Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-12-2024 06:30
Behavioral task: behavioral1
Sample: built.exe
Resource: win7-20240903-en
General
Target: built.exe
Size: 3.1MB
MD5: a813f565b05ee9df7e5db8dbbcc0fa43
SHA1: f508e738705163233b29ba54f4cb5ec4583d8df1
SHA256: ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156
SHA512: adb431c372c2e1d0f6019bedefe16a2253fcf76929ba7e2b9f9cc7a253137920615121a1a64f7003a43f39e8b17ace233daca32b2933b6953aa6cf558b834e2e
SSDEEP: 98304:aydj2yMy5en93hlLLzJjVrv3zs9Yv+Wcvy:pLYvzs9Yv+Wcv
Malware Config
Extracted
Family: quasar
Version: 1.4.0
Botnet: Office04
C2: microsoftsys.ddns.net:4782
Mutex: 67e0653d-eedf-4888-88ab-78e97eb2df27
encryption_key: 23E5F6D22FEE1750D36544A759A48349B064BC34
install_name: PerfWatson1.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: svhost
subdirectory: KDOT
Signatures
Quasar family
Quasar payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/1260-1-0x0000000000A40000-0x0000000000D64000-memory.dmp | family_quasar
  behavioral2/files/0x000a000000023ba0-4.dat | family_quasar
Checks computer location settings (2 TTPs, 15 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | PerfWatson1.exe
  (the identical row is recorded once for each of the 15 PerfWatson1.exe instances)
Executes dropped EXE (15 IoCs)
  pid | Process
  PerfWatson1.exe: PIDs 3984, 4596, 1956, 2668, 2924, 1196, 2808, 232, 2064, 5028, 4720, 4688, 640, 212, 740
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  PING.EXE: PIDs 2856, 3488, 3816, 2864, 400, 3876, 1860, 2180, 4864, 1536, 540, 2672, 3392, 3812, 4284
Runs ping.exe (1 TTPs, 15 IoCs)
  pid | Process
  PING.EXE: PIDs 2672, 1536, 3812, 2856, 3816, 3392, 4864, 2864, 400, 4284, 2180, 3488, 540, 3876, 1860
Scheduled Task/Job: Scheduled Task (1 TTPs, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  schtasks.exe: PIDs 1260, 3836, 4588, 1760, 2288, 3376, 2464, 932, 752, 1872, 1256, 556, 2756, 880, 4184, 4320
Suspicious use of AdjustPrivilegeToken (16 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1260 | built.exe
  Token: SeDebugPrivilege | PerfWatson1.exe: PIDs 3984, 4596, 1956, 2668, 2924, 1196, 2808, 232, 2064, 5028, 4720, 4688, 640, 212, 740
Suspicious use of WriteProcessMemory (64 IoCs)
  pid | Process | wrote to memory of | procid_target | events
  1260 | built.exe | 2288 | 82 | 2
  1260 | built.exe | 3984 | 84 | 2
  3984 | PerfWatson1.exe | 2756 | 85 | 2
  3984 | PerfWatson1.exe | 4848 | 87 | 2
  4848 | cmd.exe | 2824 | 89 | 2
  4848 | cmd.exe | 540 | 90 | 2
  4848 | cmd.exe | 4596 | 95 | 2
  4596 | PerfWatson1.exe | 880 | 96 | 2
  4596 | PerfWatson1.exe | 4420 | 98 | 2
  4420 | cmd.exe | 3620 | 100 | 2
  4420 | cmd.exe | 2672 | 101 | 2
  4420 | cmd.exe | 1956 | 105 | 2
  1956 | PerfWatson1.exe | 4184 | 106 | 2
  1956 | PerfWatson1.exe | 5028 | 108 | 2
  5028 | cmd.exe | 3380 | 110 | 2
  5028 | cmd.exe | 400 | 111 | 2
  5028 | cmd.exe | 2668 | 114 | 2
  2668 | PerfWatson1.exe | 3376 | 115 | 2
  2668 | PerfWatson1.exe | 1768 | 117 | 2
  1768 | cmd.exe | 4484 | 119 | 2
  1768 | cmd.exe | 3876 | 120 | 2
  1768 | cmd.exe | 2924 | 121 | 2
  2924 | PerfWatson1.exe | 1260 | 122 | 2
  2924 | PerfWatson1.exe | 3864 | 124 | 2
  3864 | cmd.exe | 4896 | 126 | 2
  3864 | cmd.exe | 1860 | 127 | 2
  3864 | cmd.exe | 1196 | 128 | 2
  1196 | PerfWatson1.exe | 752 | 129 | 2
  1196 | PerfWatson1.exe | 764 | 131 | 2
  764 | cmd.exe | 4984 | 133 | 2
  764 | cmd.exe | 2180 | 134 | 2
  764 | cmd.exe | 2808 | 135 | 2
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Level 1 | PID 1260 | C:\Users\Admin\AppData\Local\Temp\built.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\built.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Level 2 | PID 2288 | C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\built.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
Level 2 | PID 3984 | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Level 3 | PID 2756 | C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
Level 3 | PID 4848 | C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dFqfZtqdAnHg.bat" "
  - Suspicious use of WriteProcessMemory
Level 4 | PID 2824 | C:\Windows\system32\chcp.com
  cmdline: chcp 65001
Level 4 | PID 540 | C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
Level 4 | PID 4596 | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Level 5 | PID 880 | C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
Level 5 | PID 4420 | C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ulx5LocqN2cm.bat" "
  - Suspicious use of WriteProcessMemory
Level 6 | PID 3620 | C:\Windows\system32\chcp.com
  cmdline: chcp 65001
Level 6 | PID 2672 | C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
Level 6 | PID 1956 | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Level 7 | PID 4184 | C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
Level 7 | PID 5028 | C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oedyIkyhmOPi.bat" "
  - Suspicious use of WriteProcessMemory
Level 8 | PID 3380 | C:\Windows\system32\chcp.com
  cmdline: chcp 65001
Level 8 | PID 400 | C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
Level 8 | PID 2668 | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Level 9 | PID 3376 | C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
Level 9 | PID 1768 | C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\K16VMDbSzbIx.bat" "
  - Suspicious use of WriteProcessMemory
Level 10 | PID 4484 | C:\Windows\system32\chcp.com
  cmdline: chcp 65001
Level 10 | PID 3876 | C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
Level 10 | PID 2924 | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Level 11 | PID 1260 | C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
Level 11 | PID 3864 | C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vrRLkJTyxoh4.bat" "
  - Suspicious use of WriteProcessMemory
Level 12 | PID 4896 | C:\Windows\system32\chcp.com
  cmdline: chcp 65001
Level 12 | PID 1860 | C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
Level 12 | PID 1196 | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Level 13 | PID 752 | C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
Level 13 | PID 764 | C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Vv0cB5fJV0pZ.bat" "
  - Suspicious use of WriteProcessMemory
Level 14 | PID 4984 | C:\Windows\system32\chcp.com
  cmdline: chcp 65001
Level 14 | PID 2180 | C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
Level 14 | PID 2808 | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Level 15 | PID 1256 | C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
Level 15 | PID 2292 | C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a9hb1XbesWap.bat" "
Level 16 | PID 4844 | C:\Windows\system32\chcp.com
  cmdline: chcp 65001
Level 16 | PID 3488 | C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
Level 16 | PID 232 | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Level 17 | PID 556 | C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
Level 17 | PID 1348 | C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7Jbf8zROjEku.bat" "
Level 18 | PID 3464 | C:\Windows\system32\chcp.com
  cmdline: chcp 65001
Level 18 | PID 3392 | C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
Level 18 | PID 2064 | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Level 19 | PID 3836 | C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
Level 19 | PID 1052 | C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XG3EC06BpxcN.bat" "
Level 20 | PID 1388 | C:\Windows\system32\chcp.com
  cmdline: chcp 65001
Level 20 | PID 4864 | C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
Level 20 | PID 5028 | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Level 21 | PID 4320 | C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
Level 21 | PID 3952 | C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wcN6Ozq6dflL.bat" "
Level 22 | PID 1404 | C:\Windows\system32\chcp.com
  cmdline: chcp 65001
Level 22 | PID 2864 | C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
Level 22 | PID 4720 | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Level 23 | PID 1872 | C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
Level 23 | PID 4204 | C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LQtdjBepjV2K.bat" "
Level 24 | PID 872 | C:\Windows\system32\chcp.com
  cmdline: chcp 65001
Level 24 | PID 3812 | C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
Level 24 | PID 4688 | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Level 25 | PID 4588 | C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
Level 25 | PID 2348 | C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5hjLr7LncdKx.bat" "
Level 26 | PID 3840 | C:\Windows\system32\chcp.com
  cmdline: chcp 65001
Level 26 | PID 4284 | C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
Level 26 | PID 640 | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Level 27 | PID 2464 | C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
Level 27 | PID 1256 | C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CJnYFIBRxc4G.bat" "
Level 28 | PID 2644 | C:\Windows\system32\chcp.com
  cmdline: chcp 65001
Level 28 | PID 2856 | C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
Level 28 | PID 212 | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Level 29 | PID 1760 | C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
Level 29 | PID 624 | C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cScKlMb5KUxR.bat" "
Level 30 | PID 2664 | C:\Windows\system32\chcp.com
  cmdline: chcp 65001
Level 30 | PID 3816 | C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
Level 30 | PID 740 | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Level 31 | PID 932 | C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
Level 31 | PID 2372 | C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Q2u3emh0rcWk.bat" "
Level 32 | PID 1956 | C:\Windows\system32\chcp.com
  cmdline: chcp 65001
Level 32 | PID 1536 | C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
MITRE ATT&CK Enterprise v15
Downloads