quasar | ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156

Analysis

max time kernel
142s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

built.exe
Size

3.1MB
MD5

a813f565b05ee9df7e5db8dbbcc0fa43
SHA1

f508e738705163233b29ba54f4cb5ec4583d8df1
SHA256

ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156
SHA512

adb431c372c2e1d0f6019bedefe16a2253fcf76929ba7e2b9f9cc7a253137920615121a1a64f7003a43f39e8b17ace233daca32b2933b6953aa6cf558b834e2e
SSDEEP

98304:aydj2yMy5en93hlLLzJjVrv3zs9Yv+Wcvy:pLYvzs9Yv+Wcv

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

microsoftsys.ddns.net:4782

Mutex

67e0653d-eedf-4888-88ab-78e97eb2df27

Attributes

encryption_key
23E5F6D22FEE1750D36544A759A48349B064BC34
install_name
PerfWatson1.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svhost
subdirectory
KDOT

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 9 IoCs

resource	yara_rule
behavioral1/memory/1796-1-0x00000000011D0000-0x00000000014F4000-memory.dmp	family_quasar
behavioral1/files/0x00080000000167dc-5.dat	family_quasar
behavioral1/memory/2036-8-0x0000000000290000-0x00000000005B4000-memory.dmp	family_quasar
behavioral1/memory/2824-22-0x0000000001030000-0x0000000001354000-memory.dmp	family_quasar
behavioral1/memory/1620-34-0x0000000001340000-0x0000000001664000-memory.dmp	family_quasar
behavioral1/memory/1528-65-0x0000000000170000-0x0000000000494000-memory.dmp	family_quasar
behavioral1/memory/1628-76-0x0000000000DE0000-0x0000000001104000-memory.dmp	family_quasar
behavioral1/memory/2692-88-0x0000000000F10000-0x0000000001234000-memory.dmp	family_quasar
behavioral1/memory/1688-129-0x0000000001100000-0x0000000001424000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2036	PerfWatson1.exe
2824	PerfWatson1.exe
1620	PerfWatson1.exe
2892	PerfWatson1.exe
1500	PerfWatson1.exe
1528	PerfWatson1.exe
1628	PerfWatson1.exe
2692	PerfWatson1.exe
2868	PerfWatson1.exe
1932	PerfWatson1.exe
2948	PerfWatson1.exe
1688	PerfWatson1.exe
1208	PerfWatson1.exe
848	PerfWatson1.exe
2780	PerfWatson1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1808	PING.EXE
2512	PING.EXE
2428	PING.EXE
1352	PING.EXE
3008	PING.EXE
756	PING.EXE
1048	PING.EXE
996	PING.EXE
2928	PING.EXE
2888	PING.EXE
3016	PING.EXE
1724	PING.EXE
900	PING.EXE
2812	PING.EXE
2164	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2888	PING.EXE
1048	PING.EXE
900	PING.EXE
2928	PING.EXE
3016	PING.EXE
756	PING.EXE
996	PING.EXE
2164	PING.EXE
3008	PING.EXE
1808	PING.EXE
2512	PING.EXE
2428	PING.EXE
2812	PING.EXE
1352	PING.EXE
1724	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2692	schtasks.exe
2580	schtasks.exe
1976	schtasks.exe
2796	schtasks.exe
2112	schtasks.exe
2680	schtasks.exe
2568	schtasks.exe
1980	schtasks.exe
2244	schtasks.exe
2152	schtasks.exe
2004	schtasks.exe
1332	schtasks.exe
2752	schtasks.exe
2904	schtasks.exe
1028	schtasks.exe
2520	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1796	built.exe
Token: SeDebugPrivilege	2036	PerfWatson1.exe
Token: SeDebugPrivilege	2824	PerfWatson1.exe
Token: SeDebugPrivilege	1620	PerfWatson1.exe
Token: SeDebugPrivilege	2892	PerfWatson1.exe
Token: SeDebugPrivilege	1500	PerfWatson1.exe
Token: SeDebugPrivilege	1528	PerfWatson1.exe
Token: SeDebugPrivilege	1628	PerfWatson1.exe
Token: SeDebugPrivilege	2692	PerfWatson1.exe
Token: SeDebugPrivilege	2868	PerfWatson1.exe
Token: SeDebugPrivilege	1932	PerfWatson1.exe
Token: SeDebugPrivilege	2948	PerfWatson1.exe
Token: SeDebugPrivilege	1688	PerfWatson1.exe
Token: SeDebugPrivilege	1208	PerfWatson1.exe
Token: SeDebugPrivilege	848	PerfWatson1.exe
Token: SeDebugPrivilege	2780	PerfWatson1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 1976	1796	built.exe	31
PID 1796 wrote to memory of 1976	1796	built.exe	31
PID 1796 wrote to memory of 1976	1796	built.exe	31
PID 1796 wrote to memory of 2036	1796	built.exe	33
PID 1796 wrote to memory of 2036	1796	built.exe	33
PID 1796 wrote to memory of 2036	1796	built.exe	33
PID 2036 wrote to memory of 2692	2036	PerfWatson1.exe	34
PID 2036 wrote to memory of 2692	2036	PerfWatson1.exe	34
PID 2036 wrote to memory of 2692	2036	PerfWatson1.exe	34
PID 2036 wrote to memory of 2556	2036	PerfWatson1.exe	36
PID 2036 wrote to memory of 2556	2036	PerfWatson1.exe	36
PID 2036 wrote to memory of 2556	2036	PerfWatson1.exe	36
PID 2556 wrote to memory of 2844	2556	cmd.exe	38
PID 2556 wrote to memory of 2844	2556	cmd.exe	38
PID 2556 wrote to memory of 2844	2556	cmd.exe	38
PID 2556 wrote to memory of 2888	2556	cmd.exe	39
PID 2556 wrote to memory of 2888	2556	cmd.exe	39
PID 2556 wrote to memory of 2888	2556	cmd.exe	39
PID 2556 wrote to memory of 2824	2556	cmd.exe	40
PID 2556 wrote to memory of 2824	2556	cmd.exe	40
PID 2556 wrote to memory of 2824	2556	cmd.exe	40
PID 2824 wrote to memory of 2568	2824	PerfWatson1.exe	41
PID 2824 wrote to memory of 2568	2824	PerfWatson1.exe	41
PID 2824 wrote to memory of 2568	2824	PerfWatson1.exe	41
PID 2824 wrote to memory of 2092	2824	PerfWatson1.exe	43
PID 2824 wrote to memory of 2092	2824	PerfWatson1.exe	43
PID 2824 wrote to memory of 2092	2824	PerfWatson1.exe	43
PID 2092 wrote to memory of 1652	2092	cmd.exe	45
PID 2092 wrote to memory of 1652	2092	cmd.exe	45
PID 2092 wrote to memory of 1652	2092	cmd.exe	45
PID 2092 wrote to memory of 756	2092	cmd.exe	46
PID 2092 wrote to memory of 756	2092	cmd.exe	46
PID 2092 wrote to memory of 756	2092	cmd.exe	46
PID 2092 wrote to memory of 1620	2092	cmd.exe	47
PID 2092 wrote to memory of 1620	2092	cmd.exe	47
PID 2092 wrote to memory of 1620	2092	cmd.exe	47
PID 1620 wrote to memory of 2796	1620	PerfWatson1.exe	48
PID 1620 wrote to memory of 2796	1620	PerfWatson1.exe	48
PID 1620 wrote to memory of 2796	1620	PerfWatson1.exe	48
PID 1620 wrote to memory of 1664	1620	PerfWatson1.exe	50
PID 1620 wrote to memory of 1664	1620	PerfWatson1.exe	50
PID 1620 wrote to memory of 1664	1620	PerfWatson1.exe	50
PID 1664 wrote to memory of 1740	1664	cmd.exe	52
PID 1664 wrote to memory of 1740	1664	cmd.exe	52
PID 1664 wrote to memory of 1740	1664	cmd.exe	52
PID 1664 wrote to memory of 1808	1664	cmd.exe	53
PID 1664 wrote to memory of 1808	1664	cmd.exe	53
PID 1664 wrote to memory of 1808	1664	cmd.exe	53
PID 1664 wrote to memory of 2892	1664	cmd.exe	54
PID 1664 wrote to memory of 2892	1664	cmd.exe	54
PID 1664 wrote to memory of 2892	1664	cmd.exe	54
PID 2892 wrote to memory of 2152	2892	PerfWatson1.exe	55
PID 2892 wrote to memory of 2152	2892	PerfWatson1.exe	55
PID 2892 wrote to memory of 2152	2892	PerfWatson1.exe	55
PID 2892 wrote to memory of 2964	2892	PerfWatson1.exe	57
PID 2892 wrote to memory of 2964	2892	PerfWatson1.exe	57
PID 2892 wrote to memory of 2964	2892	PerfWatson1.exe	57
PID 2964 wrote to memory of 2224	2964	cmd.exe	59
PID 2964 wrote to memory of 2224	2964	cmd.exe	59
PID 2964 wrote to memory of 2224	2964	cmd.exe	59
PID 2964 wrote to memory of 1048	2964	cmd.exe	60
PID 2964 wrote to memory of 1048	2964	cmd.exe	60
PID 2964 wrote to memory of 1048	2964	cmd.exe	60
PID 2964 wrote to memory of 1500	2964	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\built.exe
"C:\Users\Admin\AppData\Local\Temp\built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\built.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1976
- C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2692
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\HF4Pksh9Bbx0.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2844
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2888
  - - C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
      "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2568
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Xyzxv5cwNhdX.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2092
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1652
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:756
      - C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2796
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iIM23qeFmuch.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1808
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2152
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BASqhumwQ2Bk.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2224
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1048
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2004
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\6r144E6Ss0Nf.bat" "
        11⤵
        
        PID:2936
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1708
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:900
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2112
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kPJpvu6BZTs8.bat" "
        13⤵
        
        PID:2384
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2504
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:996
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1332
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Phl9vl5vsLyL.bat" "
        15⤵
        
        PID:2464
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2444
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2512
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2680
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tadX04NGh8g8.bat" "
        17⤵
        
        PID:2844
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1368
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2428
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2580
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qBgO2bxoZZW6.bat" "
        19⤵
        
        PID:2260
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:976
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2812
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2752
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\l2sSFucA4Rgp.bat" "
        21⤵
        
        PID:2440
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1416
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2928
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2904
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RhADGRM2REMy.bat" "
        23⤵
        
        PID:1496
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2232
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3016
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1028
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\9XROn4uyhpXr.bat" "
        25⤵
        
        PID:752
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1712
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1352
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2520
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gMJETqlc0et6.bat" "
        27⤵
        
        PID:804
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3036
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1980
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\5MxPoR3qXOku.bat" "
        29⤵
        
        PID:2640
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:920
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2164
        
        C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
        
        "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2244
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gPhUQkvSVV2P.bat" "
        31⤵
        
        PID:3000
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2728
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5MxPoR3qXOku.bat

Filesize
210B

MD5
ba53c967eaef86c01cfbe759365ece4e

SHA1
db45debf54fe23201d0a677aafe72e79b9271537

SHA256
416257de14eed21c0b7ca638afb676108f51f7f7137c8bb5388c53bc57a7a796

SHA512
f05cf2782c6c132861f40655997ab3e00ae8098b8e347d1f9e23c1bc5fdab56edbb170b917763dc564eeccf4bcd9185418c7a3d833f3c96c0afa00ca46d93fee

Download Submit
C:\Users\Admin\AppData\Local\Temp\6r144E6Ss0Nf.bat

Filesize
210B

MD5
a0ef964fe30d3a5d74bcd686e62408a2

SHA1
8d9d61552a73753326fde216f61c645497ede63d

SHA256
6eff9214479c96c82c8f31aff613ea81ff9c033539e95d0f71bb292ecae83350

SHA512
a2df1c1a0c5c0eb50d021d772907093282e512aa1da36aa7d1984484f7b638512aa386f95bac7d1da6d6b8f247779da0b5d9aba9ff0a8557c51776e84dc0be05

Download Submit
C:\Users\Admin\AppData\Local\Temp\9XROn4uyhpXr.bat

Filesize
210B

MD5
c30507eace376ce6e942ff50101c9913

SHA1
34f32f93ec92f78f3d08283e54115d0c4fb1edfc

SHA256
58581461c2dfbf5b3c69d41fbb18ed20029fa6de69b87470c3d69e49ca4ab5e0

SHA512
770c91594591be39790d46ef5467717e81752b939d60564b2ea5517268f3e888bfb6a97d8b40b5233eccbdb59904e253db985e80ac098b65b37e1a27f749cf2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BASqhumwQ2Bk.bat

Filesize
210B

MD5
e06c299cc8343942ecc8d902b1396fd1

SHA1
0f6ccfda96e3b394d766da6748a7c0d9c5a85fea

SHA256
ed16e162fb3bd2303a622942453d15d27b9b8864159f456c70fcf87e3ce855d3

SHA512
8a91c451e518e38204553e486e083357d7be9101619e962b3a212507ff6d8d5571d69cf15155084e367d7b1cb9cdf80cfea1b6b1b513bc5a1399ba08eea3ad39

Download Submit
C:\Users\Admin\AppData\Local\Temp\HF4Pksh9Bbx0.bat

Filesize
210B

MD5
89659f68291561cde6877279a64205fa

SHA1
caaad80b429812e001cceac37f0ea5a1e93540ce

SHA256
e59bbca2e2ba6f1aa358f5f0ff6e3f5b0a853bffcd1832a130f998d195f31f45

SHA512
643ed4f8af24baacd8bf5d9a71f34020c2476490be2ce04e13cae86de58db66d738bbbad02b8cefdce30300f75c9f7a09323e8063575a72c8ab762b059085e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Phl9vl5vsLyL.bat

Filesize
210B

MD5
840a4e84590dee4772dff984ef1b1695

SHA1
36766a6bef7e2b4fe15a21c4e58ce09240ebea7d

SHA256
4a1112125477f604397a7003817863906565aa2746b14cd99cb23c03ff12df79

SHA512
70c1d44081cf2f68a0992ec1415ba230246c0c359380bbd858cd9f339effd020a39909693ec0fec6e434714ec2752a699635844742de1907881515a896d4725a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RhADGRM2REMy.bat

Filesize
210B

MD5
52203e78aa6e35df13e64d43ef819170

SHA1
6231f1eb88e0102f3351ab9dfc1e8de985a30273

SHA256
c6bf235d0b8f5c421aaaf0a7b2320fdcc910df10f4e9f420a213395903063acb

SHA512
b4b9da134ca04a537b2e58fea0e2e18393a32c852eb6c3745a9d868df90e871910556b34ca6036744558662a60ec2342ab23bb9f5c070313a4475c70eb90cf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xyzxv5cwNhdX.bat

Filesize
210B

MD5
ee0c386fd44c76934e96fbd87e309c54

SHA1
d973aa82b97633c420dc8090c124d9ee6d0af8de

SHA256
b5371ad56247618eac46b55518dd0904609d4e48c33fdcbd0629d8b998867fdb

SHA512
069a970648f6afbcde98b32b023d7516bf949294b227b6130eed8ed72e84b1d6dfc7ccef834b1e2365a3997eaec1a5a8b8a5d3e7291a25e78f38c46b04e7a815

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMJETqlc0et6.bat

Filesize
210B

MD5
73dcd2f2b3d1e80f015915bdaa6dbbf3

SHA1
286f887054833fb406b1a71216eb9ec8db73bcfe

SHA256
033a7c2dd70f423cacaa93b9f2ae91efc4a18270763a74a2f12a1599f077aa08

SHA512
35537526b3592dc176711e76338b9840212e4290bcacb281893f08201f29e3bc3bb58ed759f8b182d2525bb81ba58bd11a74cdfae19ffe0f887f4752a9cd5149

Download Submit
C:\Users\Admin\AppData\Local\Temp\gPhUQkvSVV2P.bat

Filesize
210B

MD5
02ec307c021022c9bd2ca4b9595c30f4

SHA1
11812f390283dc4ebe5d3c085e58b819b5f2ea08

SHA256
d05d82d385997a38d5f0d7a0a487dd9ed52bc63de985e431abcfa4dfada6d620

SHA512
a172c552c01f7ce39808492783ae76f54ca6b57b07d7c7308eb9b98f88b9fe89defec5d785f5c2953c8da0b1b21219566b6cf2701d66a26003b19ab8195fa93c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIM23qeFmuch.bat

Filesize
210B

MD5
e9eaf0edee047d7caacba6947a29cefb

SHA1
e5f9d33d62dc81c25154db7a0984695e245d16a6

SHA256
a6e433d92f1ff97a47fea6731af60af5b750f48b23769849f7545a1c1a7d8014

SHA512
46cea7b326a039fe2ed7ca89a163a89ae0f8bb7035bb5a30f701cc02b37018e7bb3d6a8d4e8825924dbea5f58a4a4b08014e1be5bbe7c4fd19ea1b0ddb571c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kPJpvu6BZTs8.bat

Filesize
210B

MD5
fada712717c6c9da39d39389ef685ebe

SHA1
70971fbc67a0dceaa2c45147574c8b0d67fcae6b

SHA256
72704c8d7041065d38a5e0b8b7168c89b9b6150ea66b0212668c2dcc4f619d0a

SHA512
2f9b55887b6e2639b01f4ce4615c2d1ca6f26708d8070539316f5209b1eaaa7e8fbaa81a63e7cc88b4c51ac49506b49729bf26cfff3c9f75201367937af7cfb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\l2sSFucA4Rgp.bat

Filesize
210B

MD5
abeea1a59d25547b6cf39921db21db10

SHA1
2c2133e7f379126dd066f68353dd1c3acd3203e7

SHA256
3104c63a9e92c7e02751d9a9dc1acf32ee2ecfab4e230ba5d43e0278b65aff1f

SHA512
3a2387137330530a6075b9897985591a94f61da7e4372aa8440748dc1835f0a4e08a3f78d5ad0b6d7ae087853c206def15199a335861f4ded423697624459121

Download Submit
C:\Users\Admin\AppData\Local\Temp\qBgO2bxoZZW6.bat

Filesize
210B

MD5
2d1525286a9c5de95d1823b7db57d9b7

SHA1
6d0a928927066e7a4173fc9d5efb501086547b42

SHA256
69be305dc4766e8a8854551e72c363db9f3cf47134af7b9a919cb5e5fd6d70b4

SHA512
cab24e7b3839bde388eef2d25565ba23d787cf2c8a8078c608b02105c6d2e7a390d1c80090ebf293e2ad53c63b6e15db2aa96c4cca76eac3c6cb801419853626

Download Submit
C:\Users\Admin\AppData\Local\Temp\tadX04NGh8g8.bat

Filesize
210B

MD5
773c5486d9d3c51f98d5e070c724e216

SHA1
b2d0ac52e420823723d6f678c5ff787d37987cdd

SHA256
deab67ace0240b4b7e51acf6db4f493f28567080b88126a2817213314fd8b6e1

SHA512
678ab51c3a028ef459e4c3192cee61a25e98b15991e3d909a6dcd6feef91330b6c35b55aa49b00beb513bcc933c17a3a41db7129b01ebab11950ec60823bb2be

Download Submit
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

Filesize
3.1MB

MD5
a813f565b05ee9df7e5db8dbbcc0fa43

SHA1
f508e738705163233b29ba54f4cb5ec4583d8df1

SHA256
ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156

SHA512
adb431c372c2e1d0f6019bedefe16a2253fcf76929ba7e2b9f9cc7a253137920615121a1a64f7003a43f39e8b17ace233daca32b2933b6953aa6cf558b834e2e

Download Submit
memory/1528-65-0x0000000000170000-0x0000000000494000-memory.dmp

Filesize
3.1MB

Download
memory/1620-34-0x0000000001340000-0x0000000001664000-memory.dmp

Filesize
3.1MB

Download
memory/1628-76-0x0000000000DE0000-0x0000000001104000-memory.dmp

Filesize
3.1MB

Download
memory/1688-129-0x0000000001100000-0x0000000001424000-memory.dmp

Filesize
3.1MB

Download
memory/1796-9-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

Filesize
9.9MB

Download
memory/1796-1-0x00000000011D0000-0x00000000014F4000-memory.dmp

Filesize
3.1MB

Download
memory/1796-2-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

Filesize
9.9MB

Download
memory/1796-0-0x000007FEF57D3000-0x000007FEF57D4000-memory.dmp

Filesize
4KB

Download
memory/2036-10-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

Filesize
9.9MB

Download
memory/2036-19-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

Filesize
9.9MB

Download
memory/2036-8-0x0000000000290000-0x00000000005B4000-memory.dmp

Filesize
3.1MB

Download
memory/2036-7-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

Filesize
9.9MB

Download
memory/2692-88-0x0000000000F10000-0x0000000001234000-memory.dmp

Filesize
3.1MB

Download
memory/2824-22-0x0000000001030000-0x0000000001354000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads