugPrivilege	3440	java.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
1548	java.exe
1964	java.exe
3144	java.exe
2936	java.exe
4964	java.exe
2188	java.exe
2344	java.exe
1756	java.exe
1928	java.exe
4976	java.exe
4572	java.exe
2192	java.exe
1724	java.exe
764	java.exe
3440	java.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
1548	java.exe
1964	java.exe
3144	java.exe
2936	java.exe
4964	java.exe
2188	java.exe
2344	java.exe
1756	java.exe
1928	java.exe
4976	java.exe
4572	java.exe
2192	java.exe
1724	java.exe
764	java.exe
3440	java.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4572	java.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 3604	2328	e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270.exe	85
PID 2328 wrote to memory of 3604	2328	e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270.exe	85
PID 2328 wrote to memory of 1548	2328	e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270.exe	87
PID 2328 wrote to memory of 1548	2328	e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270.exe	87
PID 1548 wrote to memory of 1324	1548	java.exe	88
PID 1548 wrote to memory of 1324	1548	java.exe	88
PID 1548 wrote to memory of 3704	1548	java.exe	90
PID 1548 wrote to memory of 3704	1548	java.exe	90
PID 3704 wrote to memory of 4816	3704	cmd.exe	92
PID 3704 wrote to memory of 4816	3704	cmd.exe	92
PID 3704 wrote to memory of 2992	3704	cmd.exe	93
PID 3704 wrote to memory of 2992	3704	cmd.exe	93
PID 3704 wrote to memory of 1964	3704	cmd.exe	101
PID 3704 wrote to memory of 1964	3704	cmd.exe	101
PID 1964 wrote to memory of 4252	1964	java.exe	102
PID 1964 wrote to memory of 4252	1964	java.exe	102
PID 1964 wrote to memory of 1372	1964	java.exe	105
PID 1964 wrote to memory of 1372	1964	java.exe	105
PID 1372 wrote to memory of 4832	1372	cmd.exe	107
PID 1372 wrote to memory of 4832	1372	cmd.exe	107
PID 1372 wrote to memory of 4688	1372	cmd.exe	108
PID 1372 wrote to memory of 4688	1372	cmd.exe	108
PID 1372 wrote to memory of 3144	1372	cmd.exe	116
PID 1372 wrote to memory of 3144	1372	cmd.exe	116
PID 3144 wrote to memory of 4828	3144	java.exe	117
PID 3144 wrote to memory of 4828	3144	java.exe	117
PID 3144 wrote to memory of 2300	3144	java.exe	120
PID 3144 wrote to memory of 2300	3144	java.exe	120
PID 2300 wrote to memory of 2296	2300	cmd.exe	122
PID 2300 wrote to memory of 2296	2300	cmd.exe	122
PID 2300 wrote to memory of 1424	2300	cmd.exe	123
PID 2300 wrote to memory of 1424	2300	cmd.exe	123
PID 2300 wrote to memory of 2936	2300	cmd.exe	127
PID 2300 wrote to memory of 2936	2300	cmd.exe	127
PID 2936 wrote to memory of 1828	2936	java.exe	128
PID 2936 wrote to memory of 1828	2936	java.exe	128
PID 2936 wrote to memory of 2092	2936	java.exe	131
PID 2936 wrote to memory of 2092	2936	java.exe	131
PID 2092 wrote to memory of 1884	2092	cmd.exe	133
PID 2092 wrote to memory of 1884	2092	cmd.exe	133
PID 2092 wrote to memory of 4788	2092	cmd.exe	135
PID 2092 wrote to memory of 4788	2092	cmd.exe	135
PID 2092 wrote to memory of 4964	2092	cmd.exe	137
PID 2092 wrote to memory of 4964	2092	cmd.exe	137
PID 4964 wrote to memory of 4992	4964	java.exe	138
PID 4964 wrote to memory of 4992	4964	java.exe	138
PID 4964 wrote to memory of 4548	4964	java.exe	141
PID 4964 wrote to memory of 4548	4964	java.exe	141
PID 4548 wrote to memory of 4840	4548	cmd.exe	143
PID 4548 wrote to memory of 4840	4548	cmd.exe	143
PID 4548 wrote to memory of 3556	4548	cmd.exe	144
PID 4548 wrote to memory of 3556	4548	cmd.exe	144
PID 4548 wrote to memory of 2188	4548	cmd.exe	145
PID 4548 wrote to memory of 2188	4548	cmd.exe	145
PID 2188 wrote to memory of 4460	2188	java.exe	146
PID 2188 wrote to memory of 4460	2188	java.exe	146
PID 2188 wrote to memory of 3652	2188	java.exe	149
PID 2188 wrote to memory of 3652	2188	java.exe	149
PID 3652 wrote to memory of 2272	3652	cmd.exe	151
PID 3652 wrote to memory of 2272	3652	cmd.exe	151
PID 3652 wrote to memory of 3840	3652	cmd.exe	152
PID 3652 wrote to memory of 3840	3652	cmd.exe	152
PID 3652 wrote to memory of 2344	3652	cmd.exe	154
PID 3652 wrote to memory of 2344	3652	cmd.exe	154

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270.exe
"C:\Users\Admin\AppData\Local\Temp\e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3604
- C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
  "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wc5l72tt46VJ.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3704
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4816
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2992
  - - C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
      "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1964
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4252
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UDmAEtDeuAar.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1372
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4832
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4688
      - C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4828
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\krghFjfgaNQS.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2296
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1424
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1828
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8rXMqgey3ZD7.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1884
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4788
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iFo0AQvHy9do.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4840
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3556
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4460
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y7RrYuuoJBpY.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2272
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3840
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2344
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uXbzXJeMC9gH.bat" "
        15⤵
        
        PID:3636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1312
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2456
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1756
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qbI2P85Ufeh2.bat" "
        17⤵
        
        PID:2888
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4656
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2656
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1928
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1912
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5CFiKLG1GmDy.bat" "
        19⤵
        
        PID:1416
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1204
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1768
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4976
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6GJvAIWsykdB.bat" "
        21⤵
        
        PID:4108
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4548
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4252
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4572
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\L0qmplctkXfo.bat" "
        23⤵
        
        PID:3288
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3500
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4852
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2192
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MX1mTFM27HRY.bat" "
        25⤵
        
        PID:3304
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:404
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4160
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1724
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kdGzOu6LXOVa.bat" "
        27⤵
        
        PID:3620
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2616
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:764
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EamAhQGMEXAy.bat" "
        29⤵
        
        PID:1416
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:4444
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3416
        
        C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3440
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3984
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\f94KopCAVrfx.bat" "
        31⤵
        
        PID:816
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:1148
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\java.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5CFiKLG1GmDy.bat

Filesize
211B

MD5
4e844ae4f711e400eb7c518f3c25b7d5

SHA1
e72cdde94e2c055a46b8574d408b5a6b9dfc3df5

SHA256
4f46e7a42fd05e81c2a52fc2d22d113034ceb08756d242d1ea288f7898b743a7

SHA512
a1fe1fcaa234c899d23f68542e04b91b6c8998ea926c840bffca56952f4e0148e31c2564bb88eae9dd161b8e20d44ecbd74a143311f11bbde411c0771bb4d0d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6GJvAIWsykdB.bat

Filesize
211B

MD5
bf8f94a94729f7efdf8aec01b779f09f

SHA1
4b5607c83704d7f30950d752b870dbd5677af27a

SHA256
54e74ce350a9a0f35ed6db71d41faddc39610430ae22845651482b610ca6b0c2

SHA512
3ede04b266fb7f97772c8e66dc70ed378f0890d5a8cd6239e4b2816ecf528877428a6e0a425101400a3e6d48eb56dc2546768fafa10fac59d7a1450ad673fd32

Download Submit
C:\Users\Admin\AppData\Local\Temp\8rXMqgey3ZD7.bat

Filesize
211B

MD5
8d4cceb595d3fb737d34c3faacfa4ef0

SHA1
99910578668278eb66eba3f6fefc33ab2733a963

SHA256
7eea6a71103b76e8fe77c5f396e976e6bda536b27f113e541b9d00d25b4562d6

SHA512
274c050aee41d4c0679620e355da67f80f35ae422236b1c7ab9d8191b1b724965bc53c85d427141091e6e7cdedc1ba6eba9fde4556ac8b7d91dbccc0e12f035b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EamAhQGMEXAy.bat

Filesize
211B

MD5
bbf22a0af853405edcd5c7110248d798

SHA1
cf38668a5853d67e6ae7f9877be68b9fe1fbbb63

SHA256
fed3b2cbe65f0746c080821f8dc613c4ecdc2d1eec517fa04f23e0c21f03d77f

SHA512
c737c541b5c6dd375741fea91c6c226d55d234effe62300c0a6dc5fb412af2e11dbb0dda65e4b40b1784d7b9be5469212327d62659e15c6330db3573881ff813

Download Submit
C:\Users\Admin\AppData\Local\Temp\L0qmplctkXfo.bat

Filesize
211B

MD5
be95b56ac89cc457b0ef6d13bf6b82dd

SHA1
9ec69a54d6c789708431782541c518c439369978

SHA256
e8b6bed9ed9c522f8797bf49f4426ac971636426413b6a48f80ceb99307bdc0d

SHA512
1cd4a0a88bcd2b0acc67c6a139da51399109efc7db085652e4c423cab84dd8052134a4dcab7f6e8928c19a1f50da4d35735df37ce323d33498139cd8c1804092

Download Submit
C:\Users\Admin\AppData\Local\Temp\MX1mTFM27HRY.bat

Filesize
211B

MD5
b649d53b6a2b9e238786739e3ac70868

SHA1
622fab385c37c36b61f9138d3959096be9ffa276

SHA256
6aeeb052ce1d54c57fd0f3f65f5baf9acc552ceab8eb17d883b00075ee83e3a6

SHA512
554e1496beb1479ab6f850974e8292a575e42af2d5258819f919f5092f774d92a5d20f7cfc1c2267470c20b6737033454b80edabbfbfb8e9dc7fa81530229308

Download Submit
C:\Users\Admin\AppData\Local\Temp\UDmAEtDeuAar.bat

Filesize
211B

MD5
b62adc22f054c261fb9ebc6cac99d759

SHA1
dd063a11ae0fd2083106c0651699a90d7b4dee38

SHA256
1378a8c71dc2ff324db62887632405fc4b9ef1d28b0790abbd7def86e8c6c728

SHA512
8ad148ea7c53f010b145728d28269e9fd0cd7801ec8893a78431d18806216b57a987bfe7c123ad670a540432bf1026ee8ae41225ffa79cd6d0f8d6a0e21357eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wc5l72tt46VJ.bat

Filesize
211B

MD5
c067aa5073a8edeeef9cfa8b0c8ba18c

SHA1
843c02b4043282b61e09e6ce6a167ffacc9315a3

SHA256
a920cb177cd9940406dec5a96d5a1c7faad5077e1f72bcac6409f85316dfc55e

SHA512
01e81f20be83c2e1999385b724244093aef51eee559be5a21ac5a4c6537967a04f0d0b34c23d7f2b16047459c146f0b4dba8d7ad88d5bb818abb34aef9843378

Download Submit
C:\Users\Admin\AppData\Local\Temp\f94KopCAVrfx.bat

Filesize
211B

MD5
55c21420a05a83cc18c50ad00dae7705

SHA1
805741b3d634dd48d5e5e33f7170f51a79d4dc88

SHA256
ea6438522ec2e0a736a7c9f7f811d856e1fd50fb2bd6c3d169bf4d1f5d2eb151

SHA512
d5c382e39f123ead6f801b1bcb4942e426f55771a899c0ac6238c644ab5569a8c54e55bb8442ffb11af74d00e1784e76521b11ec7caee9872467bfd93f2800fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\iFo0AQvHy9do.bat

Filesize
211B

MD5
f0d94523cc7f88a34ff9e48462e3d2b4

SHA1
bbac066cd5208f39ce7e4fb333ea52a3bd8b7487

SHA256
3f6a77e5a4079ecb6873183d6e625ed94506a4f55a5996911360ba0e093d1a8f

SHA512
1a8b751f31b01968dd3b7f85adfe00059b0946cc91af1568081811eef6c73267b7097dc39380bee48cab2bfb42ae94654a64af08501bbb084d6ebd451bfc003e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdGzOu6LXOVa.bat

Filesize
211B

MD5
ddf796082204e4ba530aeadf30496c94

SHA1
2d4f2c3044f15a65e5d2c661add19c40118af611

SHA256
b98acc5011886716cd119ed93e487610179b8131f973f34bee03a54d23c0f3bb

SHA512
e50e4fe1ac4287ee86b464ac6ec71197538ad8bc14a5108d5c0bae521a6dfa927ba00d6b2902077f47b41a442d23515fb3eefc040c52af90f4f2d7e4fe4e5df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\krghFjfgaNQS.bat

Filesize
211B

MD5
d8d27456c4839adda8a0fb662997d74d

SHA1
2371452b6d7b6a9e0c6f67184ab01cad1dc3df14

SHA256
6eb2fa2a61ce1726adb542c0094d902ebc0c5d53e1f88bac570711470753e9c1

SHA512
9c2915d81e53de17d54b04c3a0612aa3e15d0b4775ca5f6ff179b973aeda99b808c196face7bf256616f0d1aba7e8f4ad951f0950a779284821f6cdd04beaee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\qbI2P85Ufeh2.bat

Filesize
211B

MD5
7698f270ff405fe34709d82fb5585f49

SHA1
ec0014ed4ff7f2f2886ad9086a2d2c94e5f7751d

SHA256
9c70e161944788a8ea41f2eb129afda82c6faa4a91a6602fb1f4f3086bd53b52

SHA512
28edcf5a577cba60ebc58b005dad9d5603ebfe914aa1e51ce4b46cd7d804706fcf7a7fd6bf560d3ccedbfe89ecad0f68600e3e069644d605354464d63c7a0c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\uXbzXJeMC9gH.bat

Filesize
211B

MD5
30612a4576dabe3f87721b41d07025fa

SHA1
45a6908c6fe041219ed9142d9d94cecd933f4ecb

SHA256
d64304b47954dddca23510dccc4c956dcc95e5e4e31f184596e235e57b610132

SHA512
25824ce0bdc4ecd99b694a2324869d385e403317bc74eb82a908c54ec21ea769971025b20d86c86782afe72f40084fecb6db14d121b6a17e3c71f83cbbdbc773

Download Submit
C:\Users\Admin\AppData\Local\Temp\y7RrYuuoJBpY.bat

Filesize
211B

MD5
09374019118d8768028dd088b3d40205

SHA1
e2f03f2ecc2014dc56dcc63506a2076937cbee93

SHA256
81af29d81dcbbd890b4668faaa8c7a2342d6e16366485410649913c3586f3510

SHA512
2a755220fb86107840ea5f7046fd9754281544347a31e35ee534fbe3c3ad733bc48fc56daad58ae0eed96f5dba200dbca996cb42299c49636b5c7256bfdb114d

Download Submit
C:\Users\Admin\AppData\Roaming\Programfiles\java.exe

Filesize
3.3MB

MD5
bc884c0edbc8df559985b42fdd2fc985

SHA1
9611a03c424e0285ab1a8ea9683918ce7b5909ab

SHA256
e848b330ee5a8bd5ae1f6b991551e30a4a5b2e5deeb4718a15b2122101f2c270

SHA512
1b8c97d500de45fbf994dcd9bf65cc78106a62ff0770a362add18866cceebbe9f5e157a77d26cb0d0d8de89abe3d446bc911f33e7027fa8f8809d2720b0cedcc

Download Submit
memory/1548-18-0x00007FFBA0A00000-0x00007FFBA14C1000-memory.dmp

Filesize
10.8MB

Download
memory/1548-13-0x000000001C650000-0x000000001C702000-memory.dmp

Filesize
712KB

Download
memory/1548-12-0x000000001BBA0000-0x000000001BBF0000-memory.dmp

Filesize
320KB

Download
memory/1548-11-0x00007FFBA0A00000-0x00007FFBA14C1000-memory.dmp

Filesize
10.8MB

Download
memory/1548-10-0x00007FFBA0A00000-0x00007FFBA14C1000-memory.dmp

Filesize
10.8MB

Download
memory/2328-0-0x00007FFBA0A03000-0x00007FFBA0A05000-memory.dmp

Filesize
8KB

Download
memory/2328-9-0x00007FFBA0A00000-0x00007FFBA14C1000-memory.dmp

Filesize
10.8MB

Download
memory/2328-2-0x00007FFBA0A00000-0x00007FFBA14C1000-memory.dmp

Filesize
10.8MB

Download
memory/2328-1-0x0000000000CC0000-0x000000000100E000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads